Plugin Directory

Wordfence Security

The Wordfence WordPress security plugin provides free enterprise-class WordPress security, protecting your website from hacks and malware.


  • Fix: Fixed bug with options that are enabled by default but disabled by the user are reset to defaults.


  • Fix: Added check to verify pluggable.php is included before calling wp_hash.


  • Fix: Resolved issue with some admin links not using the network admin URL.
  • Fix: Resolved issue with slashes not being stripped from Advanced Blocking usernames, reasons.
  • Enhancement: Added ability to Block any requests from IPs matching a PTR record.
  • Fix: Updated the GeoIP lib to use the wfUtils::inet_pton functions instead of the PHP default for installs that do not have IPv6 support.
  • Fix: Added help link for whitelisted 404's entry on options page.
  • Fix: Automatically exclude files that crash the scan.
  • Fix: Clear the wfHoover database table after scan is killed.
  • Enhancement: Added notice about false positives when running a scan with HIGH SENSITIVITY enabled.
  • Fix: Removed WordPress version from style and script loaders. Hid the readme.html.
  • Fix: Alert email for "lost password" did not send when the user used their username.
  • Enhancement: Exclude zip files from scans by default, and add that as option under 'Scan image and binary files'.
  • Fix: Fixed edge case where .htaccess became garbled when using Falcon cache.


  • Fix: Resolved issue where 301 redirects count as 404s with throttling applied.
  • Fix: Fixed Falcon .htaccess code writing to .htaccess when 'Immediately block IP's that access these URLs' option is modified.
  • Fix: Fixed issue where filtering posts by author in wp-admin no longer works due to change in /?author=N scan prevention logic.
  • Fix: Fixed issue in Live Traffic where 404s display as 200s.
  • Fix: Resolved issue with throttling logins via XMLRPC are not applied.


  • Fix: Resolved issue with some variations of author=N scans not being caught. Thanks James Golovich.
  • Fix: Updated typo in author=N option.
  • Fix: Resolved issue with Falcon not writing to .htaccess with WP installed in subdirectory.
  • Fix: Added width to logo in activity report email.
  • Fix: Resolved issue with Live Traffic endpoint in cases where WordPress is installed into a subdirectory.
  • Improvement: Optimized database query with in unlocking user email routine.
  • Improvement: Moved firewall logic into 'wp_loaded' hook.


  • Fix: Resolved issue with GoogleBot being erroneously flagged as human in Live Traffic.
  • Fix: Added better handling of human/bot detection.
  • Improvement: Verified humans are flagged via cookie to prevent false positives.


  • Fix: Live Traffic endpoint moved to site root to prevent issues with GoogleBot.


  • Improvement: Updated local GeoIP database.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.
  • Improvement: Added option to exclude URLs from 404 throttling, and included some common 404s.
  • Improvement: Added new branded logos.
  • Fix: Fixed bug with live traffic ajax call being indexed by Google.


  • Improvement: Updated local GeoIP database to July version.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.
  • Fix: Hooked up network ranges in CIDR format ( in Whois to support data coming back from whois that includes CIDR network format.
  • Fix: Fixed 2 PHP notices in wfUtils.


  • Improvement: Removed locked out IPs from locked out list when permanently blocking all locked out IPs.
  • Improvement: Added admin-configured blocked IPs and blocked network ranges to import/export.
  • Fix: Fixed PHP warnings in activity report where an array is not returned.
  • Fix: Fixed PHP notice in IP spam check portion of scan.


  • Fix: Fixed bug in Live Traffic where v5 style blocked ranges generated PHP warning breaking the JSON response.
  • Fix: Fixed invalid date bug in Live Traffic: Top Consumers and Top 404s.
  • Fix: Fixed edge case bug with author=N scans redirecting to author archives page.


  • Improvement: Added the local time stamp to 'time since' labels in Live Traffic and Blocked IPs pages.
  • Improvement: Added a check to prompt the admin to download a backup copy of the wp-config.php in the event it's flagged as containing malware.
  • Improvement: Added option in Live Traffic to remove a blocked network range defined in Advanced Blocking in the Live Traffic feed for IPs within that range.
  • Improvement: Added option to permanently block all IPs that are currently temporarily blocked or locked out from the Blocked IPs page.
  • Improvement: Updated local GeoIP database.
  • Fix: Fixed double forward slash in file path in the 'View the File' action of malicious code scan.
  • Fix: Fixed notice in block IP JSON callback.


  • Fix: Fixed bug with Top 5 Logins displaying all failed logins opposed to timeframe set by email frequency.
  • Fix: Fixed bug with /?author=N scan protection not working for authors with no published posts.
  • Improvement: Fixed Wordfence logo width in dashboard widget on smaller screens.
  • Improvement: Added country names to flag icons in widget dashboard.
  • Improvement: Updated issues email to use WordPress' charset instead of ISO-8859-1.
  • Improvement: Added check to see if premium API key is set to auto-renew and send email reminder prior to renewal.
  • Improvement: Updated to API version 2.17.
  • Improvement: Changed auto-renew reminder email to go out 10 days before renewal, 12 days before expiration.


  • Improvement: Handled uncaught exception when noc1 is not available in 2FA.
  • Improvement: Fixed issue with limit-logins mu-plugin on GoDaddy counting first login attempt in 2FA against total allowed login attempts.
  • Fix: Fixed bug with IPs not resolving to countries when printable IP passed to logBlockedIP.
  • Fix: Fixed issue with free users country blocking redirects working after downgrade.
  • Fix: Encoded URL field in country blocking options.
  • Fix: Added a check to verify field has not already been altered prior to calling ALTER in runInstall.
  • Fix: Fixed issue with scan_options method being called after method has been removed.
  • Fix: Fixed bug in scan when dns_get_record fails and error condition was not handled.
  • Fix: Fixed PHP notice when 'Crawler' not included in browser pcap result.


  • Fix: Removed anonymous function to ensure PHP 5.2 compatability.


  • Improvement: Added option to disable SSL verification for hosts that have outdated versions cURL.
  • Improvement: Added default of when $_SERVER['REMOTE_ADDR'] is not set. Helps if you're running WordPress cron from Linux cron.
  • Improvement: Added compatability with Godaddy's MU (must use) limit login plugin and our two factor. Change makes sure you can see the message from Wordfence to enter your cellphone code.
  • Improvement: Added direction: ltr; to admin pages.
  • Improvement: Added focus/blur events to scan activity log ajax to improve server performance.
  • Improvement: Merged wp_option charset and database vulnerability scans to improve performance and make UI more intuitive.
  • Improvement: Opened 'See recent traffic' in a new window from the Live Traffic page.
  • Improvement: Updated browser pcap cache file for compatibility with detecting newer Firefox browsers.
  • Fix: Fixed bug in directories excluded from scans (escaped directory separator).
  • Fix: Updated known files and outdated plugins/themes to use wp_get_themes.
  • Fix: Fixed bug with wfScanEngine where scans forked between scan_database_main and scan_database_finish would not display results of database scan.
  • Fix: Added return false; to wfScan::error_handler to allow default error handler to process error.
  • Fix: Fixed notice with wfUserIPRange::isValidIPv4Range.
  • Fix: Fixed bug with 'Allow HTTPS pages to be cached' setting being unset after saving options.
  • Fix: Fixed a couple of typos and spelling.
  • Fix: Fixed errors upon plugin activation where wfConfig was queried before it was created.
  • Fix: Fixed issue with notices from serializing wordfenceDBScanner and private properties belonging to parent class.


  • Fix: Fix for hosts that don't have IPv6 compiled into PHP (which is rare) we not manually define certain functions.


  • Fix: Fixed an issue with the schema not updating when customers migrate to IPv6 schema to store IP's.
  • Improvement: Added additional safety checks during the schema update.


  • Feature: IPv6 fully supported. This includes whois, range blocking, IPv6 city lookup in live traffic, country blocking and all other security functions. See http://www.wordfence.com/blog/ for more info.
  • Feature: New scanning routine examines the wp_options table for executable code based on a new infection we are seeing that is well hidden.
  • Improvement: Prevent Googlebot from being blocked if user has configured a banned URL and Google tries to crawl it.
  • Improvement: Improved detection for additional Google crawlers especially if an IP PTR resolves to a .googlebot.com domain.
  • Fix: Fixed bug with https:// URLs not allowed in country blocking.
  • Fix: Fixed typos.


  • Fix: Wordfence no longer can appear on sub-sites on multi-site installs, only on the network admin panel.
  • Fix: Wordfence dashboard widget only can appear on network admin dashboard in multi-site installs.
  • Fix: No more multiple scheduled scans on multi-site.
  • Fix: Fixed mixed-protocol warning if you're using SSL and Wordfence - our static assets are loaded without specifying protocol now.
  • Fix: Fixed issue where non-existent users were shown in dashboard widget and email summary as valid users.
  • Fix: Removed /e modifier in preg_replace for Diff_Renderer_Html_Array::formatLines since it is deprecated in PHP 5.5.
  • Fix: Removed ssl_verify => false from wp_remote_post connectivity test since some versions of cURL will throw an error since WordPress uses their own certificate bundle.
  • Fix: Fixed bug with activity report email date range (was one week ahead).
  • Fix: Removed email summary report from cron on deactivation.
  • Fix: Fixed an off-by-one bug in wfDirectoryIterator for maximum total files and max files per directory.
  • Fix: Updated our browser data to fix an issue that caused newer browsers to appear in live traffic with version 0.0.
  • Improvement: Updated the country database used for country blocking to April 2015 version.
  • Improvement: Added an additional check for disabling script execution in the uploads directory that the .htaccess file actually contains our protection code before removing it.
  • Improvement: Paused Live Traffic ajax request when the window/document loses focus to reduce server load.
  • Improvement: Better error handling when making API calls to noc1 to help our support personell help you.
  • Improvement: Added locked out IP's and IP's restricted through advanced blocking to the blocked IP log for dashboard and email summary.
  • Improvement: Excluded whitelisted IP's from dashboard and widget email summary.


  • Fix: Dasboard widget no longer appearing for all users.


  • Fix: Removed .htaccess file the previous release created in wfcache directory that caused problems.


  • Premium Feature: Password Auditing. Audit the strength of your admin and user-level passwords against our GPU based auditing cluster. Easily alert users to weak passwords or force a password change.
  • Feature: Activity email summary. See options page to enable a weekly, bi-weekly or monthly activity summary.
  • Feature: Activity summary dashboard widget.
  • Fix: Fixed bug on plugin activation where the configuration table was being queried before it was created.
  • Improvement: Added .htaccess to wfcache directory.
  • Improvement: Switched to using wp_remote_post for Wordfence cloud API calls to improved SSL support and a more standards based approach.


  • Customers running WP versions older than 3.9 don't support wp_normalize_path(). Added support for older WP versions to fix an error being thrown.


  • Improvement: Updated country blocking database to the newest version (March 2015)
  • Improvement: Added detection for many new samples we received (thanks all!) including a nasty polymorphic infection.
  • Fix: Changed the way we find the plugin directory to fix a possible issue that would cause alerts to return blank plugin names.
  • Fix: Improved Nginx detection so that we don't accidentally detect Nginx if you're running Apache.


  • Feature: You can now block POST requests to your WordPress site that have an empty User-Agent and Referer header. This is a common pattern among badly written brute force bots.
  • Feature: Added cron viewer at bottom of Wordfence options page. The plugin we were using to help diagnose customer issues is broken. Use this instead.
  • Feature: Added DB table viewer at bottom of Wordfence options page. This is a read-only utility to view table names and detailed status. Also for customer diagnostic purposes.
  • Improvement: Code cleanup after in-depth code analysis. Removed unused functions and variables and re-indented selected code.
  • Fix: Fixed issue that appeared after last release where raw HTML tags were appearing in email alerts.
  • Fix: Tour behaved inconsistently under some conditions. Fixed.
  • Fix: Mismatched HTML tags in some presentation code. Fixed.
  • Fix: When fetching theme list the interator had the same name as the array. Fixed.
  • Fix: Detection for malware URLs in comments had a partial description in the issue. Was being overwritten when it should have been appended. Fixed.
  • Fix: Check if dns_get_record() exists before using it to avoid warnings.
  • Fix: If you have the wordfence security network disabled, the _wfVulnScanners table may have grown indefinitely. Fixed so it's regularly truncated.
  • Fix: wordfence::getLog() was private and should be public. Fixed.
  • Fix: Removed warning about _wfsf not being an element of GET params. Usually hidden, but in case something checks error_get_last()


  • Update: Upgraded the geoIP country database to Jan 2015 version.
  • Improvement: Added an option to disable execution of PHP code in the uploads directory as an added level of protection. Under "Other Options" on the Wordfence options page.
  • Improvement: We now email you any malware URLs encountered and they won't be filtered by your spam filter because the URL is included in the alert email as an image.
  • Fix: Fixed an issue that would cause multiple scans to be scheduled if the plugin was disabled and then reenabled.
  • Fix: The name of malicious files detected are now included in the alert email sent containing the issues.


  • Changed FAQ link when locked out and email unlock doesn't work to correct link.
  • Falcon cache now creates files as mode 0644 for improved security.
  • Updated GeoIP database to December 2014 version.




  • IP to Country database updated to November 4th 2014 version.
  • Options export and import now also exports Country Blocking and Scan Schedule configuration.
  • Scans fully documented at docs.wordfence.com. Link on 'Scan' page under heading.
  • Live Traffic fully documented at docs.wordfence.com. Link on Live Traffic page.
  • Falcon Engine/Wordfence Caching fully documented. Link on Performance Setup page.
  • Blocked IPs, locking and throttling fully documented. Link on Blocked IPs page.
  • Cellphone Sign-in fully documented. Link under title on Cellphone sign-in page.
  • Country blocking fully documented. Link on Country blocking page.
  • Scan Scheduling fully documented. Link on Scan Scheduling page under title.
  • Whois and Advanced Blocking documented including how Live Traffic, Whois and Advanced blocking work together.
  • Removed unnecessary text from several menu items and moved into official docs where needed.


  • Added ability to export Wordfence settings and reimport on one or many sites using secure token.
  • Added API function to programatically import Wordfence settings from another WordPress site.
  • Upgraded to Wordfence API version 2.14.


  • Detailed documentation for all options on the Wordfence options page. Launching docs.wordfence.com wiki.
  • Fixed server-side issue where diff'ing certain files would give a blank page or an API error.
  • Removed now unused whois library because we're now using Wordfence API server to get around whois port blocking.


  • Fixed issue that would cause infected files with identical content to only have the first file found show up in scans and the rest would not appear.
  • Whois queries now go via our own server as a workaround for hosting providers who block your web server's access to port 43 preventing you from making a direct whois query.
  • Fixed issue that caused litespeed users to receive multiple warnings about the noabort issue.
  • Added detection for 5 new malware variants. Thanks to Dave M. and others for the samples. Keep them coming folks!
  • Updated Wordfence server API to version 2.12.
  • Added facility at bottom of Wordfence options page to send a test email from your WordPress sytem to check if email sending is working.
  • Suppress LOCK_EX flock() warnings in falcon engine that were being generated by sites that use NFS and don't support flock() or reliable file locking.
  • Updated to the October 2014 version of the Geo IP country DB. (newest edition)


  • Fixed bug that caused country blocking and redirecting to an external URL to not work if the external URL's relative path matched the current page's relative path.
  • Made it clear that country blocking URL's require absolute URL's.


  • Security release. Update immediately. Thanks to Julio Potier.
  • Code hardening including improved sanitization and an additional nonce for unlock email form. Special thanks to Ryan Satterfield for the hard work.
  • Stability of auto-update improved for LiteSpeed customers. We auto-detect if you don't have E=noabort:1 in your .htaccess and give you instructions.
  • Auto-update also disabled now for LiteSpeed customers who don't have E=noabort:1 and you will get an email alert with an explanation.
  • Fixed a bug that may cause you to have advanced blocking patterns disabled with falcon engine enabled that should not be disabled.
  • Removed a benign warning in wfCache.php.
  • Added clarity to the banned URL option on the options page. All URL's must be relative.
  • Added a primary key to the wp_wfStatus table which is required for certain incremental backup plugins and utilities.
  • Fixed advanced country blocking which was not correctly displaying advanced options.
  • Migrated to using wp_kses() for sanitization.
  • Prevent IP spoofing in default Wordfence IP configuration.
  • Change explanations of how Wordfence gets IP's to make it clear which to use to prevent spoofing.
  • Make it clear that the option to have IP's immediately blocked when they access a URL requires relative URL's starting with a forward slash.
  • Whitelist Sucuri's scanning IP addresses which were getting blocked because they triggered Wordfence blocking during a scan.
  • Improved Wordfence's code that acquires the visitor IP to block certain spoofing attacks, be more platform agnostic and deal with visits from private IP's more elegantly.


  • Security release. Upgrade immediately.
  • This release fixes an XSS vunlerability on Wordfence "view all traffic from IP" page.
  • Also fixes a hard to exploit XSS which exists if you have your site as the default site on your web server, falcon enabled and debugging comments enabled.
  • Improves Revolution Slider proteciton.
  • Fixed bypass for fake googlebot blocking.


  • Updated Geo IP country database to newest version (September 2014 edition)
  • Security fix. Improved referrer sanitization in live traffic.
  • Changed scan success messaging for clarity.
  • Fixed minor bug in IP validation which manifested when users use IPv6 to IPv4 translation which produces 255.x.x.x addrs.


  • Protection from the Slider Revolution Plugin arbitrary file download vulnerability announced today. Attempts to download any .php file including wp-config.php are denied.
  • Changed the Wordfence Memory config option's label to make it clearer what the option does.
  • Moved screenshots out of plugin distro directory to reduce plugin payload size.


  • Fix: Users with large lists of blocked IP's (over 2,100) would receive a browser error "Uncaught RangeError: Maximum call stack size exceeded". Fixed.
  • Improvement: Added detection for FOPO obfuscation often used by hackers to obfuscate PHP code. Will detect a range of newer infections. (Server-side code change)


  • Fix: Crawler triggering update cron job threw error about show_message() being redeclared at end of update. Fixed.
  • Fix: Live traffic cities were incorrect and did not match country blocking block effects under certain conditions. Fixed.
  • Fix: If a site database contained a table with dashes in the table name, we would throw an error at the end of every scan. Fixed.
  • Improvement: Upgraded country DB to newest version.
  • Improvement: Changed live traffic geo location caching to be 24 hours instead of a week so that geo DB updates for live traffic on our servers take effect sooner.
  • Improvement: Ignoring .sql files in scans which are usually backups and contain many false positives, unless high sensitivity scanning is enabled.


  • Fix: Option to disable config caching. You can find this new option at the bottom of the Wordfence options page.
  • Note: If you are seeing the "cron key does not match the saved key" error, check the box to disable config caching at the bottom of the Wordfence options page, save and this will fix it.
  • Note: If you are trying to save your Wordfence options and the options keep reverting, enable the "disable config caching" at the bottom of your Wordfence options page, save and this will fix it.


  • Improvement: Wordfence now supports websites behind proxy servers when communicating with the Wordfence API servers.
  • Fix: Removed old image files that were unused.


  • Feature: Country blocking now lets you block login page OR rest of site or any combination. So you can now block the login page only for example.
  • Improvement: Upgraded the country blocking database to the newest version which is July 2014.
  • Improvement: Improved server-side performance for Wordfence scanning.
  • Improvement: Offer the option to keep Wordfence up-to-date automatically.
  • Improvement: If file contains malicious code, include filename in email alert summary info.
  • Fix: Removed strings in readme.txt that were causing false positives in hosts own scanning software.
  • Fix: Prevent lockout email alerts being sent for blank usernames.


  • Fix: Bing crawler was being misidentified as human. Fixed.
  • Fix: Escaping HTML on whois records. Thanks Nikhil Srivastava, TechDefencelabs (http://techdefencelabs.com)


  • Feature: Auto updates for Wordfence! This is a much-requested feature by our power admin's. Enable the "Update Wordfence automatically when a new version is released" option on the Wordfence options page.
  • Fix: Security fix. Thanks to Narendra Bhati from Suma Soft.


  • Feature: You can now specify one or more URL's that if accessed will cause the IP to immediately be blocked. See below "Other Options" for the new feature.
  • Improvement: Added additional debugging info when cron key does not match saved key to help diagnose any problems.
  • Improvement: New Issues email now contains site URL rather than just hostname to help identify subdirectory sites.
  • Improvement: Upgraded the country blocking database to the newest version which is June 2014.
  • Fix: Some browser versions were being reported as 0.0. Updated browser detection.


  • Improvement: WooCommerce now officially supported out of the box.
  • Feature: Added the wordfence:doNotCache() function that you can call in your themes and plugins to prevent caching of items.
  • Fix: Fixed the warning appearing in lib/wfUtils.php about a scalar being treated as an array which appeared in 5.0.9.
  • Fix: Failed logins were not being logged for non-existent usernames that were set to immediatelly block. Fixed.
  • Fix: Removed several warnings/notices that would appear when WP_DEBUG is enabled.
  • Fix: Added default character set to .htaccess which fixes garbled international characters being served from cache on sites with no default apache charset.


  • Feature: (Premium) Advanced Comment Spam Filter. Checks comment source IP, author URL and hosts and IP's in body against additional spam lists.
  • Feature: (Premium) Check if your site is being Spamvertised i.e. your domain is being included in spam emails. Usually indicates you've been hacked.
  • Feature: (Premium) Check if your website IP is generating spam. Checks against spam lists if your IP is a known source of spam.
  • Improvement: Cache clearing errors are nown shown with clear explanations.
  • Improvement: Added lightweight stats logging internally in preparation for displaying them on the admin UI in the next release.
  • Fix: If a non-existent user tries to sign in it is not logged in the live logins tab. Fixed.
  • Fix: Removed warning "Trying to get property of non-object" that would occur under certain conditions.
  • Fix: Removed call to is_404() which was not having any effect and would issue a warning if debug mode is enabled.
  • Fix: Check if CURL is installed as part of connectivity test.


  • Feature: Support for Jetpack Mobile Theme in Falcon Caching engine. Regular pages are cached, mobile pages are served direct to browser.
  • Improvement: Pages that are less than 1000 bytes will not be cached. The avg web page size in 2014 is 1246,000 bytes. Anything less than 1000 bytes is usually an error.
  • Improvement: Wordfence will now request 128M on hosts instead of 64M where memory in php.ini is set too low.
  • Fix: Wordfence was caching 404's under certain conditions. Fixed.
  • Fix: Nginx/FastCGI users would sometimes receive an error about not being able to edit .htaccess. Fixed.


  • Feature: Immediately block IP if hacker tries any of the following usernames. (Comma separated list that you can specify on the Wordfence options page)
  • Feature: Exclude exact URL's from caching. Specifically, this allows you to exclude the home page which was not possible before.
  • Feature: Exclude browsers or partial browser matches and specific cookies from caching.
  • Fix: Fixed issue where /.. dirs would be included in certain scandir operations.
  • Fix: logHuman function was not analyzing user-agent strings correctly which would allow some crawlers that execute JS to be logged as humans.
  • Fix: Removed ob_end_clean warnings about empty buffers when a human is being logged.
  • Fix: Removed warning in lib/wfCache.php caused by unset $_SERVER['QUERY_STRING'] when we check it.
  • Fix: Fixed "logged out as ''" blank username logout messages.
  • Fix: Improved security of config cache by adding a PHP header to file that we strip. Already secure because we have a .htaccess denying access, but more is better.
  • Fix: Falcon Engine option to clear Falcon cache when a post scheduled to be published in future is published.
  • Fix: Fixed Heartbleed scans hanging.


  • Feature: Prevent discovery of usernames through '?/author=N' scans. New option under login security which you can enable.
  • Fix: Introduced new global hash whitelist on our servers that drastically reduces false positives in all scans especially theme and plugin scans.
  • Fix: Fixed issue that corrupted .htaccess because stat cache would store file size and cause filesize() to report incorrect size when reading/writing .htaccess.
  • Fix: Fixed LiteSpeed issue where Falcon Engine would not serve cached pages under LiteSpeed and LiteSpeed warned about unknown server variable in .htaccess.
  • Fix: Fixed issue where Wordfence Security Network won't block known bad IP after first login attempt if "Don't let WordPress reveal valid users in login errors" option is not enabled.
  • Fix: Sites installed under a directory would sometimes see Falcon not serving cached docs.
  • Fix: If you are a premium customer and you have 2FA enabled and your key expires, fixed issue that may have caused you to get locked out.
  • Improvement: If your Premium API key now expires, we simply downgrade you to free scanning and continue rather than disabling Wordfence.
  • Improvement: Email warnings a few days before your Premium key expires so you have a chance to upgrade for uninterrupted service.


  • Fix: Removed mysql_real_escape_string because it’s deprecated. Using WP’s internal escape.
  • Fix: Wordfence issues list would be deleted halfway through scan under certain conditions.
  • Fix: Connection tester would generate php error under certain conditions.


  • Feature: We now scan for the infamous heartbleed openssl vulnerability using a non-intrusive scan method safe for production servers.
  • Improvement: We now check if .htaccess is writable and if not we give you rules to manually enable Falcon.
  • Improvement: Once Falcon is enabled, if we can’t write to .htaccess, we fall back to PHP based IP blocking.
  • Feature: You can now clear pages and posts from the cache on the list-posts page under each item or on their edit pages next to the Update button.
  • Fix: We now support sites who use a root URI but store their files and .htaccess in a subdirectory of the web root.
  • Fix: Added an additional filter to prevent crawlers like Bing who execute javascript from being logged as humans.
  • Fix: Changed the extension of the backup .htaccess to be .txt to avoid anti-virus software alerting on a download with .com extension. [Props to Scott N. for catching this]


  • Removed ability to disable XML-RPC. The feature broke many mobile apps and other remote services.


  • Fix: Issue that caused users running WordPress in debug mode to see a is_404 warning message.
  • Fix: Issue that caused Call to undefined function wp_get_current_user warning.
  • Fix: Issue that caused caching to not work on sites using subdirectories.
  • Fix: Issue that caused SQL errors to periodically appear about wfPerfLog table.
  • Fix: Issue that caused warnings about array elements not being declared.


  • To see a video introduction of Falcon Engine included with Wordfence 5, please watch this video
  • SUMMARY: This is a major release which includes Falcon Engine which provides the fastest WordPress caching available today. It also includes many other improvements and fixes. Upgrade immediatelly to get a massive performance boost for your site, many new features and fixes.
  • Feature: Falcon Engine provides the fastest caching algorithm for WordPress. Get up to a 50x site speedup now when you use Wordfence.
  • Feature: PHP based caching as an alternative to Falcon.
  • Feature: IP, browser and IP range blocking is now done using .htaccess if Falcon Engine is enabled providing a big performance boost.
  • Feature: Falcon and PHP caching includes ability to exclude URL patterns from cache along with cache management.
  • Feature: Disable XML-RPC in WordPress to prevent your site from being used as a drone in a DDoS attack.
  • Feature: Option to disable Wordfence cookies from being sent.
  • Feature: Option to start all scans using the remote start-scan option. This may fix some customers who can’t start scans.
  • Feature: Falcon Engine includes the ability to block IP ranges using .htaccess. We take your ranges and convert them into CIDR compatible .htaccess lines that very efficiently block the ranges you’ve specified. Another great performance improvement.
  • Feature: If user disables permalinks we automatically disable Falcon Engine caching.
  • Feature: Before you enable Falcon Engine we make you download a backup of your .htaccess file just in case.
  • Improvement: Real-time traffic monitoring loads asynchronously to provide a faster user experience.
  • Improvement: All Wordfence configuration variables are now cached on disk rather than repeatedly looked up on the database providing a big performance improvement.
  • Improvement: Updated browser detection algorithms for new browsers.
  • Improvement: Updated country GeoIP database to the April edition.
  • Improvement: Improved performance by only loading routines required for logged in users if they have a login cookie. No DB lookup required.
  • Improvement: Added on-off switches to top of live traffic to make it easy to turn on/off.
  • Improvement: Removed marketing message from Wordfence email alerts.
  • Improvement: Added ability to exclude files from scan that match patterns. Multiple excludes using wildcards allowed.
  • Improvement: Improved performance by moving all actions that would only be used by a logged in user to be set up using add_action if the user actually has a login cookie.
  • Fix: Added a throttle to prevent identical email alerts being sent repeatedly.
  • Fix: Changed order of IP blocking and alerting code to prevent multiple email alerts being sent in a race condition.
  • Fix: Cleaned up legacy code including removing all array_push statements.
  • Fix: Added try/catch block to fileTooBig() function when we encounter files that we can’t seek on and that throw an IO error to prevent scans from crashing.
  • Fix: Resolved issue that may have caused wfhits table to grow continuously on some sites.
  • Fix: Ensured that runInstall() isn’t called multiple times.
  • Fix: Moved register_activation_hook to only be called if the user has a login cookie and has a likelihood of being actually logged in as admin. Performance improvement.
  • Fix: Added doEarlyAccessLogging routine to move logging before caching so we can have both.
  • Fix: Removed the “update LOW_PRIORITY” sql statement when updating wfHits which was intended to speed up MySQL performance but may have actually caused queries to queue up and slow things down.
  • Fix: Whitelisted IP’s are no longer put through two factor authentication as one would expect.
  • Fix: Changed our wp_enqueue_script calls to add a ‘wf’ prefix to our script names so that another plugin doesn’t cause our scripts to not load.
  • Fix: Removed code that would cause all alerts to be turned on for some users under certain conditions.
  • Fix: Automatically excluding backup files and log files from URL scans to reduce false positives on referring URLs in logs and backups.


  • Improvement: Added "high sensitivity" scanning which catches evals with other bad functions but may give false positives. Not enabled by default.
  • Fix: Removed code that caused error message during scan initialization.
  • Fix: IP to number conversation code had a problem with IP's with a single 0 in them. Bug was introduced in 4.0.2.
  • Fix: Very fast attacks would generate a lot of email alerts due to race condition. Fixed.


  • Feature: Ability to bulk repair or delete files when cleaning a site.
  • Feature: You can now limit the number of emails per hour that Wordfence sends.
  • Feature: You can now scan image files as if they are executables when cleaning a site. See the option under scanning options.
  • Feature: New connectivity test for wp_remote_post to our servers.
  • Feature: New detection for backdoors that were previously missed in scans.
  • Improvement: Added a link to the Wordfence admin URL for a site when an email alert is received.
  • Improvement: Removed "buy premium" message from the alert emails which was causing confusion and irritation.
  • Improvement: Improved private address detection by making it faster and adding all private subnets, not just RFC1918 nets.
  • Improvement: Switched to wp_remote_get for triggering scans instead of wp_remote_post()
  • Improvement: Added some more verbose debugging for scan starts when in debug mode.
  • Improvement: No longer include private addresses when checking malware URL's and scanning IP's.
  • Improvement: Added code to disable Wordfence if WordPress is installing.
  • Fix: Text change because not all "scan" buttons are blue.
  • Fix: Removed URL from wfBrowscapCache.php which was causing false positives during scans.
  • Fix: Fixed SQL bug that triggered when we logged a vulnerability scan.
  • Fix: IP range blocks where a digit is preceded by a '0' char will no longer generate an error.
  • Fix: The getIP() routine will no longer use the IP closest to a visitor in network topology if that IP is a private address and behind a proxy.


  • Real-time WordPress Security Network Launched.
  • If another site is attacked and blocks the attacker, your site also blocks the attacker. Shared data among Wordfence sites.
  • See our home page on http://www.wordfence.com for a live map of attacks being blocked. Then blog about us!!
  • Fixed bug where wfBrowscapCache.php is reported as malicious.
  • Big improvement in scanning speed and efficiency of URL's and IP addresses.
  • Fixed preg_replace() warning by using newer preg_replace_callback() func.


  • Fixed issue that caused Wordfence security to not log 404's.
  • Made 404's more visible on the live traffic page.
  • Fixed panel width that was too narrow for WP 3.8 on live traffic and issues pages.
  • Report hack attempts to Wordfence Security scanning server for DDoS protection.
  • Remind admin if security alert email is blank and tour is closed.
  • Updated links to new Wordfence Security support website at support.wordfence.com.
  • Made Wordfence Security paid-users-only message a little more user friendly.


  • Fix: Fixed issue that caused certain Wordfence Security login functions to not work. Was a PHP 5.4 vs older version incompatability issue.
  • Updated GeoIP location database to new version for country blocking.
  • Fix: Resolved issue that caused the Issues that Wordfence Security found to not be displayed in some cases.
  • Updated Wordfence Security to WordPress 3.8 Compatability.


  • Fix: We now truncate the wfHoover table after scans to save disk space on servers with huge numbers of URLs in files.
  • Fix: isStrongPasswd function was being called statically but not declared as static.
  • Fix: Improved error reporting when we can't connect to Wordfence Security API servers.
  • Fix: Fixed code that was causing an error log warning when we read the requested URL.
  • Fix: Disable and clear cellphone sign-in if you downgrade to free from paid to prevent lockouts.


  • Fixed issue that caused cellphone sign-in to not work with PHP version 5.4 or greater.
  • Fixed conflict with other plugins that also use the Whois PHP library.
  • Fixed an unsanitized user-agent string.
  • Added new malware signatures for string rot13 heuristics.
  • Updated compatibility to 3.7.


  • Fixed issue that caused scheduled scans to run even if disabled.
  • Fixed display bug when signin fails.


  • Fixed issue that caused Human traffic to not be logged in Wordfence Security live traffic view.


  • Removed Wordfence Security .htaccess because it doesn't offer any security functionality and increases incompatibility.
  • Fixed spelling errors.
  • Added check to see if HTTP_USER_AGENT server variable is defined before using it to suppress large number of warnings on some sites.
  • Changed the way we call admin_url to the correct syntax.
  • Correctly escaped HTML on error messages.
  • Fixed issue that generated non-compliant query string.
  • Updated GeoIP database to newest version.


  • Updated GeoIP database for country blocking security.
  • Fixed bug in Wordfence Security where we called reverseLookup in wfUtils statically and it's a non-static method. Thanks Juliette.
  • Removed characters that are invalid in an IP address or domain from the Whois facility to improve security.
  • Prevent users from creating 1 character passwords to improve security.
  • Fixed issue that caused an invalid variable to be used in an error message and improved Wordfence Security temporary file implementation for get_ser/ser_ser functions. Thanks R.P.
  • Fixed issue that caused IP to output as integer in status msg. Not security related but display issue.
  • Declared Wordfence Security reverseLookup function as static to remove warning.
  • Fixed returnARr syntax error in Wordfence Security class.
  • Note, there is no Wordfence Security version 3.8.2.


  • Added Cellphone Sign-in (Two Factor Authentication) for paid Wordfence Security members. Stop brute-force attacks permanently! See new "Cellphone Sign-in" menu option.
  • Added ability to enforce strong passwords using Wordfence Security when accounts are created or users change their password. See Wordfence Security 'options' page under 'Login Security Options'.
  • Added new backdoor/malware signatures to Wordfence Security scanning including detection for spamming scripts, youtube spam scripts and a new attack shell.
  • Fixed issue: Under some conditions, files not part of core or a known theme or plugin would be excluded from a Wordfence Security scan.
  • Fixes from Juliette R. F. Remove warnings for unset variables. Fix options 'save' spinner spinning infinitely on some platforms. Removed redundant error handling code in Wordfence Security.
  • Added ability to downgrade a paid Wordfence Security license to free.


  • Fixed issue that caused locked out IP's to not appear, or to appear with incorrect "locked out until" time.


  • Moved global firewall, login security and live traffic options to top of options page.
  • Made it clear that if you have Wordfence Security firewall disabled, IP's won't be blocked, country blocking won't work and advanced blocking won't work with warnings on each page.


  • Fixed JS error in Wordfence Security that occurs occasionally when users are viewing Wordfence Security activity log in real-time.
  • New Feature: Prevent users registering 'admin' username if it doesn't exist to improve security. Recommended if you've deleted 'admin'. Enable on 'options' page.
  • Check if Wordfence Security GeoIP library is already declared for all functions. Fixes Fatal error: Cannot redeclare geoip_country_code_by_name.
  • Fixed a Wordfence Security compatibility issue with sites and hosts using Varnish front-end cache to ensure legit users don't get blocked. Added two HTTP no-cache and Expires headers.
  • Fixed bug when using Wordfence Security Advanced User-Agent blocking with certain patterns this would appear: Warning: preg_match() [function.preg-match]: Unknown modifier
  • Vastly improved speed of Wordfence Security Advanced User-Agent blocking security feature. No longer using regex but still support wildcards using fnmatch()
  • We now support usernames with spaces in the list of users to ignore in the live traffic config on 'options' page.
  • Improved language in status messages to avoid confusion. Changed "unrecognized files" to "additional files" to describe non-core/theme/plugin files.


  • Fixed bug in Wordfence Security that caused IP range blocking to not block.
  • Fixed bug that caused unblocking a permanently blocked IP t

Requires: 3.9 or higher
Compatible up to: 4.3.1
Last Updated: 2 months ago
Active Installs: 1+ million


4.9 out of 5 stars
5 stars 2,345


273 of 345 support threads in the last two months have been resolved.

Got something to say? Need help?



22 people say it works.
2 people say it's broken.

100,2,2 100,1,1
100,2,2 100,1,1 100,1,1 100,2,2 100,1,1 100,1,1 0,2,0 100,1,1 100,2,2 100,1,1 100,1,1 100,1,1 100,3,3 100,2,2 100,4,4 100,3,3 50,2,1 100,2,2 100,3,3 100,1,1 100,1,1 100,1,1
0,1,0 100,2,2 100,2,2 100,1,1 100,1,1
100,1,1 75,4,3 100,2,2 0,2,0 100,6,6 100,1,1 100,2,2 100,2,2 100,2,2 85,13,11 100,1,1 90,10,9 100,5,5 75,4,3 100,3,3 100,10,10 100,1,1 100,1,1
88,49,43 100,6,6 100,5,5 100,1,1 100,4,4 100,1,1 91,22,20 67,9,6 84,19,16 57,7,4 0,1,0 100,1,1
0,3,0 100,22,22 100,7,7
95,21,20 83,6,5 0,1,0 92,24,22 96,23,22 78,9,7 80,10,8 75,16,12 100,1,1
85,20,17 100,8,8
100,8,8 100,11,11 100,1,1
67,9,6 100,6,6 93,15,14 100,9,9 100,1,1 100,1,1
60,5,3 100,7,7
100,13,13 100,34,34 100,1,1
100,18,18 100,5,5 100,7,7 100,1,1 100,2,2 100,1,1
88,8,7 100,2,2 96,54,52 100,3,3 100,5,5 100,2,2 0,1,0
71,7,5 100,10,10 100,1,1
100,4,4 100,3,3 100,1,1
67,3,2 94,16,15 69,13,9 71,14,10 50,2,1 100,1,1
100,1,1 63,8,5 55,11,6 78,18,14 88,16,14 67,9,6 88,16,14 67,12,8 86,7,6 100,5,5 100,3,3 100,2,2 100,1,1 100,1,1 100,1,1 100,1,1
100,4,4 60,10,6 40,5,2 89,9,8 100,6,6 100,1,1 100,1,1 100,1,1 100,1,1
70,10,7 100,1,1 100,2,2 93,14,13 100,4,4 95,20,19 100,7,7 100,7,7 100,9,9 100,7,7 100,6,6 100,1,1
95,19,18 100,3,3 0,1,0
100,1,1 100,20,20 100,10,10 100,17,17 100,1,1 100,1,1
100,1,1 100,1,1 88,8,7 100,2,2 90,10,9 100,2,2 100,14,14 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1 100,1,1
80,10,8 67,3,2 67,6,4 50,2,1 100,3,3 82,11,9 100,1,1 100,4,4 100,4,4 100,3,3
100,1,1 100,3,3
88,8,7 100,2,2 75,4,3
100,13,13 100,1,1 92,24,22