April 18, 2023

Wordfence and WordPress caching plugins

(Note: This applies to self-hosted WordPress installations, not blogs hosted by WordPress.com.)

Although the Wordfence security plugin claims to work with WordPress caching plugins, such as WP Super Cache, it does not operate as completely as it would without one. Namely, it may not process requests for pages for which a cached version is available. Both plugins want to handle requests before WordPress runs. If a requested page has a cached version available (i.e., static HTML instead of PHP), WordPress, and thus Wordfence, is not run. So if you want Wordfence to handle every request, the cache plugin needs to be set up to run after Wordfence. What follows is the example of WP Super Cache, with Apache 2.4, PHP 8.0, WordPress 6.2, Wordfence 7.9.2 and WP Super Cache 1.9.4.

In Wordfence, the firewall protection is enabled and the protection level is “extended”, such that “All PHP requests will be processed by the firewall prior to running.” To do this, Wordfence adds a directive to the .htaccess file of the WordPress directory that prepends Wordfence to PHP requests.

But WP Super Cache in Expert mode also adds directives to the .htaccess file, so that cached HTML files are returned if available instead of running WordPress (and its huge resource demand). Thus, a request for a page that has a cached copy bypasses the Wordfence firewall.

For Wordfence to act on every request, WP Super Cache needs to be run in Simple mode, and the advanced setting “late init” (“Display cached files after WordPress has loaded”) needs to be turned on as well.

In summary, to allow the Wordfence firewall to work when cached files are returned, any caching plugin has to operate in PHP mode rather than via mod_rewrite in .htaccess. Furthermore, it needs to operate after WordPress is initialized.
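A check for the two conditions above, as an added example that is not part of the original post or of either plugin: it scans an .htaccess file for rewrite rules that serve cached HTML directly and reads the cache plugin's settings. The marker comments, the `wordfence-waf.php` path, the `supercache` directory and the variable names `$wp_cache_mod_rewrite` and `$wp_super_cache_late_init` are assumptions about what the plugins write, and the sample inputs are constructed.

```python
import re

# Constructed sample: .htaccess with WP Super Cache Expert-mode rules and the
# Wordfence prepend directive (marker comments and path are assumptions).
SAMPLE_HTACCESS = """\
# BEGIN WPSuperCache
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} !POST
RewriteCond %{DOCUMENT_ROOT}/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html -f
RewriteRule ^(.*) "/wp-content/cache/supercache/%{SERVER_NAME}/$1/index.html" [L]
</IfModule>
# END WPSuperCache
# Wordfence WAF
php_value auto_prepend_file '/var/www/html/wordfence-waf.php'
# END Wordfence WAF
"""

# Constructed sample of wp-cache-config.php (variable names are assumptions).
SAMPLE_CACHE_CONFIG = """\
<?php
$wp_cache_mod_rewrite = 1;
$wp_super_cache_late_init = 0;
"""

def audit(htaccess, cache_config):
    """Return findings that mean cached pages can skip the Wordfence firewall."""
    findings = []
    # Ignore blank lines and Apache comments so disabled rules do not count.
    lines = [l.strip() for l in htaccess.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    # Extended protection: PHP is told to load the firewall before any script.
    if not any(re.search(r"auto_prepend_file\b.*wordfence-waf\.php", l) for l in lines):
        findings.append("no-waf-prepend")
    # Expert mode: Apache serves the cached HTML itself, so PHP never starts.
    if any(re.match(r"RewriteRule\b", l, re.I) and "/cache/supercache/" in l
           and ".html" in l for l in lines):
        findings.append("static-cache-rewrite")
    settings = dict(re.findall(r"^\s*\$(\w+)\s*=\s*(\d+)\s*;", cache_config, re.M))
    if settings.get("wp_cache_mod_rewrite") == "1":
        findings.append("expert-mode")
    # Without late init the cache is served before WordPress has loaded.
    if settings.get("wp_super_cache_late_init") != "1":
        findings.append("late-init-off")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTACCESS, SAMPLE_CACHE_CONFIG):
        print("FINDING:", finding)
```

An empty result means no rewrite rule serves cached HTML ahead of PHP and the cache is set to display files only after WordPress has loaded. If PHP on the host takes the prepend setting from a file other than .htaccess, check `no-waf-prepend` against that file instead.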

On the other hand, serving cached HTML files is not only faster, but also avoids running PHP code, obviating the vulnerability that Wordfence protects against. As for DDoS attacks, your server should be providing that protection (and serving cached HTML pages makes it much more able to withstand such attacks).