Constants

Wordfence constants for advanced configuration

Wordfence has many options that can be set within the WordPress admin pages, but there are some additional options that are not often needed. These can be set in wp-config.php before the line that says /* That's all, stop editing! Happy blogging. */, or, where noted below, in the wordfence-waf.php file. The distinction matters for the firewall: with “Extended Protection” enabled, the firewall runs before WordPress has loaded wp-config.php, so firewall constants must be set in wordfence-waf.php to take effect.

Scans

WORDFENCE_SCAN_ISSUES_PER_PAGE

The Wordfence scan results page shows up to 100 results by default, and loads more results when you reach the bottom of the page. You can adjust this higher or lower with this line, shown here with the default of 100; change the number as needed:

define('WORDFENCE_SCAN_ISSUES_PER_PAGE', 100);

WORDFENCE_DISABLE_MISCONFIGURED_HOWGETIPS

Wordfence can detect how your server sees visitors’ IP addresses and alert you if your site may not be set up to get the visitor IP addresses correctly. If you need to disable notices about this, you can add this to wp-config.php:

define('WORDFENCE_DISABLE_MISCONFIGURED_HOWGETIPS', true);

WORDFENCE_CHECKHOWGETIPS_TIMEOUT

In addition to the option above, if you do not want to disable the check entirely, you can set a shorter timeout for it. This may be helpful on a development copy of your site that is not publicly accessible, where the check cannot succeed and would otherwise wait for the full default of 30 seconds. Many sites work correctly with a timeout of 10 seconds. The line below is shown with the default of 30; lower the number to shorten the wait:

define('WORDFENCE_CHECKHOWGETIPS_TIMEOUT', 30);

WORDFENCE_SCAN_FAILURE_THRESHOLD

If you see the message, “The current scan looks like it has failed” while a scan is still running properly, you may have a cache plugin or database server cache interfering with the scan results. By default, Wordfence checks for missing scan result messages in the last 5 minutes (300 seconds). If necessary, you can adjust this to a longer time period to prevent displaying the message. For example, this line would set the duration to 10 minutes:

define('WORDFENCE_SCAN_FAILURE_THRESHOLD', 600);

WORDFENCE_SCAN_MIN_EXECUTION_TIME

Wordfence scans are split into short segments, usually running for half of PHP’s max_execution_time. Some hosts have resource limits set outside of PHP, or configuration problems that cannot be detected automatically, which may end a scan while it is still running without leaving any error message in the site’s error logs. Normally the option Maximum execution time for each scan stage can be lowered to work around this, but the lowest value that works with most hosts is currently 8 seconds, and that is the floor Wordfence applies to the option. We recommend not changing this floor in most cases, but fast servers with extremely low resource limits may be able to run scans successfully with a lower value. Set it with this constant, shown here with the default of 8 seconds:

define('WORDFENCE_SCAN_MIN_EXECUTION_TIME', 8);
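As an added example (not Wordfence’s own code), the scan constants above combined into one wp-config.php block that applies different values to production, staging and local copies of a site. It assumes the environment is signalled through the WP_ENVIRONMENT_TYPE environment variable, which WordPress itself reads; that variable name and the chosen values are assumptions for illustration, so adjust them to your deployment.

```php
<?php
// Added example, not Wordfence's own code. Place this block in wp-config.php
// before the line  /* That's all, stop editing! Happy blogging. */
// Assumption: deployments export WP_ENVIRONMENT_TYPE (production, staging,
// development or local), the same variable WordPress reads; when it is
// absent, the production settings apply.

$wfEnv = getenv('WP_ENVIRONMENT_TYPE');
if ($wfEnv === false || $wfEnv === '') {
    $wfEnv = 'production';
}

switch ($wfEnv) {
    case 'production':
        // Public site behind a page cache: allow 10 minutes (600 s) instead
        // of 5 for scan-result messages before the scan is reported as
        // failed, so a caching layer does not trigger a false "scan failed".
        define('WORDFENCE_SCAN_FAILURE_THRESHOLD', 600);
        break;

    case 'staging':
        // Reachable from the internet, so the visitor-IP check can still
        // succeed, but do not let it hold a scan stage for 30 seconds.
        define('WORDFENCE_CHECKHOWGETIPS_TIMEOUT', 10);
        break;

    default:
        // development / local: the site is not reachable from outside, so
        // the visitor-IP check can never succeed; silence its notice rather
        // than merely shortening a check that is guaranteed to fail.
        define('WORDFENCE_DISABLE_MISCONFIGURED_HOWGETIPS', true);
        // Smaller result pages keep the scan page responsive on a slow box.
        define('WORDFENCE_SCAN_ISSUES_PER_PAGE', 50);
        break;
}

// WORDFENCE_SCAN_MIN_EXECUTION_TIME is deliberately left at its default of 8
// everywhere; lowering it is a last resort for hosts with very low limits.
unset($wfEnv);
```

Keeping the environment-specific values in one conditional block, rather than hand-editing wp-config.php per copy, means a staging or local copy cannot be promoted with its relaxed settings still in place.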

Web Application Firewall (WAF)

WFWAF_LOG_PATH

If you run Wordfence on a site where the wp-content directory is not writable, you can change the default path to one that is. When the firewall is set up with “Extended Protection” (using .htaccess or .user.ini), modify the line below in wordfence-waf.php, changing the path to a directory that the web server user can write to and that is not served directly to visitors, since the firewall stores its log and configuration files there:

define("WFWAF_LOG_PATH", '/var/www/html/wp-content/wflogs/');

WFWAF_ENABLED

If you need to disable the Web Application Firewall, use this constant. Where it goes depends on the firewall’s “Protection Level”. If it is set to “Extended Protection”, add the constant on the line after the opening “<?php” tag in the “wordfence-waf.php” file, which is located in the root directory of your WordPress installation, the same directory as the WordPress “wp-config.php” configuration file. If it is set to “Basic WordPress Protection”, or “wordfence-waf.php” does not exist in that directory, add the constant on the line after the opening “<?php” tag in “wp-config.php” instead:

define('WFWAF_ENABLED', false);

WFWAF_DISABLE_RAW_BODY

Due to the way PHP handles reading from php://input, some plugins could have a conflict with the firewall. There are no known conflicts at the time of this writing, but if you find a plugin that conflicts with this part of the firewall, it can be disabled. Disabling this feature will prevent some firewall rules from detecting malicious activity, so it is only recommended as a temporary solution. If necessary, this line should be added to wordfence-waf.php instead of wp-config.php if the firewall is set up with “Extended Protection”:

define('WFWAF_DISABLE_RAW_BODY', true);

WFWAF_ALWAYS_ALLOW_FILE_WRITING

In rare cases, a logged-in admin may see a notice saying:

“The Wordfence Web Application Firewall is in read-only mode. PHP is currently running as a command line user and to avoid file permission issues, the WAF is running in read-only mode. It will automatically resume normal operation when run normally by a web server.”

Read-only mode means that the firewall will not write to its configuration file or other files, mainly to avoid issues with file permissions or other issues when PHP is not being run via the web server.

This notice should only appear when PHP is being run from the command line, and it should not appear when you are logged in as an admin on a site with a normal PHP installation. If you see this notice during normal use of your site, you can set the constant below in the WordPress “wp-config.php” configuration file as a temporary fix. Please also notify us so we can determine how your server has been set up.

define('WFWAF_ALWAYS_ALLOW_FILE_WRITING', true);

WFWAF_LOG_FILE_MODE

Wordfence detects whether its files in wp-content/wflogs/ should have group read/write permissions. If that detection does not give the right result on your server, for example because programs other than the web server need access to the files and run as a different user in the same group, you can set the permissions explicitly with this constant. Valid values are 0600 (owner only, no group read/write) and 0660 (group read/write allowed); use the stricter 0600 unless another account genuinely needs the files. If the firewall is set up with “Extended Protection”, add this line to wordfence-waf.php instead of wp-config.php:

define('WFWAF_LOG_FILE_MODE', 0660);
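As an added example (not Wordfence’s own code) covering WFWAF_LOG_PATH and WFWAF_LOG_FILE_MODE together, the following wordfence-waf.php fragment moves the firewall’s files to a directory outside the document root, creates it with owner-only permissions if it is missing, and only overrides the default path when the directory is genuinely writable. The path /var/www/private/wflogs/, the assumption that wordfence-waf.php sits in the WordPress root (so __DIR__ . '/wp-content/wflogs/' is the stock location) and the placement of these lines ahead of the file’s existing WAF bootstrap include are all assumptions.

```php
<?php
// Added example, not Wordfence's own code. Paste the lines after the opening
// tag into wordfence-waf.php ahead of the include of the WAF bootstrap.
// Assumptions: /var/www/private/ is outside the document root and the PHP
// process user may create directories under it.

$wfwafPrivateLogPath = '/var/www/private/wflogs/';   // assumed, not web-served

// Create the directory with owner-only permissions if it does not exist.
// The @ keeps a failed mkdir from printing a warning into the HTTP response.
if (!is_dir($wfwafPrivateLogPath)) {
    @mkdir($wfwafPrivateLogPath, 0700, true);
}

if (is_dir($wfwafPrivateLogPath) && is_writable($wfwafPrivateLogPath)) {
    define('WFWAF_LOG_PATH', $wfwafPrivateLogPath);
    // 0600: only the web server user can read and write the WAF files.
    // Switch to 0660 only when another account in the same group (a cron
    // or CLI user, for example) must read or update them.
    define('WFWAF_LOG_FILE_MODE', 0600);
} else {
    // Fall back to the stock location rather than pointing the WAF at a
    // directory it cannot use; the failure is logged so it is not silent.
    error_log('wordfence-waf.php: ' . $wfwafPrivateLogPath
        . ' is not writable, using the default wflogs directory');
    define('WFWAF_LOG_PATH', __DIR__ . '/wp-content/wflogs/');
}
unset($wfwafPrivateLogPath);
```

The writability check matters because this file runs on every request before WordPress: a wrong path would otherwise fail quietly rather than showing up as a visible error.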

WAF mysqli storage engine

WFWAF_STORAGE_ENGINE

For sites that are unable to read/write files for WAF configuration consistently, you can set this constant to use the MySQL database instead. A separate connection to the database is necessary, since the WAF can run before WordPress. Details and recommendations can be found on the MySQLi storage engine page, and the constant to set in wordfence-waf.php is:

define('WFWAF_STORAGE_ENGINE', 'mysqli');

Optional mysqli storage engine constants

If your database settings cannot be read automatically from wp-config.php, you can set these constants in wordfence-waf.php. This may be necessary if you set the WordPress database constants dynamically in your dev/staging/production environments, or if you load them from environment variables or other files. Setting these “WFWAF_DB_” constants will override the values read from wp-config.php, when the WAF connects to the database, and they will not affect the database connection that WordPress itself uses.

Note: The WAF must be able to connect to the database. Make sure these values are correct, because the site will fail to load if they are wrong. If the site stops loading after you add them, commenting them out or removing them temporarily will restore it while you check the values.

Example:
define('WFWAF_DB_NAME', 'db_name');
define('WFWAF_DB_USER', 'db_user');
define('WFWAF_DB_PASSWORD', 'db_password');
define('WFWAF_DB_HOST', '127.0.0.1');
define('WFWAF_DB_CHARSET', 'utf8');
define('WFWAF_DB_COLLATE', '');
define('WFWAF_TABLE_PREFIX', 'wp_');

WFWAF_MYSQL_CLIENT_FLAGS

If you use MYSQL_CLIENT_FLAGS to connect WordPress to your database over SSL/TLS, set WFWAF_MYSQL_CLIENT_FLAGS in wordfence-waf.php as well, so that the WAF’s own connection also uses SSL/TLS. Supported values are MYSQLI_CLIENT_SSL and, optionally, MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT. The second flag skips verification of the server’s certificate, so the connection is encrypted but the database server is not authenticated; only add it if you have no CA certificate to verify against (see WFWAF_DB_SSL_CA_CERTIFICATE below), and prefer verification otherwise.

Example:
define('WFWAF_MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL | MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT);

MySQL also accepts additional SSL/TLS settings. These constants are optional and are passed to mysqli_ssl_set(). You should use the same settings that you use for WordPress itself, if your site needs them. Otherwise, do not set them.

Example:
define('WFWAF_DB_SSL_KEY', '/path/to/client-key.pem');
define('WFWAF_DB_SSL_CERTIFICATE', '/path/to/client-cert.pem');
define('WFWAF_DB_SSL_CA_CERTIFICATE', '/path/to/ca-files/ca.pem');
define('WFWAF_DB_SSL_CA_PATH', '/path/to/ca-files/');
define('WFWAF_DB_SSL_CIPHER_ALGOS', 'DHE-RSA-AES128-SHA');
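As an added example (not Wordfence’s own code) serving both the optional WFWAF_DB_ constants above and the SSL/TLS constants, the following wordfence-waf.php fragment covers the case the text describes where wp-config.php cannot be parsed because it loads its own credentials from environment variables. The environment variable names (DB_NAME, DB_USER and so on), the helper function wfwaf_cfg_env, the CA path /etc/ssl/mysql/ca.pem and the placement ahead of the file’s WAF bootstrap include are all assumptions for illustration.

```php
<?php
// Added example, not Wordfence's own code. Paste the lines after the opening
// tag into wordfence-waf.php ahead of the include of the WAF bootstrap.
// Assumptions: the deployment exports DB_NAME, DB_USER, DB_PASSWORD and
// optionally DB_HOST, DB_CHARSET and DB_TABLE_PREFIX as environment
// variables (the same values wp-config.php uses), and the database server's
// certificate chains to the CA in /etc/ssl/mysql/ca.pem.

// Hypothetical helper: read a required value from the environment, with an
// optional fallback, so a missing variable is reported rather than silently
// becoming an empty string that breaks the site with no explanation.
function wfwaf_cfg_env(string $name, ?string $default = null): string {
    $value = getenv($name);
    if ($value === false || $value === '') {
        if ($default === null) {
            error_log("wordfence-waf.php: required environment variable {$name} is not set");
            exit('Site configuration error.');
        }
        return $default;
    }
    return $value;
}

// Store WAF configuration in the database instead of files under wflogs/.
define('WFWAF_STORAGE_ENGINE', 'mysqli');

// The WAF opens its own connection; these do not affect WordPress's own
// database connection, so they must match the values wp-config.php ends up
// with (the charset here is a placeholder; match your DB_CHARSET).
define('WFWAF_DB_NAME',      wfwaf_cfg_env('DB_NAME'));
define('WFWAF_DB_USER',      wfwaf_cfg_env('DB_USER'));
define('WFWAF_DB_PASSWORD',  wfwaf_cfg_env('DB_PASSWORD'));
define('WFWAF_DB_HOST',      wfwaf_cfg_env('DB_HOST', '127.0.0.1'));
define('WFWAF_DB_CHARSET',   wfwaf_cfg_env('DB_CHARSET', 'utf8mb4'));
define('WFWAF_DB_COLLATE',   '');
define('WFWAF_TABLE_PREFIX', wfwaf_cfg_env('DB_TABLE_PREFIX', 'wp_'));

// TLS to the database, verifying the server certificate against our CA.
// Deliberately NOT OR-ing in MYSQLI_CLIENT_SSL_DONT_VERIFY_SERVER_CERT:
// without verification the link is encrypted but the peer is not
// authenticated, so anything able to answer on the DB host's address could
// harvest the credentials and read or alter the WAF's configuration.
define('WFWAF_MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);
define('WFWAF_DB_SSL_CA_CERTIFICATE', '/etc/ssl/mysql/ca.pem');

// Client certificate and key are only needed when the server requires
// mutual TLS; uncomment and point at the same files WordPress uses.
// define('WFWAF_DB_SSL_KEY', '/etc/ssl/mysql/client-key.pem');
// define('WFWAF_DB_SSL_CERTIFICATE', '/etc/ssl/mysql/client-cert.pem');
```

Failing closed with a generic message when a variable is missing mirrors what happens anyway with wrong values (the site does not load), but puts the actual cause in the error log instead of leaving you to guess.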

Compatibility options

WORDFENCE_ALLOW_DIRECT_MYSQLI

On sites with HyperDB configured with one or more read-only database servers, or when there are other uncommon issues with a database, the mysqli PHP extension sometimes does not work correctly. You can set this constant to the boolean false (not the string 'false') in wp-config.php so that Wordfence will not use mysqli directly:

define('WORDFENCE_ALLOW_DIRECT_MYSQLI', false);

WORDFENCE_PREFER_WP_HOME_FOR_WPML

WPML in certain configurations will change the internal domain that WordPress uses when generating URLs. Normally, Wordfence can detect the site’s main domain automatically in these cases, but it can’t detect if you override the site’s URL using WP_HOME and WP_SITEURL in your wp-config.php to a single domain or a dynamic value. If your site is set up with a single domain in WP_HOME and WP_SITEURL, you can set this constant in wp-config.php so Wordfence will prefer that domain:

define('WORDFENCE_PREFER_WP_HOME_FOR_WPML', true);

Other Features

WORDFENCE_DISABLE_FILE_VIEWER

Wordfence has a file viewer that lets you view files from the scan results page. If you have limited your admin account’s abilities and would like to disable the file viewer, you can set this constant. This also disables the side-by-side comparison for modified core/plugin/theme files, but the scans will still notify you if the files have changed:

define('WORDFENCE_DISABLE_FILE_VIEWER', true);

WORDFENCE_DISABLE_LIVE_TRAFFIC

The Live Traffic feature can be disabled either on the “Live Traffic” tool page or on the “All Options” page by setting the traffic logging mode to SECURITY ONLY. If you also need to stop other admins from re-enabling it, set this constant. This is helpful for developers whose clients are on slow hosts, or where the client has an admin account and might turn Live Traffic on:

define('WORDFENCE_DISABLE_LIVE_TRAFFIC', true);

WORDFENCE_BLOCKED_IPS_PER_PAGE

The Blocked IPs page will show up to 100 blocked IPs by default. If you have a long list of blocked IPs, you can change this value to a lower amount if you prefer faster loading, or increase the amount to load more entries, which may be helpful if you use your browser’s search to find blocked IPs:

define('WORDFENCE_BLOCKED_IPS_PER_PAGE', 100);

WORDFENCE_LS_EMAIL_VALIDITY_DURATION_MINUTES

When the reCAPTCHA option on the Login Security page is in use, visitors who fail the captcha while logging in receive an email with a validation link. By default these emails are valid for 15 minutes. You can change the duration with this constant if needed; for example, if your host’s mail server delivers mail slowly, 30 minutes may be more reliable than 15. The line is shown here with the default of 15:

define('WORDFENCE_LS_EMAIL_VALIDITY_DURATION_MINUTES', 15);

WORDFENCE_LS_DISABLE_NTP

Wordfence uses NTP (Network Time Protocol, UDP port 123) to generate valid 2FA codes even when the server’s clock is not correct. If you do not want to use NTP, for example because the server cannot reach NTP servers on outbound UDP port 123 and its clock is kept accurate by other means, you can untick the checkbox in the Login Security settings or set this constant:

define('WORDFENCE_LS_DISABLE_NTP', true);