The scan is failing because requests to start it from your own web server are blocked. The diagnostics page shows this error:
wp_remote_post() test back to this server failed! Response was: 403 Forbidden
This additional info may help you diagnose the issue. The response headers we received were:
Under Additional Details you can see that Cloudflare is blocking the site when it tries.
Additional Detail
HTTP/1.1 403 Forbidden
Date: Fri, 11 Jun 2021 11:51:06 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Cf-Railgun: 913d202a65 0.00 0.036647 0030 0dda
Host-Header: 8441280b0c35cbc1147f8ba998a563a7
Vary: Accept-Encoding
X-Proxy-Cache-Info: DT:1
CF-Cache-Status: DYNAMIC
cf-request-id: 0a9c826e0400001f0f0f367000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v2?s=hQBx%
So when your scan tries to start by calling a URL similar to https://www.yourwebsite.com/wp-admin/admin-ajax.php?action=wordfence_doScan&isFork=1&scanMode=custom&cronKey=acb00b097f26110c692e2a7dc52d3c&signature=85abde5f44c12b0a656b7e5f7cfbe95a39b0cadc523de35212b575 it gets blocked by Cloudflare.
You’ll need to add your web server’s IP address to the Cloudflare allowlist. I might add that this is how most scheduled jobs (backups, scheduled posts, crons, etc) are started. You are likely experiencing this with other plugins or functionality but don’t realize it. For instance you have cron jobs that haven’t run since June 11th and this is likely why.
Let me know how this goes.
//tim
