Wordfence Now Works on WP Engine
At WP Engine, we maintain a list of plugins that are disallowed on our platform for various reasons. We do this to ensure the security and performance of our WordPress Digital Experience Platform and to prevent redundancies between certain plugins and our platform.
Wordfence, which is a highly popular security plugin used by more than 3 million WordPress users, was originally introduced to WP Engine’s Disallowed Plugins list in 2014 due to its incompatibility with our platform’s internal security offering.
For many Wordfence and WP Engine customers, this incompatibility between the two platforms was a major pain point during site creation, development, and maintenance. But no longer.
After developers from both companies teamed up and worked together to make the services compatible with one another, we’re excited to announce that Wordfence now works on WP Engine’s DXP and is no longer included on our list of disallowed plugins!
What is Wordfence?
Wordfence is the most popular WordPress security plugin in the world and the ninth most popular WordPress plugin overall. Wordfence includes a Web Application Firewall (WAF) that identifies and blocks malicious traffic. It runs at the endpoint, enabling deep integration with WordPress.
Unlike cloud-based alternatives, Wordfence doesn’t break encryption, cannot be bypassed, nor can it leak data. The plugin’s integrated malware scanner blocks requests that include malicious code or content and it defends against brute force attacks by limiting login attempts, enforcing strong passwords, and other login security measures.
Additionally, Wordfence’s WordPress scanner checks core files, themes, and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections. It also compares your files with those in the WordPress.org repository, checks their integrity, and reports any changes back to you.
It also checks your site for known security vulnerabilities, as well as abandoned and closed plugins. Content safety checks ensure that your files, posts, and comments don’t contain dangerous URLs or suspicious content.
Wordfence + WP Engine: Becoming Compatible
As mentioned above, Wordfence was originally introduced to the WP Engine Disallowed Plugins list due to its incompatibility with WP Engine’s internal security offering. More specifically, WP Engine implemented a policy that restricted writing to PHP files from external requests. In other words, write access is only granted to the filesystem when a WordPress administrator is logged in. This policy helps keep our customers’ file systems safe by limiting change-making capabilities to authenticated users. However, the policy limited Wordfence’s compatibility with the platform because the plugin required the restricted capability in order to update its WAF rules.
To remedy this, the WP Engine and Wordfence team worked together to update the Wordfence plugin so it would store their WAF rules in a database instead of the filesystem. This change improves the security of Wordfence because storing the rules in a database, rather than a filesystem, makes the data more secure.
WP Engine now fully supports Wordfence, widening the possibilities for users who are interested in Wordfence or WP Engine.
Thank you for working with Wordfence to get this going. Wordfence is a “trusted friend” and one of the first plugins we install on any WordPress website we develop. Now WP Engine sites don’t have to be an exception!
Does the impact of running Wordfence have much impact on the site’s performance?
Hey Charlie. I work for WPE. We haven’t tested that specifically. I’d imagine it depends a bit on which features in WF you use, but I can confirm that WF is not popping up as worrisome offender regarding performance for us. Of course, you can use our staging features to make a clone of your site to test with WF to gauge the performance impact for you (if any). I hope this helps!
Hi David,
I would LOVE to see a list of those worrisome offenders regarding performance from WPE’s perspective. Any chance to see that in a future post?
Glad to hear of the change and happy both teams were able to work together to accomplish this.
Are there any recommended settings for Wordfence (note the small “f” BTW) when used on WP Engine? Are there any features that overlap or conflict with one another?
Hey Kevin. I work for WPE.
I’m not sure if you’re looking at a cached version of this blog post, but we did correct the misspelling to the lowercase “f” 🙂
As for feature overlap, I’m not 100% sure if there is no overlap, but I can confirm we don’t have any overlap that would cause customers problems. In this way, you should be good to go. Please let us know in your portal / support chat if you have any issues, and we’ll be happy to help out!
Did it stop working recently? I get the following error:
“The Wordfence Web Application Firewall cannot run. The configuration files are corrupt or inaccessible by the web server, which is preventing the WAF from functioning. Please verify the web server has permission to access the configuration files. You may also try to rebuild the configuration file by clicking here. It will automatically resume normal operation when it is fixed. “
Hello Isaac. Nothing has changed recently that would result in this. I’d recommend you open up a support chat at my.wpestaging.qa so we can help troubleshoot. If this is indeed a platform compatibility issue vs. something specific to your site, support will escalate to my team. In either case, we’re happy to help 🙂