Hi,
I installed the plugin and now I can’t access my site even though I’m the admin. I get this message: “Two-factor authentication – Your 2FA grace period has expired. Please contact your site administrator to restore access and configure 2FA.”
It’s very annoying when a plugin manages to block the site admin.
What’s the solution to this problem?

I recently rebuilt my website on a LEMP stack and it was working perfectly until I installed and configured Wordfence to employ the hide login page feature. Now, when I try to login, the website comes up without the login page with the following message:

Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-file-upload domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /var/www/odyssey/wp-includes/functions.php on line 6114

I want to deactivate the Wordfence plugin but can’t because I can’t log in to the WordPress dashboard. Alternatively, I would like to know how to fix this problem as I really do want to use Wordfence.

I am so frustrated. I was helping another admin user set up their 2 factor authentication using Google Authenticator and finally got it set up for them. They told me that when they went to finally log in, the log in button turned gray and nothing happened. They thought maybe it was because I was logged into the site on a different account, which doesn’t really make sense but I logged out just to see.

Now neither of us are able to log in and we both get the gray log in button doing nothing. I’m so frustrated since we are the only 2 users on this account. I want to cry because I was editing a blog post that needed to be posted today. PLEASE HELP! I don’t know what went wrong and I am so frustrated.

• This topic was modified 2 days, 7 hours ago by goldenemo98.

I’ve been testing an embed form in a pop-up but it keeps going BLANK at least overnight. Suddenly it occurred to me to check Wordfence. Sure enough there are lots of hits showing my ‘test page’ on the same site is blocked (the popup uses an Iframe to call the page with the embed form.)

Is there a way to stop it doing this? I whitelisted the IP I found in Wordfence, but the block seems to be stuck somewhere.

So now I can not finish testing nor make it live, because I can’t see the form at all to confirm it looks or works right.

My website is running Wordfence, and suddenly, from one day to the next, I can’t log in to the admin panel. I get the error message:

“CAPTCHA EXPIRED: The CAPTCHA verification for this login attempt has expired. Please try again.”

I’ve tried clearing the cache and even deactivating W3 Total Cache, but nothing seems to work. Any ideas on how to fix this?

Hello,

I have a recurring issue with Wordfence Central. From the “Configuration” tab, the sync state of my sites always returns to “local changes” even though I haven’t made any changes.

Each time, the local changes indicate modifications of commas or spaces. However, the data is exactly the same on both Wordfence and the back office.

Thank you.

Hi,

I activated Wordfence, and made some setting changes. After saving the blocking settings, I got a 403 response from nginx. Since then, I can visit the site, I can log in, and I can basically do anything, but if try to open any Wordfence pages or the plugins page, I get the 403, so there is no way I can make any changes to the settings anymore. How can I fix this?

Thanks!

Ben

• This topic was modified 2 days, 15 hours ago by jofbe.

Hi, I am the administrator and site admin of my website. I was trying to login to WP dashboard but it shows 2FA grace period is expired. Contact site administrator to regain access and configure 2FA. I logged in through my cpanel but don’t know and can’t find where is this option? I deactivated the 2FA but still the same issue. How to fix it please? Thanks.

The dashboard widget shows blocked ips, But in the WF interface there are no blocked ips but those manually added. https://www.loom.com/share/1e3dff11826d42db989ed3214fb77ce4?sid=02650df5-1090-4c10-8478-6a718f5180ec … Is this normal on the free version? Thanks.

Hi!

Please add ability to change the endpoint URL and name for Wordfence 2FA in Woo MyAccount.

It should say “Two Factor” so people know what it is. Nobody outside of WordPress has ever heard of WordFence.

Please add option to customize in settings.

thank you

Hello – as Google Recapcha is becoming a paid service it would be fantastic if we can add Turnstyle as an option

First off, there are several topics with the same issue and I commented on them to say I was also experiencing the same issue. For some reason the support moderator has deleted my posts. Surely this is creating more work for devs with so many topics for the same issue??

Back to my issue and others. I was unable to login to my website admin due to there being an issue with recaptcha and Wordfence blocking this. I kept getting “CAPTCHA EXPIRED: The CAPTCHA verification for this login attempt has expired. Please try again.” And emails sent saying “The request was flagged as suspicious, and we need verification that you attempted to log in to allow it to proceed. This verification link?will be valid for 15 minutes?from the time it was sent. If you did not attempt this login, please change your password immediately.”

Clicking the link in the email did nothing as I was still unable to login. Eventually I had to log in to the server by SSH and deactivate Wordfence completely. It’s now enabled again and I can log in but will this happen again as it’s lost 2 hours of my day trying to learn how to do all this!

I have added these definitions to the wp-config file and it still gives the same error

define(‘WORDFENCE_SCAN_ISSUES_PER_PAGE’, 100);
define(‘WORDFENCE_DISABLE_MISCONFIGURED_HOWGETIPS’, true);
define(‘WORDFENCE_CHECKHOWGETIPS_TIMEOUT’, 30);
define(‘WORDFENCE_SCAN_FAILURE_THRESHOLD’, 600);
define(‘WORDFENCE_SCAN_MIN_EXECUTION_TIME’, 8);

So I have been using Wordfence for many years with very few problems. I have been with my current host for 18 months (rocket.net) and they are pretty good, Lightspeed Servers etc, but lately when a scheduled scan runs every now and again it will start of fine but when it’s scanning the additional files it will start quite fast at around 18-19 files per second but after a while it slows right down to 1.5-2 files per second and eventually the 3 hour limit is hit and the scan fails. Annoyingly it doesn’t do it all the time, roughly 25% of the time. It seems as though something maybe throttling the scan but not sure what that could be, any ideas?

Been using Wordfence for years without issue.

In the last month or so we’re getting errors on all wordfence sites with recaptcha issues. Sometimes its the “CAPTCHA EXPIRED: The CAPTCHA verification for this login attempt has expired. Please try again.” or other times it’s recaptcha timing out with an error saying the site key is missing.

I know there has been an update to recaptcha but not sure if this is related.

We’ve had to uninstall wordfence from all the sites to get them working

Hey!

I will try to keep this as short as possible.

We installed the wordfence with the firewall. Noticed that the website is slower and first time in 10 years in one week we received multiple dm’s on instagram that the website is not loading for them. I disabled the firewall and deleted the plugin. And the problem with page not loading is still here. We keep receiving 1-2 dms a day. We are on cloudways.

Asked for screenshots and videos, and some replied and showed. For example a person googles and than click on the top result (our website on google) – he instantly gets blank page with error “Safari can’t open the page because it couldn’t establish a secure connection to the server.” The same person than loaded vpn and he can access. (originally he has T-Mobile from California).

Can you please help?

This is a general question on how to use the plugin.

I am a NEW user of Wordfence. We are currently using the tool feature to monitor live traffic. If a logon attempt has been BLOCKED, should we BLOCK IP also?

Hello, my website has probably been hacked. I found external files via FTP. I have been using the free plan so far, if I upgrade to premium now, can you help me to fix the problem or is this an additional cost?
Thank you

Sometimes I find multiple logins from the same user in the Login Attempts screen list (Firewall menu). They are stacked one after the other, eg:

Frankie 109.xxx.178.xxx 20 hours 58 minutes ago
Frankie 109.xxx.178.xxx 20 hours 58 minutes ago
Frankie 109.xxx.178.xxx 20 hours 58 minutes ago

They look like multiple attempts to login, BUT this is in the Successful tab: so why should a person try to login if he’s logged in? (look at the time too: it’s always about the same time)

What could be the cause? This happens in Tools > Live traffic too.

Thanks

I have a E-commerce website and recently started using Free WordFence Security Plugin. But few of my regular client have complaint that they are unable to access the website. Please help

Hey!

I am trying to install wordfence on my woocommerce store, I already messaged my hoster to check if they are any restrictions on the server configuration and I was told, that there shouldnt be any issues – other clients are able to use WordFence without any issues. I am getting curl error 28 and I am not using any kind of security plugin. I already mailed the report to you!

I have a website and my scan stopped with this message.

[Feb 24 17:29:46] Analyzed 9300 files containing 205.68 MB of data so far
[Feb 24 17:36:53] Calling Wordfence API v2.26:https://noc1.wordfence.com/v2.26/?k=0010b64d10ea8a5db02a92a69169062ab28bbe819797ab23a9e927d95d3939569003b3139aae1ec56c64672db45133d0dc4fdb0cbf368f8ef596589134785e97&s=eyJ3cCI6IjYuNy4yIiwid2YiOiI4L

How to fix the fail scan?

If I understand correctly when should I change my domain:

I can disable Wordfence, delete it, then install Wordfence Assistant and click ‘Remove all Wordfence Data in the Database and elsewhere.’

Should I select ‘Delete 2FA secrets’ before clicking ‘Remove all Wordfence Data in the Database and elsewhere’ in that case?

After that, I can move the site to a brand new domain (change domain) and reinstall Wordfence from scratch?

Hi all

On one of my websites i use the buddyboss plugin that has the option to include .gify gifs in forum and activity comments.

Unfortunately, every time there is an attempt to add gif it is blocked by firewall for “XSS: Cross Site Scripting in POST body:”

I can add the url/Param to the allow list which adds the param request.body[bbp_media_gif] to the allow list for the url and the post can be made with the gif attahed.

however, the next time someone else tries to post a gif on a different forum topic, they get the gif blocked for the same reason.

Is there anyway I can allow list request.body[bbp_media_gif] for all URLs? I did try to use

/* in the URL

and

/* request.body[bbp_media_gif] in the param body but this did not work as I hoped.

Thanks in advance

Just installed Wordfence since my site has been compromised. After doing a high-sensitivity scan, it’s returning about 2800 malicious files.

Unfortunately, the only way I can see which files are malicious is to “View Full Logs” which is plain text. The actual scan results box that is supposed to be populated with each malicious file and some helpful descriptions/actions to take is empty.

Also, when I go to “Repair all repairable files” nothing seems to happen.

I am assuming this is probably from the malware itself. I believe I have the AnonymousFox malware, since it is creating tons of .htaccess files in every folder with code like:

<FilesMatch ".(py|exe|phtml|php|PHP|Php|PHp|pHp|pHP|pHP7|PHP7|phP|PhP|php5|suspected)$">
Order allow,deny
Deny from all
</FilesMatch>
<FilesMatch "^(index.php|cache.php)$">#
Order allow,deny
Allow from all
</FilesMatch>

Also, I am on shared hosting from Hostgator (if that makes a difference).

Wondering how I can get wordfence to work correctly?

Hello.

Please allow adding notes to IPs on the allowlist (“Allowlisted IP addresses that bypass all rules”).

For example:

111.11.11.1 || Google
222.22.22.2 || Bing

This way, it is possible to keep track of the list and remove IPs which aren’t relevant anymore.

Thanks.

I see that my website is being crawled by bots from Boardman Oregon. These are not the exact IP addresses that Wordfence says not to block, but they’re close and coming from the same place. Should I leave these unblocked? Thank you.

Boardman, Oregon, United States visited https://mywebsite.ext/
2/22/2025 4:33:07 AM (4 hours 40 mins ago)
IP: 35.94.11.75 Hostname: ec2-35-94-11-75.us-west-2.compute.amazonaws.com
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36

Boardman, Oregon, United States visited https://mywebsite.ext/
2/22/2025 4:33:02 AM (4 hours 41 mins ago)
IP: 54.245.195.197 Hostname: ec2-54-245-195-197.us-west-2.compute.amazonaws.com
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36

• This topic was modified 1 week, 1 day ago by Jonas Grumby.

Hi, I am having an issue that seems to be cause by Wordfence. All of a sudden yesterday my website is showing nothing but a white screen. I tried disabling plugin, themes, etc., with no resolution. Even when Wordfence is disabled through the file manager.

I don’t have access to any any part of the site, front or backend, so I have been going through the file manager in my cp. I even tried changing the php version with no luck.

I checked the error logs and I get the same repeated error as this one:

[22-Feb-2025 04:33:11 UTC] PHP Fatal error: Failed opening required ‘/home/webservers1/healthiness.win/wordfence-waf.php’ (include_path=’.:/opt/alt/php81/usr/share/pear:/opt/alt/php81/usr/share/php:/usr/share/pear:/usr/share/php’) in Unknown on line 0

I wanted to see if there is something I can do to easily fix this issue. Any help, suggestions or guidance would be greatly appreciated.

Thanks in advance.

Hello,

I’m trying to customize the blocked message displayed by Wordfence so that it doesn’t mention “Wordfence.” In previous versions, I was able to do this by editing the blocked.php file located in the wp-content/plugins/wordfence/templates/ directory. However, I cannot find that file in my current installation.

I have searched for blocked.php and for any references to “Wordfence” in the plugin files without success. Could someone please advise me on how to modify the blocked message in the latest version of Wordfence? Is there a hook, filter, or alternative method available to customize this message?

Thank you in advance for your help!

Best regards, Zulema

We need to block fraudulent credit card transactions. We have reCaptcha enabled but it doesn’t stop them. We had over 1,000 attempts last night to process credit cards. Fortunately only 2 were successful. How can we stop this?