How to fix error 500 when disabling WordFence

500 wordfence

In my opinion, WordFence is one of the most overrated WordPress security plugins out there and there are several reasons, namely….

  • It fills the database with tables and options that will remain there after deactivation if you do not remedy it.
  • High consumption of WordPress and server resources.
  • No options to manage and/or disable XML-RPC.
  • Uninstalling it is not just uninstalling it from the plugins screen and that’s it, it requires additional work.

And to the latter we go.

The problem with Wordfence uninstallation

No matter which version of WordFence you have, free or premium, always before deactivating WordFence you must go to the WordFence general options, which are in the administration of your WordPress, in WordfenceAll options, and check the box called “Delete Wordfence tables and data on deactivation“.

This ensures that the following is deleted when you deactivate Wordfence in the plugins screen:

  • The files in the plugin folder.
  • Records in the .htaccess file.
  • Records in the wp-config.php file.
  • Wordfence firewall configuration file in the root of the installation (wordfence-waf.php).
  • .user.ini file with Wordfence rules in the root of the installation.
  • Additional .htaccess files in plugin, theme and wp-content folders.
  • Wordfence logs folder (wpflogs) in wp-content directory.
  • Wordfence tables and options in the database.

As you can see it is not a joke the amount of residue that Wordfence will leave if you don’t uninstall it properly. Of course, if you delete the plugin directly it is just as bad, so remember:

  1. Check the delete Wordfence data and tables checkbox in your general options.
  2. Deactivate Wordfence
  3. Delete Wordfence
  4. Check that everything has been deleted

Normally the first 3 points would be enough but my advice is to check that no trace is left, but what if after doing all this my website crashes, shows a 500 error?

Web down with error 500 after disabling Wordfence

It doesn’t matter if you followed the recommended steps before, although it is more likely to happen if you don’t follow them, it may happen that when you deactivate Wordfence your website breaks, showing a 500 error.

Why does this happen?

Well, basically because not all the Wordfence junk has been deleted, and there are still some references to files that no longer exist.

The culprit, 99.99% of the time, is the .user.ini file in the root folder of your installation, which will still include a reference to the Wordfence firewall configuration file and, not finding it, breaks your website completely, with a 500 error.

How do I fix error 500 when disabling Wordfence?

You must check at least 2 files in the root folder of your WordPress installation:

  • .htaccess
  • .user.ini

In the .htaccess file you should look for lines like these, delete them and save the changes:

# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAFCode language: HTML, XML (xml)

In the .user.ini file you will probably find these or similar lines:

; Wordfence WAF
auto_prepend_file = '/home/customer/www/tudominio.com/public_html/web/wordfence-waf.php'
; END Wordfence WAFCode language: JavaScript (javascript)

Delete them anyway and save the changes.

An alternative solution, or if you prefer a quick check, would be to rename these files, for example by adding at the end of the file something like .wf or whatever you want (e.g. .htaccess.wf and .user.ini.wf) to disable them completely, then saving the permalinks settings. WordPress will generate the correct .htaccess file again.

After these changes you should now be able to view and access your site normally, without the 500 error.

However, I encourage you to review the list above to check that the rest of the Wordfence residues have been deleted, which as we have seen are many and varied, both in files and in the database.


That’s all for now. I hope I have helped you.

If you still have doubts or you have not solved the problem tell us in the comments anyway, we will try to help you as much as possible.

How useful was this post?

Click on a smiley to rate it!

Average rating 5 / 5. Vote count: 2

No votes so far! Be the first to rate this post.

As you found this post useful...

Follow us on social media!

About The Author

2 thoughts on “How to fix error 500 when disabling WordFence”

  1. Thank you Hector! I found I also needed to uninstall a `.quarantine` folder in my main site directory. (and a `.tmb` as well though I’m not 100% certain of what that is)

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top