Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.
|Author:||Wordfence (profile at wordpress.org)|
|WordPress version required:||3.9|
|WordPress version tested:||4.8.2|
|Added to WordPress repository:||21-04-2012|
|Total downloads:||48 526 992|
|Active installs:||2 000 000+|
Click to start download
The dashboard gives you an overview of your site's security including notifications, attack statistics and Wordfence feature status.
The Web Application Firewall protects your site from common types of attacks and known security vulnerabilities.
The Wordfence Malware Scanner lets you know if your site has been compromised and alerts you to other security issues that need to be addressed.
The Wordfence Security Live Traffic view shows you real-time activity on your site including bot traffic and exploit attempts.
Block IPs that are known to be malicious, manage IPs that have been locked out and see recently throttled IPs that violated security rules.
The Wordfence Options page is where you manage high-level Wordfence features and upgrade your license to Premium.
The Advanced Options page allows technically-minded users fine-tune their security settings.
Secure your website with Wordfence.
Secure your website using the following steps to install Wordfence:
- Install Wordfence Security automatically or by uploading the ZIP file.
- Activate the security plugin through the ‘Plugins’ menu in WordPress.
- Wordfence WordPress Security is now activated. Go to the scan menu and start your first security scan. Scheduled security scanning will also be enabled.
- Once your first scan has completed a list of security threats will appear. Go through them one by one to secure your site.
- Visit the Wordfence Security options page to enter your email address so that you can receive email security alerts.
- Optionally change your security level or adjust the advanced options to set individual security scanning and protection options for your site.
- Click the “Live Traffic” menu option to watch your site activity in real-time. Situational awareness is an important part of website security.
To install the Wordfence WordPress security plugin on WordPress Multi-Site installations:
- Install Wordfence Security via the plugin directory or by uploading the ZIP file.
- Network Activate Wordfence Security. This step is important because until you network activate it, your sites will see the plugin option on their plugins menu. Once activated that option dissapears.
- Now that Wordfence is network activated it will appear on your Network Admin menu. Wordfence Security will not appear on any individual site’s menu.
- Go to the “Scan” menu and start your first security scan.
- Wordfence Security will do a security scan of all files in your WordPress installation including those in the blogs.dir directory of your individual sites.
- Live Traffic will appear for ALL sites in your network. If you have a heavily trafficked system you may want to disable live traffic which will stop logging to the DB.
- Firewall rules and login rules apply to the WHOLE system. So if you fail a login on site1.example.com and site2.example.com it counts as 2 failures. Crawler traffic is counted between blogs, so if you hit three sites in the network, all the hits are totalled and that counts as the rate you’re accessing the system.
How does Wordfence Security protect sites from attackers?
The WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, WordFence Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised. The Live Traffic view gives you real-time visibility into traffic and hack attempts on your website. A deep set of additional tools round out the most comprehensive WordPress security solution available.
How will I be alerted if my site has a security problem?
Wordfence Security sends security alerts via email. Once you install Wordfence Security, you will configure a list of email addresses where security alerts will be sent. When you receive a security alert, make sure you deal with it promptly to ensure your site stays secure.
Do I need a security plugin like Wordfence if I’m using a cloud based firewall (WAF)?
Wordfence provides true endpoint security for your WordPress website. Unlike cloud based firewalls, Wordfence executes within the WordPress environment, giving it knowledge like whether the user is signed in, their identity and what access level they have. Wordfence uses the user’s access level in more than 80% of the firewall rules it uses to protect WordPress websites. Learn more about the Cloud WAF identity problem here. Additionally, cloud based firewalls can be bypassed, leaving your site exposed to attackers. Because Wordfence is an integral part of the endpoint (your WordPress website), it can’t be bypassed. Learn more about the Cloud WAF bypass problem here. To fully protect the investment you’ve made in your website you need to employ a defense in depth approach to security. Wordfence takes this approach.
What differentiates Wordfence from other WordPress Security plugins?
- Wordfence security provides a WordPress Firewall developed specifically for WordPress and blocks attackers looking for vulnerabilities on your site. The Firewall is powered by our Threat Defense Feed which is continually updated as new threats emerge. Premium customers receive updates in real-time.
- Wordfence Security verifies your website source code integrity against the official WordPress repository and shows you the changes.
- Wordfence Security scans check all your files, comments and posts for URLs in Google’s Safe Browsing list. We are the only plugin to offer this very important security enhancement.
- Wordfence Security scans do not consume large amounts of your bandwidth because all security scans happen on your web server which makes them very fast.
- Wordfence Security fully supports WordPress Multi-Site which means you can security scan every blog in your Multi-Site installation with one click.
- Wordfence Security includes Two-Factor authentication, the most secure way to stop brute force attackers in their tracks.
- Wordfence Security fully supports IPv6 including giving you the ability to look up the location of IPv6 addresses, block IPv6 ranges, detect IPv6 country and do a whois lookup on IPv6 addresses and more.
Will Wordfence slow down my website?
No. Wordfence Security is extremely fast and uses techniques like caching its own configuration data to avoid database lookups and blocking malicious attacks that would slow down your site.
What if my site has already been hacked?
Wordfence Security is able to repair core files, themes and plugins on sites where security is already compromised. You can follow this guide on how to clean a hacked website using Wordfence. However, please note that site security can not be assured unless you do a full reinstall if your site has been hacked. We recommend you only use Wordfence Security to get your site into a running state in order to recover the data you need to do a full reinstall. If you need help repairing a hacked site, we offer an affordable, high-quality site cleaning service that includes a Premium key for a year.
Does Wordfence Security support IPv6?
Yes. We fully support IPv6 with all security functions including country blocking, range blocking, city lookup, whois lookup and all other security functions. If you are not running IPv6, Wordfence will work great on your site too. We are fully compatible with both IPv4 and IPv6 whether you run both or only one addressing scheme.
Does Wordfence Security support Multi-Site installations?
Yes. WordPress Multi-Site is fully supported. Using Wordfence Security you can scan every blog in your network for malware with one click. If one of your customers posts a page or post with a known malware URL that threatens your whole domain with being blacklisted by Google, we will alert you in the next scan.
What support options are available for Wordfence users?
Providing excellent customer service is very important to us. We offer help to all our customers whether you are using the Premium or free version of Wordfence Security. For help with the free version, you can post in our forum where we have dedicated staff responding to questions. If you need faster or more in-depth help, Premium customers can submit a support ticket to our Premium support team.
Where can I learn more about WordPress security?
Designed for every skill level, The WordPress Security Learning Center is dedicated to deepening users’ understanding of security best practices by providing free access to entry-level articles, in-depth articles, videos, industry survey results, graphics and more.
- Emergency Fix: Updated wpdb::prepare calls using %.6f since it is no longer supported.
- Improvement: Better block counting for advanced comment filtering.
- Improvement: Increased logging in debug mode for plugin updates to help resolve issues.
- Fix: Reduced the minimum duration of a scan stage to improve reliability on some hosts.
- Improvement: Prepared code for upcoming scan improvement which will greatly increase scan performance by optimizing malware signatures.
- Improvement: Updated the bundled GeoIP database.
- Improvement: Better scan messaging when a publicly-reachable searchreplacedb2.php utility is found.
- Improvement: The no-cache constant for database caching is now set for W3TC for plugin updates and scans.
- Improvement: Added an additional home/siteurl resolution check for WPML installations.
- Improvement: Introduced a new scan stage to check for malicious URLs and content within WordPress core, plugin, and theme options.
- Improvement: New scan stage includes a new check for TrafficTrade malware.
- Improvement: Reduced net memory usage during forked scan stages by up to 50%.
- Improvement: Reduced the number of queries executed for some configuration options.
- Improvement: Modified the default whitelisting to include the new core AJAX action in WordPress 4.8.1.
- Fix: Synchronized the scan option names between the main options page and smaller scan options page.
- Fix: Fixed CSS positioning issue for dashboard metabox with IPv6.
- Fix: Fixed a compatibility issue with determining the site’s home_url when WPML is installed.
- Improvement: Reduced memory usage on scan forking and during the known files scan stage.
- Improvement: Added additional scan options to allow for disabling the blacklist checks while still allowing malware scanning to be enabled.
- Improvement: Added a Wordfence Application Firewall code block for the lsapi variant of LiteSpeed.
- Improvement: Updated the bundled GeoIP database.
- Fix: Added a validation check to IP range whitelisting to avoid log warnings if they’re malformed.
- Improvement: Introduced smart scan distribution. Scan times are now distributed intelligently across servers to provide consistent server performance.
- Improvement: Introduced light-weight scan that runs frequently to perform checks that do not use any server resources.
- Improvement: If unable to successfully look up the status of an IP claiming to be Googlebot, the hit is now allowed.
- Improvement: Scan issue results for abandoned plugins and unpatched vulnerabilities include more info.
- Fix: Suppressed PHP notice with time formatting when a microtimestamp is passed.
- Fix: Improved binary data to HTML entity conversion to avoid wpdb stripping out-of-range UTF-8 sequences.
- Fix: Added better detection to SSL status, particularly for IIS.
- Fix: Fixed PHP notice in the diff renderer.
- Fix: Fixed typo in lockout alert.
- Improvement: Adjusted the password audit to use a better cryptographic padding option.
- Improvement: Improved the option value entry process for the modified files exclusion list.
- Improvement: Added rel=”noopener noreferrer” to all external links from the plugin for better interoperability with other scanners.
- Improvement: Added support to the WAF for validating URLs for future use in rules.
- Fix: Time formatting will now correctly handle :30 and :45 time zone offsets.
- Fix: Hosts using mod_lsapi will now be detected as Litespeed for WAF optimization.
- Fix: Added an option to allow automatic updates to function on Litespeed servers that have the global noabort set rather than site-local.
- Fix: Fixed a PHP notice that could occur when running a scan immediately after removing a plugin.
- Improvement: The scan will alert for plugins that have not been updated in 2+ years or have been removed from the wordpress.org directory. It will also indicate if there is a known vulnerability.
- Improvement: Added a self-check to the scan to detect if it has stalled.
- Improvement: If WordPress auto-updates while a scan is running, the scan will self-abort and reschedule itself to try again later.
- Improvement: IP-based filtering in Live Traffic can now use wildcards.
- Improvement: Updated the bundled GeoIP database.
- Improvement: Added an anti-crawler feature to the lockout page to avoid crawlers erroneously following the unlock link.
- Improvement: The live traffic “Group By” options now dynamically show the results in a more useful format depending on the option selected.
- Improvement: Improved the unknown core files check to include all extra files in core locations regardless of whether or not the “Scan images, binary, and other files as if they were executable” option is on.
- Improvement: Better wording for the whitelisting IP range error message.
- Fix: Addressed a performance issue on databases with tens of thousands of tables when trying to load the diagnostics page.
- Fix: All dashboard and activity report email times are now displayed in the time zone configured for the WordPress installation.
- Improvement: Reduction in overall memory usage and peak memory usage for the scanner.
- Improvement: Support for exporting a list of all blocked and locked out IP addresses.
- Improvement: Updated the WAF’s CA certificate bundle.
- Improvement: Updated the browscap database.
- Improvement: Suppressed the automatic HTTP referer added by WordPress for API calls to reduce overall bandwidth usage.
- Improvement: When all issues for a scan stage have been previously ignored, the results now indicate this rather than saying problems were found.
- Fix: Worked around an issue with WordPress caching to allow password audits to succeed on sites with tens of thousands of users.
- Fix: Fixed an IPv6 detection issue with one form of IPv6 address.
- Fix: An empty ignored IP list for WAF alerts no longer creates a PHP notice.
- Fix: Better detection for when to use secure cookies.
- Fix: Fixed a couple issue types that were not able to be permanently ignored.
- Fix: Adjusted the changelog link in the scan results email to work for the new wordpress.org repository.
- Fix: Fixed some broken links in the activity summary email.
- Fix: Fixed a typo in the scan summary text.
- Fix: The increased attack rate emails now correctly identify blacklist blocks.
- Fix: Fixed an issue with the dashboard where it could show the last scan failed when one has never ran.
- Fix: Brute force records are now coalesced when possible prior to sending.
- Improvement: Malware signature checking has been better optimized to improve overall speed.
- Improvement: Updated the bundled GeoIP database.
- Improvement: The memory tester now tests up to the configured scan limit rather than a fixed value.
- Improvement: Added a test to the diagnostics page that verifies permissions to the WAF config location.
- Improvement: The diagnostics page now contains a callback test for the server itself.
- Improvement: Updated the styling of dashboard notifications for better separation.
- Improvement: Added additional constants to the diagnostics page.
- Change: Wordfence now enters a read-only mode with its configuration files when run via the ‘cli’ PHP SAPI on a misconfigured web server to avoid file ownership changing.
- Change: Changed how administrator accounts are detected to compensate for managed WordPress sites that do not have the standard permissions.
- Change: The table list on the diagnostics page is now limited in length to avoid being exceedingly large on big multisite installations.
- Fix: Improved updating of WAF config values to minimize writing to disk.
- Fix: The blacklist’s blocked IP records are now correctly trimmed when expired.
- Fix: Added error suppression to the WAF attack data functions to prevent corrupt records from breaking the no-cache headers.
- Fix: Fixed some incorrect documentation links on the diagnostics page.
- Fix: Fixed a typo in a constant on the diagnostics page.
- Fix: Addressed an issue that could cause scans to time out on sites with tens of thousands of potential URLs in files, comments, and posts.
- Improvement: All URLs are now checked against the Wordfence Domain Blacklist in addition to Google’s.
- Improvement: Better page load performance for multisite installations with thousands of tables.
- Improvement: Updated the bundled GeoIP database.
- Improvement: Integrated blacklist blocking statistics into the dashboard for Premium users.
- Fix: Added locking to the automatic update process to ensure non-standard crons don’t break Wordfence.
- Fix: Fixed an activation error on multisite installations on very old WordPress versions.
- Fix: Adjusted the behavior of the blacklist toggle for Free users.
- Improvement: Optimized the malware signature scan to reduce memory usage.
- Improvement: Optimized the overall scan to make fewer network calls.
- Improvement: Running an update now automatically dismisses the corresponding scan issue if present.
- Improvement: Added a time limit to the live activity status so only current messages are shown.
- Improvement: WAF configuration files are now excluded by default from the recently modified files list in the activity report.
- Improvement: Background pausing for live activity and traffic may now be disabled.
- Improvement: Added additional WAF support to allow us to more easily address false positives.
- Improvement: Blocking pages presented by Wordfence now indicate the source and contain information to help diagnose caching problems.
- Fix: All external URLs in the tour are now https.
- Fix: Corrected a typo in the unlock email template.
- Fix: Fixed the target of a label on the options page.
- Improvement: Sites can now specify a list of trusted proxies when using X-Forwarded-For for IP resolution.
- Improvement: Added options to customize which dashboard notifications are shown.
- Improvement: Improvements to the scanner’s malware stage to avoid timing out on larger files.
- Improvement: Provided additional no-caching indicators for caches that erroneously save pages with HTTP error status codes.
- Improvement: Updated the bundled GeoIP database.
- Improvement: Optimized the country update process in the upgrade handler so it only updates changed records.
- Improvement: Added our own prefixed version of jQuery.DataTables to avoid conflicts with other plugins.
- Improvement: Changes to readme.txt and readme.md are now ignored by the scanner unless high sensitivity is on.
- Fix: Addressed an issue with multisite installations where they would execute the upgrade handler for each subsite.
- Fix: Added additional error handling to the blocked IP list to avoid outputting notices when another plugin resets the error handler.
- Fix: Made the description in the summary email for blocks resulting from the blacklist more descriptive.
- Fix: Updated the copyright date on several pages.
- Fix: Fixed incorrect wrapping of the Group by field on the live traffic page.
- Improvement: Added a path for people blocked by the IP blacklist (Premium Feature) to report false positives.
- New: Malicious IPs are now preemptively blocked by a regularly-updated blacklist. [Premium Feature]
- Improvement: Better layout and display for mobile screen sizes.
- Improvement: Dashboard chart data is now updated more frequently.
- Fix: Fixed database errors on notifications page on multisite installations.
- Fix: Fixed site URL detection for multisite installations.
- Fix: Fixed tour popup positioning on multisite.
- Fix: Increased the z-index of the AJAX error watcher alert.
- Fix: Addressed an additional way to enumerate authors with the REST JSON API.
- Improvement: Improved the WAF’s ability to inspect POST bodies.
- Improvement: Dashboard now shows up to 100 each of failed/successful logins.
- Improvement: Updated internal GeoIP database.
- Improvement: Updated internal browscap database.
- Improvement: Better documentation on Country Blocking regarding Google AdWords
- Advanced: Added constant “WORDFENCE_DISABLE_FILE_VIEWER” to prohibit file-viewing actions from Wordfence.
- Advanced: Added constant “WORDFENCE_DISABLE_LIVE_TRAFFIC” to prohibit live traffic from capturing regular site visits.
- Fix: Fixed a few links that didn’t open the correct configuration pages.
- Fix: Unknown countries in the dashboard now show “Unknown” rather than empty.
- Improvement: Locked out IPs are now enforced at the WAF level to reduce server load.
- Improvement: Added a “Show more” link to the IP block list and login attempts list.
- Improvement: Added network data for the top countries blocked list.
- Improvement: Added a notification when a premium key is installed on one site but registered for another URL.
- Improvement: Switching tabs in the various pages now updates the page title as well.
- Improvement: Various styling consistency improvements.
- Change: Separated the various blocking-related pages out from the Firewall top-level menu into “Blocking”.
- Fix: Improved compatibility with our GeoIP interface.
- Fix: The updates available notification is refreshed after updates are installed.
- Fix: The scan notification is refreshed when issues are resolved or ignored.
- Enhancement: Added Wordfence Dashboard for quick overview of security activity.
- Improvement: Simplified the UI by revamping menu structure and styling.
- Fix: Fixed minor issue with REST API user enumeration blocking.
- Fix: Fixed undefined index notices on password audit page.
- Improvement: Better reporting for failed brute force login attempts.
- Change: Reworded setting for ignored IPs in the WAF alert email.
- Change: Updated support link on scan page.
- Fix: When a key is in place on multiple sites, it’s now possible to downgrade the ones not registered for it.
- Fix: Addressed an issue where the increased attack rate emails would send repeatedly if the threshold value was missing.
- Fix: Typo fix in firewall rule 11 name.
- Improvement: Updated internal GeoIP database.
- Improvement: Better error handling when a site is unreachable publicly.
- Fix: Fixed a URL in alert emails that did not correctly detect when sent from a multisite installation.
- Fix: Addressed an issue where the scan did not alert about a new WordPress version.
- Improvement: Added support for hiding the username information revealed by the WordPress 4.7 REST API. Thanks Vladimir Smitka.
- Improvement: Added vulnerability scanning for themes.
- Improvement: Reduced memory usage by up to 90% when scanning comments.
- Improvement: Performance improvements for the dashboard widget.
- Improvement: Added progressive loading of addresses on the blocked IP list.
- Improvement: The diagnostics page now displays a config reading/writing test.
- Change: Support for the Falcon cache has been removed.
- Fix: Better messaging when the WAF rules are manually updated.
- Fix: The proxy detection check frequency has been reduced and no longer alerts if the server is unreachable.
- Fix: Adjusted the behavior of parsing the X-Forwarded-For header for better accuracy. Thanks Jason Woods.
- Fix: Typo fix on the options page.
- Fix: Scan issue for known core file now shows the correct links.
- Fix: Links in “unlock” emails now work for IPv6 and IPv4-mapped-IPv6 addresses.
- Fix: Restricted caching of responses from the Wordfence Security Network.
- Fix: Fixed a recording issue with Wordfence Security Network statistics.
- Improvement: WordPress 4.7 improvements for the Web Application Firewall.
- Improvement: Updated signatures for hash-based malware detection.
- Improvement: Automatically attempt to detect when a site is behind a proxy and has IP information in a different field.
- Improvement: Added additional contextual help links.
- Improvement: Significant performance improvement for determining the connecting IP.
- Improvement: Better messaging for two-factor recovery codes.
- Fix: Adjusted message when trying to block an IP in the whitelist.
- Fix: Error log download links now work on Windows servers.
- Fix: Avoid running out of memory when viewing very large activity logs.
- Fix: Fixed warning that could be logged when following an unlock email link.
- Fix: Tour popups on options page now scroll into view correctly.
- Improvement: Improved formatting of attack data when it contains binary characters.
- Improvement: Updated internal GeoIP database.
- Improvement: Improved the ordering of rules in the malware scan so more specific rules are checked first.
- Fix: Country blocking redirects are no longer allowed to be cached.
- Fix: Fixed an issue with 2FA on multisite where the site could report URLs with different schemes depending on the state of plugin loading.
- Fix: Fixed an issue that could occur on older WordPress versions when processing login attempts
- Improvement: Scan times for very large sites with huge numbers of files are greatly improved.
- Improvement: Added a configurable time limit for scans to help reduce overall server load and identify configuration problems.
- Improvement: Email-based logins are now covered by “Don’t let WordPress reveal valid users in login errors”.
- Improvement: Extended rate limiting support to the login page.
- Fix: Fixed a case where files in the site root with issues could have them added multiple times.
- Fix: Improved IP detection in the WAF when using an IP detection method that can have multiple values.
- Fix: Added a safety check for when the database fails to return its max_allowed_packet value.
- Fix: Added safety checks for when the configuration table migration has failed.
- Fix: Added a couple rare failed login error codes to brute force detection.
- Fix: Fixed a sequencing problem when adding detection for bot/human that led to it being called on every request.
- Fix: Suppressed errors if a file is removed between the start of a scan and later scan stages.
- Fix: Addressed a problem where the scan exclusions list was not checked correctly in some situations.
- Improvement: Reworked blocking for IP ranges, country blocking, and direct IP blocking to minimize server impact when under attack.
- Improvement: Live traffic better indicates the action taken by country blocking when it redirects a visitor.
- Improvement: Added support for finding server logs to the Diagnostics page to help with troubleshooting.
- Improvement: Whitelisted StatusCake IP addresses.
- Improvement: Updated GeoIP database.
- Improvement: Disabling Wordfence now sends an alert.
- Improvement: Improved detection for uploaded PHP content in the firewall.
- Fix: Eliminated memory-related errors resulting from the scan on sites with very large numbers of issues and low memory.
- Fix: Fixed admin page layout for sites using RTL languages.
- Fix: Reduced overhead of the dashboard widget.
- Fix: Improved performance of checking for whitelisted IPs.
- Fix: Changes to the default plugin hello.php are now detected correctly in scans.
- Fix: Fixed IPv6 warning in the dashboard widget.
- Fix: Replaced a slow query in the dashboard widget that could affect sites with very large numbers of users.
- Improvement: Now performing scanning for PHP code in all uploaded files in real-time.
- Improvement: Improved handling of bad characters and IPv6 ranges in Advanced Blocking.
- Improvement: Live traffic and scanning activity now display a paused notice when real-time updates are suspended while in the background.
- Improvement: The file system scan alerts for files flagged by antivirus software with a ‘.suspected’ extension.
- Improvement: New alert option to get notified only when logins are from a new location/device.
- Change: First phase for removing the Falcon cache in place, which will add a notice of its pending removal.
- Fix: Included country flags for Kosovo and Curaçao.
- Fix: Fixed the .htaccess directives used to hide files found by the scanner.
- Fix: Dashboard widget shows correct status for failed logins by deleted users.
- Fix: Removed duplicate issues for modified files in the scan results.
- Fix: Suppressed warning from reverse lookup on IPv6 addresses without valid DNS records.
- Fix: Fixed file inclusion error with themes lacking a 404 page.
- Fix: CSS fixes for activity report email.
- Improvement: Massive performance boost in file system scan.
- Improvement: Added low resource usage scan option for shared hosts.
- Improvement: Aggregated login attempts when checking the Wordfence Security Network for brute force attackers to reduce total requests.
- Improvement: Now displaying scan time in a more readable format rather than total seconds.
- Improvement: Added PHP7 compatible .htaccess directives to disable code execution within uploads directory.
- Fix: Added throttling to sync the WAF attack data.
- Fix: Removed unnecessary single quote in copy containing “IP’s”.
- Fix: Fixed rare, edge case where cron key does not match the key in the database.
- Fix: Fixed bug with regex matching carriage returns in the .htaccess based IP block list.
- Fix: Fixed scans failing in subdirectory sites when updating malware signatures.
- Fix: Fixed infinite loop in scan caused by symlinks.
- Fix: Remove extra slash from “File restored OK” message in scan results.
- Fix: Replaced calls to json_decode with our own implentation for hosts without the JSON extension enabled.
- Improvement: Now performing malware scanning on all uploaded files in real-time.
- Improvement: Added Web Application Firewall activity to Wordfence summary email.
- Fix: Now using 503 response code in the page displayed when an IP is locked out.
wflogsdirectory is now correctly removed on uninstall.
- Fix: Fixed recently introduced bug which caused the Whitelisted 404 URLs feature to no longer work.
- Fix: Added try/catch to uncaught exception thrown when pinging the API key.
- Improvement: Improved performance of the Live Traffic page in Firefox.
- Improvement: Updated GeoIP database.
- Improvement: Removed file-based config caching, added support for caching via WordPress’s object cache.
- Improvement: Whitelisted Uptime Robot’s IP range.
- Fix: Notify users if suPHP_ConfigPath is in their WAF setup, and prompt to update Extended Protection.
- Fix: Fixed bug with allowing logins on admin accounts that are not fully activated with invalid 2FA codes when 2FA is required for all admins.
- Fix: Removed usage of
wp_get_sites()which was deprecated in WordPress 4.6.
- Fix: Fixed PHP notice from
Undefined index: urlwith custom/premium plugins.
- Improvement: Converted the banned URLs input to a textarea.
- Improvement: Support downloading a file of 2FA recovery codes.
- Fix: Fixed PHP Notice: Undefined index: coreUnknown during scans.
- Improvement: Add note to options page that login security is necessary for 2FA to work.
- Fix: Fixed WAF false positives introduced with WordPress 4.6.
- Improvement: Update Geo IP database.
- Fix: Fixed fatal error on sites running Wordfence 6.1.11 in subdirectory and 6.1.10 or lower in parent directory.
- Fix: Added a few common files to be excluded from unknown WordPress core file scan.
- Improvement: Alert on added files to wp-admin, wp-includes.
- Improvement: 2FA is now available via any authenticator program that accepts TOTP secrets.
- Fix: Fixed bug with specific Advanced Blocking user-agent patterns causing 500 errors.
- Improvement: Plugin updates are now only a critical issue if there is a security related fix, and a warning otherwise. A link to the changelog is included.
- Fix: Added group writable permissions to Firewall’s configuration files.
- Improvement: Changed whitelist entry area to textbox on options page.
- Fix: Move flags and logo served from wordfence.com over to locally hosted files.
- Fix: Fixed issues with scan in WordPress 4.6 beta.
- Fix: Fixed bug where Firewall rules could be missing on some sites running IIS.
- Improvement: Added browser-based malware signatures for .js, .html files in the malware scan.
- Fix: Added error suppression to
- Fix: Fixed fatal error in the event wflogs is not writable.
- Fix: Using WP-CLI causes error Undefined index: SERVER_NAME.
- Improvement: Hooked up restore/delete file scan tools to Filesystem API.
- Fix: Reworked country blocking authentication check for access to XMLRPC.
- Improvement: Added option to require cellphone sign-in on all admin accounts.
- Improvement: Updated IPv6 GeoIP lite data.
- Fix: Removed suPHP_ConfigPath from WAF installation process.
- Fix: Prevent author names from being found through /wp-json/oembed.
- Improvement: Added better solutions for fixing wordfence-waf.php, .user.ini, or .htaccess in scan.
- Improvement: Added a method to view which files are currently used for WAF and to remove without reinstalling Wordfence.
- Improvement: Changed rule compilation to use atomic writes.
- Improvement: Removed security levels from Options page.
- Improvement: Added option to disable ajaxwatcher (for whitelisting only for Admins) on the front end.
- Fix: Change wfConfig::set_ser to split large objects into multiple queries.
- Fix: Fixed bug in multisite with “You do not have sufficient permissions to access this page” error after logging in.
- Improvement: Update Geo IP database.
- Fix: Fixed deadlock when NFS is used for WAF file storage, in wfWAFAttackDataStorageFileEngine::addRow().
- Fix: Added third param to http_build_query for hosts with arg_separator.output set.
- Improvement: Show admin notice if WAF blocks an admin (mainly needed for ajax requests).
- Improvement: Clarify error message “Error reading config data, configuration file could be corrupted.”
- Improvement: Added better crawler detection.
- Improvement: Add currentUserIsNot(‘administrator’) to any generic firewall rules that are not XSS based.
- Improvement: Update URLs in Wordfence for documentation about LiteSpeed and lockouts.
- Improvement: Show message on scan results when a result is caused by enabling “Scan images and binary files as if they were executable” or…
- Fix: Suppressed warning: dns_get_record(): DNS Query failed.
- Fix: Suppressed warning gzinflate() error in scan logs.
- Fix: On WAF roadblock page: Warning: urlencode() expects parameter 1 to be string, array given …
- Fix: Scheduled update for WAF rules doesn’t decrease from 7 days, to 12 hours, when upgrading to a premium account.
- Improvement: Better message for dashboard widget when no failed logins.
- Security Fix: Fixed reflected XSS vulnerability: CVSS 6.1 (Medium). Thanks Kacper Szurek.
- Fix: Fixed bug with 2FA not properly handling email address login.
- Fix: Show logins/logouts when Live Traffic is disabled.
- Fix: Fixed bug with PCRE versions < 7.0 (repeated subpattern is too long).
- Fix: Now able to delete whitelisted URL/params containing ampersands and non-UTF8 characters.
- Improvement: Reduced 2FA activation code to expire after 30 days.
- Improvement: Live Traffic now only shows verified Googlebot under Google Crawler filter for new visits.
- Improvement: Adjusted permissions on Firewall log/config files to be 0640.
- Fix: Fixed false positive from Maldet in the wfConfig table during the scan.
- Fix: WordPress language files no longer flagged as changed.
- Improvement: Accept wildcards in “Immediately block IP’s that access these URLs.”
- Fix: Fixed bug when multiple authors have published posts, /?author=N scans show an author archive page.
- Fix: Fixed issue with IPv6 mapped IPv4 addresses not being treated as IPv4.
- Improvement: Added WordPress version and various constants to Diagnostics report.
- Fix: Fixed bug with Windows users unable to save Firewall config.
- Improvement: Include option for IIS on Windows in Firewall config process, and recommend manual php.ini change only.
- Fix: Made the ‘administrator email address’ admin notice dismissable.
- Fix: Fixed potential bug with ‘stored data not found after a fork. Got type: boolean’.
- Improvement: Added bulk actions and filters to WAF whitelist table.
- Improvement: Added a check while in learning mode to verify the response is not 404 before whitelising.
- Fix: Added index to attackLogTime. wfHits trimmed on runInstall now.
- Fix: Fixed attack data sync for hosts that cannot use wp-cron.
- Improvement: Use email@example.com as the Diagnostics page default email address.
- Improvement: When WFWAF_ENABLED is set to false to disable the firewall, show this on the Firewall page.
- Fix: Prevent warnings when $_SERVER is empty.
- Fix: Bug fix for illegal string offset.
- Fix: Hooked up multibyte string functions to binary safe equivalents.
- Fix: Hooked up reverse IP lookup in Live Traffic.
- Fix: Add the user the web server (or PHP) is currently running as to Diagnostics page.
- Improvement: Pause Live Traffic after scrolling past the first entry.
- Improvement: Move “Permanently block all temporarily blocked IP addresses” button to top of blocked IP list.
- Fix: Added JSON fallback for PHP installations that don’t have JSON enabled.
- Improvement: Added dismiss button to the Wordfence WAF setup admin notice.
- Fix: Removed .htaccess and .user.ini from publicly accessible config and backup file scan.
- Fix: Removed the disallow file mods for admins created outside of WordPress.
- Fix: Fixed bug with ‘Hide WordPress version’ causing issues with reCAPTCHA.
- Improvement: Added instructions for NGINX users to restrict access to .user.ini during Firewall configuration.
- Fix: Fixed bug with multiple API calls to ‘get_known_files’.
- Fix: Fixed fatal error when using a whitelisted IPv6 range and connecting with an IPv6 address.
- Enhancement: Added Web Application Firewall
- Enhancement: Added Diagnostics page
- Enhancement: Added new scans:
- Admins created outside of WordPress
- Publicly accessible common (database or wp-config.php) backup files
- Improvement: Updated Live Traffic with filters and to include blocked requests in the feed.
- Improvement: Added help callout for compromised sites.
- Improvement: Updated local GeoIP database.
- Improvement: Updated local browser data cache to support newer browsers and user-agents.
- Enhancement: Added automatic whitelisting for Facebook crawlers.
- Improvement: Added styling to premium callouts.
- Improvement: Updated local GeoIP database.
- Improvement: Updated local browser data cache to support newer browsers and user-agents.
- Improvement: Updated local GeoIP database.
- Improvement: Updated local browser data cache to support newer browsers and user-agents.
- Security Fix: Fixed stored XSS vulnerability discovered internally (thanks to Matt Rusnak).
- Enhancement: Added additional Sucuri scanner IP to our whitelist.
- Enhancement: Added better handling of Googlebot verification.
- Fix: Fixed bug with options that are enabled by default but disabled by the user are reset to defaults.
- Fix: Added check to verify pluggable.php is included before calling wp_hash.
- Fix: Resolved issue with some admin links not using the network admin URL.
- Fix: Resolved issue with slashes not being stripped from Advanced Blocking usernames, reasons.
- Enhancement: Added ability to Block any requests from IPs matching a PTR record.
- Fix: Updated the GeoIP lib to use the wfUtils::inet_pton functions instead of the PHP default for installs that do not have IPv6 support.
- Fix: Added help link for whitelisted 404’s entry on options page.
- Fix: Automatically exclude files that crash the scan.
- Fix: Clear the wfHoover database table after scan is killed.
- Enhancement: Added notice about false positives when running a scan with HIGH SENSITIVITY enabled.
- Fix: Removed WordPress version from style and script loaders. Hid the readme.html.
- Fix: Alert email for “lost password” did not send when the user used their username.
- Enhancement: Exclude zip files from scans by default, and add that as option under ‘Scan image and binary files’.
- Fix: Fixed edge case where .htaccess became garbled when using Falcon cache.
- Fix: Resolved issue where 301 redirects count as 404s with throttling applied.
- Fix: Fixed Falcon .htaccess code writing to .htaccess when ‘Immediately block IP’s that access these URLs’ option is modified.
- Fix: Fixed issue where filtering posts by author in wp-admin no longer works due to change in /?author=N scan prevention logic.
- Fix: Fixed issue in Live Traffic where 404s display as 200s.
- Fix: Resolved issue with throttling logins via XMLRPC are not applied.
- Fix: Resolved issue with some variations of author=N scans not being caught. Thanks James Golovich.
- Fix: Updated typo in author=N option.
- Fix: Resolved issue with Falcon not writing to .htaccess with WP installed in subdirectory.
- Fix: Added width to logo in activity report email.
- Fix: Resolved issue with Live Traffic endpoint in cases where WordPress is installed into a subdirectory.
- Improvement: Optimized database query with in unlocking user email routine.
- Improvement: Moved firewall logic into ‘wp_loaded’ hook.
- Fix: Resolved issue with GoogleBot being erroneously flagged as human in Live Traffic.
- Fix: Added better handling of human/bot detection.
- Improvement: Verified humans are flagged via cookie to prevent false positives.
- Fix: Live Traffic endpoint moved to site root to prevent issues with GoogleBot.
- Improvement: Updated local GeoIP database.
- Improvement: Updated local browser data cache to support newer browsers and user-agents.
- Improvement: Added option to exclude URLs from 404 throttling, and included some common 404s.
- Improvement: Added new branded logos.
- Fix: Fixed bug with live traffic ajax call being indexed by Google.
- Improvement: Updated local GeoIP database to July version.
- Improvement: Updated local browser data cache to support newer browsers and user-agents.
- Fix: Hooked up network ranges in CIDR format (192.168.0.0/16) in Whois to support data coming back from whois that includes CIDR network format.
- Fix: Fixed 2 PHP notices in wfUtils.
- Improvement: Removed locked out IPs from locked out list when permanently blocking all locked out IPs.
- Improvement: Added admin-configured blocked IPs and blocked network ranges to import/export.
- Fix: Fixed PHP warnings in activity report where an array is not returned.
- Fix: Fixed PHP notice in IP spam check portion of scan.
- Fix: Fixed bug in Live Traffic where v5 style blocked ranges generated PHP warning breaking the JSON response.
- Fix: Fixed invalid date bug in Live Traffic: Top Consumers and Top 404s.
- Fix: Fixed edge case bug with author=N scans redirecting to author archives page.
- Improvement: Added the local time stamp to ‘time since’ labels in Live Traffic and Blocked IPs pages.
- Improvement: Added a check to prompt the admin to download a backup copy of the wp-config.php in the event it’s flagged as containing malware.
- Improvement: Added option in Live Traffic to remove a blocked network range defined in Advanced Blocking in the Live Traffic feed for IPs within that range.
- Improvement: Added option to permanently block all IPs that are currently temporarily blocked or locked out from the Blocked IPs page.
- Improvement: Updated local GeoIP database.
- Fix: Fixed double forward slash in file path in the ‘View the File’ action of malicious code scan.
- Fix: Fixed notice in block IP JSON callback.
- Fix: Fixed bug with Top 5 Logins displaying all failed logins opposed to timeframe set by email frequency.
- Fix: Fixed bug with /?author=N scan protection not working for authors with no published posts.
- Improvement: Fixed Wordfence logo width in dashboard widget on smaller screens.
- Improvement: Added country names to flag icons in widget dashboard.
- Improvement: Updated issues email to use WordPress’ charset instead of ISO-8859-1.
- Improvement: Added check to see if premium API key is set to auto-renew and send email reminder prior to renewal.
- Improvement: Updated to API version 2.17.
- Improvement: Changed auto-renew reminder email to go out 10 days before renewal, 12 days before expiration.
- Improvement: Handled uncaught exception when noc1 is not available in 2FA.
- Improvement: Fixed issue with limit-logins mu-plugin on GoDaddy counting first login attempt in 2FA against total allowed login attempts.
- Fix: Fixed bug with IPs not resolving to countries when printable IP passed to logBlockedIP.
- Fix: Fixed issue with free users country blocking redirects working after downgrade.
- Fix: Encoded URL field in country blocking options.
- Fix: Added a check to verify field has not already been altered prior to calling ALTER in runInstall.
- Fix: Fixed issue with scan_options method being called after method has been removed.
- Fix: Fixed bug in scan when dns_get_record fails and error condition was not handled.
- Fix: Fixed PHP notice when ‘Crawler’ not included in browser pcap result.
- Fix: Removed anonymous function to ensure PHP 5.2 compatability.
- Improvement: Added option to disable SSL verification for hosts that have outdated versions cURL.
- Improvement: Added default of 127.0.0.1 when $_SERVER[‘REMOTE_ADDR’] is not set. Helps if you’re running WordPress cron from Linux cron.
- Improvement: Added compatability with Godaddy’s MU (must use) limit login plugin and our two factor. Change makes sure you can see the message from Wordfence to enter your cellphone code.
- Improvement: Added direction: ltr; to admin pages.
- Improvement: Added focus/blur events to scan activity log ajax to improve server performance.
- Improvement: Merged wp_option charset and database vulnerability scans to improve performance and make UI more intuitive.
- Improvement: Opened ‘See recent traffic’ in a new window from the Live Traffic page.
- Improvement: Updated browser pcap cache file for compatibility with detecting newer Firefox browsers.
- Fix: Fixed bug in directories excluded from scans (escaped directory separator).
- Fix: Updated known files and outdated plugins/themes to use wp_get_themes.
- Fix: Fixed bug with wfScanEngine where scans forked between scan_database_main and scan_database_finish would not display results of database scan.
- Fix: Added return false; to wfScan::error_handler to allow default error handler to process error.
- Fix: Fixed notice with wfUserIPRange::isValidIPv4Range.
- Fix: Fixed bug with ‘Allow HTTPS pages to be cached’ setting being unset after saving options.
- Fix: Fixed a couple of typos and spelling.
- Fix: Fixed errors upon plugin activation where wfConfig was queried before it was created.
- Fix: Fixed issue with notices from serializing wordfenceDBScanner and private properties belonging to parent class.
- Fix: Fix for hosts that don’t have IPv6 compiled into PHP (which is rare) we not manually define certain functions.
- Fix: Fixed an issue with the schema not updating when customers migrate to IPv6 schema to store IP’s.
- Improvement: Added additional safety checks during the schema update.
- Feature: IPv6 fully supported. This includes whois, range blocking, IPv6 city lookup in live traffic, country blocking and all other security functions. See www.wordfence.com/blog/ for more info.
- Feature: New scanning routine examines the wp_options table for executable code based on a new infection we are seeing that is well hidden.
- Improvement: Prevent Googlebot from being blocked if user has configured a banned URL and Google tries to crawl it.
- Improvement: Improved detection for additional Google crawlers especially if an IP PTR resolves to a .googlebot.com domain.
- Fix: Fixed bug with https:// URLs not allowed in country blocking.
- Fix: Fixed typos.
- Fix: Wordfence no longer can appear on sub-sites on multi-site installs, only on the network admin panel.
- Fix: Wordfence dashboard widget only can appear on network admin dashboard in multi-site installs.
- Fix: No more multiple scheduled scans on multi-site.
- Fix: Fixed mixed-protocol warning if you’re using SSL and Wordfence – our static assets are loaded without specifying protocol now.
- Fix: Fixed issue where non-existent users were shown in dashboard widget and email summary as valid users.
- Fix: Removed /e modifier in preg_replace for Diff_Renderer_Html_Array::formatLines since it is deprecated in PHP 5.5.
- Fix: Removed ssl_verify => false from wp_remote_post connectivity test since some versions of cURL will throw an error since WordPress uses their own certificate bundle.
- Fix: Fixed bug with activity report email date range (was one week ahead).
- Fix: Removed email summary report from cron on deactivation.
- Fix: Fixed an off-by-one bug in wfDirectoryIterator for maximum total files and max files per directory.
- Fix: Updated our browser data to fix an issue that caused newer browsers to appear in live traffic with version 0.0.
- Improvement: Updated the country database used for country blocking to April 2015 version.
- Improvement: Added an additional check for disabling script execution in the uploads directory that the .htaccess file actually contains our protection code before removing it.
- Improvement: Paused Live Traffic ajax request when the window/document loses focus to reduce server load.
- Improvement: Better error handling when making API calls to noc1 to help our support personell help you.
- Improvement: Added locked out IP’s and IP’s restricted through advanced blocking to the blocked IP log for dashboard and email summary.
- Improvement: Excluded whitelisted IP’s from dashboard and widget email summary.
- Fix: Dasboard widget no longer appearing for all users.
- Fix: Removed .htaccess file the previous release created in wfcache directory that caused problems.
- Premium Feature: Password Auditing. Audit the strength of your admin and user-level passwords against our GPU based auditing cluster. Easily alert users to weak passwords or force a password change.
- Feature: Activity email summary. See options page to enable a weekly, bi-weekly or monthly activity summary.
- Feature: Activity summary dashboard widget.
- Fix: Fixed bug on plugin activation where the configuration table was being queried before it was created.
- Improvement: Added .htaccess to wfcache directory.
- Improvement: Switched to using wp_remote_post for Wordfence cloud API calls to improved SSL support and a more standards based approach.
- Customers running WP versions older than 3.9 don’t support wp_normalize_path(). Added support for older WP versions to fix an error being thrown.
- Improvement: Updated country blocking database to the newest version (March 2015)
- Improvement: Added detection for many new samples we received (thanks all!) including a nasty polymorphic infection.
- Fix: Changed the way we find the plugin directory to fix a possible issue that would cause alerts to return blank plugin names.
- Fix: Improved Nginx detection so that we don’t accidentally detect Nginx if you’re running Apache.
- Feature: You can now block POST requests to your WordPress site that have an empty User-Agent and Referer header. This is a common pattern among badly written brute force bots.
- Feature: Added cron viewer at bottom of Wordfence options page. The plugin we were using to help diagnose customer issues is broken. Use this instead.
- Feature: Added DB table viewer at bottom of Wordfence options page. This is a read-only utility to view table names and detailed status. Also for customer diagnostic purposes.
- Improvement: Code cleanup after in-depth code analysis. Removed unused functions and variables and re-indented selected code.
- Fix: Fixed issue that appeared after last release where raw HTML tags were appearing in email alerts.
- Fix: Tour behaved inconsistently under some conditions. Fixed.
- Fix: Mismatched HTML tags in some presentation code. Fixed.
- Fix: When fetching theme list the interator had the same name as the array. Fixed.
- Fix: Detection for malware URLs in comments had a partial description in the issue. Was being overwritten when it should have been appended. Fixed.
- Fix: Check if dns_get_record() exists before using it to avoid warnings.
- Fix: If you have the wordfence security network disabled, the _wfVulnScanners table may have grown indefinitely. Fixed so it’s regularly truncated.
- Fix: wordfence::getLog() was private and should be public. Fixed.
- Fix: Removed warning about _wfsf not being an element of GET params. Usually hidden, but in case something checks error_get_last()
- Update: Upgraded the geoIP country database to Jan 2015 version.
- Improvement: Added an option to disable execution of PHP code in the uploads directory as an added level of protection. Under “Other Options” on the Wordfence options page.
- Improvement: We now email you any malware URLs encountered and they won’t be filtered by your spam filter because the URL is included in the alert email as an image.
- Fix: Fixed an issue that would cause multiple scans to be scheduled if the plugin was disabled and then reenabled.
- Fix: The name of malicious files detected are now included in the alert email sent containing the issues.
- Changed FAQ link when locked out and email unlock doesn’t work to correct link.
- Falcon cache now creates files as mode 0644 for improved security.
- Updated GeoIP database to December 2014 version.
- Security fix. Thanks Matt Barry.
- Changed what we consider to be private addresses to a smaller range of addresses. See current range at: http://docs.wordfence.com/en/How_Wordfence_handles_Private_Addresses
- Fixed a warning about an undefined value which appeared after we added referer blocking in 5.3.2.
- Feature: Advanced blocking now includes referer blocking. i.e. you can block visitors arriving from certain websites or pretending to. See updated http://docs.wordfence.com/en/Advanced_Blocking
- Feature: Developers, you can now ask Wordfence to whitelist your server IP by calling wordfence::whitelistIP(). See http://docs.wordfence.com/en/WhitelistIP
- IP to Country database updated to November 4th 2014 version.
- Options export and import now also exports Country Blocking and Scan Schedule configuration.
- Scans fully documented at docs.wordfence.com. Link on ‘Scan’ page under heading.
- Live Traffic fully documented at docs.wordfence.com. Link on Live Traffic page.
- Falcon Engine/Wordfence Caching fully documented. Link on Performance Setup page.
- Blocked IPs, locking and throttling fully documented. Link on Blocked IPs page.
- Cellphone Sign-in fully documented. Link under title on Cellphone sign-in page.
- Country blocking fully documented. Link on Country blocking page.
- Scan Scheduling fully documented. Link on Scan Scheduling page under title.
- Whois and Advanced Blocking documented including how Live Traffic, Whois and Advanced blocking work together.
- Removed unnecessary text from several menu items and moved into official docs where needed.
- Added ability to export Wordfence settings and reimport on one or many sites using secure token.
- Added API function to programatically import Wordfence settings from another WordPress site.
- Upgraded to Wordfence API version 2.14.
- Detailed documentation for all options on the Wordfence options page. Launching docs.wordfence.com wiki.
- Fixed server-side issue where diff’ing certain files would give a blank page or an API error.
- Removed now unused whois library because we’re now using Wordfence API server to get around whois port blocking.
- Fixed issue that would cause infected files with identical content to only have the first file found show up in scans and the rest would not appear.
- Whois queries now go via our own server as a workaround for hosting providers who block your web server’s access to port 43 preventing you from making a direct whois query.
- Fixed issue that caused litespeed users to receive multiple warnings about the noabort issue.
- Added detection for 5 new malware variants. Thanks to Dave M. and others for the samples. Keep them coming folks!
- Updated Wordfence server API to version 2.12.
- Added facility at bottom of Wordfence options page to send a test email from your WordPress system to check if email sending is working.
- Suppress LOCK_EX flock() warnings in falcon engine that were being generated by sites that use NFS and don’t support flock() or reliable file locking.
- Updated to the October 2014 version of the Geo IP country DB. (newest edition)
- Fixed bug that caused country blocking and redirecting to an external URL to not work if the external URL’s relative path matched the current page’s relative path.
- Made it clear that country blocking URL’s require absolute URL’s.
- Security release. Update immediately. Thanks to Julio Potier.
- Code hardening including improved sanitization and an additional nonce for unlock email form. Special thanks to Ryan Satterfield for the hard work.
- Stability of auto-update improved for LiteSpeed customers. We auto-detect if you don’t have E=noabort:1 in your .htaccess and give you instructions.
- Auto-update also disabled now for LiteSpeed customers who don’t have E=noabort:1 and you will get an email alert with an explanation.
- Fixed a bug that may cause you to have advanced blocking patterns disabled with falcon engine enabled that should not be disabled.
- Removed a benign warning in wfCache.php.
- Added clarity to the banned URL option on the options page. All URL’s must be relative.
- Added a primary key to the wp_wfStatus table which is required for certain incremental backup plugins and utilities.
- Fixed advanced country blocking which was not correctly displaying advanced options.
- Migrated to using wp_kses() for sanitization.
- Prevent IP spoofing in default Wordfence IP configuration.
- Change explanations of how Wordfence gets IP’s to make it clear which to use to prevent spoofing.
- Make it clear that the option to have IP’s immediately blocked when they access a URL requires relative URL’s starting with a forward slash.
- Whitelist Sucuri’s scanning IP addresses which were getting blocked because they triggered Wordfence blocking during a scan.
- Improved Wordfence’s code that acquires the visitor IP to block certain spoofing attacks, be more platform agnostic and deal with visits from private IP’s more elegantly.
- Security release. Upgrade immediately.
- This release fixes an XSS vunlerability on Wordfence “view all traffic from IP” page.
- Also fixes a hard to exploit XSS which exists if you have your site as the default site on your web server, falcon enabled and debugging comments enabled.
- Improves Revolution Slider proteciton.
- Fixed bypass for fake googlebot blocking.
- Updated Geo IP country database to newest version (September 2014 edition)
- Security fix. Improved referrer sanitization in live traffic.
- Changed scan success messaging for clarity.
- Fixed minor bug in IP validation which manifested when users use IPv6 to IPv4 translation which produces 255.x.x.x addrs.
- Protection from the Slider Revolution Plugin arbitrary file download vulnerability announced today. Attempts to download any .php file including wp-config.php are denied.
- Changed the Wordfence Memory config option’s label to make it clearer what the option does.
- Moved screenshots out of plugin distro directory to reduce plugin payload size.
- Fix: Users with large lists of blocked IP’s (over 2,100) would receive a browser error “Uncaught RangeError: Maximum call stack size exceeded”. Fixed.
- Improvement: Added detection for FOPO obfuscation often used by hackers to obfuscate PHP code. Will detect a range of newer infections. (Server-side code change)
- Fix: Crawler triggering update cron job threw error about show_message() being redeclared at end of update. Fixed.
- Fix: Live traffic cities were incorrect and did not match country blocking block effects under certain conditions. Fixed.
- Fix: If a site database contained a table with dashes in the table name, we would throw an error at the end of every scan. Fixed.
- Improvement: Upgraded country DB to newest version.
- Improvement: Changed live traffic geo location caching to be 24 hours instead of a week so that geo DB updates for live traffic on our servers take effect sooner.
- Improvement: Ignoring .sql files in scans which are usually backups and contain many false positives, unless high sensitivity scanning is enabled.
- Fix: Option to disable config caching. You can find this new option at the bottom of the Wordfence options page.
- Note: If you are seeing the “cron key does not match the saved key” error, check the box to disable config caching at the bottom of the Wordfence options page, save and this will fix it.
- Note: If you are trying to save your Wordfence options and the options keep reverting, enable the “disable config caching” at the bottom of your Wordfence options page, save and this will fix it.
- Improvement: Wordfence now supports websites behind proxy servers when communicating with the Wordfence API servers.
- Fix: Removed old image files that were unused.
- Feature: Country blocking now lets you block login page OR rest of site or any combination. So you can now block the login page only for example.
- Improvement: Upgraded the country blocking database to the newest version which is July 2014.
- Improvement: Improved server-side performance for Wordfence scanning.
- Improvement: Offer the option to keep Wordfence up-to-date automatically.
- Improvement: If file contains malicious code, include filename in email alert summary info.
- Fix: Removed strings in readme.txt that were causing false positives in hosts own scanning software.
- Fix: Prevent lockout email alerts being sent for blank usernames.
- Fix: Bing crawler was being misidentified as human. Fixed.
- Fix: Escaping HTML on whois records. Thanks Nikhil Srivastava, TechDefencelabs (http://techdefencelabs.com)
- Feature: Auto updates for Wordfence! This is a much-requested feature by our power admin’s. Enable the “Update Wordfence automatically when a new version is released” option on the Wordfence options page.
- Fix: Security fix. Thanks to Narendra Bhati from Suma Soft.
- Feature: You can now specify one or more URL’s that if accessed will cause the IP to immediately be blocked. See below “Other Options” for the new feature.
- Improvement: Added additional debugging info when cron key does not match saved key to help diagnose any problems.
- Improvement: New Issues email now contains site URL rather than just hostname to help identify subdirectory sites.
- Improvement: Upgraded the country blocking database to the newest version which is June 2014.
- Fix: Some browser versions were being reported as 0.0. Updated browser detection.
- Improvement: WooCommerce now officially supported out of the box.
- Feature: Added the wordfence:doNotCache() function that you can call in your themes and plugins to prevent caching of items.
- Fix: Fixed the warning appearing in lib/wfUtils.php about a scalar being treated as an array which appeared in 5.0.9.
- Fix: Failed logins were not being logged for non-existent usernames that were set to immediatelly block. Fixed.
- Fix: Removed several warnings/notices that would appear when WP_DEBUG is enabled.
- Fix: Added default character set to .htaccess which fixes garbled international characters being served from cache on sites with no default apache charset.
- Feature: (Premium) Advanced Comment Spam Filter. Checks comment source IP, author URL and hosts and IP’s in body against additional spam lists.
- Feature: (Premium) Check if your site is being Spamvertised i.e. your domain is being included in spam emails. Usually indicates you’ve been hacked.
- Feature: (Premium) Check if your website IP is generating spam. Checks against spam lists if your IP is a known source of spam.
- Improvement: Cache clearing errors are nown shown with clear explanations.
- Improvement: Added lightweight stats logging internally in preparation for displaying them on the admin UI in the next release.
- Fix: If a non-existent user tries to sign in it is not logged in the live logins tab. Fixed.
- Fix: Removed warning “Trying to get property of non-object” that would occur under certain conditions.
- Fix: Removed call to is_404() which was not having any effect and would issue a warning if debug mode is enabled.
- Fix: Check if CURL is installed as part of connectivity test.
- Feature: Support for Jetpack Mobile Theme in Falcon Caching engine. Regular pages are cached, mobile pages are served direct to browser.
- Improvement: Pages that are less than 1000 bytes will not be cached. The avg web page size in 2014 is 1246,000 bytes. Anything less than 1000 bytes is usually an error.
- Improvement: Wordfence will now request 128M on hosts instead of 64M where memory in php.ini is set too low.
- Fix: Wordfence was caching 404’s under certain conditions. Fixed.
- Fix: Nginx/FastCGI users would sometimes receive an error about not being able to edit .htaccess. Fixed.
- Feature: Immediately block IP if hacker tries any of the following usernames. (Comma separated list that you can specify on the Wordfence options page)
- Feature: Exclude exact URL’s from caching. Specifically, this allows you to exclude the home page which was not possible before.
- Feature: Exclude browsers or partial browser matches and specific cookies from caching.
- Fix: Fixed issue where /.. dirs would be included in certain scandir operations.
- Fix: logHuman function was not analyzing user-agent strings correctly which would allow some crawlers that execute JS to be logged as humans.
- Fix: Removed ob_end_clean warnings about empty buffers when a human is being logged.
- Fix: Removed warning in lib/wfCache.php caused by unset $_SERVER[‘QUERY_STRING’] when we check it.
- Fix: Fixed “logged out as ”” blank username logout messages.
- Fix: Improved security of config cache by adding a PHP header to file that we strip. Already secure because we have a .htaccess denying access, but more is better.
- Fix: Falcon Engine option to clear Falcon cache when a post scheduled to be published in future is published.
- Fix: Fixed Heartbleed scans hanging.
- Feature: Prevent discovery of usernames through ‘?/author=N’ scans. New option under login security which you can enable.
- Fix: Introduced new global hash whitelist on our servers that drastically reduces false positives in all scans especially theme and plugin scans.
- Fix: Fixed issue that corrupted .htaccess because stat cache would store file size and cause filesize() to report incorrect size when reading/writing .htaccess.
- Fix: Fixed LiteSpeed issue where Falcon Engine would not serve cached pages under LiteSpeed and LiteSpeed warned about unknown server variable in .htaccess.
- Fix: Fixed issue where Wordfence Security Network won’t block known bad IP after first login attempt if “Don’t let WordPress reveal valid users in login errors” option is not enabled.
- Fix: Sites installed under a directory would sometimes see Falcon not serving cached docs.
- Fix: If you are a premium customer and you have 2FA enabled and your key expires, fixed issue that may have caused you to get locked out.
- Improvement: If your Premium API key now expires, we simply downgrade you to free scanning and continue rather than disabling Wordfence.
- Improvement: Email warnings a few days before your Premium key expires so you have a chance to upgrade for uninterrupted service.
- Fix: Removed mysql_real_escape_string because it’s deprecated. Using WP’s internal escape.
- Fix: Wordfence issues list would be deleted halfway through scan under certain conditions.
- Fix: Connection tester would generate php error under certain conditions.
- Feature: We now scan for the infamous heartbleed openssl vulnerability using a non-intrusive scan method safe for production servers.
- Improvement: We now check if .htaccess is writable and if not we give you rules to manually enable Falcon.
- Improvement: Once Falcon is enabled, if we can’t write to .htaccess, we fall back to PHP based IP blocking.
- Feature: You can now clear pages and posts from the cache on the list-posts page under each item or on their edit pages next to the Update button.
- Fix: We now support sites who use a root URI but store their files and .htaccess in a subdirectory of the web root.
- Fix: Changed the extension of the backup .htaccess to be .txt to avoid anti-virus software alerting on a download with .com extension. [Props to Scott N. for catching this]
- Removed ability to disable XML-RPC. The feature broke many mobile apps and other remote services.
- Fix: Issue that caused users running WordPress in debug mode to see a is_404 warning message.
- Fix: Issue that caused Call to undefined function wp_get_current_user warning.
- Fix: Issue that caused caching to not work on sites using subdirectories.
- Fix: Issue that caused SQL errors to periodically appear about wfPerfLog table.
- Fix: Issue that caused warnings about array elements not being declared.
- To see a video introduction of Falcon Engine included with Wordfence 5, please watch this video
- SUMMARY: This is a major release which includes Falcon Engine which provides the fastest WordPress caching available today. It also includes many other improvements and fixes. Upgrade immediatelly to get a massive performance boost for your site, many new features and fixes.
- Feature: Falcon Engine provides the fastest caching algorithm for WordPress. Get up to a 50x site speedup now when you use Wordfence.
- Feature: PHP based caching as an alternative to Falcon.
- Feature: IP, browser and IP range blocking is now done using .htaccess if Falcon Engine is enabled providing a big performance boost.
- Feature: Falcon and PHP caching includes ability to exclude URL patterns from cache along with cache management.
- Feature: Disable XML-RPC in WordPress to prevent your site from being used as a drone in a DDoS attack.
- Feature: Option to disable Wordfence cookies from being sent.
- Feature: Option to start all scans using the remote start-scan option. This may fix some customers who can’t start scans.
- Feature: Falcon Engine includes the ability to block IP ranges using .htaccess. We take your ranges and convert them into CIDR compatible .htaccess lines that very efficiently block the ranges you’ve specified. Another great performance improvement.
- Feature: If user disables permalinks we automatically disable Falcon Engine caching.
- Feature: Before you enable Falcon Engine we make you download a backup of your .htaccess file just in case.
- Improvement: Real-time traffic monitoring loads asynchronously to provide a faster user experience.
- Improvement: All Wordfence configuration variables are now cached on disk rather than repeatedly looked up on the database providing a big performance improvement.
- Improvement: Updated browser detection algorithms for new browsers.
- Improvement: Updated country GeoIP database to the April edition.
- Improvement: Improved performance by only loading routines required for logged in users if they have a login cookie. No DB lookup required.
- Improvement: Added on-off switches to top of live traffic to make it easy to turn on/off.
- Improvement: Removed marketing message from Wordfence email alerts.
- Improvement: Added ability to exclude files from scan that match patterns. Multiple excludes using wildcards allowed.
- Improvement: Improved performance by moving all actions that would only be used by a logged in user to be set up using add_action if the user actually has a login cookie.
- Fix: Added a throttle to prevent identical email alerts being sent repeatedly.
- Fix: Changed order of IP blocking and alerting code to prevent multiple email alerts being sent in a race condition.
- Fix: Cleaned up legacy code including removing all array_push statements.
- Fix: Added try/catch block to fileTooBig() function when we encounter files that we can’t seek on and that throw an IO error to prevent scans from crashing.
- Fix: Resolved issue that may have caused wfhits table to grow continuously on some sites.
- Fix: Ensured that runInstall() isn’t called multiple times.
- Fix: Moved register_activation_hook to only be called if the user has a login cookie and has a likelihood of being actually logged in as admin. Performance improvement.
- Fix: Added doEarlyAccessLogging routine to move logging before caching so we can have both.
- Fix: Removed the “update LOW_PRIORITY” sql statement when updating wfHits which was intended to speed up MySQL performance but may have actually caused queries to queue up and slow things down.
- Fix: Whitelisted IP’s are no longer put through two factor authentication as one would expect.
- Fix: Changed our wp_enqueue_script calls to add a ‘wf’ prefix to our script names so that another plugin doesn’t cause our scripts to not load.
- Fix: Removed code that would cause all alerts to be turned on for some users under certain conditions.
- Fix: Automatically excluding backup files and log files from URL scans to reduce false positives on referring URLs in logs and backups.
- Improvement: Added “high sensitivity” scanning which catches evals with other bad functions but may give false positives. Not enabled by default.
- Fix: Removed code that caused error message during scan initialization.
- Fix: IP to number conversation code had a problem with IP’s with a single 0 in them. Bug was introduced in 4.0.2.
- Fix: Very fast attacks would generate a lot of email alerts due to race condition. Fixed.
- Feature: Ability to bulk repair or delete files when cleaning a site.
- Feature: You can now limit the number of emails per hour that Wordfence sends.
- Feature: You can now scan image files as if they are executables when cleaning a site. See the option under scanning options.
- Feature: New connectivity test for wp_remote_post to our servers.
- Feature: New detection for backdoors that were previously missed in scans.
- Improvement: Added a link to the Wordfence admin URL for a site when an email alert is received.
- Improvement: Removed “buy premium” message from the alert emails which was causing confusion and irritation.
- Improvement: Improved private address detection by making it faster and adding all private subnets, not just RFC1918 nets.
- Improvement: Switched to wp_remote_get for triggering scans instead of wp_remote_post()
- Improvement: Added some more verbose debugging for scan starts when in debug mode.
- Improvement: No longer include private addresses when checking malware URL’s and scanning IP’s.
- Improvement: Added code to disable Wordfence if WordPress is installing.
- Fix: Text change because not all “scan” buttons are blue.
- Fix: Removed URL from wfBrowscapCache.php which was causing false positives during scans.
- Fix: Fixed SQL bug that triggered when we logged a vulnerability scan.
- Fix: IP range blocks where a digit is preceded by a ‘0’ char will no longer generate an error.
- Fix: The getIP() routine will no longer use the IP closest to a visitor in network topology if that IP is a private address and behind a proxy.
- Real-time WordPress Security Network Launched.
- If another site is attacked and blocks the attacker, your site also blocks the attacker. Shared data among Wordfence sites.
- See our home page on www.wordfence.com for a live map of attacks being blocked. Then blog about us!!
- Fixed bug where wfBrowscapCache.php is reported as malicious.
- Big improvement in scanning speed and efficiency of URL’s and IP addresses.
- Fixed preg_replace() warning by using newer preg_replace_callback() func.
- Fixed issue that caused Wordfence security to not log 404’s.
- Made 404’s more visible on the live traffic page.
- Fixed panel width that was too narrow for WP 3.8 on live traffic and issues pages.
- Report hack attempts to Wordfence Security scanning server for DDoS protection.
- Remind admin if security alert email is blank and tour is closed.
- Updated links to new Wordfence Security support website at support.wordfence.com.
- Made Wordfence Security paid-users-only message a little more user friendly.
- Fix: Fixed issue that caused certain Wordfence Security login functions to not work. Was a PHP 5.4 vs older version incompatability issue.
- Updated GeoIP location database to new version for country blocking.
- Fix: Resolved issue that caused the Issues that Wordfence Security found to not be displayed in some cases.
- Updated Wordfence Security to WordPress 3.8 Compatability.
- Fix: We now truncate the wfHoover table after scans to save disk space on servers with huge numbers of URLs in files.
- Fix: isStrongPasswd function was being called statically but not declared as static.
- Fix: Improved error reporting when we can’t connect to Wordfence Security API servers.
- Fix: Fixed code that was causing an error log warning when we read the requested URL.
- Fix: Disable and clear cellphone sign-in if you downgrade to free from paid to prevent lockouts.
- Fixed issue that caused cellphone sign-in to not work with PHP version 5.4 or greater.
- Fixed conflict with other plugins that also use the Whois PHP library.
- Fixed an unsanitized user-agent string.
- Added new malware signatures for string rot13 heuristics.
- Updated compatibility to 3.7.
- Fixed issue that caused scheduled scans to run even if disabled.
- Fixed display bug when signin fails.
- Fixed issue that caused Human traffic to not be logged in Wordfence Security live traffic view.
- Removed Wordfence Security .htaccess because it doesn’t offer any security functionality and increases incompatibility.
- Fixed spelling errors.
- Added check to see if HTTP_USER_AGENT server variable is defined before using it to suppress large number of warnings on some sites.
- Changed the way we call admin_url to the correct syntax.
- Correctly escaped HTML on error messages.
- Fixed issue that generated non-compliant query string.
- Updated GeoIP database to newest version.
- Updated GeoIP database for country blocking security.
- Fixed bug in Wordfence Security where we called reverseLookup in wfUtils statically and it’s a non-static method. Thanks Juliette.
- Removed characters that are invalid in an IP address or domain from the Whois facility to improve security.
- Prevent users from creating 1 character passwords to improve security.
- Fixed issue that caused an invalid variable to be used in an error message and improved Wordfence Security temporary file implementation for get_ser/ser_ser functions. Thanks R.P.
- Fixed issue that caused IP to output as integer in status msg. Not security related but display issue.
- Declared Wordfence Security reverseLookup function as static to remove warning.
- Fixed returnARr syntax error in Wordfence Security class.
- Note, there is no Wordfence Security version 3.8.2.
- Added Cellphone Sign-in (Two Factor Authentication) for paid Wordfence Security members. Stop brute-force attacks permanently! See new “Cellphone Sign-in” menu option.
- Added ability to enforce strong passwords using Wordfence Security when accounts are created or users change their password. See Wordfence Security ‘options’ page under ‘Login Security Options’.
- Added new backdoor/malware signatures to Wordfence Security scanning including detection for spamming scripts, youtube spam scripts and a new attack shell.
- Fixed issue: Under some conditions, files not part of core or a known theme or plugin would be excluded from a Wordfence Security scan.
- Fixes from Juliette R. F. Remove warnings for unset variables. Fix options ‘save’ spinner spinning infinitely on some platforms. Removed redundant error handling code in Wordfence Security.
- Added ability to downgrade a paid Wordfence Security license to free.
- Fixed issue that caused locked out IP’s to not appear, or to appear with incorrect “locked out until” time.
- Moved global firewall, login security and live traffic options to top of options page.
- Made it clear that if you have Wordfence Security firewall disabled, IP’s won’t be blocked, country blocking won’t work and advanced blocking won’t work with warnings on each page.
- Fixed JS error in Wordfence Security that occurs occasionally when users are viewing Wordfence Security activity log in real-time.
- New Feature: Prevent users registering ‘admin’ username if it doesn’t exist to improve security. Recommended if you’ve deleted ‘admin’. Enable on ‘options’ page.
- Check if Wordfence Security GeoIP library is already declared for all functions. Fixes Fatal error: Cannot redeclare geoip_country_code_by_name.
- Fixed a Wordfence Security compatibility issue with sites and hosts using Varnish front-end cache to ensure legit users don’t get blocked. Added two HTTP no-cache and Expires headers.
- Fixed bug when using Wordfence Security Advanced User-Agent blocking with certain patterns this would appear: Warning: preg_match() [function.preg-match]: Unknown modifier
- Vastly improved speed of Wordfence Security Advanced User-Agent blocking security feature. No longer using regex but still support wildcards using fnmatch()
- We now support usernames with spaces in the list of users to ignore in the live traffic config on ‘options’ page.
- Improved language in status messages to avoid confusion. Changed “unrecognized files” to “additional files” to describe non-core/theme/plugin files.
- Fixed bug in Wordfence Security that caused IP range blocking to not block.
- Fixed bug that caused unblocking a permanently blocked IP to work, but not refresh the list.
- Added usernames to the email you receive when a user is locked out.
- Added a few more status messages for Wordfence Security URL malware scanning.
- Removed the sockets function call from connection testing because some hosts don’t allow calls to socket_create()
- Added detection in the Wordfence Security Whois page to check if the server has the fsockopen() function available with helpful message if it’s disabled.
- Whitelisted IP’s now override Wordfence Security country blocking and range blocking.
- Removed Bluehost affiliate links for free customers
- Fixed issue that caused scans to crash when checking URLs for malware.
- Fixed issue that caused scans with large numbers of posts that contain the same URL to crash.
- Updated the Wordfence Security GeoIP database for country blocking to newest version.
- Improved security for Cloudflare customers to prevent spoofing attacks and protect when a hacker bypasses Cloudflare proxies.
- Added clear explanation of what increasing AJAX polling time does on options page.
- Fixed issue with Wordfence Security detecting itself as malware. We messed up the version number in previous release.
- Added option to change AJAX polling frequency
- Fixed issue that caused whitelisted IP’s to not be whitelisted.
- Added code that prevents blocking of Wordfence’s API server (or Wordfence Security will cease to function)
- Added link at bottom of ‘options’ page to test connectivity to our API servers.
- Include any CURL error numbers in error reporting.
- Fixed issue that caused IP range blocking to not block access to login page.
- Fixed issue that caused cache files to be flagged as malicious.
- Fixed Fatal error: func_get_args(): Can’t be used as a function parameter.
- This bug affected users using PHP older than 5.3.0
- Clarified range blocking examples.
- Fixed ‘max_user_connections’ issue.
- Wordfence Security now uses WordPress’s WPDB and this halves the number of DB connections Wordfence Security establishes to your DB.
- Wordfence Security is now HyperDB compatible.
- Advanced blocking i.e. Browser and IP Range blocking is now a free feature.
- We no longer disable Live Traffic if we detect a caching plugin. Based on user feedback, apparently live traffic actually works with those plugins.
- Fixed issue that causes site to crash if a conflicting GeoIP library is installed.
- Changed logHuman routine to do a LOW_PRIORITY MySQL update to speed things up.
- Login failure counter is now reset if you send yourself an unlock email so you’re not locked out again after 1 failure.
- The free version of Wordfence Security is now supported with ads at the top of the admin pages. Please visit our sponsors and help keep Wordfence Security free!
- Fixed issue that may cause scans to not be scheduled using the default schedule for new users.
- There was no 3.6.2 release, in case you’re wondering about the version skip.
- Major new release that includes the much asked for IP Range blocking with ISP blocking ability and browser blocking.
- Added Wordfence Security feature: WHOIS for IP’s and Domains. Supports all registries and local rWhois
- Added Wordfence Security feature: Advanced Blocking to block IP ranges and browser patterns.
- Added Wordfence Security feature: WHOIS on live traffic pages.
- Added Wordfence Security feature: network blocking links on live traffic pages.
- Fixed bug where W3 Total Cache and WP Super Cache cache blocked Wordfence Security pages.
- Added explanation of how caching affects live traffic logging if we detect a caching plugin.
- Fixed AJAX loading to deal with multiple parallel ajax requests.
- Updated tour to include info on new WHOIS and Advanced Blocking features.
- Changed manual IP blocks to be permanent by default.
- Fixed issue in Wordfence Security that caused live traffic page not to reload when IP is unblocked.
- Modified “How does your site get IP’s” config to avoid confusing new users.
- Changed 503 block message to be more helpful with link to FAQ on how to unblock.
- Removed redundant code in wfAPI.php
- Optimized code by moving firewall specific code to execute only if firewall is enabled.
- Fixed issue that caused “last attempted access” to show over 500 months ago.
- Fixed issue that was causing warning in getIP() code.
- Upgraded to Wordfence Security API version 2.6.
- This is the dev version. Stable is 3.5.2.
- Added detection for “hacked by badi” hack. Check if wp_options has been changed to UTF-7.
- IP detection is now much more robust. Admins must specify how their site gets IP addresses.
- Fixed issue that would throw Ajax ticker into a hard loop and put load on a server if user is on “options” page and WF can’t detect IPs.
- Added support for Cloudflare proxies when getting client’s real IP address.
- If we fail to get an IP and then get an IP succesfully, we update the activity log.
- Activity log update in case of successful IP acquisition will warn if we’re getting internal RFC1918 IP’s e.g. the IP of your firewall.
- Fixed issue with twentyten, twentyeleven, twentytwelve themes showing up as modified in 3.5.
- Fixed issue with wpdb->prepare throwing warnings. WordPress changed their code and we have now caught up.
- Fixed issue of files containing “silence is golden” showing up as being changed with no executable content.
- Fixed security issue of being able to list wordfence Security’s own virtual dir on some server configurations.
- Fixed issue of WF using deprecated function which caused warnings or errors on install.
- Added link to security alert mailing list on “Scan” page next to manual start scan button and in tour.
- Fixed issue that caused scans to not complete.
- Fixed issue that caused scans to launch a large number of child processes due to very short scan timeout.
- Fixed issue that caused websites that don’t know their own hostname to not be able to scan.
- Added workaround for a bug in Better WP Security breaking Wordfence Security due to their code overwriting the WP version.
- Optimized the way we calculate max execution time for each process while scanning.
- Removed wfscan.php script and now using pseudo-ajax calls to fire off scans. Much more reliable.
- Removed visitor.php script and now using pseudo-ajax calls to log human visits.
- Added config option to allow admin to specify max execution time (advanced only!!).
- Fixed issue that caused API calls to fail on MultiSite installs.
- Fixed issue that caused comments to break on MultiSite installs under certain conditions.
- Fixed issue that caused incorrect domain to be shown in live traffic view on multi-site installs.
- Fixed issue where some proxies/firewalls send space delimited IP addresses in HTTP headers and Wordfence Security now handles that.
- Fixed issue that caused Wordfence Security to capture activation errors of other plugins.
- Geo IP database update to November 7th edition.
- Upgrade immediately. Fixes possible XSS vulnerability in Wordfence Security “firewall unlock” form.
- Also added rate limiting to max of 10 requests per second to the unlock form.
- Re-releasing to try and fix an issue with the WordPress plugin distro system.
- Fixed bug that caused malformed URLs to be sent to scanning server which caused errors on some installations.
- Fixed issue that caused scans to “hang” or stall on larger sites during “Analyzing” phase when we hash files. Sites of arbitrary size can now be scanned.
- Fixed issue that caused “plugin generated X characters of unexpected output” error during install or upgrade.
- Fixed errors caused by ini_set being disabled on certain servers.
- Removed error logging messages in certain cases because some badly configured hosts write these errors to the web browser.
- Fixed getIP code that was evaluating arrays as strings in some cases.
- Added error logging so that if there is an activation error, the Wordfence Security will display the actual error to you.
- Fixed issue that caused scan to output “Could not get the administrator’s user ID.” when a user has changed their table prefixes under certain conditions.
- A complete rearchitecture of Wordfence Security scanning to massively improve performance.
- Our free customers are now 100% back in business. Apologies for the delay, but this was worth the wait.
- Wordfence Security is now 4X faster for both free and paid customers.
- Significantly reduced CPU and memory overhead.
- Significantly reduced network througput when communicating with Wordfence Security scanning servers.
- Big performance improvement on our own scanning servers which allows us to continue to provide Wordfence Security free for the forseeable future.
- Upgraded scanning API to version 2.4
- Upgraded Geo IP database to October version.
- Moved core, theme, plugin and malware scanning into hashing recursive routine for big performance gain.
- Removed need for fileQ in hashing routine for reduction in memory usage and reduction in DB write size.
- Removed send-packet architecture and now processing files locally by fetching comparison data from scanning server instead.
- Removed wfModTracker – old module that is no longer used.
- Malware is now scanned by fetching hash prefixes from WF server instead of sending hashes of every file to our server. Much more efficient.
- Made status messages in summary console a little more user friendly.
- Fixed dates and times in activity log alert emails and other emails to be in site’s local timezone.
- Added advanced country blocking options which allow bypass if a special URL is hit.
- Added warning in options page if alert email is not configured under alert checkboxes.
- Modified scan times to be within 60 minute window after scheduled time to prevent stampede at the top of the hour on our scanning server.
- Fixed bug on Godaddy and a few other hosts where viewing list of files not in the repo caused error. This was caused by posix functions not being supported on Godaddy and some other hosts.
- Paid feature: Remote site vulnerability and infection scanning.
- Moved all attack signatures out of the plugin to prevent Wordfence Security being detected as malicious in a false positive.
- Improved country blocking to make bulk adding/deleting of countries much easier.
- Fixed bug that caused Google feed fetcher and other Google UA bots to get blocked if blocking of unverified Googlebots was enabled.
- Fixed issue where Locked out users were shown having the same expiry time as Blocked IP’s.
- Fixed issue where Locked out users were not shown in the locked out list, but were still locked out if Blocked IP and Locked out expiry was different.
- Improved performance of whitelisting so if whitelisted, all rules are bypassed.
- Fixed issue that caused twentyten and twentyeleven themes to be shown as missing core files if they have been removed and theme scanning is enabled.
- Fixed issue that made it impossible to end the tour for Firefox users.
- Theme and plugin scanning is now free. Woohoo!
- Added introductory tour for Wordfence Security.
- Upgraded to Wordfence Security scanning API version 2.0 to allow free theme and plugin scanning.
- Fixed two issue with scheduled scanning for premium users that would cause scans to not run or run at wrong times under certain conditions.
- Added feature to view unknown files on system to help clean badly infected systems. See on scanning page in “Tools” under yellow box.
- Fixed blocked countries overflowing their container in the user interface.
- Fixed case where if user is using MySQL >= 5.1.16 and doesn’t have the “drop” privilege, they can’t truncate the wfFileQueue table and it could grow uncontrollably.
- Updated to the new Libyan flag.
- Fixed mysql_ping() reconnection to DB generating warnings.
- Fixed issue that caused scans to hang. Wordfence Security now processes smaller batches of files before checking if it needs to fork.
- NOTE: We removed a list of shells we’re scanning for because they were yielding false positives on some host scanning software.
- DNS fix from previous release backed out because it’s no longer needed. (We temporarily hardcoded an IP)
- Emergency release to deal with DNS issue.
- Fixed SQL error in code that checks if IP blockedTime has expired. Changed column type to signed.
- Added detection of malicious injected titles with scripts or meta redirects.
- Fixed bug introduced in previous release that prevents blocked IP’s from being blocked.
- Fixed permanent IP blocking bug which caused permanently blocked IP’s to no longer display in the list after some time, even though there were still blocked. (Incorrect SQL query)
- Fixed “Can’t get admin ID” on scan starts for both MU and single site installs.
- Improved status messages for sites with very large numbers of comments.
- Fixed bug that caused sites in subdirectories to not be able to view site config or run the memory test on the Wordfence Security “options” page.
- Fixed database disconnect bug (mysql server has gone away). An additional fix was required to finally squash this bug.
- Removed the code that prevented you from installing Wordfence Security on Windows. Sorry Windows customers!
- Improved scheduling so that it is now more reliable.
- Fixed bug that caused a loop for customers who could not contact the Wordfence Security servers on install.
- Added helpful message if you get the “can’t connect to itself” error message with some additional documentation to help solve this issue.
- Improved error reporting when Wordfence Security can’t connect to the scanning servers. Now features a helpful explanation rather than a generic message.
- Added Country Geo-Blocking feature for paid customers.
- Added Scan Scheduling feature for paid customers.
- Added another fix for “mysql server has gone away” error. Wordfence Security now makes sure the DB is still connected and reconnects if not.
- Added new detection for encoded malicious code in files.
- Fixed bug introduced yesterday that prevented permanent blocking of IP’s.
- Improved ability to detect if we’re running on Windows (but we don’t support Windows yet).
- Issue intelligent warning if Wordfence Security can’t read base WordPress directory.
- Don’t activate Wordfence Security if user is running Windows.
- Cleaned up errors if a file can’t be scanned due to permission restrictions.
- Improved reporting of which user scan is running as and how we determined who the admin user is.
- Changed the way we monitor disk space from % to warning on 20 megs and critical on 5 megs remaining. This deals with very large disks in a more rational way. (Thanks Yael M. and Ola A.)
- We now deal with cases where the $_SERVER variable contains an array instead of string for IP address. It seems that some installations modify the value into an array. (Thanks S.S.)
- The Wordfence Security DB connection now more reliably changes the mysql timeout for the session to prevent “mysql server has gone away” errors. (Thanks Peter A.)
- Fixed problem where scan process can’t get admin ID.
- Fixed issue that caused permanent IP’s to not be permanent.
- Fixed SQL error when calculating if IP block has expired.
- Fixed incorrect calling of is_404 that caused intermittent issues.
- Fixed basedir warnings when scan tries to scan files it does not have access to.
- Fixed warning and incorrect calculation of rows in DB.
- Added ability to get IP from “HTTP_X_REAL_IP” header of a front-end proxy is sending it.
- Fixed warning about HTTPS element not existing in getRequestedURL()
- Fixed problem with paid vs free keys getting confused.
- Fixed error with fetching vulnerability patterns.
- Fixed bug that caused “Could not get the administrator’s user ID. Scan can’t continue.”
- Fixed bug that caused scan to loop, stop halfway or not start for many sites.
- Fix bug that caused scan to not start on sites with thousands (over 20,000 in one case) users.
- Scan start is now faster for sites with large numbers of users.
- Fix bug that caused scan to get killed when checking passwords on sites with thousands of users.
- Wordfence Security now intelligently determines how to do a loopback request to kick off a scan.
- Scan is no longer called with a cron key in HTTP header but uses a query string value to authenticate itself which is more reliable.
- Improved malware and phishing URL detection.
- Upgraded to Wordfence Security API version 1.9
- Fixed issue that caused large files to slow or crash a scan.
- Added workaround for PHP’s broken filesize() function on 32 bit systems.
- Added an improved test mode for URL scanner for better unit testing on our end.
- Suppressed warnings issued when a reverse DNS lookup fails.
- Added improved debug output to becomeAdmin() function in scans to help diagnose scans not starting.
- Fixed “The key used to start a scan has expired.” error and added data to help diagnose future issues like this.
- Removed HTTPHeaders from wfHits table which was using a lot of disk space and not used much.
- Removed limiting wfHits table size because it was unreliable.
- We’re now limiting wfHits to 20,000 rows and the rows are much smaller. About 2 to 8 megs.
- Fixed bug that could have caused install routine to run repeatedly.
- Fixed typo bug in blocking code that didn’t have any impact but was sloppy.
- Changed wfscan.php message when accessed directly to be more helpful.
- Detects if the Wordfence Security app (not scanner) is short on memory and requests more
- Fixes an issue where scan breaks if all scanning options are disabled
- Issue that caused all core files to show as missing has been fixed.
- We now handle all API server errors gracefully using exceptions.
- If your installation didn’t activate correctly you now get a friendly message.
- Removed unused menu_config.php code.
- The 503 message now tells you why your access to the site has been limited so that admin’s can tune firewall rules better.
- We no longer reuse the WordPress wpdb handle because we get better stability with our own connection.
- Overall this release is a very important upgrade. It drastically reduces memory usage on systems with large files from hundreds of megs to around 8 megs max memory used per scan.
- Moved queue of files that get processed to a new DB table to save memory.
- Reduced max size of tables before we truncate to avoid long DB queries.
- Reduced max size of wfStatus table from 100,000 rows to 1,000 rows.
- Introduced feature to kill hung or crashed scans reliably.
- Made scan locking much more reliable to avoid multiple concurrent scans hogging resources.
- Debug status messages are no longer written to the DB in non-debug mode.
- Modified the list of unknown files we receive back from the WF scanning servers to be a packed string rather than an array which is more memory efficient.
- Added summary at the end of scans to show the peak memory that Wordfence Security used along with server peak memory.
- Hashes are now progressively sent to Wordfence Security servers during scan to drastically reduce memory usage.
- Upgraded to Wordfence Security server API version 1.8
- List of hosts that Wordfence Security URL scanner compiles now uses wfArray which is a very memory efficient packed binary structure.
- Writes that WF URL scanner makes to the DB are now batched into bulk inserts to reduce load on DB.
- Fixed bug in wfscan.php (scanning script) that could have caused scans to loop or pick up old data.
- Massively reduced the number of status messages we log, but kept very verbose logging for debug mode with a warning about DB load.
- Added summary messages instead of individual file scanning status messages which show files scanned and scan rate.
- Removed bin2hex and hex2bin conversions for scanning data which were slow, memory heavy and unneeded.
- Wordfence Security database class will now reuse the WordPress database handle from $wpdb if it can to reduce DB connections.
- Fixed bug that caused WF to not work when certain DB caching plugins are used and override wpdb object.
- Fixed Wordfence Security so activity log only shows our own errors unless in debug mode.
- Wordfence Security now deletes all it’s tables and deletes all saved options when you deactivate the plugin.
- Removed all exit() on error statements. Critical errors are handled more gracefully by writing to the log instead.
- Fixed a bug that would cause a database loop until running out of memory under certain error conditions.
- Suppressed useless warnings that occur in environments with basedir set or where functions are disabled for security reasons.
- Removed redundant check that executed on every request and put it in activation instead.
- If serialization during scan breaks, exit gracefully instead of looping.
- Disk space in log is now shown as Gigabytes and formatted nicely.
- Removed wdie() function which is a little obnoxious. Writing to WF error log instead.
- Fixed bug where a non-empty but useless HTTP header can break getIP() function.
- Added useful data to error output if getIP() tells you it can’t work on your system.
- Removed option to start scan in debug because it’s no longer possible with a forked scan.
- Removed option to test process running time on a system because it breaks on most systems and confuses customers.
- Database connection errors no longer call die() but log an error instead in a way that removes the risk of a logging loop.
- Removed dropAll.php script because we now clean up tables on deactivate and it’s not needed.
- Updated readme to show that we support 3.4.
- Fixed registered users not appearing in live traffic.
- Fixed temp file deletion bug that caused warnings and loops.
- Fixed issue that caused warning about WORDFENCE_VERSION
- Fixed Wordfence Security admin area not working under SSL
- Fixed bug that caused IP addresses of clients to be misinterpreted if there are multiple addresses from chained proxies.
- Now stripping port numbers from IP’s which we weren’t doing before.
- Added check for validity of IP’s and report fatal error if it fails because this could lock users out.
- Improved error reporting including fixing an out of memory error when a specific error condition arose in wfConfig::set()
- Changed order of tmp dirs to be wordfence/lib protected dir first and then system temp dir. Added uploads as tmp dir for last resort.
- Malware URL’s are now marked in red in alerts so it’s obvious what the offending URL in a file is.
- Added fix for hosts that have max_allowed_packet set too small. We will write a temp file to disk instead if possible.
- Increased size of status column to 1000 chars
- Fixed issue with scan scheduling that caused a loop
- Fixed issue that caused version constant to not be included in scans
- Added ability to permanently block IP’s
- Added ability to manually block IP’s
- Made Wordfence Security more memory efficient, particularly the forking process.
- Fixed issue that caused WF to not work on databases with blank passwords.
- Wordfence Security now stops execution of a DB connection error is encountered.
- Clear cron jobs if Wordfence Security is uninstalled.
- Enabled hourly cron for Wordfence security network.
- Wordfence Security now works if your server doesn’t have openssl installed
- Wordfence Security now works even if you don’t have CURL
- Fixed visitor logging so it works with HTTPS websites.
- Alert emails now contain filenames in each alert description.
- Users with weak passwords alerts now contain the username in the email.
- Upgraded API to 1.7.
- Fixed issue that caused DISALLOW_FILE_MODS to make WF menu disappear.
- Modified wfDB to deal with very large queries without exceeding max_allowed_packet
- Fixed issue that broke ability to see file changes and repair files in security scan results.
- Fixed scans hanging on Dreamhost and other hosts.
- Made Wordfence Security more memory efficient.
- Wordfence Security scans are now broken into steps so we can scan a huge number of files, posts and comments.
- Alert emails now include IP address, hostname lookup and geographic location (city if available).
- Improved security scan locking. No longer time based but uses flock() if on unix or time on Windows.
- Suppressed warnings that WF was generating.
- Improve handling of non-standard wp-content directories.
- Fix restored files were still showing as changed if they contained international characters.
- Improve permission denied message if attempting to repair a file.
- Fixed problem that caused scans to not start because some hosts take too long to look up their own name.
- Fixed issue with Wordfence Security menu that caused it to not appear or conflict with other menus under certain conditions.
- Upgraded to security API version 1.6
- Improved geo lookup code for IP’s to improve security.
- Fixed debug mode output in live status box – coloring was wrong.
- Added ajax status message to WF admin pages.
- Fixed colorbox popup so that it doesn’t jump around on refresh.
- Fixed CSS bug that changed plugins page layout in admin area
- Added memory benchmark utility.
- Added process runtime benchmark utility.
- Added ability to security scan in debug mode which accesses the scan app directly.
- Added IP whitelisting including ability to whitelist ranges that are excluded from firewall and login security measures.
- RFC1918 private networks and loopback address is automatically whitelisted to prevent firewall or login security blocking internal routers and proxy servers, internal firewalls and internal users.
- Added WORDFENCE_VERSION constant to improve version lookup performance.
- Fixed issue that caused security scans to not start and humans to not be logged in live traffic. Wordfence Security makes security scan script and visitors script executable on install or upgrade now.
- Fixed bug that caused disk space scanning to still show an issue found in security scan summary even when user chooses to ignore the security issue.
- Made disk space thresholds 1 and 1.5% space remaining because many hosts have very large disks where 1% is gigabytes.
- Made wordfence Security database handle cache deal with concurrent connections to different databases.
- Improved Wordfence Security database library’s error reporting.
- Improved performance when Wordfence Security looks up it’s own version during security scans and other operations.
- Removed three rules in base wordfence Security htaccess that could cause 500 errors on servers that don’t allow these options to be overridden. Does not affect htaccess security because we inherit the base htaccess and still protect our lib/ directory with our own htaccess.
- If your plugin PHP files are viewable by the world, we now give you a detailed warning on the seriousness of this security threat with ability to view the offending .htaccess files.
- Added a debug mode in options for very verbose logging and marking errors in red.
- Added more logging for the process that starts the security scan.
- Ability to securely view the entire activity log added.
- Using plugin version in all CSS URL’s instead of API version.
- Activity log microtime is more accurate now.
- Fixed bug that would cause security scanning of PHP files with base64 content to stop.
- Now security scanning all comments, posts and pages on multi-site installation for malware and phishing URL’s. Significant security enhancement.
- Improved messages on multisite when a bad comment or post is found.
- Fixed bug that caused paid users to not be able to activate their premium key.
- Made upgrade process much friendlier.
- Got rid of GeSHi syntax highlighting because it segfaults and is resource intensive. Using built in PHP highlighting instead.
- Message asking you to configure an alert email address only appears for 3 pageviews after plugin activation so it’s less irritating.
- Fixed bug for MU users that caused WF to tell you that your WF schema is missing and you need to reactivate.
- Fixed bug that caused malware URL security scanner to not work for MU users.
- Removed unbuffered queries and switched to conventional queries that are memory efficient for better stability.
- Made security scanning large numbers of URL’s contained in things like awstats log files extremely memory efficient and way faster.
- Removed alerts about unknown files in core directory if they belong to an older wordpress version and are unchanged.
- Other performance improvements like using strpos instead of strstr.
- Moved “scan files outside base dir” option to be in correct place on config page.
- Fixed plugin upgrades so that css and scripts are not cached across versions.
- Improved security scanning for specific attacks being used in the PHP-CGI vulnerability ( CVE-2012-1823)
- API keys no longer required. WF fetches a temporary anonymous API key for you on activation.
- Added real-time activity log on scan page.
- Added real-time summary updates on scan page.
- Fixed ability to view files that have symlinks in path.
- Added message to configure alert email address for multi-site and single site installs on activation.
- Disabled firewall security rules by default because most sites don’t need them.
- Disabled blocking of fake googlebots except for high security levels to prevent users who like to pretend they’re googlebot from blocking themselves.
- Geshi the syntax highlighter now asks for more memory before running.
- Fixed bug that caused scan to hang on very large files.
- Added an index to wfStatus to make it faster for summary statuses
- Removed multisite pre-activation check to make activation more reliable on multisite installs.
- Better problem reporting if you trashed your Wordfence Security schema but the plugin is still installed.
- Removed use of nonces and purely using 30 minute key for unlocking emails.
- Fixed bug that caused admin emails to not get emailed when requesting unlocking email.
- Fixed minor issue with undefined array in issues loop.
- Added ability for admin’s to unlock login and unblock their IP addresses if they’re accidentally locked out by the firewall or login security. Uses two security tokens to prevent abuse.
- Admins can now also disable firewall and login security from the unlock-me email, just in case of emergency.
- Made advanced security options visible so you know they exist.
- Fixed dns_get_record() function not existing bug on Windows systems pre PHP 5.3.0. Was causing scans to hang.
- Increased login lockout defaults to be much higher which still protects against brute force hacks.
- Removed CURLOPT_MAXREDIRS in curl to avoid safe mode warnings.
- Fixed ability to view and diff files on blogs installed in subdirectories.
- Fixed ability to see individual IP hits on subdir sites.
- Plugin and theme update messages now include links to the upgrade page.
- Removed the link on the login form that mentions the site is protected by Wordfence Security.
- Changed lockout defaults to be much higher.
- Added options for higher number of failures before lockout in options page for configurable login security.
- Now including plugin version in the activity log when the admin chooses to email it to us for debugging.
- Admin can now select to scan outside the WordPress base dir and standard WordPress directories.
- Max memory size for scans is now configurable for larger installations. 256M is the default.
- Changed maximum scan time to 10 minutes.
- A harmless cosmetic error was being thrown up when some security scans started. Fixed that.
- Changed max scan time to 30 mins.
- Fixed a bug that caused scans to crash when permissions don’t allow a directory to be read.
- WP repo didn’t deploy the zip file correctly so recreating the version tag.
- Vastly improved error logging including catching fatal PHP errors and logging them to status log.
- Fixed accidental preg_replace variable interpolation.
- Syntax fixes (various)
- Increased memory available to Wordfence Security to 256M during security scans, configurable in wordfenceConstants.php
- Improved memory logging during security scans. Current memory usage is now shown on the far right of filenames while scans occur.
- Bugfix – fixed bug that caused Wordfence Security menu to dissapear.
- WordPress Multi-site support added. Currently in Beta. Tested with subdomains, not subdirectories, but it should work great on both.
- Main changes are moving menus to the Network Admin area, preventing individual blogs from enabling the plugin and dealing with database prefix issues.
- Improved diagnistic information on binary and regular API calls for better debugging.
- Changed ticker to only show activity with level < 3
- Email to send security alerts to is now configured at the same time an API key is entered.
- phpinfo is emailed along with activity log when user requests to send us activity log so that we can see things like PHP max execution time and other relevant data
- Now writing individual files to activity log during security scans for better diagnostics.
- Login security message.
- Updated readme.txt FAQ and description.
- Fixed bug where sites with self signed SSL security certificate never start scan because cert fails security check.
- Increased API curl timeout to 300 for slower hosts that seem affected during URL security scans.
- This is a major release of Wordfence Security, please upgrade immediately.
- Only scan files in the WordPress ABSPATH root directory and known WordPress subdirectories. Prevents potentially massive scans on hosts that have large dirs off their wordpress root.
- Don’t generate plain SHA hashes anymore because we don’t currently use them on the server side for scanning. (Still generates md5’s and SHAC)
- No longer do change tracking on files before scans because the change tracking does almost the same amount of work when generating hashes as the actual scan. So just do the scan, which is now faster.
- Updated internal version to 1.2 to use new code on the server side which sends back a list of unknown files rather than known files, which is usually smaller and more network efficient.
- Improved logging in activity log.
- Removed SSL peer verification because some hosts have bad cert config. Connection to our servers is still via SSL to enhance security.
- Fixed a few minor issues. Overall you should notice that scans are much faster now.
- Made real-time server polling more efficient.
- Entering your API key now automatically starts your first scan. Was causing some confusion.
- Reduced the number of database connections that Wordfence Security makes to one.
- Modified the memory efficient unbuffered queries we use to only use a single DB connection.
- Removed status updates during post and comment scans which prevents interference with unbuffered queries and makes the scans even faster.
- Fixed a bug where if you have the plugin “secure-wordpress” installed, you can’t do a Wordfence Security scan because it says you have the wrong version. This is because secure-wordpress trashes the $wp_version global variable to hide your version rather than using the filters provided by WordPress. So coded a workaround so that your Wordfence Security scans will work with that plugin installed.
- Minor fix to point to the correct binary API URL on the Wordfence Security cloud servers.
- It is now free to get a Wordfence Security API key.
- Premium keys include theme and plugin file security verification which consumes resources on the Wordfence Security servers.
- Various bugfixes and performance enhancements.
- Initial public release of Wordfence Security Plugin.