Wordfence Security

Secure your website with the most comprehensive WordPress security plugin. Firewall, malware scan, blocking, live traffic, login security & more.


  • Improvement: Locked out IPs are now enforced at the WAF level to reduce server load.
  • Improvement: Added a "Show more" link to the IP block list and login attempts list.
  • Improvement: Added network data for the top countries blocked list.
  • Improvement: Added a notification when a premium key is installed on one site but registered for another URL.
  • Improvement: Switching tabs in the various pages now updates the page title as well.
  • Improvement: Various styling consistency improvements.
  • Change: Separated the various blocking-related pages out from the Firewall top-level menu into "Blocking".
  • Fix: Improved compatibility with our GeoIP interface.
  • Fix: The updates available notification is refreshed after updates are installed.
  • Fix: The scan notification is refreshed when issues are resolved or ignored.


  • Enhancement: Added Wordfence Dashboard for quick overview of security activity.
  • Improvement: Simplified the UI by revamping menu structure and styling.
  • Fix: Fixed minor issue with REST API user enumeration blocking.
  • Fix: Fixed undefined index notices on password audit page.


  • Improvement: Better reporting for failed brute force login attempts.
  • Change: Reworded setting for ignored IPs in the WAF alert email.
  • Change: Updated support link on scan page.
  • Fix: When a key is in place on multiple sites, it's now possible to downgrade the ones not registered for it.
  • Fix: Addressed an issue where the increased attack rate emails would send repeatedly if the threshold value was missing.
  • Fix: Typo fix in firewall rule 11 name.


  • Improvement: Updated internal GeoIP database.
  • Improvement: Better error handling when a site is unreachable publicly.
  • Fix: Fixed a URL in alert emails that did not correctly detect when sent from a multisite installation.
  • Fix: Addressed an issue where the scan did not alert about a new WordPress version.


  • Improvement: Added support for hiding the username information revealed by the WordPress 4.7 REST API. Thanks Vladimir Smitka.
  • Improvement: Added vulnerability scanning for themes.
  • Improvement: Reduced memory usage by up to 90% when scanning comments.
  • Improvement: Performance improvements for the dashboard widget.
  • Improvement: Added progressive loading of addresses on the blocked IP list.
  • Improvement: The diagnostics page now displays a config reading/writing test.
  • Change: Support for the Falcon cache has been removed.
  • Fix: Better messaging when the WAF rules are manually updated.
  • Fix: The proxy detection check frequency has been reduced and no longer alerts if the server is unreachable.
  • Fix: Adjusted the behavior of parsing the X-Forwarded-For header for better accuracy. Thanks Jason Woods.
  • Fix: Typo fix on the options page.
  • Fix: Scan issue for known core file now shows the correct links.
  • Fix: Links in "unlock" emails now work for IPv6 and IPv4-mapped-IPv6 addresses.
  • Fix: Restricted caching of responses from the Wordfence Security Network.
  • Fix: Fixed a recording issue with Wordfence Security Network statistics.


  • Improvement: WordPress 4.7 improvements for the Web Application Firewall.
  • Improvement: Updated signatures for hash-based malware detection.
  • Improvement: Automatically attempt to detect when a site is behind a proxy and has IP information in a different field.
  • Improvement: Added additional contextual help links.
  • Improvement: Significant performance improvement for determining the connecting IP.
  • Improvement: Better messaging for two-factor recovery codes.
  • Fix: Adjusted message when trying to block an IP in the whitelist.
  • Fix: Error log download links now work on Windows servers.
  • Fix: Avoid running out of memory when viewing very large activity logs.
  • Fix: Fixed warning that could be logged when following an unlock email link.
  • Fix: Tour popups on options page now scroll into view correctly.


  • Improvement: Improved formatting of attack data when it contains binary characters.
  • Improvement: Updated internal GeoIP database.
  • Improvement: Improved the ordering of rules in the malware scan so more specific rules are checked first.
  • Fix: Country blocking redirects are no longer allowed to be cached.
  • Fix: Fixed an issue with 2FA on multisite where the site could report URLs with different schemes depending on the state of plugin loading.


  • Fix: Fixed an issue that could occur on older WordPress versions when processing login attempts.


  • Improvement: Scan times for very large sites with huge numbers of files are greatly improved.
  • Improvement: Added a configurable time limit for scans to help reduce overall server load and identify configuration problems.
  • Improvement: Email-based logins are now covered by "Don't let WordPress reveal valid users in login errors".
  • Improvement: Extended rate limiting support to the login page.
  • Fix: Fixed a case where files in the site root with issues could have them added multiple times.
  • Fix: Improved IP detection in the WAF when using an IP detection method that can have multiple values.
  • Fix: Added a safety check for when the database fails to return its max_allowed_packet value.
  • Fix: Added safety checks for when the configuration table migration has failed.
  • Fix: Added a couple rare failed login error codes to brute force detection.
  • Fix: Fixed a sequencing problem when adding detection for bot/human that led to it being called on every request.
  • Fix: Suppressed errors if a file is removed between the start of a scan and later scan stages.
  • Fix: Addressed a problem where the scan exclusions list was not checked correctly in some situations.


  • Improvement: Reworked blocking for IP ranges, country blocking, and direct IP blocking to minimize server impact when under attack.
  • Improvement: Live traffic better indicates the action taken by country blocking when it redirects a visitor.
  • Improvement: Added support for finding server logs to the Diagnostics page to help with troubleshooting.
  • Improvement: Whitelisted StatusCake IP addresses.
  • Improvement: Updated GeoIP database.
  • Improvement: Disabling Wordfence now sends an alert.
  • Improvement: Improved detection for uploaded PHP content in the firewall.
  • Fix: Eliminated memory-related errors resulting from the scan on sites with very large numbers of issues and low memory.
  • Fix: Fixed admin page layout for sites using RTL languages.
  • Fix: Reduced overhead of the dashboard widget.
  • Fix: Improved performance of checking for whitelisted IPs.
  • Fix: Changes to the default plugin hello.php are now detected correctly in scans.
  • Fix: Fixed IPv6 warning in the dashboard widget.


  • Fix: Replaced a slow query in the dashboard widget that could affect sites with very large numbers of users.


  • Improvement: Now performing scanning for PHP code in all uploaded files in real-time.
  • Improvement: Improved handling of bad characters and IPv6 ranges in Advanced Blocking.
  • Improvement: Live traffic and scanning activity now display a paused notice when real-time updates are suspended while in the background.
  • Improvement: The file system scan alerts for files flagged by antivirus software with a '.suspected' extension.
  • Improvement: New alert option to get notified only when logins are from a new location/device.
  • Change: First phase for removing the Falcon cache in place, which will add a notice of its pending removal.
  • Fix: Included country flags for Kosovo and Curaçao.
  • Fix: Fixed the .htaccess directives used to hide files found by the scanner.
  • Fix: Dashboard widget shows correct status for failed logins by deleted users.
  • Fix: Removed duplicate issues for modified files in the scan results.
  • Fix: Suppressed warning from reverse lookup on IPv6 addresses without valid DNS records.
  • Fix: Fixed file inclusion error with themes lacking a 404 page.
  • Fix: CSS fixes for activity report email.


  • Improvement: Massive performance boost in file system scan.
  • Improvement: Added low resource usage scan option for shared hosts.
  • Improvement: Aggregated login attempts when checking the Wordfence Security Network for brute force attackers to reduce total requests.
  • Improvement: Now displaying scan time in a more readable format rather than total seconds.
  • Improvement: Added PHP7 compatible .htaccess directives to disable code execution within uploads directory.
  • Fix: Added throttling to sync the WAF attack data.
  • Fix: Removed unnecessary single quote in copy containing "IP's".
  • Fix: Fixed rare, edge case where cron key does not match the key in the database.
  • Fix: Fixed bug with regex matching carriage returns in the .htaccess based IP block list.
  • Fix: Fixed scans failing in subdirectory sites when updating malware signatures.
  • Fix: Fixed infinite loop in scan caused by symlinks.
  • Fix: Remove extra slash from "File restored OK" message in scan results.


  • Fix: Replaced calls to json_decode with our own implementation for hosts without the JSON extension enabled.


  • Improvement: Now performing malware scanning on all uploaded files in real-time.
  • Improvement: Added Web Application Firewall activity to Wordfence summary email.
  • Fix: Now using 503 response code in the page displayed when an IP is locked out.
  • Fix: wflogs directory is now correctly removed on uninstall.
  • Fix: Fixed recently introduced bug which caused the Whitelisted 404 URLs feature to no longer work.
  • Fix: Added try/catch to uncaught exception thrown when pinging the API key.
  • Improvement: Improved performance of the Live Traffic page in Firefox.
  • Improvement: Updated GeoIP database.


  • Improvement: Removed file-based config caching, added support for caching via WordPress's object cache.
  • Improvement: Whitelisted Uptime Robot's IP range.
  • Fix: Notify users if suPHP_ConfigPath is in their WAF setup, and prompt to update Extended Protection.
  • Fix: Fixed bug with allowing logins on admin accounts that are not fully activated with invalid 2FA codes when 2FA is required for all admins.
  • Fix: Removed usage of wp_get_sites() which was deprecated in WordPress 4.6.
  • Fix: Fixed PHP notice from Undefined index: url with custom/premium plugins.
  • Improvement: Converted the banned URLs input to a textarea.


  • Improvement: Support downloading a file of 2FA recovery codes.
  • Fix: Fixed PHP Notice: Undefined index: coreUnknown during scans.
  • Improvement: Add note to options page that login security is necessary for 2FA to work.
  • Fix: Fixed WAF false positives introduced with WordPress 4.6.
  • Improvement: Update Geo IP database.


  • Fix: Fixed fatal error on sites running Wordfence 6.1.11 in subdirectory and 6.1.10 or lower in parent directory.
  • Fix: Added a few common files to be excluded from unknown WordPress core file scan.


  • Improvement: Alert on added files to wp-admin, wp-includes.
  • Improvement: 2FA is now available via any authenticator program that accepts TOTP secrets.
  • Fix: Fixed bug with specific Advanced Blocking user-agent patterns causing 500 errors.
  • Improvement: Plugin updates are now only a critical issue if there is a security related fix, and a warning otherwise. A link to the changelog is included.
  • Fix: Added group writable permissions to Firewall's configuration files.
  • Improvement: Changed whitelist entry area to textbox on options page.
  • Fix: Move flags and logo served from wordfence.com over to locally hosted files.
  • Fix: Fixed issues with scan in WordPress 4.6 beta.
  • Fix: Fixed bug where Firewall rules could be missing on some sites running IIS.
  • Improvement: Added browser-based malware signatures for .js, .html files in the malware scan.
  • Fix: Added error suppression to dns_get_record.


  • Fix: Fixed fatal error in the event wflogs is not writable.


  • Fix: Using WP-CLI causes error Undefined index: SERVER_NAME.
  • Improvement: Hooked up restore/delete file scan tools to Filesystem API.
  • Fix: Reworked country blocking authentication check for access to XMLRPC.
  • Improvement: Added option to require cellphone sign-in on all admin accounts.
  • Improvement: Updated IPv6 GeoIP lite data.
  • Fix: Removed suPHP_ConfigPath from WAF installation process.
  • Fix: Prevent author names from being found through /wp-json/oembed.
  • Improvement: Added better solutions for fixing wordfence-waf.php, .user.ini, or .htaccess in scan.
  • Improvement: Added a method to view which files are currently used for WAF and to remove without reinstalling Wordfence.
  • Improvement: Changed rule compilation to use atomic writes.
  • Improvement: Removed security levels from Options page.
  • Improvement: Added option to disable ajaxwatcher (for whitelisting only for Admins) on the front end.


  • Fix: Change wfConfig::set_ser to split large objects into multiple queries.
  • Fix: Fixed bug in multisite with "You do not have sufficient permissions to access this page" error after logging in.
  • Improvement: Update Geo IP database.
  • Fix: Fixed deadlock when NFS is used for WAF file storage, in wfWAFAttackDataStorageFileEngine::addRow().
  • Fix: Added third param to http_build_query for hosts with arg_separator.output set.
  • Improvement: Show admin notice if WAF blocks an admin (mainly needed for ajax requests).
  • Improvement: Clarify error message "Error reading config data, configuration file could be corrupted."
  • Improvement: Added better crawler detection.
  • Improvement: Add currentUserIsNot('administrator') to any generic firewall rules that are not XSS based.
  • Improvement: Update URLs in Wordfence for documentation about LiteSpeed and lockouts.
  • Improvement: Show message on scan results when a result is caused by enabling "Scan images and binary files as if they were executable" or...
  • Fix: Suppressed warning: dns_get_record(): DNS Query failed.
  • Fix: Suppressed warning gzinflate() error in scan logs.
  • Fix: On WAF roadblock page: Warning: urlencode() expects parameter 1 to be string, array given ...
  • Fix: Scheduled update for WAF rules doesn't decrease from 7 days, to 12 hours, when upgrading to a premium account.
  • Improvement: Better message for dashboard widget when no failed logins.


  • Security Fix: Fixed reflected XSS vulnerability: CVSS 6.1 (Medium). Thanks Kacper Szurek.


  • Fix: Fixed bug with 2FA not properly handling email address login.
  • Fix: Show logins/logouts when Live Traffic is disabled.
  • Fix: Fixed bug with PCRE versions < 7.0 (repeated subpattern is too long).
  • Fix: Now able to delete whitelisted URL/params containing ampersands and non-UTF8 characters.
  • Improvement: Reduced 2FA activation code to expire after 30 days.
  • Improvement: Live Traffic now only shows verified Googlebot under Google Crawler filter for new visits.
  • Improvement: Adjusted permissions on Firewall log/config files to be 0640.
  • Fix: Fixed false positive from Maldet in the wfConfig table during the scan.


  • Fix: WordPress language files no longer flagged as changed.
  • Improvement: Accept wildcards in "Immediately block IP's that access these URLs."
  • Fix: Fixed bug when multiple authors have published posts, /?author=N scans show an author archive page.
  • Fix: Fixed issue with IPv6 mapped IPv4 addresses not being treated as IPv4.
  • Improvement: Added WordPress version and various constants to Diagnostics report.
  • Fix: Fixed bug with Windows users unable to save Firewall config.
  • Improvement: Include option for IIS on Windows in Firewall config process, and recommend manual php.ini change only.
  • Fix: Made the 'administrator email address' admin notice dismissable.


  • Fix: Fixed potential bug with 'stored data not found after a fork. Got type: boolean'.
  • Improvement: Added bulk actions and filters to WAF whitelist table.
  • Improvement: Added a check while in learning mode to verify the response is not 404 before whitelisting.
  • Fix: Added index to attackLogTime. wfHits trimmed on runInstall now.
  • Fix: Fixed attack data sync for hosts that cannot use wp-cron.
  • Improvement: Use wftest@wordfence.com as the Diagnostics page default email address.
  • Improvement: When WFWAF_ENABLED is set to false to disable the firewall, show this on the Firewall page.
  • Fix: Prevent warnings when $_SERVER is empty.
  • Fix: Bug fix for illegal string offset.
  • Fix: Hooked up multibyte string functions to binary safe equivalents.
  • Fix: Hooked up reverse IP lookup in Live Traffic.
  • Fix: Add the user the web server (or PHP) is currently running as to Diagnostics page.
  • Improvement: Pause Live Traffic after scrolling past the first entry.
  • Improvement: Move "Permanently block all temporarily blocked IP addresses" button to top of blocked IP list.
  • Fix: Added JSON fallback for PHP installations that don't have JSON enabled.


  • Improvement: Added dismiss button to the Wordfence WAF setup admin notice.
  • Fix: Removed .htaccess and .user.ini from publicly accessible config and backup file scan.
  • Fix: Removed the disallow file mods for admins created outside of WordPress.
  • Fix: Fixed bug with 'Hide WordPress version' causing issues with reCAPTCHA.
  • Improvement: Added instructions for NGINX users to restrict access to .user.ini during Firewall configuration.
  • Fix: Fixed bug with multiple API calls to 'get_known_files'.


  • Fix: Fixed fatal error when using a whitelisted IPv6 range and connecting with an IPv6 address.


  • Enhancement: Added Web Application Firewall
  • Enhancement: Added Diagnostics page
  • Enhancement: Added new scans:
    • Admins created outside of WordPress
    • Publicly accessible common (database or wp-config.php) backup files
  • Improvement: Updated Live Traffic with filters and to include blocked requests in the feed.


  • Improvement: Added help callout for compromised sites.
  • Improvement: Updated local GeoIP database.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.


  • Enhancement: Added automatic whitelisting for Facebook crawlers.
  • Improvement: Added styling to premium callouts.
  • Improvement: Updated local GeoIP database.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.


  • Improvement: Updated local GeoIP database.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.


  • Security Fix: Fixed stored XSS vulnerability discovered internally (thanks to Matt Rusnak).
  • Enhancement: Added additional Sucuri scanner IP to our whitelist.


  • Enhancement: Added better handling of Googlebot verification.


  • Fix: Fixed bug where options that are enabled by default but disabled by the user were reset to defaults.


  • Fix: Added check to verify pluggable.php is included before calling wp_hash.


  • Fix: Resolved issue with some admin links not using the network admin URL.
  • Fix: Resolved issue with slashes not being stripped from Advanced Blocking usernames, reasons.
  • Enhancement: Added ability to Block any requests from IPs matching a PTR record.
  • Fix: Updated the GeoIP lib to use the wfUtils::inet_pton functions instead of the PHP default for installs that do not have IPv6 support.
  • Fix: Added help link for whitelisted 404's entry on options page.
  • Fix: Automatically exclude files that crash the scan.
  • Fix: Clear the wfHoover database table after scan is killed.
  • Enhancement: Added notice about false positives when running a scan with HIGH SENSITIVITY enabled.
  • Fix: Removed WordPress version from style and script loaders. Hid the readme.html.
  • Fix: Alert email for "lost password" did not send when the user used their username.
  • Enhancement: Exclude zip files from scans by default, and add that as option under 'Scan image and binary files'.
  • Fix: Fixed edge case where .htaccess became garbled when using Falcon cache.


  • Fix: Resolved issue where 301 redirects count as 404s with throttling applied.
  • Fix: Fixed Falcon .htaccess code writing to .htaccess when 'Immediately block IP's that access these URLs' option is modified.
  • Fix: Fixed issue where filtering posts by author in wp-admin no longer works due to change in /?author=N scan prevention logic.
  • Fix: Fixed issue in Live Traffic where 404s display as 200s.
  • Fix: Resolved issue where throttling of logins via XMLRPC was not applied.


  • Fix: Resolved issue with some variations of author=N scans not being caught. Thanks James Golovich.
  • Fix: Updated typo in author=N option.
  • Fix: Resolved issue with Falcon not writing to .htaccess with WP installed in subdirectory.
  • Fix: Added width to logo in activity report email.
  • Fix: Resolved issue with Live Traffic endpoint in cases where WordPress is installed into a subdirectory.
  • Improvement: Optimized database query within the unlocking user email routine.
  • Improvement: Moved firewall logic into 'wp_loaded' hook.


  • Fix: Resolved issue with GoogleBot being erroneously flagged as human in Live Traffic.
  • Fix: Added better handling of human/bot detection.
  • Improvement: Verified humans are flagged via cookie to prevent false positives.


  • Fix: Live Traffic endpoint moved to site root to prevent issues with GoogleBot.


  • Improvement: Updated local GeoIP database.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.
  • Improvement: Added option to exclude URLs from 404 throttling, and included some common 404s.
  • Improvement: Added new branded logos.
  • Fix: Fixed bug with live traffic ajax call being indexed by Google.


  • Improvement: Updated local GeoIP database to July version.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.
  • Fix: Hooked up network ranges in CIDR format ( in Whois to support data coming back from whois that includes CIDR network format.
  • Fix: Fixed 2 PHP notices in wfUtils.


  • Improvement: Removed locked out IPs from locked out list when permanently blocking all locked out IPs.
  • Improvement: Added admin-configured blocked IPs and blocked network ranges to import/export.
  • Fix: Fixed PHP warnings in activity report where an array is not returned.
  • Fix: Fixed PHP notice in IP spam check portion of scan.


  • Fix: Fixed bug in Live Traffic where v5 style blocked ranges generated PHP warning breaking the JSON response.
  • Fix: Fixed invalid date bug in Live Traffic: Top Consumers and Top 404s.
  • Fix: Fixed edge case bug with author=N scans redirecting to author archives page.


  • Improvement: Added the local time stamp to 'time since' labels in Live Traffic and Blocked IPs pages.
  • Improvement: Added a check to prompt the admin to download a backup copy of the wp-config.php in the event it's flagged as containing malware.
  • Improvement: Added option in Live Traffic to remove a blocked network range defined in Advanced Blocking in the Live Traffic feed for IPs within that range.
  • Improvement: Added option to permanently block all IPs that are currently temporarily blocked or locked out from the Blocked IPs page.
  • Improvement: Updated local GeoIP database.
  • Fix: Fixed double forward slash in file path in the 'View the File' action of malicious code scan.
  • Fix: Fixed notice in block IP JSON callback.


  • Fix: Fixed bug with Top 5 Logins displaying all failed logins as opposed to the timeframe set by email frequency.
  • Fix: Fixed bug with /?author=N scan protection not working for authors with no published posts.
  • Improvement: Fixed Wordfence logo width in dashboard widget on smaller screens.
  • Improvement: Added country names to flag icons in widget dashboard.
  • Improvement: Updated issues email to use WordPress' charset instead of ISO-8859-1.
  • Improvement: Added check to see if premium API key is set to auto-renew and send email reminder prior to renewal.
  • Improvement: Updated to API version 2.17.
  • Improvement: Changed auto-renew reminder email to go out 10 days before renewal, 12 days before expiration.


  • Improvement: Handled uncaught exception when noc1 is not available in 2FA.
  • Improvement: Fixed issue with limit-logins mu-plugin on GoDaddy counting first login attempt in 2FA against total allowed login attempts.
  • Fix: Fixed bug with IPs not resolving to countries when printable IP passed to logBlockedIP.
  • Fix: Fixed issue with free users country blocking redirects working after downgrade.
  • Fix: Encoded URL field in country blocking options.
  • Fix: Added a check to verify field has not already been altered prior to calling ALTER in runInstall.
  • Fix: Fixed issue with scan_options method being called after method has been removed.
  • Fix: Fixed bug in scan when dns_get_record fails and error condition was not handled.
  • Fix: Fixed PHP notice when 'Crawler' not included in browser pcap result.


  • Fix: Removed anonymous function to ensure PHP 5.2 compatibility.


  • Improvement: Added option to disable SSL verification for hosts that have outdated versions of cURL.
  • Improvement: Added default of when $_SERVER['REMOTE_ADDR'] is not set. Helps if you're running WordPress cron from Linux cron.
  • Improvement: Added compatibility with GoDaddy's MU (must use) limit login plugin and our two factor. Change makes sure you can see the message from Wordfence to enter your cellphone code.
  • Improvement: Added direction: ltr; to admin pages.
  • Improvement: Added focus/blur events to scan activity log ajax to improve server performance.
  • Improvement: Merged wp_option charset and database vulnerability scans to improve performance and make UI more intuitive.
  • Improvement: Opened 'See recent traffic' in a new window from the Live Traffic page.
  • Improvement: Updated browser pcap cache file for compatibility with detecting newer Firefox browsers.
  • Fix: Fixed bug in directories excluded from scans (escaped directory separator).
  • Fix: Updated known files and outdated plugins/themes to use wp_get_themes.
  • Fix: Fixed bug with wfScanEngine where scans forked between scan_database_main and scan_database_finish would not display results of database scan.
  • Fix: Added return false; to wfScan::error_handler to allow default error handler to process error.
  • Fix: Fixed notice with wfUserIPRange::isValidIPv4Range.
  • Fix: Fixed bug with 'Allow HTTPS pages to be cached' setting being unset after saving options.
  • Fix: Fixed a couple of typos and spelling.
  • Fix: Fixed errors upon plugin activation where wfConfig was queried before it was created.
  • Fix: Fixed issue with notices from serializing wordfenceDBScanner and private properties belonging to parent class.


  • Fix: For hosts that don't have IPv6 compiled into PHP (which is rare), we now manually define certain functions.


  • Fix: Fixed an issue with the schema not updating when customers migrate to IPv6 schema to store IP's.
  • Improvement: Added additional safety checks during the schema update.


  • Feature: IPv6 fully supported. This includes whois, range blocking, IPv6 city lookup in live traffic, country blocking and all other security functions. See http://www.wordfence.com/blog/ for more info.
  • Feature: New scanning routine examines the wp_options table for executable code based on a new infection we are seeing that is well hidden.
  • Improvement: Prevent Googlebot from being blocked if user has configured a banned URL and Google tries to crawl it.
  • Improvement: Improved detection for additional Google crawlers especially if an IP PTR resolves to a .googlebot.com domain.
  • Fix: Fixed bug with https:// URLs not allowed in country blocking.
  • Fix: Fixed typos.


  • Fix: Wordfence no longer can appear on sub-sites on multi-site installs, only on the network admin panel.
  • Fix: Wordfence dashboard widget only can appear on network admin dashboard in multi-site installs.
  • Fix: No more multiple scheduled scans on multi-site.
  • Fix: Fixed mixed-protocol warning if you're using SSL and Wordfence - our static assets are loaded without specifying protocol now.
  • Fix: Fixed issue where non-existent users were shown in dashboard widget and email summary as valid users.
  • Fix: Removed /e modifier in preg_replace for Diff_Renderer_Html_Array::formatLines since it is deprecated in PHP 5.5.
  • Fix: Removed ssl_verify => false from wp_remote_post connectivity test since some versions of cURL will throw an error since WordPress uses their own certificate bundle.
  • Fix: Fixed bug with activity report email date range (was one week ahead).
  • Fix: Removed email summary report from cron on deactivation.
  • Fix: Fixed an off-by-one bug in wfDirectoryIterator for maximum total files and max files per directory.
  • Fix: Updated our browser data to fix an issue that caused newer browsers to appear in live traffic with version 0.0.
  • Improvement: Updated the country database used for country blocking to April 2015 version.
  • Improvement: Added an additional check for disabling script execution in the uploads directory that the .htaccess file actually contains our protection code before removing it.
  • Improvement: Paused Live Traffic ajax request when the window/document loses focus to reduce server load.
  • Improvement: Better error handling when making API calls to noc1 to help our support personnel help you.
  • Improvement: Added locked out IP's and IP's restricted through advanced blocking to the blocked IP log for dashboard and email summary.
  • Improvement: Excluded whitelisted IP's from dashboard and widget email summary.


  • Fix: Dashboard widget no longer appearing for all users.


  • Fix: Removed .htaccess file the previous release created in wfcache directory that caused problems.


  • Premium Feature: Password Auditing. Audit the strength of your admin and user-level passwords against our GPU based auditing cluster. Easily alert users to weak passwords or force a password change.
  • Feature: Activity email summary. See options page to enable a weekly, bi-weekly or monthly activity summary.
  • Feature: Activity summary dashboard widget.
  • Fix: Fixed bug on plugin activation where the configuration table was being queried before it was created.
  • Improvement: Added .htaccess to wfcache directory.
  • Improvement: Switched to using wp_remote_post for Wordfence cloud API calls for improved SSL support and a more standards-based approach.


  • Customers running WP versions older than 3.9 don't support wp_normalize_path(). Added support for older WP versions to fix an error being thrown.


  • Improvement: Updated country blocking database to the newest version (March 2015)
  • Improvement: Added detection for many new samples we received (thanks all!) including a nasty polymorphic infection.
  • Fix: Changed the way we find the plugin directory to fix a possible issue that would cause alerts to return blank plugin names.
  • Fix: Improved Nginx detection so that we don't accidentally detect Nginx if you're running Apache.


  • Feature: You can now block POST requests to your WordPress site that have an empty User-Agent and Referer header. This is a common pattern among badly written brute force bots.
  • Feature: Added cron viewer at bottom of Wordfence options page. The plugin we were using to help diagnose customer issues is broken. Use this instead.
  • Feature: Added DB table viewer at bottom of Wordfence options page. This is a read-only utility to view table names and detailed status. Also for customer diagnostic purposes.
  • Improvement: Code cleanup after in-depth code analysis. Removed unused functions and variables and re-indented selected code.
  • Fix: Fixed issue that appeared after last release where raw HTML tags were appearing in email alerts.
  • Fix: Tour behaved inconsistently under some conditions. Fixed.
  • Fix: Mismatched HTML tags in some presentation code. Fixed.
  • Fix: When fetching theme list the iterator had the same name as the array. Fixed.
  • Fix: Detection for malware URLs in comments had a partial description in the issue. Was being overwritten when it should have been appended. Fixed.
  • Fix: Check if dns_get_record() exists before using it to avoid warnings.
  • Fix: If you have the wordfence security network disabled, the _wfVulnScanners table may have grown indefinitely. Fixed so it's regularly truncated.
  • Fix: wordfence::getLog() was private and should be public. Fixed.
  • Fix: Removed warning about _wfsf not being an element of GET params. Usually hidden, but in case something checks error_get_last()


  • Update: Upgraded the geoIP country database to Jan 2015 version.
  • Improvement: Added an option to disable execution of PHP code in the uploads directory as an added level of protection. Under "Other Options" on the Wordfence options page.
  • Improvement: We now email you any malware URLs encountered and they won't be filtered by your spam filter because the URL is included in the alert email as an image.
  • Fix: Fixed an issue that would cause multiple scans to be scheduled if the plugin was disabled and then reenabled.
  • Fix: The names of malicious files detected are now included in the alert email sent containing the issues.


  • Changed FAQ link when locked out and email unlock doesn't work to correct link.
  • Falcon cache now creates files as mode 0644 for improved security.
  • Updated GeoIP database to December 2014 version.




  • IP to Country database updated to November 4th 2014 version.
  • Options export and import now also exports Country Blocking and Scan Schedule configuration.
  • Scans fully documented at docs.wordfence.com. Link on 'Scan' page under heading.
  • Live Traffic fully documented at docs.wordfence.com. Link on Live Traffic page.
  • Falcon Engine/Wordfence Caching fully documented. Link on Performance Setup page.
  • Blocked IPs, locking and throttling fully documented. Link on Blocked IPs page.
  • Cellphone Sign-in fully documented. Link under title on Cellphone sign-in page.
  • Country blocking fully documented. Link on Country blocking page.
  • Scan Scheduling fully documented. Link on Scan Scheduling page under title.
  • Whois and Advanced Blocking documented including how Live Traffic, Whois and Advanced blocking work together.
  • Removed unnecessary text from several menu items and moved into official docs where needed.


  • Added ability to export Wordfence settings and reimport on one or many sites using secure token.
  • Added API function to programmatically import Wordfence settings from another WordPress site.
  • Upgraded to Wordfence API version 2.14.


  • Detailed documentation for all options on the Wordfence options page. Launching docs.wordfence.com wiki.
  • Fixed server-side issue where diff'ing certain files would give a blank page or an API error.
  • Removed now unused whois library because we're now using Wordfence API server to get around whois port blocking.


  • Fixed issue that would cause infected files with identical content to only have the first file found show up in scans and the rest would not appear.
  • Whois queries now go via our own server as a workaround for hosting providers who block your web server's access to port 43 preventing you from making a direct whois query.
  • Fixed issue that caused litespeed users to receive multiple warnings about the noabort issue.
  • Added detection for 5 new malware variants. Thanks to Dave M. and others for the samples. Keep them coming folks!
  • Updated Wordfence server API to version 2.12.
  • Added facility at bottom of Wordfence options page to send a test email from your WordPress system to check if email sending is working.
  • Suppress LOCK_EX flock() warnings in falcon engine that were being generated by sites that use NFS and don't support flock() or reliable file locking.
  • Updated to the October 2014 version of the Geo IP country DB. (newest edition)


  • Fixed bug that caused country blocking and redirecting to an external URL to not work if the external URL's relative path matched the current page's relative path.
  • Made it clear that country blocking URLs require absolute URLs.


  • Security release. Update immediately. Thanks to Julio Potier.
  • Code hardening including improved sanitization and an additional nonce for unlock email form. Special thanks to Ryan Satterfield for the hard work.
  • Stability of auto-update improved for LiteSpeed customers. We auto-detect if you don't have E=noabort:1 in your .htaccess and give you instructions.
  • Auto-update also disabled now for LiteSpeed customers who don't have E=noabort:1 and you will get an email alert with an explanation.
  • Fixed a bug that may cause you to have advanced blocking patterns disabled with falcon engine enabled that should not be disabled.
  • Removed a benign warning in wfCache.php.
  • Added clarity to the banned URL option on the options page. All URLs must be relative.
  • Added a primary key to the wp_wfStatus table which is required for certain incremental backup plugins and utilities.
  • Fixed advanced country blocking which was not correctly displaying advanced options.
  • Migrated to using wp_kses() for sanitization.
  • Prevent IP spoofing in default Wordfence IP configuration.
  • Changed explanations of how Wordfence gets IPs to make it clear which to use to prevent spoofing.
  • Make it clear that the option to have IPs immediately blocked when they access a URL requires relative URLs starting with a forward slash.
  • Whitelist Sucuri's scanning IP addresses which were getting blocked because they triggered Wordfence blocking during a scan.
  • Improved Wordfence's code that acquires the visitor IP to block certain spoofing attacks, be more platform agnostic and deal with visits from private IPs more elegantly.


  • Security release. Upgrade immediately.
  • This release fixes an XSS vulnerability on Wordfence "view all traffic from IP" page.
  • Also fixes a hard to exploit XSS which exists if you have your site as the default site on your web server, falcon enabled and debugging comments enabled.
  • Improves Revolution Slider protection.
  • Fixed bypass for fake googlebot blocking.


  • Updated Geo IP country database to newest version (September 2014 edition)
  • Security fix. Improved referrer sanitization in live traffic.
  • Changed scan success messaging for clarity.
  • Fixed minor bug in IP validation which manifested when users use IPv6 to IPv4 translation which produces 255.x.x.x addrs.


  • Protection from the Slider Revolution Plugin arbitrary file download vulnerability announced today. Attempts to download any .php file including wp-config.php are denied.
  • Changed the Wordfence Memory config option's label to make it clearer what the option does.
  • Moved screenshots out of plugin distro directory to reduce plugin payload size.


  • Fix: Users with large lists of blocked IPs (over 2,100) would receive a browser error "Uncaught RangeError: Maximum call stack size exceeded". Fixed.
  • Improvement: Added detection for FOPO obfuscation often used by hackers to obfuscate PHP code. Will detect a range of newer infections. (Server-side code change)


  • Fix: Crawler triggering update cron job threw error about show_message() being redeclared at end of update. Fixed.
  • Fix: Live traffic cities were incorrect and did not match country blocking block effects under certain conditions. Fixed.
  • Fix: If a site database contained a table with dashes in the table name, we would throw an error at the end of every scan. Fixed.
  • Improvement: Upgraded country DB to newest version.
  • Improvement: Changed live traffic geo location caching to be 24 hours instead of a week so that geo DB updates for live traffic on our servers take effect sooner.
  • Improvement: Ignoring .sql files in scans which are usually backups and contain many false positives, unless high sensitivity scanning is enabled.


  • Fix: Option to disable config caching. You can find this new option at the bottom of the Wordfence options page.
  • Note: If you are seeing the "cron key does not match the saved key" error, check the box to disable config caching at the bottom of the Wordfence options page, save and this will fix it.
  • Note: If you are trying to save your Wordfence options and the options keep reverting, enable the "disable config caching" at the bottom of your Wordfence options page, save and this will fix it.


  • Improvement: Wordfence now supports websites behind proxy servers when communicating with the Wordfence API servers.
  • Fix: Removed old image files that were unused.


  • Feature: Country blocking now lets you block login page OR rest of site or any combination. So you can now block the login page only for example.
  • Improvement: Upgraded the country blocking database to the newest version which is July 2014.
  • Improvement: Improved server-side performance for Wordfence scanning.
  • Improvement: Offer the option to keep Wordfence up-to-date automatically.
  • Improvement: If file contains malicious code, include filename in email alert summary info.
  • Fix: Removed strings in readme.txt that were causing false positives in hosts' own scanning software.
  • Fix: Prevent lockout email alerts being sent for blank usernames.


  • Fix: Bing crawler was being misidentified as human. Fixed.
  • Fix: Escaping HTML on whois records. Thanks Nikhil Srivastava, TechDefencelabs (http://techdefencelabs.com)


  • Feature: Auto updates for Wordfence! This is a much-request

Requires: 3.9 or higher
Compatible up to: 4.7.2
Last Updated: 2 weeks ago
Active Installs: 1+ million


4.8 out of 5 stars
5 stars 2,791


83 of 429 support threads in the last two months have been marked resolved.




18 people say it works.
0 people say it's broken.
