
Wordfence Security

Secure your website with the most comprehensive WordPress security plugin. Firewall, malware scan, blocking, live traffic, login security & more.


WordPress security is all we do. Secure your WordPress website with Wordfence. Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised. Our Live Traffic view gives you real-time visibility into traffic and hack attempts on your WordPress website. A deep set of additional tools round out the most complete WordPress security solution available.

With over 22 million downloads, Wordfence is the most popular WordPress security plugin available. Wordfence Security is 100% free and open source. We also offer a Premium API key that gives you Premium Support, Country Blocking, Scheduled Scans, Password Auditing, real-time updates to the Threat Defense Feed, two-factor authentication, and we even check if your website IP address is being used to Spamvertize. Click here to sign-up for Wordfence Premium now or simply install Wordfence free and start protecting your website.

You can find our official documentation at and our Frequently Asked Questions on our support portal at We are also active in our community support forums on if you are one of our free users. Our Premium Support Ticket System is at Learn about WordPress security at


Wordfence Security is Multi-Site compatible and includes Cellphone Sign-in which permanently secures your WordPress website from brute force hacks.


WordPress Firewall

  • Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
  • Threat Defense Feed automatically updates firewall rules that protect you from the latest threats. Premium members receive the real-time version.
  • Block common WordPress security threats like fake Googlebots, malicious scans from hackers and botnets.

Blocking Features

  • Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
  • Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IPs or networks and block entire networks using the firewall. Report WordPress security threats to network owner.
  • Rate limit or block WordPress security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
  • Choose whether you want to block or throttle users and robots who break your WordPress security rules.
  • Premium users can also block countries and schedule scans for specific times and a higher frequency.

WordPress Login Security

  • Sign-in using your password and your cellphone to vastly improve login security. This is called Two Factor Authentication and is used by banks, government agencies and military world-wide for highest security authentication.
  • Enforce strong passwords among your administrators, publishers and users. Improve login security.
  • Checks the strength of all user and admin passwords to enhance login security.
  • Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise WordPress security.

Security Scanning

  • Scans for the HeartBleed vulnerability - included in the free scan for all users.
  • Scans core files, themes and plugins against repository versions to check their integrity. Verify security of your source.
  • See how files have changed. Optionally repair changed files that are security threats.
  • Scans for signatures of over 44,000 known malware variants that are known WordPress security threats.
  • Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
  • Continuously scans for malware and phishing URLs including all URLs on the Google Safe Browsing List in all your comments, posts and files that are security threats.
  • Scans for heuristics of backdoors, trojans, suspicious code and other security issues.

Monitoring Features

  • See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
  • A real-time view of all traffic including automated bots that often constitute security threats that JavaScript analytics packages never show you.
  • Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
  • Monitor your DNS security for unauthorized DNS changes.
  • Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.

Multi-Site WordPress Security

  • Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
  • WordPress Multi-Site (or WordPress MU in the older parlance) compatible.

IPv6 Compatible

  • Fully IPv6 compatible including all whois lookup, location, blocking and security functions.

Major Theme and Plugins Supported

  • Includes support for other major plugins and themes like WooCommerce.

Free Learning Center

The Wordfence WordPress security plugin is full-featured and constantly updated by our team to incorporate the latest security features and to hunt for the newest security threats to your WordPress website.

Author Wordfence
Contributors mmaunder
Tags antivirus, block hackers, country blocking, firewall, login security, malware, secure, security, security plugin, Web application firewall, wordpress security

Screenshots

  1. The dashboard of Wordfence Security where you can get a quick overview of any important notifications and attacks your site has been protected from.
  2. The Web Application Firewall of Wordfence Security where you can configure your protection level and view which vulnerabilities you're protected from.
  3. The scan page of Wordfence Security where you can see a summary, manage security issues and do a manual security scan.
  4. The Live Traffic view of Wordfence Security where you can see real-time activity on your site.
  5. The "Blocked IPs" page where you can manage blocked IPs, locked out IPs and see recently throttled IPs that violated security rules.
  6. The basic view of Wordfence Security options. There is very little to configure other than your alert email address and security level.
  7. If you're technically minded, this is the under-the-hood view of Wordfence Security options where you can fine-tune your security settings.

Secure your website using the following steps to install Wordfence:

  1. Install Wordfence Security automatically or by uploading the ZIP file.
  2. Activate the security plugin through the 'Plugins' menu in WordPress.
  3. Wordfence WordPress Security is now activated. Go to the scan menu and start your first security scan. Scheduled security scanning will also be enabled.
  4. Once your first scan has completed, a list of security threats will appear. Go through them one by one to secure your site.
  5. Visit the Wordfence Security options page to enter your email address so that you can receive email security alerts.
  6. Optionally change your security level or adjust the advanced options to set individual security scanning and protection options for your site.
  7. Click the "Live Traffic" menu option to watch your site activity in real-time. Situational awareness is an important part of website security.

To install the Wordfence WordPress security plugin on WordPress Multi-Site installations:

  1. Install Wordfence Security via the plugin directory or by uploading the ZIP file.
  2. Network Activate Wordfence Security. This step is important because until you network activate it, your sites will see the plugin option on their plugins menu. Once activated, that option disappears.
  3. Now that Wordfence is network activated it will appear on your Network Admin menu. Wordfence Security will not appear on any individual site's menu.
  4. Go to the "Scan" menu and start your first security scan.
  5. Wordfence Security will do a security scan of all files in your WordPress installation including those in the blogs.dir directory of your individual sites.
  6. Live Traffic will appear for ALL sites in your network. If you have a heavily trafficked system you may want to disable live traffic which will stop logging to the DB.
  7. Firewall rules and login rules apply to the WHOLE system. So if you fail a login on and it counts as 2 failures. Crawler traffic is counted between blogs, so if you hit three sites in the network, all the hits are totalled and that counts as the rate you're accessing the system.


  • Improvement: Locked out IPs are now enforced at the WAF level to reduce server load.
  • Improvement: Added a "Show more" link to the IP block list and login attempts list.
  • Improvement: Added network data for the top countries blocked list.
  • Improvement: Added a notification when a premium key is installed on one site but registered for another URL.
  • Improvement: Switching tabs in the various pages now updates the page title as well.
  • Improvement: Various styling consistency improvements.
  • Change: Separated the various blocking-related pages out from the Firewall top-level menu into "Blocking".
  • Fix: Improved compatibility with our GeoIP interface.
  • Fix: The updates available notification is refreshed after updates are installed.
  • Fix: The scan notification is refreshed when issues are resolved or ignored.


  • Enhancement: Added Wordfence Dashboard for quick overview of security activity.
  • Improvement: Simplified the UI by revamping menu structure and styling.
  • Fix: Fixed minor issue with REST API user enumeration blocking.
  • Fix: Fixed undefined index notices on password audit page.


  • Improvement: Better reporting for failed brute force login attempts.
  • Change: Reworded setting for ignored IPs in the WAF alert email.
  • Change: Updated support link on scan page.
  • Fix: When a key is in place on multiple sites, it's now possible to downgrade the ones not registered for it.
  • Fix: Addressed an issue where the increased attack rate emails would send repeatedly if the threshold value was missing.
  • Fix: Typo fix in firewall rule 11 name.


  • Improvement: Updated internal GeoIP database.
  • Improvement: Better error handling when a site is unreachable publicly.
  • Fix: Fixed a URL in alert emails that did not correctly detect when sent from a multisite installation.
  • Fix: Addressed an issue where the scan did not alert about a new WordPress version.


  • Improvement: Added support for hiding the username information revealed by the WordPress 4.7 REST API. Thanks Vladimir Smitka.
  • Improvement: Added vulnerability scanning for themes.
  • Improvement: Reduced memory usage by up to 90% when scanning comments.
  • Improvement: Performance improvements for the dashboard widget.
  • Improvement: Added progressive loading of addresses on the blocked IP list.
  • Improvement: The diagnostics page now displays a config reading/writing test.
  • Change: Support for the Falcon cache has been removed.
  • Fix: Better messaging when the WAF rules are manually updated.
  • Fix: The proxy detection check frequency has been reduced and no longer alerts if the server is unreachable.
  • Fix: Adjusted the behavior of parsing the X-Forwarded-For header for better accuracy. Thanks Jason Woods.
  • Fix: Typo fix on the options page.
  • Fix: Scan issue for known core file now shows the correct links.
  • Fix: Links in "unlock" emails now work for IPv6 and IPv4-mapped-IPv6 addresses.
  • Fix: Restricted caching of responses from the Wordfence Security Network.
  • Fix: Fixed a recording issue with Wordfence Security Network statistics.


  • Improvement: WordPress 4.7 improvements for the Web Application Firewall.
  • Improvement: Updated signatures for hash-based malware detection.
  • Improvement: Automatically attempt to detect when a site is behind a proxy and has IP information in a different field.
  • Improvement: Added additional contextual help links.
  • Improvement: Significant performance improvement for determining the connecting IP.
  • Improvement: Better messaging for two-factor recovery codes.
  • Fix: Adjusted message when trying to block an IP in the whitelist.
  • Fix: Error log download links now work on Windows servers.
  • Fix: Avoid running out of memory when viewing very large activity logs.
  • Fix: Fixed warning that could be logged when following an unlock email link.
  • Fix: Tour popups on options page now scroll into view correctly.


  • Improvement: Improved formatting of attack data when it contains binary characters.
  • Improvement: Updated internal GeoIP database.
  • Improvement: Improved the ordering of rules in the malware scan so more specific rules are checked first.
  • Fix: Country blocking redirects are no longer allowed to be cached.
  • Fix: Fixed an issue with 2FA on multisite where the site could report URLs with different schemes depending on the state of plugin loading.


  • Fix: Fixed an issue that could occur on older WordPress versions when processing login attempts


  • Improvement: Scan times for very large sites with huge numbers of files are greatly improved.
  • Improvement: Added a configurable time limit for scans to help reduce overall server load and identify configuration problems.
  • Improvement: Email-based logins are now covered by "Don't let WordPress reveal valid users in login errors".
  • Improvement: Extended rate limiting support to the login page.
  • Fix: Fixed a case where files in the site root with issues could have them added multiple times.
  • Fix: Improved IP detection in the WAF when using an IP detection method that can have multiple values.
  • Fix: Added a safety check for when the database fails to return its max_allowed_packet value.
  • Fix: Added safety checks for when the configuration table migration has failed.
  • Fix: Added a couple rare failed login error codes to brute force detection.
  • Fix: Fixed a sequencing problem when adding detection for bot/human that led to it being called on every request.
  • Fix: Suppressed errors if a file is removed between the start of a scan and later scan stages.
  • Fix: Addressed a problem where the scan exclusions list was not checked correctly in some situations.


  • Improvement: Reworked blocking for IP ranges, country blocking, and direct IP blocking to minimize server impact when under attack.
  • Improvement: Live traffic better indicates the action taken by country blocking when it redirects a visitor.
  • Improvement: Added support for finding server logs to the Diagnostics page to help with troubleshooting.
  • Improvement: Whitelisted StatusCake IP addresses.
  • Improvement: Updated GeoIP database.
  • Improvement: Disabling Wordfence now sends an alert.
  • Improvement: Improved detection for uploaded PHP content in the firewall.
  • Fix: Eliminated memory-related errors resulting from the scan on sites with very large numbers of issues and low memory.
  • Fix: Fixed admin page layout for sites using RTL languages.
  • Fix: Reduced overhead of the dashboard widget.
  • Fix: Improved performance of checking for whitelisted IPs.
  • Fix: Changes to the default plugin hello.php are now detected correctly in scans.
  • Fix: Fixed IPv6 warning in the dashboard widget.


  • Fix: Replaced a slow query in the dashboard widget that could affect sites with very large numbers of users.


  • Improvement: Now performing scanning for PHP code in all uploaded files in real-time.
  • Improvement: Improved handling of bad characters and IPv6 ranges in Advanced Blocking.
  • Improvement: Live traffic and scanning activity now display a paused notice when real-time updates are suspended while in the background.
  • Improvement: The file system scan alerts for files flagged by antivirus software with a '.suspected' extension.
  • Improvement: New alert option to get notified only when logins are from a new location/device.
  • Change: First phase for removing the Falcon cache in place, which will add a notice of its pending removal.
  • Fix: Included country flags for Kosovo and Curaçao.
  • Fix: Fixed the .htaccess directives used to hide files found by the scanner.
  • Fix: Dashboard widget shows correct status for failed logins by deleted users.
  • Fix: Removed duplicate issues for modified files in the scan results.
  • Fix: Suppressed warning from reverse lookup on IPv6 addresses without valid DNS records.
  • Fix: Fixed file inclusion error with themes lacking a 404 page.
  • Fix: CSS fixes for activity report email.


  • Improvement: Massive performance boost in file system scan.
  • Improvement: Added low resource usage scan option for shared hosts.
  • Improvement: Aggregated login attempts when checking the Wordfence Security Network for brute force attackers to reduce total requests.
  • Improvement: Now displaying scan time in a more readable format rather than total seconds.
  • Improvement: Added PHP7 compatible .htaccess directives to disable code execution within uploads directory.
  • Fix: Added throttling to sync the WAF attack data.
  • Fix: Removed unnecessary single quote in copy containing "IP's".
  • Fix: Fixed rare, edge case where cron key does not match the key in the database.
  • Fix: Fixed bug with regex matching carriage returns in the .htaccess based IP block list.
  • Fix: Fixed scans failing in subdirectory sites when updating malware signatures.
  • Fix: Fixed infinite loop in scan caused by symlinks.
  • Fix: Remove extra slash from "File restored OK" message in scan results.


  • Fix: Replaced calls to json_decode with our own implementation for hosts without the JSON extension enabled.


  • Improvement: Now performing malware scanning on all uploaded files in real-time.
  • Improvement: Added Web Application Firewall activity to Wordfence summary email.
  • Fix: Now using 503 response code in the page displayed when an IP is locked out.
  • Fix: wflogs directory is now correctly removed on uninstall.
  • Fix: Fixed recently introduced bug which caused the Whitelisted 404 URLs feature to no longer work.
  • Fix: Added try/catch to uncaught exception thrown when pinging the API key.
  • Improvement: Improved performance of the Live Traffic page in Firefox.
  • Improvement: Updated GeoIP database.


  • Improvement: Removed file-based config caching, added support for caching via WordPress's object cache.
  • Improvement: Whitelisted Uptime Robot's IP range.
  • Fix: Notify users if suPHP_ConfigPath is in their WAF setup, and prompt to update Extended Protection.
  • Fix: Fixed bug with allowing logins on admin accounts that are not fully activated with invalid 2FA codes when 2FA is required for all admins.
  • Fix: Removed usage of wp_get_sites() which was deprecated in WordPress 4.6.
  • Fix: Fixed PHP notice from Undefined index: url with custom/premium plugins.
  • Improvement: Converted the banned URLs input to a textarea.


  • Improvement: Support downloading a file of 2FA recovery codes.
  • Fix: Fixed PHP Notice: Undefined index: coreUnknown during scans.
  • Improvement: Add note to options page that login security is necessary for 2FA to work.
  • Fix: Fixed WAF false positives introduced with WordPress 4.6.
  • Improvement: Update Geo IP database.


  • Fix: Fixed fatal error on sites running Wordfence 6.1.11 in subdirectory and 6.1.10 or lower in parent directory.
  • Fix: Added a few common files to be excluded from unknown WordPress core file scan.


  • Improvement: Alert on added files to wp-admin, wp-includes.
  • Improvement: 2FA is now available via any authenticator program that accepts TOTP secrets.
  • Fix: Fixed bug with specific Advanced Blocking user-agent patterns causing 500 errors.
  • Improvement: Plugin updates are now only a critical issue if there is a security related fix, and a warning otherwise. A link to the changelog is included.
  • Fix: Added group writable permissions to Firewall's configuration files.
  • Improvement: Changed whitelist entry area to textbox on options page.
  • Fix: Move flags and logo served from over to locally hosted files.
  • Fix: Fixed issues with scan in WordPress 4.6 beta.
  • Fix: Fixed bug where Firewall rules could be missing on some sites running IIS.
  • Improvement: Added browser-based malware signatures for .js, .html files in the malware scan.
  • Fix: Added error suppression to dns_get_record.


  • Fix: Fixed fatal error in the event wflogs is not writable.


  • Fix: Using WP-CLI causes error Undefined index: SERVER_NAME.
  • Improvement: Hooked up restore/delete file scan tools to Filesystem API.
  • Fix: Reworked country blocking authentication check for access to XMLRPC.
  • Improvement: Added option to require cellphone sign-in on all admin accounts.
  • Improvement: Updated IPv6 GeoIP lite data.
  • Fix: Removed suPHP_ConfigPath from WAF installation process.
  • Fix: Prevent author names from being found through /wp-json/oembed.
  • Improvement: Added better solutions for fixing wordfence-waf.php, .user.ini, or .htaccess in scan.
  • Improvement: Added a method to view which files are currently used for WAF and to remove without reinstalling Wordfence.
  • Improvement: Changed rule compilation to use atomic writes.
  • Improvement: Removed security levels from Options page.
  • Improvement: Added option to disable ajaxwatcher (for whitelisting only for Admins) on the front end.


  • Fix: Change wfConfig::set_ser to split large objects into multiple queries.
  • Fix: Fixed bug in multisite with "You do not have sufficient permissions to access this page" error after logging in.
  • Improvement: Update Geo IP database.
  • Fix: Fixed deadlock when NFS is used for WAF file storage, in wfWAFAttackDataStorageFileEngine::addRow().
  • Fix: Added third param to http_build_query for hosts with arg_separator.output set.
  • Improvement: Show admin notice if WAF blocks an admin (mainly needed for ajax requests).
  • Improvement: Clarify error message "Error reading config data, configuration file could be corrupted."
  • Improvement: Added better crawler detection.
  • Improvement: Add currentUserIsNot('administrator') to any generic firewall rules that are not XSS based.
  • Improvement: Update URLs in Wordfence for documentation about LiteSpeed and lockouts.
  • Improvement: Show message on scan results when a result is caused by enabling "Scan images and binary files as if they were executable" or...
  • Fix: Suppressed warning: dns_get_record(): DNS Query failed.
  • Fix: Suppressed warning gzinflate() error in scan logs.
  • Fix: On WAF roadblock page: Warning: urlencode() expects parameter 1 to be string, array given ...
  • Fix: Scheduled update for WAF rules doesn't decrease from 7 days, to 12 hours, when upgrading to a premium account.
  • Improvement: Better message for dashboard widget when no failed logins.


  • Security Fix: Fixed reflected XSS vulnerability: CVSS 6.1 (Medium). Thanks Kacper Szurek.


  • Fix: Fixed bug with 2FA not properly handling email address login.
  • Fix: Show logins/logouts when Live Traffic is disabled.
  • Fix: Fixed bug with PCRE versions < 7.0 (repeated subpattern is too long).
  • Fix: Now able to delete whitelisted URL/params containing ampersands and non-UTF8 characters.
  • Improvement: Reduced 2FA activation code to expire after 30 days.
  • Improvement: Live Traffic now only shows verified Googlebot under Google Crawler filter for new visits.
  • Improvement: Adjusted permissions on Firewall log/config files to be 0640.
  • Fix: Fixed false positive from Maldet in the wfConfig table during the scan.


  • Fix: WordPress language files no longer flagged as changed.
  • Improvement: Accept wildcards in "Immediately block IP's that access these URLs."
  • Fix: Fixed bug when multiple authors have published posts, /?author=N scans show an author archive page.
  • Fix: Fixed issue with IPv6 mapped IPv4 addresses not being treated as IPv4.
  • Improvement: Added WordPress version and various constants to Diagnostics report.
  • Fix: Fixed bug with Windows users unable to save Firewall config.
  • Improvement: Include option for IIS on Windows in Firewall config process, and recommend manual php.ini change only.
  • Fix: Made the 'administrator email address' admin notice dismissable.


  • Fix: Fixed potential bug with 'stored data not found after a fork. Got type: boolean'.
  • Improvement: Added bulk actions and filters to WAF whitelist table.
  • Improvement: Added a check while in learning mode to verify the response is not 404 before whitelisting.
  • Fix: Added index to attackLogTime. wfHits trimmed on runInstall now.
  • Fix: Fixed attack data sync for hosts that cannot use wp-cron.
  • Improvement: Use as the Diagnostics page default email address.
  • Improvement: When WFWAF_ENABLED is set to false to disable the firewall, show this on the Firewall page.
  • Fix: Prevent warnings when $_SERVER is empty.
  • Fix: Bug fix for illegal string offset.
  • Fix: Hooked up multibyte string functions to binary safe equivalents.
  • Fix: Hooked up reverse IP lookup in Live Traffic.
  • Fix: Add the user the web server (or PHP) is currently running as to Diagnostics page.
  • Improvement: Pause Live Traffic after scrolling past the first entry.
  • Improvement: Move "Permanently block all temporarily blocked IP addresses" button to top of blocked IP list.
  • Fix: Added JSON fallback for PHP installations that don't have JSON enabled.


  • Improvement: Added dismiss button to the Wordfence WAF setup admin notice.
  • Fix: Removed .htaccess and .user.ini from publicly accessible config and backup file scan.
  • Fix: Removed the disallow file mods for admins created outside of WordPress.
  • Fix: Fixed bug with 'Hide WordPress version' causing issues with reCAPTCHA.
  • Improvement: Added instructions for NGINX users to restrict access to .user.ini during Firewall configuration.
  • Fix: Fixed bug with multiple API calls to 'get_known_files'.


  • Fix: Fixed fatal error when using a whitelisted IPv6 range and connecting with an IPv6 address.


  • Enhancement: Added Web Application Firewall
  • Enhancement: Added Diagnostics page
  • Enhancement: Added new scans:
    • Admins created outside of WordPress
    • Publicly accessible common (database or wp-config.php) backup files
  • Improvement: Updated Live Traffic with filters and to include blocked requests in the feed.


  • Improvement: Added help callout for compromised sites.
  • Improvement: Updated local GeoIP database.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.


  • Enhancement: Added automatic whitelisting for Facebook crawlers.
  • Improvement: Added styling to premium callouts.
  • Improvement: Updated local GeoIP database.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.


  • Improvement: Updated local GeoIP database.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.


  • Security Fix: Fixed stored XSS vulnerability discovered internally (thanks to Matt Rusnak).
  • Enhancement: Added additional Sucuri scanner IP to our whitelist.


  • Enhancement: Added better handling of Googlebot verification.


  • Fix: Fixed bug with options that are enabled by default but disabled by the user are reset to defaults.


  • Fix: Added check to verify pluggable.php is included before calling wp_hash.


  • Fix: Resolved issue with some admin links not using the network admin URL.
  • Fix: Resolved issue with slashes not being stripped from Advanced Blocking usernames, reasons.
  • Enhancement: Added ability to Block any requests from IPs matching a PTR record.
  • Fix: Updated the GeoIP lib to use the wfUtils::inet_pton functions instead of the PHP default for installs that do not have IPv6 support.
  • Fix: Added help link for whitelisted 404's entry on options page.
  • Fix: Automatically exclude files that crash the scan.
  • Fix: Clear the wfHoover database table after scan is killed.
  • Enhancement: Added notice about false positives when running a scan with HIGH SENSITIVITY enabled.
  • Fix: Removed WordPress version from style and script loaders. Hid the readme.html.
  • Fix: Alert email for "lost password" did not send when the user used their username.
  • Enhancement: Exclude zip files from scans by default, and add that as option under 'Scan image and binary files'.
  • Fix: Fixed edge case where .htaccess became garbled when using Falcon cache.


  • Fix: Resolved issue where 301 redirects count as 404s with throttling applied.
  • Fix: Fixed Falcon .htaccess code writing to .htaccess when 'Immediately block IP's that access these URLs' option is modified.
  • Fix: Fixed issue where filtering posts by author in wp-admin no longer works due to change in /?author=N scan prevention logic.
  • Fix: Fixed issue in Live Traffic where 404s display as 200s.
  • Fix: Resolved issue with throttling logins via XMLRPC are not applied.


  • Fix: Resolved issue with some variations of author=N scans not being caught. Thanks James Golovich.
  • Fix: Updated typo in author=N option.
  • Fix: Resolved issue with Falcon not writing to .htaccess with WP installed in subdirectory.
  • Fix: Added width to logo in activity report email.
  • Fix: Resolved issue with Live Traffic endpoint in cases where WordPress is installed into a subdirectory.
  • Improvement: Optimized database query with in unlocking user email routine.
  • Improvement: Moved firewall logic into 'wp_loaded' hook.


  • Fix: Resolved issue with GoogleBot being erroneously flagged as human in Live Traffic.
  • Fix: Added better handling of human/bot detection.
  • Improvement: Verified humans are flagged via cookie to prevent false positives.


  • Fix: Live Traffic endpoint moved to site root to prevent issues with GoogleBot.


  • Improvement: Updated local GeoIP database.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.
  • Improvement: Added option to exclude URLs from 404 throttling, and included some common 404s.
  • Improvement: Added new branded logos.
  • Fix: Fixed bug with live traffic ajax call being indexed by Google.


  • Improvement: Updated local GeoIP database to July version.
  • Improvement: Updated local browser data cache to support newer browsers and user-agents.
  • Fix: Hooked up network ranges in CIDR format ( in Whois to support data coming back from whois that includes CIDR network format.
  • Fix: Fixed 2 PHP notices in wfUtils.


  • Improvement: Removed locked out IPs from locked out list when permanently blocking all locked out IPs.
  • Improvement: Added admin-configured blocked IPs and blocked network ranges to import/export.
  • Fix: Fixed PHP warnings in activity report where an array is not returned.
  • Fix: Fixed PHP notice in IP spam check portion of scan.


  • Fix: Fixed bug in Live Traffic where v5 style blocked ranges generated PHP warning breaking the JSON response.
  • Fix: Fixed invalid date bug in Live Traffic: Top Consumers and Top 404s.
  • Fix: Fixed edge case bug with author=N scans redirecting to author archives page.


  • Improvement: Added the local time stamp to 'time since' labels in Live Traffic and Blocked IPs pages.
  • Improvement: Added a check to prompt the admin to download a backup copy of the wp-config.php in the event it's flagged as containing malware.
  • Improvement: Added option in Live Traffic to remove a blocked network range defined in Advanced Blocking in the Live Traffic feed for IPs within that range.
  • Improvement: Added option to permanently block all IPs that are currently temporarily blocked or locked out from the Blocked IPs page.
  • Improvement: Updated local GeoIP database.
  • Fix: Fixed double forward slash in file path in the 'View the File' action of malicious code scan.
  • Fix: Fixed notice in block IP JSON callback.


  • Fix: Fixed bug with Top 5 Logins displaying all failed logins as opposed to the timeframe set by email frequency.
  • Fix: Fixed bug with /?author=N scan protection not working for authors with no published posts.
  • Improvement: Fixed Wordfence logo width in dashboard widget on smaller screens.
  • Improvement: Added country names to flag icons in widget dashboard.
  • Improvement: Updated issues email to use WordPress' charset instead of ISO-8859-1.
  • Improvement: Added check to see if premium API key is set to auto-renew and send email reminder prior to renewal.
  • Improvement: Updated to API version 2.17.
  • Improvement: Changed auto-renew reminder email to go out 10 days before renewal, 12 days before expiration.


  • Improvement: Handled uncaught exception when noc1 is not available in 2FA.
  • Improvement: Fixed issue with limit-logins mu-plugin on GoDaddy counting first login attempt in 2FA against total allowed login attempts.
  • Fix: Fixed bug with IPs not resolving to countries when printable IP passed to logBlockedIP.
  • Fix: Fixed issue with free users country blocking redirects working after downgrade.
  • Fix: Encoded URL field in country blocking options.
  • Fix: Added a check to verify field has not already been altered prior to calling ALTER in runInstall.
  • Fix: Fixed issue with scan_options method being called after method has been removed.
  • Fix: Fixed bug in scan when dns_get_record fails and error condition was not handled.
  • Fix: Fixed PHP notice when 'Crawler' not included in browser pcap result.


  • Fix: Removed anonymous function to ensure PHP 5.2 compatibility.


  • Improvement: Added option to disable SSL verification for hosts that have outdated versions of cURL.
  • Improvement: Added default of when $_SERVER['REMOTE_ADDR'] is not set. Helps if you're running WordPress cron from Linux cron.
  • Improvement: Added compatibility with GoDaddy's MU (must use) limit login plugin and our two factor. Change makes sure you can see the message from Wordfence to enter your cellphone code.
  • Improvement: Added direction: ltr; to admin pages.
  • Improvement: Added focus/blur events to scan activity log ajax to improve server performance.
  • Improvement: Merged wp_option charset and database vulnerability scans to improve performance and make UI more intuitive.
  • Improvement: Opened 'See recent traffic' in a new window from the Live Traffic page.
  • Improvement: Updated browser pcap cache file for compatibility with detecting newer Firefox browsers.
  • Fix: Fixed bug in directories excluded from scans (escaped directory separator).
  • Fix: Updated known files and outdated plugins/themes to use wp_get_themes.
  • Fix: Fixed bug with wfScanEngine where scans forked between scan_database_main and scan_database_finish would not display results of database scan.
  • Fix: Added return false; to wfScan::error_handler to allow default error handler to process error.
  • Fix: Fixed notice with wfUserIPRange::isValidIPv4Range.
  • Fix: Fixed bug with 'Allow HTTPS pages to be cached' setting being unset after saving options.
  • Fix: Fixed a couple of typos and spelling.
  • Fix: Fixed errors upon plugin activation where wfConfig was queried before it was created.
  • Fix: Fixed issue with notices from serializing wordfenceDBScanner and private properties belonging to parent class.


  • Fix: For hosts that don't have IPv6 compiled into PHP (which is rare) we now manually define certain functions.


  • Fix: Fixed an issue with the schema not updating when customers migrate to IPv6 schema to store IP's.
  • Improvement: Added additional safety checks during the schema update.


  • Feature: IPv6 fully supported. This includes whois, range blocking, IPv6 city lookup in live traffic, country blocking and all other security functions. See for more info.
  • Feature: New scanning routine examines the wp_options table for executable code based on a new infection we are seeing that is well hidden.
  • Improvement: Prevent Googlebot from being blocked if user has configured a banned URL and Google tries to crawl it.
  • Improvement: Improved detection for additional Google crawlers especially if an IP PTR resolves to a domain.
  • Fix: Fixed bug with https:// URLs not allowed in country blocking.
  • Fix: Fixed typos.


  • Fix: Wordfence no longer can appear on sub-sites on multi-site installs, only on the network admin panel.
  • Fix: Wordfence dashboard widget only can appear on network admin dashboard in multi-site installs.
  • Fix: No more multiple scheduled scans on multi-site.
  • Fix: Fixed mixed-protocol warning if you're using SSL and Wordfence - our static assets are loaded without specifying protocol now.
  • Fix: Fixed issue where non-existent users were shown in dashboard widget and email summary as valid users.
  • Fix: Removed /e modifier in preg_replace for Diff_Renderer_Html_Array::formatLines since it is deprecated in PHP 5.5.
  • Fix: Removed ssl_verify => false from wp_remote_post connectivity test since some versions of cURL will throw an error since WordPress uses their own certificate bundle.
  • Fix: Fixed bug with activity report email date range (was one week ahead).
  • Fix: Removed email summary report from cron on deactivation.
  • Fix: Fixed an off-by-one bug in wfDirectoryIterator for maximum total files and max files per directory.
  • Fix: Updated our browser data to fix an issue that caused newer browsers to appear in live traffic with version 0.0.
  • Improvement: Updated the country database used for country blocking to April 2015 version.
  • Improvement: Added an additional check for disabling script execution in the uploads directory that the .htaccess file actually contains our protection code before removing it.
  • Improvement: Paused Live Traffic ajax request when the window/document loses focus to reduce server load.
  • Improvement: Better error handling when making API calls to noc1 to help our support personnel help you.
  • Improvement: Added locked out IP's and IP's restricted through advanced blocking to the blocked IP log for dashboard and email summary.
  • Improvement: Excluded whitelisted IP's from dashboard and widget email summary.


  • Fix: Dashboard widget no longer appearing for all users.


  • Fix: Removed .htaccess file the previous release created in wfcache directory that caused problems.


  • Premium Feature: Password Auditing. Audit the strength of your admin and user-level passwords against our GPU based auditing cluster. Easily alert users to weak passwords or force a password change.
  • Feature: Activity email summary. See options page to enable a weekly, bi-weekly or monthly activity summary.
  • Feature: Activity summary dashboard widget.
  • Fix: Fixed bug on plugin activation where the configuration table was being queried before it was created.
  • Improvement: Added .htaccess to wfcache directory.
  • Improvement: Switched to using wp_remote_post for Wordfence cloud API calls for improved SSL support and a more standards based approach.


  • WP versions older than 3.9 don't support wp_normalize_path(). Added support for older WP versions to fix an error being thrown.


  • Improvement: Updated country blocking database to the newest version (March 2015)
  • Improvement: Added detection for many new samples we received (thanks all!) including a nasty polymorphic infection.
  • Fix: Changed the way we find the plugin directory to fix a possible issue that would cause alerts to return blank plugin names.
  • Fix: Improved Nginx detection so that we don't accidentally detect Nginx if you're running Apache.


  • Feature: You can now block POST requests to your WordPress site that have an empty User-Agent and Referer header. This is a common pattern among badly written brute force bots.
  • Feature: Added cron viewer at bottom of Wordfence options page. The plugin we were using to help diagnose customer issues is broken. Use this instead.
  • Feature: Added DB table viewer at bottom of Wordfence options page. This is a read-only utility to view table names and detailed status. Also for customer diagnostic purposes.
  • Improvement: Code cleanup after in-depth code analysis. Removed unused functions and variables and re-indented selected code.
  • Fix: Fixed issue that appeared after last release where raw HTML tags were appearing in email alerts.
  • Fix: Tour behaved inconsistently under some conditions. Fixed.
  • Fix: Mismatched HTML tags in some presentation code. Fixed.
  • Fix: When fetching theme list the iterator had the same name as the array. Fixed.
  • Fix: Detection for malware URLs in comments had a partial description in the issue. Was being overwritten when it should have been appended. Fixed.
  • Fix: Check if dns_get_record() exists before using it to avoid warnings.
  • Fix: If you have the wordfence security network disabled, the _wfVulnScanners table may have grown indefinitely. Fixed so it's regularly truncated.
  • Fix: wordfence::getLog() was private and should be public. Fixed.
  • Fix: Removed warning about _wfsf not being an element of GET params. Usually hidden, but in case something checks error_get_last()


  • Update: Upgraded the geoIP country database to Jan 2015 version.
  • Improvement: Added an option to disable execution of PHP code in the uploads directory as an added level of protection. Under "Other Options" on the Wordfence options page.
  • Improvement: We now email you any malware URLs encountered and they won't be filtered by your spam filter because the URL is included in the alert email as an image.
  • Fix: Fixed an issue that would cause multiple scans to be scheduled if the plugin was disabled and then reenabled.
  • Fix: The name of malicious files detected are now included in the alert email sent containing the issues.


  • Changed FAQ link when locked out and email unlock doesn't work to correct link.
  • Falcon cache now creates files as mode 0644 for improved security.
  • Updated GeoIP database to December 2014 version.




  • IP to Country database updated to November 4th 2014 version.
  • Options export and import now also exports Country Blocking and Scan Schedule configuration.
  • Scans fully documented at Link on 'Scan' page under heading.
  • Live Traffic fully documented at Link on Live Traffic page.
  • Falcon Engine/Wordfence Caching fully documented. Link on Performance Setup page.
  • Blocked IPs, locking and throttling fully documented. Link on Blocked IPs page.
  • Cellphone Sign-in fully documented. Link under title on Cellphone sign-in page.
  • Country blocking fully documented. Link on Country blocking page.
  • Scan Scheduling fully documented. Link on Scan Scheduling page under title.
  • Whois and Advanced Blocking documented including how Live Traffic, Whois and Advanced blocking work together.
  • Removed unnecessary text from several menu items and moved into official docs where needed.


  • Added ability to export Wordfence settings and reimport on one or many sites using secure token.
  • Added API function to programmatically import Wordfence settings from another WordPress site.
  • Upgraded to Wordfence API version 2.14.


  • Detailed documentation for all options on the Wordfence options page. Launching wiki.
  • Fixed server-side issue where diff'ing certain files would give a blank page or an API error.
  • Removed now unused whois library because we're now using Wordfence API server to get around whois port blocking.


  • Fixed issue that would cause infected files with identical content to only have the first file found show up in scans and the rest would not appear.
  • Whois queries now go via our own server as a workaround for hosting providers who block your web server's access to port 43 preventing you from making a direct whois query.
  • Fixed issue that caused litespeed users to receive multiple warnings about the noabort issue.
  • Added detection for 5 new malware variants. Thanks to Dave M. and others for the samples. Keep them coming folks!
  • Updated Wordfence server API to version 2.12.
  • Added facility at bottom of Wordfence options page to send a test email from your WordPress system to check if email sending is working.
  • Suppress LOCK_EX flock() warnings in falcon engine that were being generated by sites that use NFS and don't support flock() or reliable file locking.
  • Updated to the October 2014 version of the Geo IP country DB. (newest edition)


  • Fixed bug that caused country blocking and redirecting to an external URL to not work if the external URL's relative path matched the current page's relative path.
  • Made it clear that country blocking URL's require absolute URL's.


  • Security release. Update immediately. Thanks to Julio Potier.
  • Code hardening including improved sanitization and an additional nonce for unlock email form. Special thanks to Ryan Satterfield for the hard work.
  • Stability of auto-update improved for LiteSpeed customers. We auto-detect if you don't have E=noabort:1 in your .htaccess and give you instructions.
  • Auto-update also disabled now for LiteSpeed customers who don't have E=noabort:1 and you will get an email alert with an explanation.
  • Fixed a bug that may cause you to have advanced blocking patterns disabled with falcon engine enabled that should not be disabled.
  • Removed a benign warning in wfCache.php.
  • Added clarity to the banned URL option on the options page. All URL's must be relative.
  • Added a primary key to the wp_wfStatus table which is required for certain incremental backup plugins and utilities.
  • Fixed advanced country blocking which was not correctly displaying advanced options.
  • Migrated to using wp_kses() for sanitization.
  • Prevent IP spoofing in default Wordfence IP configuration.
  • Change explanations of how Wordfence gets IP's to make it clear which to use to prevent spoofing.
  • Make it clear that the option to have IP's immediately blocked when they access a URL requires relative URL's starting with a forward slash.
  • Whitelist Sucuri's scanning IP addresses which were getting blocked because they triggered Wordfence blocking during a scan.
  • Improved Wordfence's code that acquires the visitor IP to block certain spoofing attacks, be more platform agnostic and deal with visits from private IP's more elegantly.


  • Security release. Upgrade immediately.
  • This release fixes an XSS vulnerability on Wordfence "view all traffic from IP" page.
  • Also fixes a hard to exploit XSS which exists if you have your site as the default site on your web server, falcon enabled and debugging comments enabled.
  • Improves Revolution Slider protection.
  • Fixed bypass for fake googlebot blocking.


  • Updated Geo IP country database to newest version (September 2014 edition)
  • Security fix. Improved referrer sanitization in live traffic.
  • Changed scan success messaging for clarity.
  • Fixed minor bug in IP validation which manifested when users use IPv6 to IPv4 translation which produces 255.x.x.x addrs.


  • Protection from the Slider Revolution Plugin arbitrary file download vulnerability announced today. Attempts to download any .php file including wp-config.php are denied.
  • Changed the Wordfence Memory config option's label to make it clearer what the option does.
  • Moved screenshots out of plugin distro directory to reduce plugin payload size.


  • Fix: Users with large lists of blocked IP's (over 2,100) would receive a browser error "Uncaught RangeError: Maximum call stack size exceeded". Fixed.
  • Improvement: Added detection for FOPO obfuscation often used by hackers to obfuscate PHP code. Will detect a range of newer infections. (Server-side code change)


  • Fix: Crawler triggering update cron job threw error about show_message() being redeclared at end of update. Fixed.
  • Fix: Live traffic cities were incorrect and did not match country blocking block effects under certain conditions. Fixed.
  • Fix: If a site database contained a table with dashes in the table name, we would throw an error at the end of every scan. Fixed.
  • Improvement: Upgraded country DB to newest version.
  • Improvement: Changed live traffic geo location caching to be 24 hours instead of a week so that geo DB updates for live traffic on our servers take effect sooner.
  • Improvement: Ignoring .sql files in scans which are usually backups and contain many false positives, unless high sensitivity scanning is enabled.


  • Fix: Option to disable config caching. You can find this new option at the bottom of the Wordfence options page.
  • Note: If you are seeing the "cron key does not match the saved key" error, check the box to disable config caching at the bottom of the Wordfence options page, save and this will fix it.
  • Note: If you are trying to save your Wordfence options and the options keep reverting, enable the "disable config caching" at the bottom of your Wordfence options page, save and this will fix it.


  • Improvement: Wordfence now supports websites behind proxy servers when communicating with the Wordfence API servers.
  • Fix: Removed old image files that were unused.


  • Feature: Country blocking now lets you block login page OR rest of site or any combination. So you can now block the login page only for example.
  • Improvement: Upgraded the country blocking database to the newest version which is July 2014.
  • Improvement: Improved server-side performance for Wordfence scanning.
  • Improvement: Offer the option to keep Wordfence up-to-date automatically.
  • Improvement: If file contains malicious code, include filename in email alert summary info.
  • Fix: Removed strings in readme.txt that were causing false positives in hosts own scanning software.
  • Fix: Prevent lockout email alerts being sent for blank usernames.


  • Fix: Bing crawler was being misidentified as human. Fixed.
  • Fix: Escaping HTML on whois records. Thanks Nikhil Srivastava, TechDefencelabs (


  • Feature: Auto updates for Wordfence! This is a much-request

Secure your website with Wordfence.

Visit our documentation website which includes feature descriptions, common solutions and comprehensive help.

How does Wordfence Security protect sites from attackers?

The WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised. The Live Traffic view gives you real-time visibility into traffic and hack attempts on your website. A deep set of additional tools round out the most comprehensive WordPress security solution available.

How will I be alerted if my site has a security problem?

Wordfence Security sends security alerts via email. Once you install Wordfence Security, you will configure a list of email addresses where security alerts will be sent. When you receive a security alert, make sure you deal with it promptly to ensure your site stays secure.

Do I need a security plugin like Wordfence if I’m using a cloud based firewall (WAF)?

Wordfence provides true endpoint security for your WordPress website. Unlike cloud based firewalls, Wordfence executes within the WordPress environment, giving it knowledge like whether the user is signed in, their identity and what access level they have. Wordfence uses the user’s access level in more than 80% of the firewall rules it uses to protect WordPress websites. Learn more about the Cloud WAF identity problem here. Additionally, cloud based firewalls can be bypassed, leaving your site exposed to attackers. Because Wordfence is an integral part of the endpoint (your WordPress website), it can’t be bypassed. Learn more about the Cloud WAF bypass problem here. To fully protect the investment you’ve made in your website you need to employ a defense in depth approach to security. Wordfence takes this approach.

What differentiates Wordfence from other WordPress Security plugins?

  • Wordfence security provides a WordPress Firewall developed specifically for WordPress and blocks attackers looking for vulnerabilities on your site. The Firewall is powered by our Threat Defense Feed which is continually updated as new threats emerge. Premium customers receive updates in real-time.
  • Wordfence Security verifies your website source code integrity against the official WordPress repository and shows you the changes.
  • Wordfence Security scans check all your files, comments and posts for URLs in Google's Safe Browsing list. We are the only plugin to offer this very important security enhancement.
  • Wordfence Security scans do not consume large amounts of your bandwidth because all security scans happen on your web server which makes them very fast.
  • Wordfence Security fully supports WordPress Multi-Site which means you can security scan every blog in your Multi-Site installation with one click.
  • Wordfence Security includes Two-Factor authentication, the most secure way to stop brute force attackers in their tracks.
  • Wordfence Security fully supports IPv6 including giving you the ability to look up the location of IPv6 addresses, block IPv6 ranges, detect IPv6 country and do a whois lookup on IPv6 addresses and more.

Will Wordfence slow down my website?

No. Wordfence Security is extremely fast and uses techniques like caching its own configuration data to avoid database lookups and blocking malicious attacks that would slow down your site.

What if my site has already been hacked?

Wordfence Security is able to repair core files, themes and plugins on sites where security is already compromised. You can follow this guide on how to clean a hacked website using Wordfence. However, please note that site security can not be assured unless you do a full reinstall if your site has been hacked. We recommend you only use Wordfence Security to get your site into a running state in order to recover the data you need to do a full reinstall. If you need help repairing a hacked site, we offer an affordable, high-quality site cleaning service that includes a Premium key for a year.

Does Wordfence Security support IPv6?

Yes. We fully support IPv6 with all security functions including country blocking, range blocking, city lookup, whois lookup and all other security functions. If you are not running IPv6, Wordfence will work great on your site too. We are fully compatible with both IPv4 and IPv6 whether you run both or only one addressing scheme.

Does Wordfence Security support Multi-Site installations?

Yes. WordPress Multi-Site is fully supported. Using Wordfence Security you can scan every blog in your network for malware with one click. If one of your customers posts a page or post with a known malware URL that threatens your whole domain with being blacklisted by Google, we will alert you in the next scan.

What support options are available for Wordfence users?

Providing excellent customer service is very important to us. We offer help to all our customers whether you are using the Premium or free version of Wordfence Security. For help with the free version, you can post in our forum where we have dedicated staff responding to questions. If you need faster or more in-depth help, Premium customers can submit a support ticket to our Premium support team.

Where can I learn more about WordPress security?

Designed for every skill level, The WordPress Security Learning Center is dedicated to deepening users’ understanding of security best practices by providing free access to entry-level articles, in-depth articles, videos, industry survey results, graphics and more.

Version 6.3.1

Requires WordPress version: 3.9 or higher

Compatible up to: 4.7.2

Last Updated 07 Feb 2017

Date Added: 21 Apr 2012

Plugin Homepage


4.8 stars
2986 ratings

