Global Options
These allow you to update your Wordfence License, set your Alert Preferences, and other settings.
Wordfence License
Each Wordfence installation has its own unique identifier, a “license key” (or API key). Free versions of Wordfence automatically have one of these. To upgrade to Wordfence premium, you purchase a premium license key and install it in place of the free key. You can read more about License Keys here.
General Wordfence Options
Update Wordfence automatically when a new version is released?
New vulnerabilities and infections appear daily. Keeping Wordfence up to date is a critical part of keeping your site secure: it ensures that you have the latest protection, detection, and removal technology that Wordfence provides, and a better chance of maintaining a secure site. As of WordPress 5.5, if you enable automatic updates for Wordfence on the “Plugins” page in WordPress, then WordPress’s built-in auto-updates will occur instead. In that case our update option will have no effect, in order to avoid potential conflicts from updating the same plugin twice in a single cron job hit. We recommend that you choose one method or the other, and still watch for pending updates, just in case an issue on your site prevents scheduled cron jobs from running. [Read more about Auto Update]
In very rare cases, allowing Wordfence to update automatically can be problematic because the update may fail and you won’t know about it until you log in to your site and see, for example, that Wordfence is missing from the list of plugins. This can also happen to other plugins that are set to update automatically, not just Wordfence. Often site owners will try to install Wordfence again and be presented with a common error message containing ‘Destination folder already exists’.
A failed automatic update of Wordfence is usually related to a problem on the hosting server. The update process involves removing old files, extracting the new plugin and then copying over the new files to the plugin location. On some hosting servers that process can exceed the PHP max_execution_time or even the gateway timeout. It is usually during the last part of the transfer, when the new files are copied over, that issues can occur.
To resolve this you can manually delete the Wordfence plugin directory in the plugins directory below:
~/wp-content/plugins/wordfence
All of your plugin settings will remain intact as they are stored in the database.
You can then reinstall the plugin on the WordPress Plugins page.
Where to email alerts
This is the email address where Wordfence emails its security alerts. This should usually be your WordPress site administrator’s email address, but you can add multiple email addresses here and separate them using commas.
How does Wordfence get IPs
Wordfence needs to determine each visitor’s IP address to provide security functions on your site. The Wordfence default configuration works automatically for most sites, but it is important that this configuration is correct.
If Wordfence isn’t configured to detect IP addresses correctly then Wordfence can see all visits to your site as coming from a proxy server IP address instead of the original IP addresses of site visitors. If an attacker is blocked then everyone else can also be blocked for the duration of that block, or until the proxy server IP address changes, because Wordfence sees the attacker and everyone else, including you, as having the same proxy server IP address.
For a practical example of this, many people use the Cloudflare Content Delivery Network to improve their site performance. When a site visitor uses their internet browser to send a request for a page on your site, the request is routed through a Cloudflare server first. The request is then passed on to your hosting server to fetch the full page for the site visitor. Your hosting server then effectively sees the page request as coming from a Cloudflare IP address instead of the original IP address of the site visitor. There are also other scenarios where different types of proxy servers are used. There are a number of different HTTP headers available to use for these different types of proxy servers so that the original IP addresses of site visitors can be correctly seen. Wordfence has options for these different HTTP headers which are explained below.
For another example, your hosting provider might be using an internal proxy server to improve the performance of their hosting infrastructure. These internal proxy servers can use private IP addresses. If Wordfence is not detecting IP addresses correctly, and detects that an external visitor originates from a private IP address, then it will allow that visitor to bypass some Wordfence security features. You can read more about which addresses Wordfence considers private here.
If you are not able to set up the configuration of correct IP address detection then you can use the support links at the top of this page.
You can find your correct IP address using the example site link below. There are other sites that you can find in a search engine that will tell you your IP address.
https://whatismyipaddress.com/
Your IP address should match the IP address shown on the line “Your IP with this setting”.
Another way of determining if Wordfence is getting IP addresses correctly is to check the “IP Detection” section on the Wordfence “Tools” > “Diagnostics” page.
The Wordfence scanner also has an option to “Scan for misconfigured How does Wordfence get IPs”. This scan feature can help you detect if the wrong option has been selected for “How does Wordfence get IPs”.
Let Wordfence use the most secure method to get visitor IP addresses. Prevents spoofing and works with most sites.
This is the default mode of operation for Wordfence. Wordfence will try to get a valid IP address from PHP. If that does not work, it will look at headers that a firewall or reverse proxy sends in case your site uses this configuration.
This option provides a good balance between security and compatibility.
Use PHP’s built in REMOTE_ADDR and don’t use anything else. Very secure if this is compatible with your site.
If you know that you definitely do not use a reverse proxy, cache, Cloudflare, CDN, or any other type of proxy in front of your web server that “proxies” traffic to your website, and if you are sure that your website is just a standalone PHP web server, then this option will work and is the most secure choice for a configuration with no proxy or load balancer.
Use the X-Forwarded-For HTTP header. Only use if you have a front-end proxy or spoofing may result.
Only use this option if you are using Nginx, a load balancer, or CDN as a front-end proxy in front of your web server, and the front-end proxy server sends IP addresses using the X-Forwarded-For HTTP header to the web server that runs WordPress.
Be careful about enabling this option if you do not have a front-end proxy configuration because it will then allow visitors to spoof their IP address.
Use the X-Real-IP HTTP header. Only use if you have a front-end proxy or spoofing may result.
Only use this option if you are using Nginx, a load balancer, or CDN as a front-end proxy in front of your web server, and the front-end proxy server sends IP addresses using the X-Real-IP HTTP header to the web server that runs WordPress.
Use the Cloudflare “CF-Connecting-IP” HTTP header to get a visitor IP. Only use if you’re using Cloudflare.
Wordfence is compatible with Cloudflare, and in most configurations, Cloudflare will send the real visitor IP address to your web server using the CF-Connecting-IP HTTP header. If Cloudflare support personnel have advised you that this is the case, then enable this option in Wordfence. Note that Cloudflare offers a web server module that takes care of detecting the visitor IP address, which may be used at some hosting companies, so be sure to work with their technical support staff and read their documentation to determine which configuration you are using.
Trusted Proxies and Trusted Proxy Preset
If your host requires using the “X-Forwarded-For” HTTP header, there may be multiple IP addresses detected. If your own IP address does not appear where it shows “Your IP with this setting” then you may need to add trusted proxies.
Using the “+ Edit trusted proxies” link, you can enter IP addresses or CIDR ranges in the “Trusted Proxies” field manually, or if you are using a service that is listed in the “Trusted Proxy Preset” field, such as Amazon CloudFront, Ezoic, or Quic.cloud, you can choose that option in the drop-down list. Additional services will be added in future releases.
If you do not know whether your host uses more than one proxy address, contact your host or the proxy service that you use. If you know there is only one proxy address, it will usually be the last address in the “Detected IP(s)” field. If you need to enter proxies manually:
- Once you know which proxies to trust, click the “+ Edit trusted proxies” link below the detected IP addresses.
- In the “Trusted Proxies” field that appears, enter the IP addresses of the proxies. You can enter a single IP like 10.0.0.15. You can also enter a “CIDR” range like 10.0.0.0/24. Note that your host’s trusted IP addresses should not be the same as the addresses in these examples.
- Click the “Save Options” button to save the changes, and check that your IP appears correctly in the “Your IP with this setting” field.
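The following added example (not Wordfence's own code) illustrates why the trusted proxy list matters when the X-Forwarded-For header is used: it resolves the visitor address by walking the header right to left and skipping trusted proxies, a common technique assumed here rather than taken from Wordfence. All addresses, the function names, and the RFC 1918 list standing in for "private" addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample of what might be entered under "Trusted Proxies".
TRUSTED = ["10.0.0.15", "10.0.0.0/24"]
# Assumption: RFC 1918 and loopback stand in for "private" addresses here.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_trusted(entries):
    """Accept single IPs (10.0.0.15) and CIDR ranges (10.0.0.0/24)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def in_any(ip, networks):
    return any(ip in net for net in networks)


def naive_leftmost(xff_header):
    """Blind trust in the header: the visitor controls this value."""
    return xff_header.split(",")[0].strip()


def resolve_client_ip(remote_addr, xff_header, trusted):
    """Walk X-Forwarded-For right to left, skipping trusted proxies.

    The header is believed only when the connecting peer is itself trusted.
    The first untrusted hop is the visitor; entries left of it are ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not xff_header or not in_any(peer, trusted):
        return str(peer)
    candidate = peer
    for part in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(part.strip())
        except ValueError:
            break  # malformed entry: keep the last hop that parsed
        candidate = hop
        if not in_any(hop, trusted):
            break
    return str(candidate)


def is_internal(ip_text):
    """True when the result is still internal, i.e. the proxy list is incomplete."""
    return in_any(ipaddress.ip_address(ip_text), INTERNAL)


if __name__ == "__main__":
    trusted = parse_trusted(TRUSTED)
    # Constructed request: visitor 203.0.113.7 forged the first entry, then
    # passed through proxy 10.0.0.15; 10.0.0.20 is the connecting peer.
    xff = "198.51.100.99, 203.0.113.7, 10.0.0.15"
    print("naive:   ", naive_leftmost(xff))
    print("resolved:", resolve_client_ip("10.0.0.20", xff, trusted))
```

If the resolved address is still internal, every visitor will share that proxy address, which is the situation described at the start of this section.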
If you are using the Ezoic advertising platform
If you are using the Ezoic advertising platform, as of Wordfence 7.11.0 Ezoic’s list of IP addresses can be set as trusted proxies automatically, by setting the “Trusted Proxy Preset” field to “Ezoic”, and choosing “Use the X-Forwarded-For HTTP header”. This uses Ezoic’s list of IP addresses from https://support.ezoic.com/kb/article/how-to-fix-origin-errors
This is necessary for Wordfence to be able to detect each visitor’s IP address correctly instead of Wordfence seeing all visits to your site as coming from Ezoic IP addresses.
In previous Wordfence versions, Ezoic’s IP addresses had to be entered manually in the “Trusted Proxies” field. If you had entered addresses there previously, these can be removed, once the Trusted Proxy Preset has been set to “Ezoic.”
If you had previously added Ezoic’s IP address ranges to the Wordfence option “Allowlisted IP addresses that bypass all rules” then all of Ezoic’s IP address ranges must be removed from the allowlist. If Wordfence has not been configured to detect IP addresses correctly then Wordfence will see all threat actors as having an Ezoic IP address, and they will be able to bypass all WordPress protection because all of Ezoic’s IP addresses have been added to the allowlist.
Note that if your website is hosted at SiteGround then currently it appears that SiteGround will overwrite or remove the “X-Forwarded-For” HTTP header so that Wordfence cannot detect IP addresses correctly if you use Ezoic. You may be able to use the Ezoic Integration plugin available from WordPress.org instead of making changes to the DNS records of your domain name.
Look up visitor IP locations via Wordfence servers
This option allows Wordfence to look up the city and country for visitors’ IP addresses on Wordfence’s servers, for features like the Live Traffic page and login alerts. This is enabled by default. If you disable this option, Wordfence will use a smaller local database instead, but can look up only the country.
Hide WordPress version
WordPress, by default, discloses what its version is. This option will hide it from outsiders. We generally recommend that you do not enable this anymore, since there are other methods of determining the WordPress version, such as fingerprinting static content like CSS and JavaScript files. This option will be disabled on new installations.
Disable Code Execution for Uploads directory
Enabling this option will place a “.htaccess” file in your “wp-content/uploads/” directory which prevents any PHP code in your uploads directory from executing. This is an added level of protection against a hacker managing to upload PHP code into your “uploads” directory. Even if they manage to do that, the code won’t execute if you have this option enabled. The contents of the .htaccess file are below:
# BEGIN Wordfence code execution protection
<IfModule mod_php5.c>
php_flag engine 0
</IfModule>
<IfModule mod_php7.c>
php_flag engine 0
</IfModule>
<IfModule mod_php.c>
php_flag engine 0
</IfModule>
AddHandler cgi-script .php .phtml .php3 .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
# END Wordfence code execution protection
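As an added example (not part of Wordfence), the check below confirms that the block shown above is present in the top-level uploads “.htaccess” and lists PHP files and nested “.htaccess” files for manual review, since a deeper “.htaccess” can override the top-level one where the server permits it. The function names and the sample directory tree are constructed.

```python
import os
import re
import tempfile

BEGIN = "# BEGIN Wordfence code execution protection"
END = "# END Wordfence code execution protection"
REQUIRED = ("php_flag engine 0", "Options -ExecCGI")
PHP_EXTS = (".php", ".phtml", ".php3")  # PHP extensions from the AddHandler line


def protection_lines(htaccess_text):
    """Return the stripped lines between the BEGIN/END markers ([] if absent)."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), htaccess_text, re.S)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []


def audit_uploads(uploads_dir):
    """Check the top-level .htaccess and list files worth a manual look."""
    top = os.path.join(uploads_dir, ".htaccess")
    text = ""
    if os.path.isfile(top):
        with open(top, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    lines = protection_lines(text)
    missing = [d for d in REQUIRED if d not in lines]
    php_files, nested = [], []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), uploads_dir)
            if name == ".htaccess" and root != uploads_dir:
                nested.append(rel)  # a deeper .htaccess can override the top one
            elif name.lower().endswith(PHP_EXTS):
                php_files.append(rel)
    return {"protected": bool(lines) and not missing, "missing": missing,
            "php_files": sorted(php_files), "nested_htaccess": sorted(nested)}


def build_sample(root):
    """Constructed uploads tree: protection block, one PHP file, one nested .htaccess."""
    os.makedirs(os.path.join(root, "2024", "05"))
    block = "\n".join([BEGIN, "<IfModule mod_php.c>", "php_flag engine 0",
                       "</IfModule>", "Options -ExecCGI", END, ""])
    files = ((".htaccess", block), ("2024/05/photo.jpg", "x"),
             ("2024/05/avatar.php", "x"),
             ("2024/.htaccess", "# constructed nested file\n"))
    for rel, body in files:
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_uploads(tmp))
```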
Disable Wordfence Cookies
This option was removed as part of our adjustments for EU GDPR with Wordfence version 7.1.16. Sites that were previously enabling this option to avoid issues with cache do not need to make any changes. Wordfence has implemented other ways of distinguishing between bots/humans and regular users/admins and does not use cookies by default on the front end of sites. The only time a cookie is set on the front end is when the country blocking bypass feature is enabled. You can read more about the cookies that Wordfence sets here.
Pause live updates when window loses focus
This option displays a “Live Updates Paused” overlay on the “Scan” and “Live Traffic” pages, and the small overlay on the “Wordfence Live Activity” bar on some pages. This saves server resources by only updating the page while you are actively using it. For this reason, it is enabled by default, but you can disable it if you need your site to display updates while you are working in another window.
Disabling this option is not recommended for most shared hosting plans, as it can be the resource usage equivalent of a visitor reaching your site every two seconds. If you keep this option disabled, you may want to increase the time in the “Update interval in seconds” option, so your browser will request fewer updates from the site.
Update interval in seconds
This option specifies how often Wordfence updates the view in your admin interface. This applies specifically to real-time views like on the “Live Traffic” and the “Scan” pages. On both pages, data appears in real-time as progress is occurring.
Wordfence will cause your web browser to repeatedly send a request to check if new data is available. Those requests consume server resources, and on web hosting providers that don’t provide many resources, you may receive complaints from your host about the resources you are using when viewing the “Live Traffic” or “Scan” pages and leaving your web browser window open.
By changing this setting, which controls how often the live data is refreshed, from the default of 2 seconds to something like 10 or 15 seconds, you dramatically reduce the amount of processing power that viewing the “Live Traffic” or “Scan” page will consume.
This setting does not affect the resource usage of the scan process itself. It determines how often your web browser connects to your site to refresh the scan log where you see the scan progress. Increasing this value decreases the frequency, making your view refresh less frequently. This reduces the number of requests that are made to your site which can help on resource-limited sites.
Bypass the LiteSpeed “noabort” check
On many LiteSpeed web servers in the past, the server administrator had set the “External Application Abort” option to abort long-running processes, which can cause scans to fail and prevent Wordfence plugin automatic updates from working properly. This could usually be overridden by setting a value in your main “.htaccess” file (see Wordfence and LiteSpeed). If this is not done, we normally disable automatic updates, to prevent LiteSpeed from interrupting an update.
But on some LiteSpeed servers we’ve seen recently, the administrator has disabled these aborts for all sites, so it is not necessary to set “noabort” in your main “.htaccess” file. If you are certain that your host uses LiteSpeed and that the “External Application Abort” option is set to “No Abort”, then you can enable this option so that Wordfence will skip checking for “noabort” in your main “.htaccess” file.
Delete Wordfence tables and data on deactivation
By default, if you disable Wordfence, the database tables will remain in place with their data. This is to ensure that if you accidentally or temporarily deactivate Wordfence then you won’t lose your configuration or the data you have accumulated like the “Live Traffic” page data.
If you would like to remove all Wordfence data when you deactivate the plugin then check this box and save the change. When you disable the plugin then all Wordfence database tables, entries in the WordPress options database table, scheduled cron jobs, and any other stored data associated with the Wordfence plugin will be removed.
Note that this does not include “Login Security” settings and tables, which have a similar option at the bottom of the “Login Security” > “Settings” page. This allows you to leave those settings in place if you are switching to the standalone Wordfence Login Security plugin. This will be simplified in an upcoming version.
If you then reactivate Wordfence after removing all tables and data, it will appear as if it has been activated on your website for the first time.
Dashboard Notification Options
These options allow you to select which types of notifications appear on the Wordfence “Dashboard” page. Free users can choose to disable notifications for updates (plugins, themes, and WordPress core) and scan results. If you have Wordfence Premium, options for disabling other types of notifications will appear.
Email Alert Preferences
Wordfence sends email alerts on certain events if you have enabled the alerts in this section. The alerts are sent to the email address provided under the “General Wordfence Options” section in the field titled “Where to email alerts”.
Using the option “Maximum email alerts to send per hour” allows you to limit the number of email alerts received per hour to prevent being inundated with emails. You can also disable alerts if you are experiencing a brute force attack and the email alerts you are receiving are becoming overwhelming.
Activity Report
This feature lets you enable an email activity report that summarizes recent security-related events on your site. You can choose whether you want this activity report every day, every week, or every month. There is also an option to exclude certain directories from the “Recently Modified Files” section of the activity report. Two directories are added here by Wordfence itself. These directories are excluded since file modifications in these folders are normal and frequent.
- wp-content/cache
- wp-content/wflogs
The “Activity Report” section also lets you enable or disable the Wordfence activity report widget on the WordPress “Dashboard” page.