Vulnerability Monitor for Wordfence Intelligence

Description

Vulnerability Monitor for Wordfence Intelligence helps WordPress administrators identify known security vulnerabilities affecting installed plugins and themes. The plugin regularly checks the Wordfence Intelligence v3 vulnerability feed and alerts you when vulnerable software is detected, helping keep WordPress installations secure and up to date. The feed reader supports the object-map JSON, array JSON, and NDJSON formats, handles gzip compression, and streams the data in a memory-safe way. Not affiliated with Wordfence.

This plugin is designed to be:

  • Lightweight – no external SaaS services beyond the official Wordfence feed API.
  • Privacy-friendly – no tracking or telemetry; vulnerability matching happens locally on your site.
  • Memory-safe – supports streaming large NDJSON and gzip feeds without exhausting server memory.
  • Fully configurable – email notifications, severity levels, scheduled scans, and more.

Perfect for agencies, freelancers, and site owners who want proactive security visibility without complexity.

Key Features

  • Scan installed plugins and themes for known vulnerabilities.
  • Supports NDJSON, array JSON, and object-map JSON feed formats.
  • Handles gzip-compressed feeds automatically.
  • Match detection for:
    • severity levels (critical, high, medium, low)
    • patched versions
    • remediation steps
  • Customizable email notifications with templates.
  • Optional scheduled scans (hourly, daily, or custom).
  • “Only notify on new issues” mode.
  • Supports the current Wordfence Intelligence V3 API with API key authentication.
  • Debug mode with detailed logs.
  • No tracking or telemetry.
  • Matching and reporting logic runs locally on your site.

How It Works

The plugin fetches the Wordfence Intelligence feed, streams it in a memory-safe way, and compares each entry with your installed plugins/themes.
You can trigger scans:

  • manually from the WP Admin panel
  • or automatically via the scheduled scan option

The results include severity, details, patched versions, and links to advisories.
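
The stream-and-match step described above, as an added sketch that is not the plugin's own code: it reads a gzip-compressed NDJSON feed one line at a time and looks each record up in an inventory keyed by type and slug. The record fields (`software`, `slug`, `affected_versions`, `from_version`, `to_version`, `cvss.rating`) and all sample data are assumptions constructed for the example.

```php
<?php
// Added illustration, not the plugin's code. Feed field names are assumed.
// Constructed inventory, keyed by "type:slug" so each feed record is one lookup.
$installed = ['plugin:example-forms' => '2.4.1', 'plugin:example-slider' => '5.0.0'];

// Constructed feed records, written out as gzip-compressed NDJSON (one per line).
$mk = fn($title, $sev, $slug, $to, $incl) => ['title' => $title, 'cvss' => ['rating' => $sev],
    'software' => [['type' => 'plugin', 'slug' => $slug, 'affected_versions' => [
        ['from_version' => '*', 'from_inclusive' => true, 'to_version' => $to, 'to_inclusive' => $incl]]]]];
$records = [
    $mk('Example Forms <= 2.4.3 (constructed)', 'Medium', 'example-forms', '2.4.3', true),
    $mk('Example Slider < 4.9.0 (constructed)', 'High', 'example-slider', '4.9.0', false),
    $mk('Not Installed <= 1.0 (constructed)', 'Critical', 'not-installed', '1.0', true),
];
$path = tempnam(sys_get_temp_dir(), 'feed');
file_put_contents($path, gzencode(implode("\n", array_map('json_encode', $records)) . "\n"));

// True when $v falls inside one affected range; "*" means unbounded on that side.
function in_range(string $v, array $r): bool {
    if ($r['from_version'] !== '*'
        && !version_compare($v, $r['from_version'], $r['from_inclusive'] ? '>=' : '>')) return false;
    if ($r['to_version'] !== '*'
        && !version_compare($v, $r['to_version'], $r['to_inclusive'] ? '<=' : '<')) return false;
    return true;
}

// Stream the feed: only one decoded record is held in memory at a time.
function scan_feed(string $path, array $installed): array {
    $findings = [];
    $fh = gzopen($path, 'rb');               // decompresses as it reads
    if ($fh === false) return $findings;
    while (($line = gzgets($fh)) !== false) {
        $rec = json_decode($line, true);
        if (!is_array($rec)) continue;       // skip blank or malformed lines
        foreach ($rec['software'] ?? [] as $sw) {
            $key = ($sw['type'] ?? '') . ':' . ($sw['slug'] ?? '');
            if (!isset($installed[$key])) continue;   // not installed here
            foreach ($sw['affected_versions'] ?? [] as $range) {
                if (in_range($installed[$key], $range)) {
                    $findings[] = [$key, $installed[$key], $rec['cvss']['rating'] ?? 'unknown', $rec['title'] ?? ''];
                    break;
                }
            }
        }
    }
    gzclose($fh);
    return $findings;
}

foreach (scan_feed($path, $installed) as [$key, $ver, $sev, $title]) echo "$key $ver [$sev] $title\n";
unlink($path);
```

Only the installed version that falls inside an affected range is reported; the exclusive upper bound and the slug that is not installed produce no finding.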

External services

This plugin connects to the Wordfence Intelligence vulnerability feed provided by Defiant, Inc. to download vulnerability data used for scans.

The request is sent when you run a manual scan, when a scheduled scan runs, or when the cached feed expires and the plugin needs a fresh copy. The request sends your configured Wordfence API key in the Authorization header and standard web request metadata from your server such as your server IP address and user agent. The plugin does not send your installed plugin/theme inventory, scan results, or site content to Wordfence.

Service provider: Defiant, Inc.
Terms of Service: https://www.wordfence.com/terms-of-service/
Privacy Policy: https://www.wordfence.com/privacy-policy/

Installation

  1. Upload vulnerability-monitor-for-wordfence-intelligence to the /wp-content/plugins/ directory.
  2. Activate the plugin through the Plugins menu.
  3. Open Vulnerability Monitor for Wordfence Intelligence in the WordPress admin sidebar.
  4. Configure notification email, Wordfence API key, and preferred severity levels.
  5. (Optional) Enable scheduled scans.

FAQ

Does this plugin send my data to external servers?

The plugin fetches the Wordfence Intelligence feed from Wordfence.
It does not upload your installed plugin/theme inventory or scan results to Wordfence.

Does it slow down my website?

No. All scans are manual or scheduled via WP-Cron.
Normal visitors are never affected.

Do I need a Wordfence account?

Yes. Wordfence Intelligence V3 requires an API key from your Wordfence account.
You can create it after signing in at the Integrations page in your Wordfence.com account.

Does this plugin store a default API key or email address?

No. The plugin does not ship with any embedded API key or hardcoded email address.
By default it uses your site’s existing admin_email setting until you change it.

Does this replace Wordfence?

No. This plugin is not a firewall.
It is a lightweight vulnerability monitor.

Can I customize the email template?

Yes! Both subject and body support placeholders like {site}, {count}, {time}, {list_html}.

Can agencies use this on client websites?

Absolutely. That’s one of the primary use cases.

Contributors & Developers

“Vulnerability Monitor for Wordfence Intelligence” is open source software.

Changelog

1.3.9

  • Stored scan result and operational status options with autoload disabled to reduce unnecessary front-end option loading.

1.3.8

  • Replaced inline admin CSS and JavaScript with properly enqueued assets.
  • Documented the Wordfence external service usage, data flow, and policy links in the readme.
  • Renamed generic runtime identifiers to stronger wfim-prefixed names to reduce conflict risk.

1.3.7

  • Renamed the public plugin package and release metadata for the new WordPress.org naming requirements.
  • Updated the public slug, text domain, and bundled archive structure to match the new plugin name.

1.3.6

  • Optimized feed matching so scans no longer re-scan the full installed plugin and theme lists for every feed item.
  • Reduced the risk of 30-second timeouts on larger Wordfence Intelligence v3 feeds.

1.3.5

  • Updated release metadata for the WordPress 7.0 compatibility check.
  • Bumped the packaged plugin version to 1.3.5.

1.3.4

  • Added an admin confirmation notice after sending a test email.
  • Improved test email feedback so successful sends are visible immediately in settings.

1.3.3

  • Fixed WordPress.org Plugin Check findings in the admin UI and packaging metadata.
  • Aligned plugin headers and readme requirements for WordPress.org submission.
  • Cleaned the release package and removed development-only warnings.

1.3.2

  • Distributed scheduled scans across sites using a stable per-site offset, reducing simultaneous Wordfence API requests.
  • Re-aligned existing scheduled scans to the new staggered timing after settings updates and plugin load.

1.3.1

  • Added detailed diagnostics for Wordfence feed fetch failures, including HTTP 429 rate-limit hints.
  • Preserved debug logs for failed scans so API error details remain visible in Scan Summary.

1.3.0

  • Added operational alert emails for scan failures, overdue scheduled scans, and fatal plugin errors.
  • Added recovery emails when scanning starts working again.
  • Added throttling to reduce repeat alert spam.

1.2.1

  • Improved the settings UX by moving the API key directly below the feed URL and removing the misleading “optional” label.

1.2.0

  • Migrated the default vulnerability feed from Wordfence V2 to V3.
  • Automatically upgrades the legacy V2 endpoint to the V3 endpoint in plugin settings.
  • Shows a clear admin error when the required Wordfence API key is missing.

1.1.0

  • Fixed send_only_new email logic so only genuinely new findings trigger notifications.
  • Added feed caching based on the configured cache TTL.
  • Made scheduled/manual scan failures return gracefully instead of terminating abruptly.
  • Fixed the deactivation modal stylesheet.

1.0

  • Initial public release.