Ready to get started?Download WordPress

Plugin Directory

Wordfence Security

Wordfence Security is a free enterprise class security and performance plugin that makes your site up to 50 times faster and more secure.


  • Fix: Crawler triggering update cron job threw error about show_message() being redeclared at end of update. Fixed.
  • Fix: Live traffic cities were incorrect and did not match country blocking block effects under certain conditions. Fixed.
  • Fix: If a site database contained a table with dashes in the table name, we would throw an error at the end of every scan. Fixed.
  • Improvement: Upgraded country DB to newest version.
  • Improvement: Changed live traffic geo location caching to be 24 hours instead of a week so that geo DB updates for live traffic on our servers take effect sooner.
  • Improvement: Ignoring .sql files in scans which are usually backups and contain many false positives, unless high sensitivity scanning is enabled.


  • Fix: Option to disable config caching. You can find this new option at the bottom of the Wordfence options page.
  • Note: If you are seeing the "cron key does not match the saved key" error, check the box to disable config caching at the bottom of the Wordfence options page, save and this will fix it.
  • Note: If you are trying to save your Wordfence options and the options keep reverting, enable the "disable config caching" at the bottom of your Wordfence options page, save and this will fix it.


  • Improvement: Wordfence now supports websites behind proxy servers when communicating with the Wordfence API servers.
  • Fix: Removed old image files that were unused.


  • Feature: Country blocking now lets you block login page OR rest of site or any combination. So you can now block the login page only for example.
  • Improvement: Upgraded the country blocking database to the newest version which is July 2014.
  • Improvement: Improved server-side performance for Wordfence scanning.
  • Improvement: Offer the option to keep Wordfence up-to-date automatically.
  • Improvement: If file contains malicious code, include filename in email alert summary info.
  • Fix: Removed strings in readme.txt that were causing false positives in hosts own scanning software.
  • Fix: Prevent lockout email alerts being sent for blank usernames.


  • Fix: Bing crawler was being misidentified as human. Fixed.
  • Fix: Escaping HTML on whois records. Thanks Nikhil Srivastava, TechDefencelabs (http://techdefencelabs.com)


  • Feature: Auto updates for Wordfence! This is a much-requested feature by our power admin's. Enable the "Update Wordfence automatically when a new version is released" option on the Wordfence options page.
  • Fix: Security fix. Thanks to Narendra Bhati from Suma Soft.


  • Feature: You can now specify one or more URL's that if accessed will cause the IP to immediately be blocked. See below "Other Options" for the new feature.
  • Improvement: Added additional debugging info when cron key does not match saved key to help diagnose any problems.
  • Improvement: New Issues email now contains site URL rather than just hostname to help identify subdirectory sites.
  • Improvement: Upgraded the country blocking database to the newest version which is June 2014.
  • Fix: Some browser versions were being reported as 0.0. Updated browser detection.


  • Improvement: WooCommerce now officially supported out of the box.
  • Feature: Added the wordfence:doNotCache() function that you can call in your themes and plugins to prevent caching of items.
  • Fix: Fixed the warning appearing in lib/wfUtils.php about a scalar being treated as an array which appeared in 5.0.9.
  • Fix: Failed logins were not being logged for non-existent usernames that were set to immediatelly block. Fixed.
  • Fix: Removed several warnings/notices that would appear when WP_DEBUG is enabled.
  • Fix: Added default character set to .htaccess which fixes garbled international characters being served from cache on sites with no default apache charset.


  • Feature: (Premium) Advanced Comment Spam Filter. Checks comment source IP, author URL and hosts and IP's in body against additional spam lists.
  • Feature: (Premium) Check if your site is being Spamvertised i.e. your domain is being included in spam emails. Usually indicates you've been hacked.
  • Feature: (Premium) Check if your website IP is generating spam. Checks against spam lists if your IP is a known source of spam.
  • Improvement: Cache clearing errors are nown shown with clear explanations.
  • Improvement: Added lightweight stats logging internally in preparation for displaying them on the admin UI in the next release.
  • Fix: If a non-existent user tries to sign in it is not logged in the live logins tab. Fixed.
  • Fix: Removed warning "Trying to get property of non-object" that would occur under certain conditions.
  • Fix: Removed call to is_404() which was not having any effect and would issue a warning if debug mode is enabled.
  • Fix: Check if CURL is installed as part of connectivity test.


  • Feature: Support for Jetpack Mobile Theme in Falcon Caching engine. Regular pages are cached, mobile pages are served direct to browser.
  • Improvement: Pages that are less than 1000 bytes will not be cached. The avg web page size in 2014 is 1246,000 bytes. Anything less than 1000 bytes is usually an error.
  • Improvement: Wordfence will now request 128M on hosts instead of 64M where memory in php.ini is set too low.
  • Fix: Wordfence was caching 404's under certain conditions. Fixed.
  • Fix: Nginx/FastCGI users would sometimes receive an error about not being able to edit .htaccess. Fixed.


  • Feature: Immediately block IP if hacker tries any of the following usernames. (Comma separated list that you can specify on the Wordfence options page)
  • Feature: Exclude exact URL's from caching. Specifically, this allows you to exclude the home page which was not possible before.
  • Feature: Exclude browsers or partial browser matches and specific cookies from caching.
  • Fix: Fixed issue where /.. dirs would be included in certain scandir operations.
  • Fix: logHuman function was not analyzing user-agent strings correctly which would allow some crawlers that execute JS to be logged as humans.
  • Fix: Removed ob_end_clean warnings about empty buffers when a human is being logged.
  • Fix: Removed warning in lib/wfCache.php caused by unset $_SERVER['QUERY_STRING'] when we check it.
  • Fix: Fixed "logged out as ''" blank username logout messages.
  • Fix: Improved security of config cache by adding a PHP header to file that we strip. Already secure because we have a .htaccess denying access, but more is better.
  • Fix: Falcon Engine option to clear Falcon cache when a post scheduled to be published in future is published.
  • Fix: Fixed Heartbleed scans hanging.


  • Feature: Prevent discovery of usernames through '?/author=N' scans. New option under login security which you can enable.
  • Fix: Introduced new global hash whitelist on our servers that drastically reduces false positives in all scans especially theme and plugin scans.
  • Fix: Fixed issue that corrupted .htaccess because stat cache would store file size and cause filesize() to report incorrect size when reading/writing .htaccess.
  • Fix: Fixed LiteSpeed issue where Falcon Engine would not serve cached pages under LiteSpeed and LiteSpeed warned about unknown server variable in .htaccess.
  • Fix: Fixed issue where Wordfence Security Network won't block known bad IP after first login attempt if "Don't let WordPress reveal valid users in login errors" option is not enabled.
  • Fix: Sites installed under a directory would sometimes see Falcon not serving cached docs.
  • Fix: If you are a premium customer and you have 2FA enabled and your key expires, fixed issue that may have caused you to get locked out.
  • Improvement: If your Premium API key now expires, we simply downgrade you to free scanning and continue rather than disabling Wordfence.
  • Improvement: Email warnings a few days before your Premium key expires so you have a chance to upgrade for uninterrupted service.


  • Fix: Removed mysql_real_escape_string because it’s deprecated. Using WP’s internal escape.
  • Fix: Wordfence issues list would be deleted halfway through scan under certain conditions.
  • Fix: Connection tester would generate php error under certain conditions.


  • Feature: We now scan for the infamous heartbleed openssl vulnerability using a non-intrusive scan method safe for production servers.
  • Improvement: We now check if .htaccess is writable and if not we give you rules to manually enable Falcon.
  • Improvement: Once Falcon is enabled, if we can’t write to .htaccess, we fall back to PHP based IP blocking.
  • Feature: You can now clear pages and posts from the cache on the list-posts page under each item or on their edit pages next to the Update button.
  • Fix: We now support sites who use a root URI but store their files and .htaccess in a subdirectory of the web root.
  • Fix: Added an additional filter to prevent crawlers like Bing who execute javascript from being logged as humans.
  • Fix: Changed the extension of the backup .htaccess to be .txt to avoid anti-virus software alerting on a download with .com extension. [Props to Scott N. for catching this]


  • Removed ability to disable XML-RPC. The feature broke many mobile apps and other remote services.


  • Fix: Issue that caused users running WordPress in debug mode to see a is_404 warning message.
  • Fix: Issue that caused Call to undefined function wp_get_current_user warning.
  • Fix: Issue that caused caching to not work on sites using subdirectories.
  • Fix: Issue that caused SQL errors to periodically appear about wfPerfLog table.
  • Fix: Issue that caused warnings about array elements not being declared.


  • To see a video introduction of Falcon Engine included with Wordfence 5, please watch this video
  • SUMMARY: This is a major release which includes Falcon Engine which provides the fastest WordPress caching available today. It also includes many other improvements and fixes. Upgrade immediatelly to get a massive performance boost for your site, many new features and fixes.
  • Feature: Falcon Engine provides the fastest caching algorithm for WordPress. Get up to a 50x site speedup now when you use Wordfence.
  • Feature: PHP based caching as an alternative to Falcon.
  • Feature: IP, browser and IP range blocking is now done using .htaccess if Falcon Engine is enabled providing a big performance boost.
  • Feature: Falcon and PHP caching includes ability to exclude URL patterns from cache along with cache management.
  • Feature: Disable XML-RPC in WordPress to prevent your site from being used as a drone in a DDoS attack.
  • Feature: Option to disable Wordfence cookies from being sent.
  • Feature: Option to start all scans using the remote start-scan option. This may fix some customers who can’t start scans.
  • Feature: Falcon Engine includes the ability to block IP ranges using .htaccess. We take your ranges and convert them into CIDR compatible .htaccess lines that very efficiently block the ranges you’ve specified. Another great performance improvement.
  • Feature: If user disables permalinks we automatically disable Falcon Engine caching.
  • Feature: Before you enable Falcon Engine we make you download a backup of your .htaccess file just in case.
  • Improvement: Real-time traffic monitoring loads asynchronously to provide a faster user experience.
  • Improvement: All Wordfence configuration variables are now cached on disk rather than repeatedly looked up on the database providing a big performance improvement.
  • Improvement: Updated browser detection algorithms for new browsers.
  • Improvement: Updated country GeoIP database to the April edition.
  • Improvement: Improved performance by only loading routines required for logged in users if they have a login cookie. No DB lookup required.
  • Improvement: Added on-off switches to top of live traffic to make it easy to turn on/off.
  • Improvement: Removed marketing message from Wordfence email alerts.
  • Improvement: Added ability to exclude files from scan that match patterns. Multiple excludes using wildcards allowed.
  • Improvement: Improved performance by moving all actions that would only be used by a logged in user to be set up using add_action if the user actually has a login cookie.
  • Fix: Added a throttle to prevent identical email alerts being sent repeatedly.
  • Fix: Changed order of IP blocking and alerting code to prevent multiple email alerts being sent in a race condition.
  • Fix: Cleaned up legacy code including removing all array_push statements.
  • Fix: Added try/catch block to fileTooBig() function when we encounter files that we can’t seek on and that throw an IO error to prevent scans from crashing.
  • Fix: Resolved issue that may have caused wfhits table to grow continuously on some sites.
  • Fix: Ensured that runInstall() isn’t called multiple times.
  • Fix: Moved register_activation_hook to only be called if the user has a login cookie and has a likelihood of being actually logged in as admin. Performance improvement.
  • Fix: Added doEarlyAccessLogging routine to move logging before caching so we can have both.
  • Fix: Removed the “update LOW_PRIORITY” sql statement when updating wfHits which was intended to speed up MySQL performance but may have actually caused queries to queue up and slow things down.
  • Fix: Whitelisted IP’s are no longer put through two factor authentication as one would expect.
  • Fix: Changed our wp_enqueue_script calls to add a ‘wf’ prefix to our script names so that another plugin doesn’t cause our scripts to not load.
  • Fix: Removed code that would cause all alerts to be turned on for some users under certain conditions.
  • Fix: Automatically excluding backup files and log files from URL scans to reduce false positives on referring URLs in logs and backups.


  • Improvement: Added "high sensitivity" scanning which catches evals with other bad functions but may give false positives. Not enabled by default.
  • Fix: Removed code that caused error message during scan initialization.
  • Fix: IP to number conversation code had a problem with IP's with a single 0 in them. Bug was introduced in 4.0.2.
  • Fix: Very fast attacks would generate a lot of email alerts due to race condition. Fixed.


  • Feature: Ability to bulk repair or delete files when cleaning a site.
  • Feature: You can now limit the number of emails per hour that Wordfence sends.
  • Feature: You can now scan image files as if they are executables when cleaning a site. See the option under scanning options.
  • Feature: New connectivity test for wp_remote_post to our servers.
  • Feature: New detection for backdoors that were previously missed in scans.
  • Improvement: Added a link to the Wordfence admin URL for a site when an email alert is received.
  • Improvement: Removed "buy premium" message from the alert emails which was causing confusion and irritation.
  • Improvement: Improved private address detection by making it faster and adding all private subnets, not just RFC1918 nets.
  • Improvement: Switched to wp_remote_get for triggering scans instead of wp_remote_post()
  • Improvement: Added some more verbose debugging for scan starts when in debug mode.
  • Improvement: No longer include private addresses when checking malware URL's and scanning IP's.
  • Improvement: Added code to disable Wordfence if WordPress is installing.
  • Fix: Text change because not all "scan" buttons are blue.
  • Fix: Removed URL from wfBrowscapCache.php which was causing false positives during scans.
  • Fix: Fixed SQL bug that triggered when we logged a vulnerability scan.
  • Fix: IP range blocks where a digit is preceded by a '0' char will no longer generate an error.
  • Fix: The getIP() routine will no longer use the IP closest to a visitor in network topology if that IP is a private address and behind a proxy.


  • Real-time WordPress Security Network Launched.
  • If another site is attacked and blocks the attacker, your site also blocks the attacker. Shared data among Wordfence sites.
  • See our home page on http://www.wordfence.com for a live map of attacks being blocked. Then blog about us!!
  • Fixed bug where wfBrowscapCache.php is reported as malicious.
  • Big improvement in scanning speed and efficiency of URL's and IP addresses.
  • Fixed preg_replace() warning by using newer preg_replace_callback() func.


  • Fixed issue that caused Wordfence security to not log 404's.
  • Made 404's more visible on the live traffic page.
  • Fixed panel width that was too narrow for WP 3.8 on live traffic and issues pages.
  • Report hack attempts to Wordfence Security scanning server for DDoS protection.
  • Remind admin if security alert email is blank and tour is closed.
  • Updated links to new Wordfence Security support website at support.wordfence.com.
  • Made Wordfence Security paid-users-only message a little more user friendly.


  • Fix: Fixed issue that caused certain Wordfence Security login functions to not work. Was a PHP 5.4 vs older version incompatability issue.
  • Updated GeoIP location database to new version for country blocking.
  • Fix: Resolved issue that caused the Issues that Wordfence Security found to not be displayed in some cases.
  • Updated Wordfence Security to WordPress 3.8 Compatability.


  • Fix: We now truncate the wfHoover table after scans to save disk space on servers with huge numbers of URLs in files.
  • Fix: isStrongPasswd function was being called statically but not declared as static.
  • Fix: Improved error reporting when we can't connect to Wordfence Security API servers.
  • Fix: Fixed code that was causing an error log warning when we read the requested URL.
  • Fix: Disable and clear cellphone sign-in if you downgrade to free from paid to prevent lockouts.


  • Fixed issue that caused cellphone sign-in to not work with PHP version 5.4 or greater.
  • Fixed conflict with other plugins that also use the Whois PHP library.
  • Fixed an unsanitized user-agent string.
  • Added new malware signatures for string rot13 heuristics.
  • Updated compatibility to 3.7.


  • Fixed issue that caused scheduled scans to run even if disabled.
  • Fixed display bug when signin fails.


  • Fixed issue that caused Human traffic to not be logged in Wordfence Security live traffic view.


  • Removed Wordfence Security .htaccess because it doesn't offer any security functionality and increases incompatibility.
  • Fixed spelling errors.
  • Added check to see if HTTP_USER_AGENT server variable is defined before using it to suppress large number of warnings on some sites.
  • Changed the way we call admin_url to the correct syntax.
  • Correctly escaped HTML on error messages.
  • Fixed issue that generated non-compliant query string.
  • Updated GeoIP database to newest version.


  • Updated GeoIP database for country blocking security.
  • Fixed bug in Wordfence Security where we called reverseLookup in wfUtils statically and it's a non-static method. Thanks Juliette.
  • Removed characters that are invalid in an IP address or domain from the Whois facility to improve security.
  • Prevent users from creating 1 character passwords to improve security.
  • Fixed issue that caused an invalid variable to be used in an error message and improved Wordfence Security temporary file implementation for get_ser/ser_ser functions. Thanks R.P.
  • Fixed issue that caused IP to output as integer in status msg. Not security related but display issue.
  • Declared Wordfence Security reverseLookup function as static to remove warning.
  • Fixed returnARr syntax error in Wordfence Security class.
  • Note, there is no Wordfence Security version 3.8.2.


  • Added Cellphone Sign-in (Two Factor Authentication) for paid Wordfence Security members. Stop brute-force attacks permanently! See new "Cellphone Sign-in" menu option.
  • Added ability to enforce strong passwords using Wordfence Security when accounts are created or users change their password. See Wordfence Security 'options' page under 'Login Security Options'.
  • Added new backdoor/malware signatures to Wordfence Security scanning including detection for spamming scripts, youtube spam scripts and a new attack shell.
  • Fixed issue: Under some conditions, files not part of core or a known theme or plugin would be excluded from a Wordfence Security scan.
  • Fixes from Juliette R. F. Remove warnings for unset variables. Fix options 'save' spinner spinning infinitely on some platforms. Removed redundant error handling code in Wordfence Security.
  • Added ability to downgrade a paid Wordfence Security license to free.


  • Fixed issue that caused locked out IP's to not appear, or to appear with incorrect "locked out until" time.


  • Moved global firewall, login security and live traffic options to top of options page.
  • Made it clear that if you have Wordfence Security firewall disabled, IP's won't be blocked, country blocking won't work and advanced blocking won't work with warnings on each page.


  • Fixed JS error in Wordfence Security that occurs occasionally when users are viewing Wordfence Security activity log in real-time.
  • New Feature: Prevent users registering 'admin' username if it doesn't exist to improve security. Recommended if you've deleted 'admin'. Enable on 'options' page.
  • Check if Wordfence Security GeoIP library is already declared for all functions. Fixes Fatal error: Cannot redeclare geoip_country_code_by_name.
  • Fixed a Wordfence Security compatibility issue with sites and hosts using Varnish front-end cache to ensure legit users don't get blocked. Added two HTTP no-cache and Expires headers.
  • Fixed bug when using Wordfence Security Advanced User-Agent blocking with certain patterns this would appear: Warning: preg_match() [function.preg-match]: Unknown modifier
  • Vastly improved speed of Wordfence Security Advanced User-Agent blocking security feature. No longer using regex but still support wildcards using fnmatch()
  • We now support usernames with spaces in the list of users to ignore in the live traffic config on 'options' page.
  • Improved language in status messages to avoid confusion. Changed "unrecognized files" to "additional files" to describe non-core/theme/plugin files.


  • Fixed bug in Wordfence Security that caused IP range blocking to not block.
  • Fixed bug that caused unblocking a permanently blocked IP to work, but not refresh the list.
  • Added usernames to the email you receive when a user is locked out.
  • Added a few more status messages for Wordfence Security URL malware scanning.
  • Removed the sockets function call from connection testing because some hosts don't allow calls to socket_create()
  • Added detection in the Wordfence Security Whois page to check if the server has the fsockopen() function available with helpful message if it's disabled.
  • Whitelisted IP's now override Wordfence Security country blocking and range blocking.
  • Removed Bluehost affiliate links for free customers
  • Fixed issue that caused scans to crash when checking URLs for malware.
  • Fixed issue that caused scans with large numbers of posts that contain the same URL to crash.
  • Updated the Wordfence Security GeoIP database for country blocking to newest version.


  • Improved security for Cloudflare customers to prevent spoofing attacks and protect when a hacker bypasses Cloudflare proxies.
  • Added clear explanation of what increasing AJAX polling time does on options page.
  • Fixed issue with Wordfence Security detecting itself as malware. We messed up the version number in previous release.


  • Added option to change AJAX polling frequency
  • Fixed issue that caused whitelisted IP's to not be whitelisted.
  • Added code that prevents blocking of Wordfence's API server (or Wordfence Security will cease to function)
  • Added link at bottom of 'options' page to test connectivity to our API servers.
  • Include any CURL error numbers in error reporting.
  • Fixed issue that caused IP range blocking to not block access to login page.
  • Fixed issue that caused cache files to be flagged as malicious.


  • Fixed Fatal error: func_get_args(): Can't be used as a function parameter.
  • This bug affected users using PHP older than 5.3.0


  • Fixed a major javascript bug that snuck in 2 releases ago and has disabled many features for Internet Explorer browsers.
  • Clarified range blocking examples.


  • Fixed 'max_user_connections' issue.
  • Wordfence Security now uses WordPress's WPDB and this halves the number of DB connections Wordfence Security establishes to your DB.
  • Wordfence Security is now HyperDB compatible.
  • Advanced blocking i.e. Browser and IP Range blocking is now a free feature.
  • We no longer disable Live Traffic if we detect a caching plugin. Based on user feedback, apparently live traffic actually works with those plugins.
  • Fixed issue that causes site to crash if a conflicting GeoIP library is installed.
  • Changed logHuman routine to do a LOW_PRIORITY MySQL update to speed things up.
  • Login failure counter is now reset if you send yourself an unlock email so you're not locked out again after 1 failure.
  • The free version of Wordfence Security is now supported with ads at the top of the admin pages. Please visit our sponsors and help keep Wordfence Security free!
  • Fixed issue that may cause scans to not be scheduled using the default schedule for new users.
  • There was no 3.6.2 release, in case you're wondering about the version skip.


  • Major new release that includes the much asked for IP Range blocking with ISP blocking ability and browser blocking.
  • Added Wordfence Security feature: WHOIS for IP's and Domains. Supports all registries and local rWhois
  • Added Wordfence Security feature: Advanced Blocking to block IP ranges and browser patterns.
  • Added Wordfence Security feature: WHOIS on live traffic pages.
  • Added Wordfence Security feature: network blocking links on live traffic pages.
  • Fixed bug where W3 Total Cache and WP Super Cache cache blocked Wordfence Security pages.
  • Added explanation of how caching affects live traffic logging if we detect a caching plugin.
  • Fixed AJAX loading to deal with multiple parallel ajax requests.
  • Updated tour to include info on new WHOIS and Advanced Blocking features.
  • Changed manual IP blocks to be permanent by default.
  • Fixed issue in Wordfence Security that caused live traffic page not to reload when IP is unblocked.
  • Modified "How does your site get IP's" config to avoid confusing new users.
  • Changed 503 block message to be more helpful with link to FAQ on how to unblock.
  • Removed redundant code in wfAPI.php
  • Optimized code by moving firewall specific code to execute only if firewall is enabled.
  • Fixed issue that caused "last attempted access" to show over 500 months ago.
  • Fixed issue that was causing warning in getIP() code.
  • Upgraded to Wordfence Security API version 2.6.


  • This is the dev version. Stable is 3.5.2.
  • Added detection for "hacked by badi" hack. Check if wp_options has been changed to UTF-7.


  • IP detection is now much more robust. Admins must specify how their site gets IP addresses.
  • Fixed issue that would throw Ajax ticker into a hard loop and put load on a server if user is on "options" page and WF can't detect IPs.
  • Added support for Cloudflare proxies when getting client's real IP address.
  • If we fail to get an IP and then get an IP succesfully, we update the activity log.
  • Activity log update in case of successful IP acquisition will warn if we're getting internal RFC1918 IP's e.g. the IP of your firewall.


  • Fixed issue with twentyten, twentyeleven, twentytwelve themes showing up as modified in 3.5.
  • Fixed issue with wpdb->prepare throwing warnings. WordPress changed their code and we have now caught up.
  • Fixed issue of files containing "silence is golden" showing up as being changed with no executable content.


  • Fixed security issue of being able to list wordfence Security's own virtual dir on some server configurations.
  • Fixed issue of WF using deprecated function which caused warnings or errors on install.
  • Added link to security alert mailing list on "Scan" page next to manual start scan button and in tour.


  • Fixed issue that caused scans to not complete.
  • Fixed issue that caused scans to launch a large number of child processes due to very short scan timeout.
  • Fixed issue that caused websites that don't know their own hostname to not be able to scan.
  • Added workaround for a bug in Better WP Security breaking Wordfence Security due to their code overwriting the WP version.
  • Optimized the way we calculate max execution time for each process while scanning.


  • Removed wfscan.php script and now using pseudo-ajax calls to fire off scans. Much more reliable.
  • Removed visitor.php script and now using pseudo-ajax calls to log human visits.
  • Added config option to allow admin to specify max execution time (advanced only!!).
  • Fixed issue that caused API calls to fail on MultiSite installs.
  • Fixed issue that caused comments to break on MultiSite installs under certain conditions.
  • Fixed issue that caused incorrect domain to be shown in live traffic view on multi-site installs.
  • Fixed issue where some proxies/firewalls send space delimited IP addresses in HTTP headers and Wordfence Security now handles that.
  • Fixed issue that caused Wordfence Security to capture activation errors of other plugins.
  • Geo IP database update to November 7th edition.


  • Upgrade immediately. Fixes possible XSS vulnerability in Wordfence Security "firewall unlock" form.
  • Also added rate limiting to max of 10 requests per second to the unlock form.


  • Re-releasing to try and fix an issue with the WordPress plugin distro system.


  • Fixed bug that caused malformed URLs to be sent to scanning server which caused errors on some installations.
  • Fixed issue that caused scans to "hang" or stall on larger sites during "Analyzing" phase when we hash files. Sites of arbitrary size can now be scanned.
  • Fixed issue that caused "plugin generated X characters of unexpected output" error during install or upgrade.


  • Fixed errors caused by ini_set being disabled on certain servers.
  • Removed error logging messages in certain cases because some badly configured hosts write these errors to the web browser.
  • Fixed getIP code that was evaluating arrays as strings in some cases.
  • Added error logging so that if there is an activation error, the Wordfence Security will display the actual error to you.
  • Fixed issue that caused scan to output "Could not get the administrator's user ID." when a user has changed their table prefixes under certain conditions.


  • A complete rearchitecture of Wordfence Security scanning to massively improve performance.
  • Our free customers are now 100% back in business. Apologies for the delay, but this was worth the wait.
  • Wordfence Security is now 4X faster for both free and paid customers.
  • Significantly reduced CPU and memory overhead.
  • Significantly reduced network througput when communicating with Wordfence Security scanning servers.
  • Big performance improvement on our own scanning servers which allows us to continue to provide Wordfence Security free for the forseeable future.
  • Upgraded scanning API to version 2.4
  • Upgraded Geo IP database to October version.
  • Moved core, theme, plugin and malware scanning into hashing recursive routine for big performance gain.
  • Removed need for fileQ in hashing routine for reduction in memory usage and reduction in DB write size.
  • Removed send-packet architecture and now processing files locally by fetching comparison data from scanning server instead.
  • Removed wfModTracker - old module that is no longer used.
  • Malware is now scanned by fetching hash prefixes from WF server instead of sending hashes of every file to our server. Much more efficient.
  • Made status messages in summary console a little more user friendly.


  • Fixed dates and times in activity log alert emails and other emails to be in site's local timezone.
  • Added advanced country blocking options which allow bypass if a special URL is hit.
  • Added warning in options page if alert email is not configured under alert checkboxes.
  • Modified scan times to be within 60 minute window after scheduled time to prevent stampede at the top of the hour on our scanning server.
  • Fixed bug on Godaddy and a few other hosts where viewing list of files not in the repo caused error. This was caused by posix functions not being supported on Godaddy and some other hosts.


  • Paid feature: Remote site vulnerability and infection scanning.


  • Moved all attack signatures out of the plugin to prevent Wordfence Security being detected as malicious in a false positive.


  • Improved country blocking to make bulk adding/deleting of countries much easier.
  • Fixed bug that caused Google feed fetcher and other Google UA bots to get blocked if blocking of unverified Googlebots was enabled.
  • Fixed issue where Locked out users were shown having the same expiry time as Blocked IP's.
  • Fixed issue where Locked out users were not shown in the locked out list, but were still locked out if Blocked IP and Locked out expiry was different.
  • Improved performance of whitelisting so if whitelisted, all rules are bypassed.
  • Fixed issue that caused twentyten and twentyeleven themes to be shown as missing core files if they have been removed and theme scanning is enabled.
  • Fixed issue that made it impossible to end the tour for Firefox users.


  • Theme and plugin scanning is now free. Woohoo!
  • Added introductory tour for Wordfence Security.
  • Upgraded to Wordfence Security scanning API version 2.0 to allow free theme and plugin scanning.
  • Fixed two issue with scheduled scanning for premium users that would cause scans to not run or run at wrong times under certain conditions.
  • Added feature to view unknown files on system to help clean badly infected systems. See on scanning page in "Tools" under yellow box.
  • Fixed blocked countries overflowing their container in the user interface.
  • Fixed case where if user is using MySQL >= 5.1.16 and doesn't have the "drop" privilege, they can't truncate the wfFileQueue table and it could grow uncontrollably.
  • Updated to the new Libyan flag.
  • Fixed mysql_ping() reconnection to DB generating warnings.
  • Fixed issue that caused scans to hang. Wordfence Security now processes smaller batches of files before checking if it needs to fork.
  • NOTE: We removed a list of shells we're scanning for because they were yielding false positives on some host scanning software.
  • DNS fix from previous release backed out because it's no longer needed. (We temporarily hardcoded an IP)


  • Emergency release to deal with DNS issue.


  • Fixed SQL error in code that checks if IP blockedTime has expired. Changed column type to signed.
  • Added detection of malicious injected titles with scripts or meta redirects.
  • Fixed bug introduced in previous release that prevents blocked IP's from being blocked.


  • Fixed permanent IP blocking bug which caused permanently blocked IP's to no longer display in the list after some time, even though there were still blocked. (Incorrect SQL query)
  • Fixed "Can't get admin ID" on scan starts for both MU and single site installs.
  • Improved status messages for sites with very large numbers of comments.
  • Fixed bug that caused sites in subdirectories to not be able to view site config or run the memory test on the Wordfence Security "options" page.
  • Fixed database disconnect bug (mysql server has gone away). An additional fix was required to finally squash this bug.
  • Removed the code that prevented you from installing Wordfence Security on Windows. Sorry Windows customers!
  • Improved scheduling so that it is now more reliable.
  • Fixed bug that caused a loop for customers who could not contact the Wordfence Security servers on install.
  • Added helpful message if you get the "can't connect to itself" error message with some additional documentation to help solve this issue.
  • Improved error reporting when Wordfence Security can't connect to the scanning servers. Now features a helpful explanation rather than a generic message.
  • Added Country Geo-Blocking feature for paid customers.
  • Added Scan Scheduling feature for paid customers.


  • Added another fix for "mysql server has gone away" error. Wordfence Security now makes sure the DB is still connected and reconnects if not.
  • Added new detection for encoded malicious code in files.
  • Fixed bug introduced yesterday that prevented permanent blocking of IP's.
  • Improved ability to detect if we're running on Windows (but we don't support Windows yet).
  • Issue intelligent warning if Wordfence Security can't read base WordPress directory.
  • Don't activate Wordfence Security if user is running Windows.
  • Cleaned up errors if a file can't be scanned due to permission restrictions.
  • Improved reporting of which user scan is running as and how we determined who the admin user is.


  • Changed the way we monitor disk space from % to warning on 20 megs and critical on 5 megs remaining. This deals with very large disks in a more rational way. (Thanks Yael M. and Ola A.)
  • We now deal with cases where the $_SERVER variable contains an array instead of string for IP address. It seems that some installations modify the value into an array. (Thanks S.S.)
  • The Wordfence Security DB connection now more reliably changes the mysql timeout for the session to prevent "mysql server has gone away" errors. (Thanks Peter A.)


  • Fixed problem where scan process can't get admin ID.
  • Fixed issue that caused permanent IP's to not be permanent.
  • Fixed SQL error when calculating if IP block has expired.
  • Fixed incorrect calling of is_404 that caused intermittent issues.
  • Fixed basedir warnings when scan tries to scan files it does not have access to.
  • Fixed warning and incorrect calculation of rows in DB.
  • Added ability to get IP from "HTTP_X_REAL_IP" header of a front-end proxy is sending it.
  • Fixed warning about HTTPS element not existing in getRequestedURL()
  • Fixed problem with paid vs free keys getting confused.
  • Fixed error with fetching vulnerability patterns.


  • Fixed bug that caused "Could not get the administrator’s user ID. Scan can’t continue."


  • Fixed bug that caused scan to loop, stop halfway or not start for many sites.
  • Fix bug that caused scan to not start on sites with thousands (over 20,000 in one case) users.
  • Scan start is now faster for sites with large numbers of users.
  • Fix bug that caused scan to get killed when checking passwords on sites with thousands of users.
  • Wordfence Security now intelligently determines how to do a loopback request to kick off a scan.
  • Scan is no longer called with a cron key in HTTP header but uses a query string value to authenticate itself which is more reliable.


  • Improved malware and phishing URL detection.
  • Upgraded to Wordfence Security API version 1.9
  • Fixed issue that caused large files to slow or crash a scan.
  • Added workaround for PHP's broken filesize() function on 32 bit systems.
  • Added an improved test mode for URL scanner for better unit testing on our end.
  • Suppressed warnings issued when a reverse DNS lookup fails.
  • Added improved debug output to becomeAdmin() function in scans to help diagnose scans not starting.


  • Fixed "The key used to start a scan has expired." error and added data to help diagnose future issues like this.
  • Removed HTTPHeaders from wfHits table which was using a lot of disk space and not used much.
  • Removed limiting wfHits table size because it was unreliable.
  • We're now limiting wfHits to 20,000 rows and the rows are much smaller. About 2 to 8 megs.
  • Fixed bug that could have caused install routine to run repeatedly.
  • Fixed typo bug in blocking code that didn't have any impact but was sloppy.
  • Changed wfscan.php message when accessed directly to be more helpful.


  • Detects if the Wordfence Security app (not scanner) is short on memory and requests more
  • Fixes an issue where scan breaks if all scanning options are disabled


  • Issue that caused all core files to show as missing has been fixed.
  • We now handle all API server errors gracefully using exceptions.
  • If your installation didn't activate correctly you now get a friendly message.
  • Removed unused menu_config.php code.
  • The 503 message now tells you why your access to the site has been limited so that admin's can tune firewall rules better.
  • We no longer reuse the WordPress wpdb handle because we get better stability with our own connection.


  • Overall this release is a very important upgrade. It drastically reduces memory usage on systems with large files from hundreds of megs to around 8 megs max memory used per scan.
  • Moved queue of files that get processed to a new DB table to save memory.
  • Reduced max size of tables before we truncate to avoid long DB queries.
  • Reduced max size of wfStatus table from 100,000 rows to 1,000 rows.
  • Introduced feature to kill hung or crashed scans reliably.
  • Made scan locking much more reliable to avoid multiple concurrent scans hogging resources.
  • Debug status messages are no longer written to the DB in non-debug mode.
  • Modified the list of unknown files we receive back from the WF scanning servers to be a packed string rather than an array which is more memory efficient.
  • Added summary at the end of scans to show the peak memory that Wordfence Security used along with server peak memory.
  • Hashes are now progressively sent to Wordfence Security servers during scan to drastically reduce memory usage.
  • Upgraded to Wordfence Security server API version 1.8
  • List of hosts that Wordfence Security URL scanner compiles now uses wfArray which is a very memory efficient packed binary structure.
  • Writes that WF URL scanner makes to the DB are now batched into bulk inserts to reduce load on DB.
  • Fixed bug in wfscan.php (scanning script) that could have caused scans to loop or pick up old data.
  • Massively reduced the number of status messages we log, but kept very verbose logging for debug mode with a warning about DB load.
  • Added summary messages instead of individual file scanning status messages which show files scanned and scan rate.
  • Removed bin2hex and hex2bin conversions for scanning data which were slow, memory heavy and unneeded.
  • Wordfence Security database class will now reuse the WordPress database handle from $wpdb if it can to reduce DB connections.


  • Fixed bug that caused WF to not work when certain DB caching plugins are used and override wpdb object.
  • Fixed Wordfence Security so activity log only shows our own errors unless in debug mode.
  • Wordfence Security now deletes all it's tables and deletes all saved options when you deactivate the plugin.
  • Removed all exit() on error statements. Critical errors are handled more gracefully by writing to the log instead.
  • Fixed a bug that would cause a database loop until running out of memory under certain error conditions.
  • Suppressed useless warnings that occur in environments with basedir set or where functions are disabled for security reasons.
  • Removed redundant check that executed on every request and put it in activation instead.
  • If serialization during scan breaks, exit gracefully instead of looping.
  • Disk space in log is now shown as Gigabytes and formatted nicely.
  • Removed wdie() function which is a little obnoxious. Writing to WF error log instead.
  • Fixed bug where a non-empty but useless HTTP header can break getIP() function.
  • Added useful data to error output if getIP() tells you it can't work on your system.
  • Removed option to start scan in debug because it's no longer possible with a forked scan.
  • Removed option to test process running time on a system because it breaks on most systems and confuses customers.
  • Database connection errors no longer call die() but log an error instead in a way that removes the risk of a logging loop.
  • Removed dropAll.php script because we now clean up tables on deactivate and it's not needed.
  • Updated readme to show that we support 3.4.


  • Fixed registered users not appearing in live traffic.
  • Fixed temp file deletion bug that caused warnings and loops.
  • Fixed issue that caused warning about WORDFENCE_VERSION
  • Fixed Wordfence Security admin area not working under SSL
  • Fixed bug that caused IP addresses of clients to be misinterpreted if there are multiple addresses from chained proxies.
  • Now stripping port numbers from IP's which we weren't doing before.
  • Added check for validity of IP's and report fatal error if it fails because this could lock users out.
  • Improved error reporting including fixing an out of memory error when a specific error condition arose in wfConfig::set()
  • Changed order of tmp dirs to be wordfence/lib protected dir first and then system temp dir. Added uploads as tmp dir for last resort.
  • Malware URL's are now marked in red in alerts so it's obvious what the offending URL in a file is.


  • Added fix for hosts that have max_allowed_packet set too small. We will write a temp file to disk instead if possible.
  • Increased size of status column to 1000 chars


  • Fixed issue with scan scheduling that caused a loop
  • Fixed issue that caused version constant to not be included in scans


  • Added ability to permanently block IP's
  • Added ability to manually block IP's
  • Made Wordfence Security more memory efficient, particularly the forking process.
  • Fixed issue that caused WF to not work on databases with blank passwords.
  • Wordfence Security now stops execution of a DB connection error is encountered.
  • Clear cron jobs if Wordfence Security is uninstalled.
  • Enabled hourly cron for Wordfence security network.
  • Wordfence Security now works if your server doesn't h

Requires: 3.3.1 or higher
Compatible up to: 3.9.2
Last Updated: 2014-8-17
Downloads: 2,623,711


4 stars
4.9 out of 5 stars


32 of 214 support threads in the last two months have been resolved.

Got something to say? Need help?


Not enough data

2 people say it works.
1 person says it's broken.

100,2,2 100,1,1
100,2,2 100,1,1 100,1,1 100,2,2 100,1,1 100,1,1 0,2,0 100,1,1 100,2,2 100,1,1 100,1,1 100,1,1 100,3,3 100,2,2 100,4,4 100,3,3 50,2,1 100,2,2 100,3,3 100,1,1 100,1,1 100,1,1
0,1,0 100,2,2 100,2,2 100,1,1 100,1,1
100,1,1 75,4,3 100,2,2 0,2,0 100,6,6 100,1,1 100,2,2 100,2,2 100,2,2 85,13,11 100,1,1 90,10,9 100,5,5 75,4,3 100,3,3 100,10,10 100,1,1 100,1,1
88,49,43 100,6,6 100,5,5 100,1,1 100,4,4 100,1,1 91,22,20 67,9,6 84,19,16 57,7,4 0,1,0 100,1,1
0,3,0 100,22,22 100,7,7
95,21,20 83,6,5 0,1,0 92,24,22 96,23,22 78,9,7 80,10,8 75,16,12
85,20,17 100,8,8
100,8,8 100,11,11 100,1,1
67,9,6 100,6,6 93,15,14 100,9,9 100,1,1 100,1,1
60,5,3 100,7,7
100,13,13 100,34,34 100,1,1
100,18,18 100,5,5 100,7,7 100,1,1 100,2,2 100,1,1
88,8,7 100,2,2 96,54,52 100,3,3 100,5,5 100,2,2
71,7,5 100,10,10
100,4,4 100,3,3 100,1,1
67,3,2 94,16,15 69,13,9 71,14,10 50,2,1 100,1,1
100,1,1 63,8,5 55,11,6 78,18,14 88,16,14 67,9,6 88,16,14 67,12,8 86,7,6 100,5,5 100,3,3 100,1,1
100,4,4 60,10,6 67,3,2