TL;DR fixes (try in order)
- Confirm the exact error in Wordfence → Scan → “Click here to view full scan log”. If you see “Scan Engine Error: The signature on the request to start a scan is invalid”, you’re in the right place.
- Rule out conflicting plugins (temporarily deactivate login/security plugins such as Loginizer, All-In-One Login, Limit Login Attempts, iThemes Security, etc.), then start a scan.
- Reinstall Wordfence to replace any corrupted files (keep settings; see safe method below).
- Bypass cache/CDN for admin-ajax and /wp-admin/ (exclude at your caching plugin/CDN; see rules below), then retry.
- Fix URL mismatches (Settings → General: WordPress Address / Site Address) so www/non-www and HTTP/HTTPS match what your site actually uses.
Why this happens
Wordfence starts scans via a signed URL (often wp-admin/admin-ajax.php?action=wordfence_doScan&...&signature=...). If another layer modifies or strips query args, injects code, or changes the URL, the verification fails. Users have reported this after other security/login plugins interfered, and in some cases a fresh reinstall of Wordfence resolved damaged files.
Step 1 — Confirm the error in the scan log
- Go to Wordfence → Scan.
- Click “Click here to view full scan log”.
- Look for lines like:
[Time] Starting cron with normal ajax at URL ...admin-ajax.php?...&signature=...
[Time] Verifying start request signature.
[Time] Scan Engine Error: The signature on the request to start a scan is invalid.
Step 2 — Rule out plugin conflicts (most common)
Temporarily deactivate plugins that hook into login/security/cookies/headers (e.g., Loginizer, All-In-One Login, other firewalls, rate-limiters). Then run a Wordfence scan:
- Plugins → Installed Plugins → bulk deactivate the likely suspects.
- Run a scan. If it works, re-enable plugins one by one to find the culprit.
Tip: If the culprit is required, look in its settings for “block REST/AJAX” or header/cookie hardening options and loosen only what affects Wordfence’s scan initiation.
Step 3 — Reinstall Wordfence safely (fixes corrupted/missing files)
- In Wordfence → All Options, ensure “Delete Wordfence tables and data on deactivation” is OFF (so you keep settings).
- Go to Plugins → Installed Plugins → Deactivate Wordfence.
- Click Delete (with the above setting off, data is preserved).
- Plugins → Add New → search “Wordfence Security” → Install Now → Activate.
- Run a scan again.
Step 4 — Bypass cache/CDN for AJAX & admin
Scans can fail if a cache/CDN strips or rewrites signed URLs.
- Caching plugins: Exclude
/wp-admin/ and /wp-admin/admin-ajax.php.
- Cloudflare: Add Page Rules / Cache Rules to set Cache Level: Bypass for:
*example.com/wp-admin/**example.com/wp-admin/admin-ajax.php*
- Server cache (Nginx/varnish/litespeed): exclude the same paths.
Apache (no-cache for admin-ajax)
<FilesMatch "admin-ajax\.php$">
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "0"
</FilesMatch>
Nginx (bypass cache for admin-ajax)
location ~* /wp-admin/admin-ajax\.php$ {
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Pragma "no-cache";
add_header Expires "0";
# proxy_pass / fastcgi_pass blocks here...
}
Step 5 — Fix URL mismatches
In Settings → General, make sure WordPress Address (URL) and Site Address (URL) match your live domain exactly (same HTTPS and same www vs non-www). An inconsistency can generate a signature for one host while the request is made against another.
Step 6 — Still failing? Do a controlled test
- Switch to a default theme (Twenty Twenty-Five).
- Deactivate all plugins except Wordfence.
- Run a scan. If it works, re-enable items progressively until the problem returns.
Emergency access (can’t reach wp-admin?)
- Via FTP/SSH, rename
wp-content/plugins/wordfence to wordfence-off to disable it.
- Log in, correct the conflicting setting/plugin, then reinstall/activate Wordfence.
References
Need a hand? If the error persists after the steps above, grab the full scan log and your environment details and we can help you pinpoint the blocker.