At WP Engine, we maintain a list of plugins that are disallowed on our platform for various reasons. We do this to ensure the security and performance of our WordPress Digital Experience Platform and to prevent redundancies between certain plugins and our platform.
WordFence, which is a highly popular security plugin used by more than 3 million WordPress users, was originally introduced to WP Engine’s Disallowed Plugins list in 2014 due to its incompatibility with our platform’s internal security offering.
For many WordFence and WP Engine customers, this incompatibility between the two platforms was a major pain point during site creation, development, and maintenance. But no longer.
After developers from both companies teamed up and worked together to make the services compatible with one another, we’re excited to announce that WordFence now works on WP Engine’s DXP and is no longer included on our list of disallowed plugins!
What is WordFence?
WordFence is the most popular WordPress security plugin in the world and the ninth most popular WordPress plugin overall. Wordfence includes a Web Application Firewall (WAF) that identifies and blocks malicious traffic. It runs at the endpoint, enabling deep integration with WordPress.
Unlike cloud-based alternatives, WordFence doesn’t break encryption, cannot be bypassed, nor can it leak data. The plugin’s integrated malware scanner blocks requests that include malicious code or content and it defends against brute force attacks by limiting login attempts, enforcing strong passwords, and other login security measures.
Additionally, Wordfence’s WordPress scanner checks core files, themes, and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections. It also compares your files with those in the WordPress.org repository, checks their integrity, and reports any changes back to you.
It also checks your site for known security vulnerabilities, as well as abandoned and closed plugins. Content safety checks ensure that your files, posts, and comments don’t contain dangerous URLs or suspicious content.
WordFence + WP Engine: Becoming Compatible
As mentioned above, WordFence was originally introduced to the WP Engine Disallowed Plugins list due to its incompatibility with WP Engine’s internal security offering. More specifically, WP Engine implemented a policy that restricted writing to PHP files from external requests. In other words, write access is only granted to the filesystem when a WordPress administrator is logged in. This policy helps keep our customers’ file systems safe by limiting change-making capabilities to authenticated users. However, the policy limited WordFence’s compatibility with the platform because the plugin required the restricted capability in order to update its WAF rules.
To remedy this, the WP Engine and WordFence team worked together to update the WordFence plugin so it would store their WAF rules in a database instead of the filesystem. This change improves the security of WordFence because storing the rules in a database, rather than a filesystem, makes the data more secure.
WP Engine now fully supports WordFence, widening the possibilities for users who are interested in WordFence or WP Engine.