• Resolved: Mike Clarke (@rawthey)

    I started a thread about the WAF unexpectedly switching to learning mode about a year ago. We didn’t manage to establish the cause of the problem but the problem appeared to go away after a while and the topic was closed.

    The problem has now returned and the WAF has switched back to learning mode several times over the last few weeks. One thing that I have noticed is that there are several zero-length files in wflogs with permissions set to ---------- and with totally impossible dates. I was wondering if this might be significant.

    bash-3.2$ ls -l
    total 5625
    -rw-r--r-- 1 sedbergh1 83005 3399631 Jul 13 02:01 GeoLite2-Country.mmdb
    -rw-rw---- 1 sedbergh1 83005   40083 Jul 23 11:50 attack-data.php
    -rw-rw---- 1 sedbergh1 83005    1731 Jul 24 14:29 config.php
    -rw-rw---- 1 sedbergh1 83005 1002999 Jul  9 09:59 config.tmp.0gY5Jz
    -rw------- 1 sedbergh1 83005       0 Jul  9 08:56 config.tmp.6MS74Y
    ---------- 1 sedbergh1 83005       0 Jul 18  2002 config.tmp.88AGG3
    ---------- 1 sedbergh1 83005       0 May 12  1984 config.tmp.8mj8ou
    -rw------- 1 sedbergh1 83005       0 Jul  9 08:56 config.tmp.AfKhsn
    -rw------- 1 sedbergh1 83005       0 Jul  9 02:10 config.tmp.BE6FAE
    -rw------- 1 sedbergh1 83005 1024305 Jul  8 04:15 config.tmp.Chw4jL
    ---------- 1 sedbergh1 83005       0 Jul 18  1977 config.tmp.EjIV7M
    ---------- 1 sedbergh1 83005       0 Jun 23  2024 config.tmp.FPSKsJ
    -rw------- 1 sedbergh1 83005       0 Jul  8 02:38 config.tmp.GePTkX
    -rw------- 1 sedbergh1 83005    1782 Jul  9 14:19 config.tmp.SbSEwH
    ---------- 1 sedbergh1 83005       0 Dec 16  2033 config.tmp.XUC8Hk
    -rw------- 1 sedbergh1 83005       0 Jul  9 02:10 config.tmp.YIQO6M
    ---------- 1 sedbergh1 83005       0 Mar 31  2031 config.tmp.jSGfm6
    -rw------- 1 sedbergh1 83005    1782 Jul  9 14:19 config.tmp.mvzQrt
    ---------- 1 sedbergh1 83005       0 Jan 24  2003 config.tmp.o1LgHq
    ---------- 1 sedbergh1 83005       0 Jul 11  2027 config.tmp.pFePGv
    ---------- 1 sedbergh1 83005       0 Mar 30  1981 config.tmp.yQiYGE
    -rw-rw---- 1 sedbergh1 83005      51 Jul 24 13:38 ips.php
    -rw-rw-r-- 1 sedbergh1 83005  128128 Jul 16 10:03 rules.php
    -rw-rw---- 1 sedbergh1 83005   58247 Jul 16 10:03 wafRules.rules
  • Hi @rawthey,
    The presence of the config.tmp files usually indicates an issue with file locking on the server when two hits are causing the Firewall to write to the config.php file at the same time. I’m not sure what’s up with the dates there, haven’t seen that before, but that seems like it would be an issue with the file system as well.

    If you check the PHP error logs you should be able to figure out the point in time when the Firewall reverted to learning mode. That would be the first time you see an error saying “Unable to open /wflogs/config.php for reading and writing” or something along those lines.

    If you then check the server’s access logs for the exact same timestamp, you may be able to figure out what was happening on the server at that point.
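    The two checks suggested in this reply (find the "Unable to open ... config.php" entries in the PHP error log, then pull the access-log requests handled at the same instant) and the triage of the odd config.tmp files from the opening post can be scripted. The following is an added example written for this page, not code from Wordfence or from either poster. It assumes the default PHP error-log timestamp prefix with UTC timestamps and the Apache/nginx common log format; the sample log lines, file names and paths are constructed, and the 2-second correlation window, the 1-day age limit and the 5-minute clock-skew allowance are arbitrary choices made here.

```python
import os
import re
import shutil
import stat
import tempfile
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not taken from the thread). The PHP error log is assumed to use
# the default "[dd-Mon-yyyy HH:MM:SS UTC]" prefix and the access log the common log format;
# all paths are placeholders.
PHP_ERROR_LOG = """\
[13-Aug-2018 20:52:10 UTC] PHP Notice:  Undefined index: foo in /path/to/plugin/x.php on line 12
[13-Aug-2018 21:06:01 UTC] PHP Warning:  Unable to open /path/to/wp-content/wflogs/config.php for reading and writing in /path/to/wordfence/waf.php on line 0
[13-Aug-2018 21:06:01 UTC] PHP Warning:  Unable to open /path/to/wp-content/wflogs/config.php for reading and writing in /path/to/wordfence/waf.php on line 0
[13-Aug-2018 21:40:33 UTC] PHP Notice:  Undefined variable: bar in /path/to/plugin/y.php on line 7
"""
ACCESS_LOG = """\
203.0.113.10 - - [13/Aug/2018:21:05:59 +0000] "GET /?p=1 HTTP/1.1" 200 5120
203.0.113.10 - - [13/Aug/2018:21:06:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 3000
198.51.100.7 - - [13/Aug/2018:21:06:01 +0000] "POST /wp-cron.php?doing_wp_cron HTTP/1.1" 200 0
192.0.2.5 - - [13/Aug/2018:21:06:04 +0000] "GET / HTTP/1.1" 200 9000
192.0.2.5 - - [13/Aug/2018:21:30:00 +0000] "GET / HTTP/1.1" 200 9000
"""

PHP_TS = re.compile(r"^\[(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) UTC\]")
ACCESS_TS = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
REVERT_MARKER = "config.php for reading and writing"  # the message quoted in the reply above


def find_revert_times(php_log):
    """Distinct UTC timestamps at which PHP logged a wflogs/config.php write failure."""
    times = []
    for line in php_log.splitlines():
        m = PHP_TS.match(line)
        if m and "wflogs/config.php" in line and REVERT_MARKER in line:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
            if ts not in times:
                times.append(ts)
    return times


def requests_around(access_log, when, window_seconds=2):
    """Access-log lines whose timestamp lies within +/- window_seconds of `when` (naive UTC)."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_TS.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        ts = ts.astimezone(timezone.utc).replace(tzinfo=None)  # normalise to naive UTC
        if abs((ts - when).total_seconds()) <= window_seconds:
            hits.append(line)
    return hits


def correlate(php_log, access_log, window_seconds=2):
    """Map each revert timestamp (ISO string) to the requests the server handled at that moment."""
    return {t.isoformat(): requests_around(access_log, t, window_seconds)
            for t in find_revert_times(php_log)}


def stale_temp_files(wflogs_dir, now=None, max_age_days=1):
    """Flag config.tmp.* files that a completed write cycle would have renamed or removed:
    zero length, mode 000, or an mtime outside a plausible window."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    flagged = []
    for name in sorted(os.listdir(wflogs_dir)):
        if not name.startswith("config.tmp."):
            continue
        st = os.stat(os.path.join(wflogs_dir, name))  # stat needs no read permission on the file
        mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).replace(tzinfo=None)
        reasons = []
        if st.st_size == 0:
            reasons.append("zero length")
        if stat.S_IMODE(st.st_mode) == 0:
            reasons.append("mode 000")
        if mtime > now + timedelta(minutes=5):
            reasons.append("mtime in the future")
        elif now - mtime > timedelta(days=max_age_days):
            reasons.append("mtime older than %d day(s)" % max_age_days)
        if reasons:
            flagged.append((name, reasons))
    return flagged


def scan_sample_wflogs():
    """Build a throwaway directory mimicking the listing in the opening post, scan it, clean up."""
    d = tempfile.mkdtemp(prefix="wflogs-demo-")
    try:
        def touch(name, size, mtime=None, mode=None):
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(b"x" * size)
            if mtime is not None:
                os.utime(p, (mtime, mtime))
            if mode is not None:
                os.chmod(p, mode)
        future = datetime(2033, 12, 16, tzinfo=timezone.utc).timestamp()
        past = datetime(1984, 5, 12, tzinfo=timezone.utc).timestamp()
        touch("config.php", 1782)                     # live config, ignored by the scan
        touch("config.tmp.aaaaaa", 1782)              # fresh and non-empty: an in-flight write
        touch("config.tmp.bbbbbb", 0, future, 0o000)  # the zero-length, mode-000, future-dated pattern
        touch("config.tmp.cccccc", 0, past)           # zero-length with a decades-old mtime
        return stale_temp_files(d)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    for when, lines in correlate(PHP_ERROR_LOG, ACCESS_LOG).items():
        print(when, "->", len(lines), "request(s):", *lines, sep="\n  ")
    print(scan_sample_wflogs())
```

On a real host, replace the two sample strings with the contents of the PHP error log and the web server access log, and point stale_temp_files at the wflogs directory; the "older than" and "future" flags are what separate leftover temp files (the locking symptom described above) from the one or two fresh ones a healthy write cycle produces.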

  • Thread Starter Mike Clarke (@rawthey)

    It’s back in learning mode again and due to automatically enable again on 2018-08-20 which suggests that it switched sometime today, 13th August.

    I have a PHP error log file for the period from 11th August up until now and there’s no sign of “Unable to open /wflogs/config.php for reading and writing” anywhere in it; in fact I’ve also searched for the single words “wflogs” and “open” and there’s no sign of them either.

    Here’s the current listing for wflogs:

    total 5628
    -rw-r--r-- 1 sedbergh1 83005 3399631 Jul 13 02:01 GeoLite2-Country.mmdb
    -rw-rw---- 1 sedbergh1 83005   40083 Aug  7 18:58 attack-data.php
    -rw-rw---- 1 sedbergh1 83005    1783 Aug 13 21:06 config.php
    -rw-rw---- 1 sedbergh1 83005 1002999 Jul  9 09:59 config.tmp.0gY5Jz
    -rw------- 1 sedbergh1 83005       0 Jul  9 08:56 config.tmp.6MS74Y
    ---------- 1 sedbergh1 83005       0 Jul 18  2002 config.tmp.88AGG3
    ---------- 1 sedbergh1 83005       0 May 12  1984 config.tmp.8mj8ou
    -rw------- 1 sedbergh1 83005       0 Jul  9 08:56 config.tmp.AfKhsn
    -rw------- 1 sedbergh1 83005       0 Jul  9 02:10 config.tmp.BE6FAE
    -rw------- 1 sedbergh1 83005 1024305 Jul  8 04:15 config.tmp.Chw4jL
    ---------- 1 sedbergh1 83005       0 Jul 18  1977 config.tmp.EjIV7M
    ---------- 1 sedbergh1 83005       0 Jun 23  2024 config.tmp.FPSKsJ
    -rw------- 1 sedbergh1 83005       0 Jul  8 02:38 config.tmp.GePTkX
    -rw------- 1 sedbergh1 83005    1782 Jul  9 14:19 config.tmp.SbSEwH
    ---------- 1 sedbergh1 83005       0 Dec 16  2033 config.tmp.XUC8Hk
    -rw------- 1 sedbergh1 83005       0 Jul  9 02:10 config.tmp.YIQO6M
    ---------- 1 sedbergh1 83005       0 Mar 31  2031 config.tmp.jSGfm6
    -rw------- 1 sedbergh1 83005    1782 Jul  9 14:19 config.tmp.mvzQrt
    ---------- 1 sedbergh1 83005       0 Jan 24  2003 config.tmp.o1LgHq
    ---------- 1 sedbergh1 83005       0 Jul 11  2027 config.tmp.pFePGv
    ---------- 1 sedbergh1 83005       0 Mar 30  1981 config.tmp.yQiYGE
    -rw-rw---- 1 sedbergh1 83005      51 Aug 13 20:53 ips.php
    -rw-rw-r-- 1 sedbergh1 83005  130430 Aug  6 21:31 rules.php
    -rw-rw---- 1 sedbergh1 83005   59117 Aug  6 21:31 wafRules.rules

  • Hi again @rawthey,
    Sorry for the late reply.

    Thanks for checking the error logs. It’s strange that you didn’t see anything show up there. The Firewall resetting to Learning Mode definitely indicates Wordfence had problems writing to the config.php file though. We have a change coming up in our next release which could potentially help in your situation though. We’ll be splitting out some of the config information into a separate file with the hope that when problems occur they will be less severe and Wordfence will not revert to Learning Mode. So please keep an eye out for our next release, and then let us know if that update fixed your issue.

  • Hi @rawthey,
    Since we haven’t heard from you for a while I’m going to go ahead and resolve this thread. You are welcome to create a new one at any time!

  • The topic ‘Wordfence firewall frequently reverts to learning mode’ is closed to new replies.