Title: Invalid firewall API Key Last modified: March 16, 2018 --- # Invalid firewall API Key * Resolved [G Conklin](https://wordpress.org/support/users/geoconklin/) * (@geoconklin) * [8 years ago](https://wordpress.org/support/topic/invalid-firewall-api-key/) * My site was running WordPress 4.6.10 and my Wordfence plugin was deactivated automatically due to missing files. I added the free Sucuri Security – Auditing, Malware Scanner and Hardening plugin, and retrieved an API during the process. Each time I go to Sucuri Security > Firewall (WAF) I see this message: * `SUCURI: Firewall API key was not found.` * I go to Sucuri > Settings where I can copy the API Key (in green) and go back to Sucuri Security > Firewall (WAF) and paste that code (no extra spaces etc) into the FIREWALL API KEY box, then after clicking Save at the top I get this message: * `SUCURI: Invalid firewall API key` * Followed shortly by this message below the FIREWALL API KEY box: * `SUCURI: Firewall API key was not found.` * Since then I updated to WordPress 4.9.4 and the same thing was still happening. Screenshot: [http://ghcs.co/00/sucuri-2018-03-15.png](http://ghcs.co/00/sucuri-2018-03-15.png) * I uninstalled, deleted files when prompted, reinstalled Sucuri and then retrieved the API key via email and the same thing is occurring still. * I’ve got this message at Sucuri Security > Dashboard: * `Core WordPress Files Were Modified` * But the info enderneath of that is out-of-date still shwoing an Outdated WordPress under 4.8. * Screenshot [http://ghcs.co/00/sucuri-dashboard-2018-03-15.png](http://ghcs.co/00/sucuri-dashboard-2018-03-15.png) * I’m pretty sure I just need to get this API Key issue fixed so that Sucuri can scan again. * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Finvalid-firewall-api-key%2F%3Foutput_format%3Dmd&locale=en_US) to see the link]_ Viewing 3 replies - 1 through 3 (of 3 total) * Thread Starter [G Conklin](https://wordpress.org/support/users/geoconklin/) * (@geoconklin) * [8 years ago](https://wordpress.org/support/topic/invalid-firewall-api-key/#post-10080682) * Oh, and after trying to Save the API key and getting the invalid key message I get an email with this: * Message: API key was successfully set: [API KEY HIDDEN] * [yorman](https://wordpress.org/support/users/yorman/) * (@yorman) * [8 years ago](https://wordpress.org/support/topic/invalid-firewall-api-key/#post-10080828) * I will have to talk with our designers about this because… * The “Sucuri API Key” and the “Sucuri Firewall API Key” are two different things. * **Sucuri API Key** * This key is the one that you can generate for free using the big “Generate API Key” button at the top of the plugin’ page. It takes your domain name and email address and creates an unique identifier for your installation. This key is used to store the event logs in a secure remote storage system managed by Sucuri Inc. When you click the “Recover” button, this is the key that you get back via email. * **Sucuri Firewall API Key** * This key is the one that you can generate from the Sucuri Firewall dashboard [ 1] which you can have access to if you are a paying customer. This key is used to authenticate your website against the firewall API to block malicious attacks, visualize the current settings and monitor the traffic in real time. You can only generate and/or recover this key if you are a Sucuri customer. * > I go to Sucuri > Settings where I can copy the API Key (in green) and go back > to Sucuri Security > Firewall (WAF) and paste that code * Please don’t do this. It will not work. * You can only use the “Sucuri API Key” to authenticate here [2]. * You can only use the “Sucuri Firewall API Key” to authenticate here [3]. * > Since then I updated to WordPress 4.9.4 and the same thing was still happening. > I uninstalled, deleted files when prompted, reinstalled Sucuri and then retrieved > the API key via email and the same thing is occurring still. * Yes, this is because you are trying to use the free API key to activate a feature that is only available to paying customers. If you don’t have access to the Sucuri Firewall you will not be able to activate that feature with the key that you are getting via email. The key that you currently have can only be used to activate the audit logs. * > I’ve got this message at Sucuri Security > Dashboard: “Core WordPress Files > Were Modified”. But the info enderneath of that is out-of-date still shwoing > an Outdated WordPress under 4.8 * I think there are two things here that are adding more to the confusion. * The message “Core WordPress Files Were Modified” is shown because your installation contains six files in the document root that are not part of a normal WordPress installation. Below is a description of each file, you will have to decide to either delete them or mark them as false/positives using the option “mark as fixed”. - `.user.ini`: I have no idea what this is. - `fantversion.php`: Fantastico website installer. - `sitemap.backup.xml.gz`: Regular sitemap.xml file (backup). - `wordfernce-waf.php`: Rudimentary firewall script by Wordfence. - `wp-admin/error_log`: Generic PHP error log file. - `wp-includes/error_log`: Generic PHP error log file. * > I’m pretty sure I just need to get this API Key issue fixed so that Sucuri > can scan again. * The malware scanner is automatically activated without an API key. You just need the key to activate the audit logs, and if you are a paying customer, you will need another API key to activate the firewall. If what you want is to get rid of that “Outdated WordPress” warning, then just delete this file [4] using the tool available in the settings page under the “Data Storage” panel, this will force the plugin to scan the website once again skipping the cache _(the cache is alive for 20 minutes in your server, and 48 hours in the Sucuri servers)_. * [1] [https://waf.sucuri.net/](https://waf.sucuri.net/) [2] [https://wordpress.sucuri.net/api/](https://wordpress.sucuri.net/api/)[ 3] [https://waf.sucuri.net/api?v2](https://waf.sucuri.net/api?v2) [4] `/wp-content/ uploads/sucuri/sucuri-sitecheck.php` * Thread Starter [G Conklin](https://wordpress.org/support/users/geoconklin/) * (@geoconklin) * [8 years ago](https://wordpress.org/support/topic/invalid-firewall-api-key/#post-10082539) * [@yorman](https://wordpress.org/support/users/yorman/) thanks so much for your detailed and thoughtful answer. * This is an aha moment, very nice reply and thanks! * I’ll go through all of this when I can sit back down and work on my website. Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Invalid firewall API Key’ is closed to new replies. * ![](https://ps.w.org/sucuri-scanner/assets/icon-256x256.png?rev=2875755) * [Sucuri Security - Auditing, Malware Scanner and Security Hardening](https://wordpress.org/plugins/sucuri-scanner/) * [Frequently Asked Questions](https://wordpress.org/plugins/sucuri-scanner/#faq) * [Support Threads](https://wordpress.org/support/plugin/sucuri-scanner/) * [Active Topics](https://wordpress.org/support/plugin/sucuri-scanner/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/sucuri-scanner/unresolved/) * [Reviews](https://wordpress.org/support/plugin/sucuri-scanner/reviews/) ## Tags * [invalid API key.](https://wordpress.org/support/topic-tag/invalid-api-key/) * 3 replies * 2 participants * Last reply from: [G Conklin](https://wordpress.org/support/users/geoconklin/) * Last activity: [8 years ago](https://wordpress.org/support/topic/invalid-firewall-api-key/#post-10082539) * Status: resolved