In my opinion, WordFence is one of the most overrated WordPress security plugins out there and there are several reasons, namely….
- It fills the database with tables and options that will remain there after deactivation if you do not remedy it.
- High consumption of WordPress and server resources.
- No options to manage and/or disable XML-RPC.
- Uninstalling it is not just uninstalling it from the plugins screen and that’s it, it requires additional work.
And to the latter we go.
Table of Contents
The problem with Wordfence uninstallation
No matter which version of WordFence you have, free or premium, always before deactivating WordFence you must go to the WordFence general options, which are in the administration of your WordPress, in Wordfence → All options, and check the box called “Delete Wordfence tables and data on deactivation“.
This ensures that the following is deleted when you deactivate Wordfence in the plugins screen:
- The files in the plugin folder.
- Records in the
.htaccess
file. - Records in the
wp-config.php
file. - Wordfence firewall configuration file in the root of the installation (
wordfence-waf.php
). .user.ini
file with Wordfence rules in the root of the installation.- Additional
.htaccess
files in plugin, theme andwp-content
folders. - Wordfence logs folder (
wpflogs
) inwp-content
directory. - Wordfence tables and options in the database.
As you can see it is not a joke the amount of residue that Wordfence will leave if you don’t uninstall it properly. Of course, if you delete the plugin directly it is just as bad, so remember:
- Check the delete Wordfence data and tables checkbox in your general options.
- Deactivate Wordfence
- Delete Wordfence
- Check that everything has been deleted
Normally the first 3 points would be enough but my advice is to check that no trace is left, but what if after doing all this my website crashes, shows a 500 error?
Web down with error 500 after disabling Wordfence
It doesn’t matter if you followed the recommended steps before, although it is more likely to happen if you don’t follow them, it may happen that when you deactivate Wordfence your website breaks, showing a 500 error.
Why does this happen?
Well, basically because not all the Wordfence junk has been deleted, and there are still some references to files that no longer exist.
The culprit, 99.99% of the time, is the .user.ini
file in the root folder of your installation, which will still include a reference to the Wordfence firewall configuration file and, not finding it, breaks your website completely, with a 500 error.
How do I fix error 500 when disabling Wordfence?
You must check at least 2 files in the root folder of your WordPress installation:
.htaccess
.user.ini
In the .htaccess
file you should look for lines like these, delete them and save the changes:
# Wordfence WAF
<Files ".user.ini">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
</Files>
# END Wordfence WAF
Code language: HTML, XML (xml)
In the .user.ini
file you will probably find these or similar lines:
; Wordfence WAF
auto_prepend_file = '/home/customer/www/tudominio.com/public_html/web/wordfence-waf.php'
; END Wordfence WAF
Code language: JavaScript (javascript)
Delete them anyway and save the changes.
An alternative solution, or if you prefer a quick check, would be to rename these files, for example by adding at the end of the file something like .wf
or whatever you want (e.g. .htaccess.wf
and .user.ini.wf
) to disable them completely, then saving the permalinks settings. WordPress will generate the correct .htaccess
file again.
After these changes you should now be able to view and access your site normally, without the 500 error.
However, I encourage you to review the list above to check that the rest of the Wordfence residues have been deleted, which as we have seen are many and varied, both in files and in the database.
That’s all for now. I hope I have helped you.
If you still have doubts or you have not solved the problem tell us in the comments anyway, we will try to help you as much as possible.
Thank you Hector! I found I also needed to uninstall a `.quarantine` folder in my main site directory. (and a `.tmb` as well though I’m not 100% certain of what that is)
You can delete it safely 😉