Scan Troubleshooting

If you are having problems getting your scans to start or complete then here are instructions for some basic debugging steps.

First, make sure you are using the latest version of Wordfence. Also, make sure your site meets our System Requirements.

If your scans are completing but your site has been hacked, or you think that it may have been hacked, then follow our site cleaning guide here.

“The current scan looks like it has failed”

If the scan has stopped running unexpectedly, the scan page may show this message:

“The current scan looks like it has failed. Its last status update was 7 mins ago. You may continue to wait in case it resumes or stop and restart the scan. Some sites may need adjustments to run scans reliably.”

This is often caused by the host stopping processes that run longer than a time limit they have set lower than what they have set in the PHP function “max_execution_time”. It can also be caused when the host monitors memory usage of multiple processes rather than only the PHP function “memory_limit”. Some hosts may have other limits in place. In most cases, the steps below should help, but if not, please see the additional items below and submit a support request if needed.

Advanced users can change the threshold for this message using the WORDFENCE_SCAN_FAILURE_THRESHOLD constant described on the page Wordfence constants for advanced configuration.

Scan time limit exceeded

Some options combined with a large number of files can make scans take a long time, especially on slower servers. You can set a limit for how long Wordfence scans will run on your site. The option is called “Time limit that a scan can run in seconds” and it is found in the “Performance Options” section on the “Scan” > “Scan Options and Scheduling “page. Leaving this option blank will allow Wordfence to use the default limit of 3 hours. If your site reaches this time limit during a scan, you will see a message in the scan results like:

“Scan terminated with error: The scan time limit of 3 hours has been exceeded and the scan will be terminated. This limit can be customized on the options page.”

If this happens, then the scan stops and reports the issues it has found so far, but the remainder of the scan will not be able to run unless you make some changes to scan options or the site’s files. This issue will remain listed in the scan results until a successful scan has been completed without reaching the time limit.

Resolving the issue

You can adjust some options to help scans complete more quickly, look for reasons that might cause the long scans, or increase the time limit, as described below.

Scan images, binary, and other files as if they were executable
This option can be disabled if you have many non-PHP files being scanned. This option is off by default, but you may have enabled it on your site. If you have limited memory on your site but also have an exceptionally large amount of images (for example 50,000 on a fast server, or even just 5,000 on a much slower server) turning this option off may be necessary.

Exclude files from scan that match these wildcard patterns
You can add files, directories, or patterns to the “Exclude files from scan that match these wildcard patterns” text area on the options page, to prevent them from being scanned. This can be useful if you keep large files within your site’s directories, such as backups.

Additionally, we recommend saving backups somewhere other than in your site’s own directories. In addition to saving time in scans, if the host had a major problem with the server and the whole site was lost, it is best to have your backups stored somewhere else.

Scan files outside your WordPress installation
If you have “Scan files outside your WordPress installation” enabled, you can disable it to scan fewer files. If you have additional non-WordPress applications installed or additional sites in subdirectories of the main site (such as on some shared hosting plans), they will not be scanned if this option is disabled. If the additional sites also run Wordfence, their scans will still run normally.

Error logs
Check the PHP error logs and web server error logs generated by your site. It is possible that a conflict with another plugin, a database issue, or settings on the server may be interfering with the scans thus causing them to take longer than they should. Wordfence may be able to locate the PHP error log files for you. If so, you will be able to see the path to your PHP error log files and download them from the “Log Files” section on the “Tools” > “Diagnostics” page.

Time limit that a scan can run in seconds
You can set this option to a longer duration if you want scans to run for a longer time. Many hosts have limits on resource usage, especially on shared hosting plans, so it is generally best to reduce resource usage rather than increasing the time limit.  The default scan time limit is 3 hours, which equates to 10,800 seconds.

Adjust the max execution time

If your scans do not complete and seem to be dying silently, or if you are getting an error about the “max_execution_time” PHP function in your PHP error logs, you can try adjusting the Wordfence option “Maximum execution time for each scan stage“.

  1. Go to the Wordfence “Scan” > “Scan Options and Scheduling” page.
  2. In the section “Performance Options”, set “Maximum execution time for each scan stage” to 15 seconds.
  3. Press the SAVE CHANGES button.
  4. Try running another scan.

If the scan still does not complete, try this instead:

  1. Go to the Wordfence “Tools” > “Diagnostics”, and open the “Other Tests” section.
  2. Now click on “Click to view your system’s configuration in a new window”.
  3. Look for the “max_execution_time” function line in the “Core” section.
  4. Go back to the “Scan Options and Scheduling” page. In the “Performance Options” section, set the “Maximum execution time for each scan stage” to about 80% of that value. So if it is 30, try setting our option to 24.  Note that if you have a large value for the “max_execution_time” function, such as 300, then we recommend that you set a maximum value of 45 in Wordfence. Also note that you can also test lower values in Wordfence such as 12, 10, and 8.
  5. Try another scan and see if that works.

Details about the debugging steps above

Wordfence scans run for a few seconds up to several minutes. Most web servers do not allow processes that run for several minutes. The way that we overcome this problem is that we start a scan, and then after the time value set for “Maximum execution time for each scan stage” we pause the scan and launch another scan process to continue the scan. We try to auto-detect what the “max_execution_time” is for your server, but sometimes the detected value may be incorrect. So we have added this advanced configuration option to allow you to tell Wordfence how long a scan fork process should be allowed to run on your server.

When you set this value, you must make sure it is not greater than the maximum execution time that PHP allows on your server. If your web host has set an Apache configuration variable that limits process execution time or if they have a “killer daemon” that kills long-running processes, you also need to make sure that your value for the “Maximum execution time for each scan stage” is shorter than the maximum process time that these allow. However, you do not want to set this value too low because it will increase load on your server as Wordfence pauses and restarts every time it hits the time limit. So the ideal situation is to find a happy medium. Often this seems to be around 15 seconds, so try that first.

Handling memory errors

If you see an error about running out of memory, you can try the following:

  1. Go to wordfence “Scan Options and Scheduling” page.
  2. In the section “Performance Options”, find the option “How much memory should Wordfence request when scanning”.
  3. Increase this to 300 Megabytes (the default value is 256 Megabytes).
  4. Try another scan.

If you still get an out-of-memory error, try increasing by another 50 and try another scan. You can keep increasing by 50 megabytes, but be careful that your web server does not run out of memory, because this may cause the operating system to behave unpredictably. You can refer to your hosting provider’s documentation to find out what the maximum memory is that you have been allocated.

Additional memory limits and other limits you may not see

Some hosts limit memory across multiple processes or may have CPU usage limits over a period of time. These limits are not always obvious since they may not cause error messages in your PHP error logs, and may make the scan appear to just stop working.

PHP 7 has substantial performance improvements in both memory and CPU usage, compared to any of the 5.x versions, so switching to a newer PHP version may help in these cases. Many hosts allow you to choose your preferred PHP version, and others will help you change it if you ask. We have collected help documents for switching PHP versions for a few of them:

Dreamhost
GoDaddy
GoDaddy (cPanel)
BlueHost
SiteGround

Make sure to test your site after switching PHP versions. WordPress and many plugins will also perform better with PHP 7, but some plugins that haven’t been updated for a long time may not be compatible with it yet.

Plugin conflicts

These plugins have been known to cause issues with scans, with certain settings:

W3 Total Cache

The “Database cache” functionality can return outdated database records during a scan. All other cache options in W3 Total Cache should be okay if the database cache is disabled.

Query Monitor

This plugin is helpful for query troubleshooting, but it causes all database queries to be saved, which uses a lot of memory during Wordfence scans. This can cause fatal PHP memory errors to occur. We recommend deactivating this plugin when you are not actively using it.

PilotPress

This plugin can cause scans to malfunction.  Try disabling the PilotPress option “Lock all users without Admin role out of profile editor”.

Scan process ended after forking

If you get the “Scan process ended after forking” message as the last line in the scan log, check and make sure that you have not blocked access to the “wp-admin” directory with a “.htaccess” file or limited access to it via another method. If you have, make sure to allow your server’s IP address to access this directory. Also, check if you have Memcache running on your server. Memcache may have to be restarted twice in order for the object cache to remove the saved Wordfence scan cronkey.

LiteSpeed web server settings

If you are using a LiteSpeed server you may need to add a “noabort” directive to your .htaccess file.

If your scans aren’t starting

Try starting scans remotely
Try enabling the option “Start all scans remotely” found in the “Debugging Options” section at the bottom of the “Diagnostics” tab on the Wordfence “Tools” page. If it does not fix the problem then try the following.

Check plugins
Make sure you do not have an “Under Construction” plugin running that is blocking access to the WordPress AJAX handler. If you do, deactivate the under construction plugin and try another scan.

Do not password-protect wp-admin
Make sure you have not set up a secondary password to protect access to the “wp-admin” directory. This will break Wordfence scanning along with any public AJAX functionality in WordPress. Read more about this in this blog entry.

Make sure our servers are not blocked from reaching your site
Make sure you have not blocked Wordfence scanning server IP addresses listed below from accessing your site. If your site is unable to connect to itself to start a scan, we get our scanning servers to connect to your site to start the scan instead. If you have blocked our servers then your scans will not start. The latest version of Wordfence has code that prevents you from blocking individual IP addresses that we use, but you can still block network ranges that our IP addresses reside in, so make sure you have not done that.

Also, you can check with your hosting provider and ask them if they are blocking outbound connections to our IP addresses listed below.

44.239.130.172
44.238.191.15
35.155.126.231
54.68.32.247
44.235.211.232
54.71.203.174

Check the database tables
We have seen some customers who are experiencing table corruption where, for example, the table ending in “wfstatus” is corrupted and marked as “crashed” by MySQL. What happens, in this example, is that the scan will run, but every time Wordfence tries to write to the scan activity log then nothing gets written and an error is written to your web server error log. To diagnose this, check your web server error log and it will contain a lot of errors that look like this:

WordPress database error Table ‘./xxx/wp_wfStatus’ is marked as crashed and should be repaired for query…

If you see this, you need to launch “phpMyAdmin” in your hosting account and repair any crashed tables. Or, you can log a support call with your hosting provider and they can do this for you.

Check the WordPress AJAX handler
A common problem is that your site’s WordPress AJAX handler is not working. You may have accidentally blocked access to it, or a theme you are using may have broken it. Test that you can access the following URL:

example.com/wp-admin/admin-ajax.php

Replace “example.com” with your site’s domain name. You should see a blank page with a “0” in the top left corner. If you do not see this, then you need to fix your site’s AJAX handler or Wordfence and many other WordPress features will not work.

Additional scan troubleshooting

If you see a “500 Internal Server Error”, then check your web server error logs for the reason. If you do not know how to do this then ask your hosting provider.

If you see a FORBIDDEN message, then you have probably set up a “.htaccess” file that blocks access to your “wp-admin” directory and you will need to add an exclusion for the WordPress AJAX handler.

If you see a page that looks like your site’s home page or some other page on your site, then your personal site designer/developer or the author of your theme has broken the way your site works and you will need to ask them to fix access to the WordPress AJAX handler.

Hosting provider issues

1&1 Hosting. Also known as 1and1 or IONOS

If your site is hosted with this provider then try setting a value of 8 for the scan performance option “Maximum execution time for each scan stage”.

Quadra Hosting / Vodien Hosting / WPX Hosting

If your scan fails shortly after starting then it has been known for these three hosting providers to have a ModSecurity server firewall rule that blocks Wordfence scans from running. You will need to ask your hosting provider for assistance to verify if this is the cause and to prevent this blocking from taking place.

123 Reg / Heart Internet

If you see an error message saying that the scan time limit of three minutes has been exceeded then these two hosting companies in the UK may have set this very short time limit compared to the default time limit value of 3 hours. As a consequence, you may not be able to permanently increase the scan time limit length above 3 minutes for scans to be able to successfully complete.

Frequently Asked Questions

  • PHP Fatal error: Allowed memory size exhausted

    Occasionally, depending on your site, resources, and plugins and themes you may get a php error that says something like this:

    PHP Fatal error: Allowed memory size of 67108864 bytes exhausted (tried to allocate 491520 bytes)

    Fatal error: Out of memory (allocated 33292288) (tried to allocate 616 bytes) in...

    This issue is not a Wordfence error but simply indicates that you need to contact your hosting provider and ask them to increase your site memory. Usually your hosting provider will edit your php.ini file to increase the memory_limit parameter, and they may also have to increase your web server memory limit along with any operating system limits they have.

    Increase PHP Memory
    This is an indication that your memory in php.ini is not set high enough. You can define this in your php.ini file (usually found in /etc on linux systems – check your documentation for windows servers, which are currently unsupported by Wordfence). Look through the file for a line like this: memory_limit = 128M. Keep in mind the 128M is probably different. That’s the amount of memory that php is allowed to consume. If you have 10 plugins and combined they consume more memory than you have allocated, you’re going to have problems. You can assign more by increasing this value. (Some of our personal sites have 256M allowed, but these are pretty big sites with a substantial number of hits and plugins). Make sure and restart httpd (apache) after making changes here.

    Disable plugins that affect database queries
    When the scan is running Wordfence has to make a lot of database queries. If you are using plugins that affect all database queries such as Query Monitor, you may run out of PHP memory. If you have Query Monitor or any similar plugin installed, make sure it’s deactivated while Wordfence scan is running.

  • Error connecting to the Wordfence scanning servers

    Errors about connecting to the Wordfence scanning servers usually mean that your web server cannot connect to our scanning servers. It is possible that your server is blocking outgoing connections or there are some DNS resolution issues.

    When you run a scan your web server needs to be able to connect to our scanning server which is noc1.wordfence.com, so that it can send hashes of files and signatures for comparison against known bad items. Your web server must be able to connect to port 443 and port 80 of noc1.wordfence.com. To test if it can do this, you can use an SSH connection to your server and run the following commands. If you do not know how to do this then you can ask your server administrator or your hosting provider.

    Depending on what software is installed on your server then one or more of these commands may work:

    dig noc1.wordfence.com
    nslookup noc1.wordfence.com
    host noc1.wordfence.com
    getent hosts noc1.wordfence.com
    ping noc1.wordfence.com

    You can try connecting to port 80 and port 443. As long as you can connect to both then you should be able to use the scanner. You should see the IP 69.46.36.28 returned. If you are seeing anything other than that it’s possible that your host has a caching nameserver that isn’t respecting the TTL (Time To Live). This would mean that it’s keeping old records longer than it should.

    You can also try:

    • Uncheck “Enable ssl verification”. It is found under Tools, on the Diagnostics tab at the bottom of the page.
    • Make sure your cUrl is not outdated and allows outbound connections. Run the connectivity tester (near bottom of the Wordfence options page) to test. If you receive an error, a ticket with your hosting provider may be required.
    • Check iptables (linux) to make sure you are accepting those connections.

    To set iptables to accept the connections, the following code should be checked and adjusted for your particular site, by an experienced server manager or your hosting company:


    sudo iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
    sudo iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

  • Red error messages in the scan log

    You can view the activity log by clicking Scan on the Wordfence menu on the left of your WordPress admin console and then clicking the link “View activity log” below the “Scan Detailed Activity” box. The red errors you see here are not just Wordfence errors, but also errors from other plugins and even WordPress itself in rare cases.

    If you see red errors here, they are often just warnings which may not affect the functioning of your site. But you should investigate them and report any errors to the owner of the plugin that is generating the error.

    An example of a plugin error is:

    Use of undefined constant user_level – assumed ‘user_level’ (8) File: /home/blah/foo/bar/home/wp-content/plugins/the-name-of-the-plugin-here/somefile.php Line: 525

    If you look at the filename above, notice where the name of the plugin appears. Use that to determine which plugin is generating the errors you’re seeing, and report the issue to the plugin maker. If Wordfence is generating the error, then report it to us ASAP! If the error is the last error (or close to last) that appears before a scan mysteriously stops running, then send that to us too.