Wordfence Security – Firewall, Malware Scan, and Login Security

Descrição

O FIREWALL E A VARREDURA DE SEGURANÇA MAIS POPULAR DO WORDPRESS

A segurança do WordPress requer uma equipe de analistas dedicados que pesquisam as últimas variantes de malware e explorações do WordPress, transformando-as em regras de firewall e assinaturas de malware e liberando-as para os clientes em tempo real. O Wordfence é amplamente reconhecido como a equipe de pesquisa de segurança número um do WordPress no mundo. Nosso plugin fornece um conjunto abrangente de recursos de segurança, e a pesquisa de nossa equipe é o que alimenta nosso plugin e fornece o nível de segurança pelo qual somos conhecidos.

No Wordfence, a segurança do WordPress não é uma divisão do nosso negócio – a segurança do WordPress é tudo o que fazemos. Empregamos uma equipe global de resposta a incidentes dedicada 24 horas por dia, que fornece aos nossos clientes prioritários um tempo de resposta de 1 hora para qualquer incidente de segurança. O sol nunca se põe em nossa equipe de segurança global e administramos uma plataforma sofisticada de inteligência de ameaças para agregar, analisar e produzir pesquisas de segurança inovadoras sobre as mais recentes ameaças de segurança.

O Wordfence Security inclui um firewall de proteção aos endpoints e varredura de malware que foram construídos do zero para proteger o WordPress. Nosso feed de defesa contra ameaças arma o Wordfence com as mais recentes regras de firewall, assinaturas de malware e endereços IP maliciosos necessários para manter seu site seguro. Composto por um grupo de recursos adicionais, o Wordfence é a mais completa solução de segurança disponível para WordPress.

FIREWALL DO WORDPRESS

  • O firewall de aplicação web identifica e bloqueia tráfego malicioso. Construído e mantido por uma grande equipe focada 100% na segurança do WordPress.
  • [Premium] Atualizações de assinatura de malware e regras de firewall em tempo real por meio do feed de defesa contra ameaças (a versão gratuita é atrasada em 30 dias).
  • [Premium] A lista de bloqueios de IP em tempo real bloqueia todas as solicitações dos IPs mais maliciosos, protegendo seu site e reduzindo a carga.
  • Protege seu site no endpoint, permitindo uma integração profunda com o WordPress. Ao contrário das alternativas em nuvem, não quebra a criptografia, não pode ser contornado e não pode vazar dados.
  • A varredura de malware integrada bloqueia solicitações que incluem código ou conteúdo malicioso.
  • Proteção contra ataques de força bruta, limitando as tentativas de acesso.

VARREDURA DE SEGURANÇA DO WORDPRESS

  • A varredura de malware verifica arquivos básicos, temas e plugins em busca de malwares, URLs ruins, backdoors, spam de SEO, redirecionamentos maliciosos e injeções de código.
  • [Premium] Atualizações de assinatura de malware em tempo real por meio do feed de defesa contra ameaças (a versão gratuita é atrasada em 30 dias).
  • Compara seus arquivos básicos, temas e plugins com o que está no repositório do WordPress.org, verificando sua integridade e relatando quaisquer alterações para você.
  • Repara arquivos que foram alterados, substituindo-os por uma versão original e imaculada. Exclua todos os arquivos estranhos facilmente pela interface do Wordfence.
  • Verifica seu site em busca de vulnerabilidades de segurança conhecidas e alerta sobre quaisquer problemas. Também alerta sobre possíveis problemas de segurança quando um plugin é encerrado ou abandonado.
  • Verifica a segurança do seu conteúdo verificando o conteúdo dos arquivos, posts e comentários em busca de URLs perigosos e conteúdo suspeito.
  • [Premium] Verifica se seu site ou endereço IP está em alguma lista de bloqueios por atividade maliciosa, gerando spam ou outra questão de segurança.

SEGURANÇA DE ACESSO

  • Autenticação de dois fatores (2FA), uma das formas mais seguras de autenticação de sistema remoto disponível por meio de qualquer aplicativo ou serviço autenticador baseado em TOTP.
  • CAPTCHA na página de acesso impede robôs de acessar.
  • Desative ou adicione 2FA ao XML-RPC.
  • Bloqueie o acesso de administradores usando senhas sabidamente comprometidas.

WORDFENCE CENTRAL

  • O Wordfence Central é um meio poderoso e eficiente de gerenciar a segurança de vários sites em um único lugar.
  • Avalie, de modo eficiente, o status de segurança de todos os seus sites em uma olhada. Veja descobertas detalhadas de segurança sem sair do Wordfence Central.
  • Modelos poderosos facilitam a configuração do Wordfence.
  • Alertas altamente configuráveis podem ser enviados por e-mail, SMS ou Slack. Melhore a proporção de sinal-ruído aproveitando as opções de nível de gravidade e uma opção de resumo diário.
  • Rastreie e alerte eventos de segurança importantes, incluindo acessos de administradores, uso de senha violada e picos de atividade de ataque.
  • Grátis para usar em sites ilimitados.

FERRAMENTAS DE SEGURANÇA

  • Com o tráfico ao vivo, monitore visitas e tentativas de invasão que não são mostrados em outros pacotes analíticos, tudo em tempo real, incluindo origem, endereço IP, horário e o tempo gasto em seu site.
  • Bloqueie atacantes por IP ou construa regras avançadas baseadas em faixas de IP, nome de host, agente do usuário e origem.
  • Bloqueio por país disponível com o Wordfence Premium.

Imagens de tela

  • O painel apresenta uma visão geral da segurança do seu site, incluindo notificações, estatísticas de ataque e status do recurso Wordfence.
  • O firewall protege seu site de tipos comuns de ataques e vulnerabilidades de segurança conhecidas.
  • A varredura de segurança do Wordfence permite que você saiba se seu site foi comprometido e alerta você para outros problemas de segurança que precisam ser corrigidos.
  • O Wordfence é altamente configurável, com um amplo conjunto de opções disponíveis para cada recurso. As opções de varredura de nível alto são mostradas acima.
  • Os recursos de proteção contra força bruta protegem você contra ataques de adivinhação de senha.
  • Bloqueie invasores por IP, país, intervalo de IP, nome de host, navegador ou referenciador.
  • A visualização do tráfego ao vivo do Wordfence mostra a atividade em tempo real em seu site, incluindo tráfego de robôs e tentativas de exploração.
  • Leve a segurança de acesso para o próximo nível com a autenticação de dois fatores.
  • Acessar é fácil com o 2FA do Wordfence.

Instalação

Proteja seu site usando as seguintes etapas para instalar o Wordfence:

  1. Instale o Wordfence automaticamente ou enviando o arquivo ZIP.
  2. Ative o Wordfence através do menu “plugins” do WordPress. O Wordfence agora está ativado.
  3. Vá para o menu de varredura e inicie sua primeira varredura. A varredura agendada também será ativada.
  4. Uma vez que sua primeira varredura tenha sido concluída, uma lista de ameaças de segurança aparecerá. Revise uma por uma para proteger seu site.
  5. Visite a página de opções do Wordfence para digitar seu endereço de e-mail e receber alertas de segurança por e-mail.
  6. Opcionalmente, mude seu nível de segurança ou ajuste as opções avançadas para definir opções de proteção e proteção de segurança individuais para o seu site.
  7. Clique na opção de menu “Tráfego ao vivo” para assistir a atividade do seu site em tempo real. A consciência situacional é uma parte importante da segurança do site.

Para instalar o Wordfence em instalações WordPress multisite:

  1. Instale o Wordfence Security através do diretório do plugin ou enviando o arquivo ZIP.
  2. Ativação de rede do Wordfence. Esta etapa é importante porque até que você o ative na rede, seus sites verão a opção de plugin em seu menu de plugins. Uma vez ativada, essa opção desaparece.
  3. Agora que o Wordfence está ativado em rede, ele aparecerá no menu Painel da rede. O Wordfence não aparecerá no menu de nenhum site individual.
  4. Vá até o menu “Varredura” e inicie sua primeira varredura.
  5. O Wordfence fará uma varredura de todos os arquivos da instalação do WordPress, incluindo aqueles no diretório blogs.dir de seus sites individuais.
  6. O tráfego ao vivo aparecerá para TODOS os sites da sua rede. Se você tiver um sistema com muito tráfego, você pode desativar o tráfego ao vivo, o que interromperá o registro no banco de dados.
  7. As regras de firewall e de acesso se aplicam a TODO o sistema. Portanto, se você falhar no acesso em site1.example.com e site2.example.com, isso contará como 2 falhas. O tráfego do rastreador é contado entre blogs, portanto, se você acessar três sites na rede, todos os acessos serão totalizados e isso contará como a taxa de acesso ao sistema.

FAQ

Visite nosso site para acessar nossa documentação oficial que inclui descrições de ferramenta de segurança, soluções comuns e ajuda completa.

Como o Wordfence Security protege sites de atacantes?

O plugin de segurança do WordPress fornece a melhor proteção disponível para seu site. Alimentado pelo feed de defesa de aAmeaças constantemente atualizado, o Firewall do WordFence impede que você seja invadido. A varredura do Wordfence aproveita o mesmo feed proprietário, alertando-o rapidamente no caso de seu site estar comprometido. A visualização do tráfego ao vivo oferece visibilidade em tempo real das tentativas de tráfego e invasão em seu site. Um conjunto profundo de ferramentas adicionais completa a solução de segurança mais abrangente do WordPress disponível.

Quais recursos o Wordfence Premium ativa?

Oferecemos uma chave de API Premium que fornece atualizações em tempo real para o feed de defesa contra ameaças, que inclui uma lista de bloqueio de IP em tempo real, regras de firewall e assinaturas de malware. Suporte premium, bloqueio de país, verificações mais frequentes e verificações de spam e publicidade de spam também estão incluídos. Clique aqui para se inscrever no Wordfence Premium agora ou simplesmente instale o Wordfence gratuitamente e comece a proteger seu site.

Como o firewall de WordPress do Wordfence protege sites?

  • O firewall de aplicativos da web do Wordfence impede você de ser hackeado identificando o tráfego malicioso e bloqueando os atacantes antes que eles possam acessar seu site.
  • O feed de defesa contra ameaças atualiza automaticamente as regras de firewall que protegem você das últimas ameaças. Membros Premium recebem a versão em tempo real.
  • Bloqueie ameaças de segurança comuns do WordPress como robôs do Google falsos, varreduras maliciosas de hackers e botnets.

Quais verificações a varredura de segurança do WordPress oferece?

  • Verifica arquivos básicos, temas e plugins em comparação com as versões do repositório do WordPress.org para conferir sua integridade. Verifique a segurança da sua fonte.
  • Veja como os arquivos mudaram. Opcionalmente, restaure arquivos alterados que são ameaças de segurança.
  • Verifica as assinaturas de mais de 44.000 variantes de malware conhecidas que são ameaças de segurança conhecidas do WordPress.
  • Verifica muitos backdoors conhecidos que criam falhas de segurança, incluindo C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx e muitos mais.
  • Verifica continuamente malware e URLs de phishing, incluindo todos os URLs da lista de navegação segura do Google em todos os seus comentários, posts e arquivos que são ameaças à segurança.
  • Verifica heurísticas de backdoors, trojans, códigos suspeitos e outros problemas de segurança.

Quais recursos de monitoramento de segurança o Wordfence inclui?

  • Veja todo o seu tráfego em tempo real, incluindo robôs, humanos, erros 404, acessos e saídas e quem está consumindo maior parte de seu conteúdo. Melhore sua percepção situacional que quais ameaças de segurança seu site está enfrentando.
  • Uma visualização em tempo real de todo o tráfego, incluindo bots automatizados que muitas vezes constituem ameaças à segurança que os pacotes de análise Javascript nunca mostram.
  • O tráfego em tempo real inclui DNS reverso e geolocalização ao nível da cidade. Saiba de quais áreas geográficas as ameaças de segurança são originadas.
  • Monitora o espaço em disco que está relacionado à segurança porque muitos ataques DDoS tentam consumir todo o espaço em disco para criar a negação de serviço.

Quais recursos de segurança de acesso estão incluídos?

  • Veja todo o seu tráfego em tempo real, incluindo robôs, humanos, erros 404, acessos e saídas e quem está consumindo maior parte de seu conteúdo. Melhore sua percepção situacional que quais ameaças de segurança seu site está enfrentando.
  • Uma visualização em tempo real de todo o tráfego, incluindo bots automatizados que muitas vezes constituem ameaças à segurança que os pacotes de análise Javascript nunca mostram.
  • O tráfego em tempo real inclui DNS reverso e geolocalização ao nível da cidade. Saiba de quais áreas geográficas as ameaças de segurança são originadas.
  • Monitora o espaço em disco que está relacionado à segurança porque muitos ataques DDoS tentam consumir todo o espaço em disco para criar a negação de serviço.

Como serei alertado se meu site tiver um problema de segurança?

O Wordfence envia alertas de segurança via e-mail. Depois de instalar o Wordfence, você irá configurar uma lista de endereços de e-mail para onde os alertas de segurança serão enviados.
Quando você receber um alerta de segurança, certifique-se de lidar com isso imediatamente, para garantir que seu site permaneça seguro.

Preciso de um plugin de segurança como Wordfence se estiver usando um firewall baseado em nuvem (WAF)?

O Wordfence fornece uma verdadeira segurança de endpoint para seu site WordPress. Ao contrário dos firewalls baseados em nuvem, o Wordfence é executado no ambiente WordPress, fornecendo informações sobre se o usuário está conectado, sua identidade e qual nível de acesso ele possui. O Wordfence usa o nível de acesso do usuário em mais de 80% das regras de firewall que usa para proteger sites WordPress. Saiba mais sobre o problema de identidade de firewalls baseados em nuvem aqui. Além disso, os firewalls baseados em nuvem podem ser contornados, deixando seu site exposto a invasores. Como o Wordfence é parte integrante do endpoint (seu site WordPress), ele não pode ser ignorado. Saiba mais sobre o esse problema aqui. Para proteger totalmente o investimento que você fez em seu site, você precisa empregar uma abordagem de defesa profunda à segurança. O Wordfence adota essa abordagem.

Quais recursos de bloqueio o Wordfence inclui?

  • Bloqueio em tempo real de invasores conhecidos. Se outro site usando o Wordfence for atacado e bloquear o invasor, seu site será protegido automaticamente.
  • Bloqueie todas as redes maliciosas. Inclui verificações WHOIS avançados de IP e domínio para denunciar IPs ou redes maliciosas e bloquear redes inteiras usando o firewall. Informe as ameaças de segurança do WordPress ao proprietário da rede.
  • Limite ou bloqueie ameaças de segurança do WordPress, como rastreadores agressivos, scrapers e robôs que fazem verificações de segurança em busca de vulnerabilidades em seu site.
  • Escolha se deseja bloquear ou limitar usuários e robôs que quebram suas regras de segurança do WordPress.
  • Os usuários premium também podem bloquear países e agendar varreduras para horários específicos e com maior frequência.

O que diferencia o Wordfence de outros plugins de segurança do WordPress?

  • A segurança do Wordfence fornece um firewall desenvolvido especificamente para WordPress e bloqueia invasores que procuram vulnerabilidades em seu site. O firewall é alimentado pelo nosso feed de defesa contra ameaças que é atualizado continuamente à medida que surgem novas ameaças. Os clientes premium recebem atualizações em tempo real.
  • O Wordfence verifica a integridade do código-fonte do seu website comparando com o repositório oficial do WordPress e mostra as mudanças.
  • As varreduras do Wordfence verificam todos os seus arquivos, comentários e posts em busca de URLs na lista de navegação segura do Google. Nós somos o único plugin que oferece esse aprimoramento de segurança muito importante.
  • As varreduras do Wordfence não consomem grandes quantidades de sua largura de banda porque todas as varreduras de segurança ocorrem em seu servidor web, o que as torna muito rápidas.
  • O Wordfence suporta totalmente o multisite do WordPress, o que significa que você pode verificar todos os blogs em sua instalação multisite com um clique.
  • O Wordfence Security inclui autenticação de dois fatores, a maneira mais segura de impedir atacantes de força bruta em suas trilhas.
  • O Wordfence suporta totalmente IPv6, incluindo a capacidade de pesquisar a localização de endereços IPv6, bloquear intervalos IPv6, detectar países IPv6 e fazer uma pesquisa whois em endereços IPv6 e muito mais.

O Wordfence deixará meu site lento?

Não. O Wordfence Security é extremamente rápido e usa técnicas como armazenar em cache seus próprios dados de configuração para evitar pesquisas no banco de dados e bloquear ataques maliciosos que tornariam seu site lento.

O que fazer se meu site já foi invadido?

O Wordfence Security é capaz de reparar arquivos básicos, temas e plugins em sites onde a segurança já está comprometida. Você pode seguir este guia sobre como limpar um site invadido usando Wordfence. Se você estiver limpando seu próprio site após uma invasão, observe que a segurança do site não pode ser garantida a menos que você faça uma reinstalação completa se seu site estiver comprometido. Recomendamos que você use apenas o Wordfence Security para colocar seu site em estado de execução, a fim de recuperar os dados necessários para fazer uma reinstalação completa. Se precisar de ajuda com um problema de segurança, confira o Wordfence Care, que oferece suporte prático de nossa equipe, inclusive para lidar com um site invadido. Para sites de missão crítica, confira o Wordfence Response.

O Wordfence Security suporta o IPv6?

Sim. Nós suportamos completamente o IPv6 com todas as funções de segurança, incluindo bloqueio de país, bloqueio de faixa, pesquisa de cidade, pesquisa de whois e todas as outras funções de segurança. Se você não estiver executando o IPv6, o Wordfence também funcionará em seu site. Nós somos totalmente compatíveis com IPv4 e IPv6 se você executa ambos ou apenas um esquema de endereçamento.

O Wordfence Security suporta instalações multisite?

Sim. O multisite do WordPress é totalmente compatível. Usando o Wordfence, você pode verificar se há malware em todos os blogs da sua rede com um clique. Se um de seus clientes publicar uma página ou um post com algum URL de malware conhecido que ameace todo o seu domínio de ser colocado na lista de bloqueio do Google, alertaremos você na próxima verificação.

Que opções de suporte estão disponíveis para os usuários do Wordfence?

Oferecer um excelente atendimento ao cliente é muito importante para nós. Nossos usuários gratuitos recebem suporte voluntário em nossos fóruns de suporte. Os clientes do Wordfence Premium recebem suporte pago baseado em chamados. Os clientes do Wordfence Care recebem suporte prático, incluindo ajuda com incidentes de segurança e uma auditoria de segurança anual. Os clientes do Wordfence Response recebem suporte 24/7/365 de nossa equipe de resposta a incidentes, com tempo de resposta de 1 hora e um máximo de 24 horas para resolver um problema de segurança.

Onde posso aprender mais sobre segurança no WordPress?

Projetado para cada nível de habilidade, O Centro de Aprendizagem do WordPress Security é dedicado a aprofundar a compreensão dos usuários sobre as melhores práticas de segurança, fornecendo gratuitamente acesso a artigos de nível básico, artigos detalhados, vídeos, resultados da pesquisa da indústria, gráficos e muito mais.

Onde posso encontrar os termos de uso e a política de privacidade do Wordfence?

Estão disponíveis no nosso site: Termos de Uso e Política de Privacidade

Avaliações

27 fevereiro, 2024
Fiyatlandırması gereksiz bahalı bi eklenti dolar kuru ülkemizde yüksek olduğundan coğu eklentinin pro sürümü gereksiz pahalı bazı eklenti üreticileri ülkeye göre fiyat veriyor.. sizinde aynısını yapmanızı öneririrm 🙂
27 fevereiro, 2024 1 resposta
Even though I wish I could pay the full version, the free one works great to keep our site as secure as possible. It does require manual efforts but we would be in a terrible situation without this plug-in. Thank you for your work well-done.
26 fevereiro, 2024 1 resposta
I love everything about the free version of this plugin. SIteground has a very robust product now too but I use them both. WF has a bit more granular reporting, and more levers to flip to protect your site.
25 fevereiro, 2024 1 resposta
I just have to share my amazing experience with WordFence and their WordFence Care program. Before subscribing to this service, my website was in a disastrous state, hacked. Their responsiveness and ability to swiftly resolve issues have left me thoroughly impressed. The exchanges I've had with their team have been incredibly insightful and helpful. Although I don't typically leave reviews, I felt compelled to share my positive experience this time around. WordFence has truly exceeded my expectations in assisting me, and I couldn't be happier with the results. Thank you so much for the exceptional service and the nice people I spoke with.
25 fevereiro, 2024 1 resposta
They were good but now every update is worse. Currently they are spamming with activation although you install free license they continue to spam you and block your wp with popups.
Leia todas as 4.041 avaliações

Colaboradores e desenvolvedores

“Wordfence Security – Firewall, Malware Scan, and Login Security” é um software com código aberto. As seguintes pessoas contribuíram para este plugin.

Colaboradores

“Wordfence Security – Firewall, Malware Scan, and Login Security” foi traduzido para 17 localizações. Agradecemos aos tradutores por suas contribuições.

Traduzir “Wordfence Security – Firewall, Malware Scan, and Login Security” para o seu idioma.

Interessado no desenvolvimento?

Navegue pelo código, dê uma olhada no repositório SVN ou assine o registro de desenvolvimento via RSS.

Registro de alterações

7.11.3 – February 15, 2024

  • Fix: Fixed an issue with sites containing invalid Wordfence Central site data where they could throw an error when viewing Wordfence pages

7.11.2 – February 14, 2024

  • Improvement: Enhanced the vulnerability scan to check and alert for WordPress core vulnerabilities and to adjust the severity of the scan result based on findings or available updates
  • Improvement: Updated the bundled GeoIP database
  • Improvement: Increased compatibility of brute force protection with plugins that override the normal login flow and omit traditional hooks
  • Change: Adjusted the behavior of automatic quick scans to schedule themselves further away from full scans
  • Fix: Added detection for a site being linked to a non-matching Wordfence Central record (e.g., when cloning the database to a staging site)
  • Fix: Streamlined the license and terms of use installation flow to avoid unnecessary prompting
  • Fix: Fixed an issue where user profiles with a selected locale different from the site itself could end up loading the site’s locale instead

7.11.1 – January 2, 2024

  • Improvement: Added “.env” to the files checked for “Scan for publicly accessible configuration, backup, or log files”
  • Improvement: Provided better descriptive text for the option “Block IPs who send POST requests with blank User-Agent and Referer”
  • Improvement: The diagnostics page now displays the contents of any auto_prepend_file .htaccess/.user.ini block for troubleshooting
  • Fix: Fixed an issue where a login lockout on a WooCommerce login form could fail silently
  • Fix: The scan result for abandoned plugins no longer states it has been removed from wordpress.org if it is still listed
  • Fix: Addressed an exception parsing date information in non-repo plugins that have a bad last_updated value
  • Fix: The URL scanner no longer generates a log warning when matching a potential URL fragment that ends up not being a valid URL

7.11.0 – November 28, 2023

  • Improvement: Added new functionality for trusted proxy presets to support proxies such as Amazon CloudFront, Ezoic, and Quic.cloud
  • Improvement: WAF rule and malware signature updates are now signed with SHA-256 as well for hosts that no longer build SHA1 support
  • Improvement: Updated the bundled trusted CA certificates
  • Change: The WAF will no longer attempt to fetch rule or blocklist updates when run via WP-CLI
  • Fix: Removed uses of SQL_CALC_FOUND_ROWS, which is deprecated as of MySQL 8.0.17
  • Fix: Fixed an issue where final scan summary counts in some instances were not sent to Central
  • Fix: Fixed a deprecation notice for get_class in PHP 8.3.0
  • Fix: Corrected an output error in the connectivity section of Diagnostics in text mode

7.10.7 – November 6, 2023

  • Fix: Compatibility fix for WordPress 6.4 on the login page styling

7.10.6 – October 30, 2023

  • Fix: Addressed an issue with multisite installations when the wp_options tables had different encodings/collations

7.10.5 – October 23, 2023

  • Improvement: Updated the bundled GeoIP database
  • Improvement: Added detection for Cloudflare reverse proxies blocking callbacks to the site
  • Change: Files are no longer excluded from future scans if a previous scan stopped during their processing
  • Fix: Added handling for the pending WordPress 6.4 change that removes $wpdb->use_mysqli
  • Fix: The WAF MySQLi storage engine will now work correctly when either DB_COLLATE or DB_CHARSET are not defined
  • Fix: Added additional error handling to Central calls to better handle request failures or conflicts
  • Fix: Addressed a warning that would occur if a non-repo plugin update hook did not provide a last updated date
  • Fix: Fixed an error in PHP 8 that could occur if the time correction offset was not numeric
  • Fix: 2FA AJAX calls now use an absolute path rather than a full URL to avoid CORS issues on sites that do not canonicalize www and non-www requests
  • Fix: Addressed a race condition where multiple concurrent hits on multisite could trigger overlapping role sync tasks
  • Fix: Improved performance when viewing the user list on large multisites
  • Fix: Fixed a UI bug where an invalid code on 2FA activation would leave the activate button disabled
  • Fix: Reverted a change on error modals to bring back the additional close button for better accessibility

7.10.4 – September 25, 2023

  • Improvement: “Admin created outside of WordPress” scan results may now be reviewed and approved
  • Improvement: The WAF storage engine may now be specified by setting the environmental variable “WFWAF_STORAGE_ENGINE”
  • Improvement: Detect when a plugin or theme with a custom update handler is broken and blocking update version checks
  • Alteração: suporte obsoleto para versões do WordPress inferiores a 4.7.0
  • Alteração: excluir erros de análise de um arquivo de regras compilado danificado do relatório
  • Correção: suprimir avisos de PHP relacionados ao carregamento de regras ao executar WP-CLI
  • Correção: Corrigido um problema com o cron do monitor de varredura que poderia deixá-lo funcionando desnecessariamente

7.10.3 – July 31, 2023

  • Improvement: Updated GeoIP database
  • Fix: Added missing text domain to translation function call
  • Fix: Corrected inconsistent styling of switch controls
  • Change: Made MySQLi storage engine the default for Flywheel hosted sites

7.10.2 – July 17, 2023

  • Fix: Prevented bundled sodium_compat library from conflicting with versions included with older WordPress versions

7.10.1 – July 12, 2023

  • Improvement: Added support for processing arrays of files in the WAF
  • Improvement: Refactored security event processing to send events in bulk
  • Improvement: Updated bundled sodium_compat and random_compat libraries
  • Fix: Prevented deprecation warning caused by dynamic property creation
  • Fix: Added translation support for additional strings
  • Change: Adjusted Wordfence registration UI

7.10.0 – June 21, 2023

  • Improvement: Added translation support for strings from login security plugin
  • Improvement: Added translator notes regarding word order and hidden text
  • Improvement: Added translation support for additional strings
  • Improvement: Prevented scans from failing if unreadable directories are encountered
  • Improvement: Added help link to IPv4 scan option
  • Improvement: Updated scan result text to clarify meaning of plugins removed from wordpress.org
  • Improvement: Made “Increased Attack Rate” emails actionable
  • Improvement: Updated GeoIP database
  • Improvement: Updated JavaScript libraries
  • Fix: Corrected IPv6 address expansion
  • Fix: Ensured long request payloads for malicious requests are recorded in live traffic
  • Fix: Prevented “commands out of sync” database error messages when the database connection has failed
  • Fix: Prevented rare JSON encoding issues from breaking free license registration
  • Fix: Prevented PHP notice from being logged when request parameter is missing
  • Fix: Prevented deprecation warning in PHP 8.1
  • Change: Moved detection for old TimThumb files to malware signature
  • Change: Moved translation file from .po to .pot
  • Change: Renamed “Macedonia” to “North Macedonia, Republic of”

7.9.3 – May 31, 2023

  • Improvement: Added exception handling to prevent WAF errors from being fatal
  • Fix: Corrected error caused by method call on null in WAF
  • Change: Deprecated support for PHP 5.5 and 5.6, ended support for PHP 5.3 and 5.4
  • Change: Specified WAF version parameter when requesting firewall rules

7.9.2 – March 27, 2023

  • Improvement: The vulnerability severity score (CVSS) is now shown with any vulnerability findings from the scanner
  • Improvement: Changed several links during initial setup to open in a new window/tab so it doesn’t interrupt installation
  • Change: Removed the non-https callback test to the Wordfence servers
  • Fix: Fixed an error on PHP 8 that could occur when checking for plugin updates and another plugin has a broken hook
  • Fix: Added a check for disabled functions when generating support diagnostics to avoid an error on PHP 8
  • Fix: Prevent double-clicking when activating 2FA to avoid an “already set up” error

7.9.1 – March 1, 2023

  • Improvement: Further improved performance when viewing 2FA settings and hid user counts by default on sites with many users
  • Fix: Adjusted style inclusion and usage to prevent missing icons
  • Fix: Avoided using the ctype extension as it may not be enabled
  • Fix: Prevented fatal errors caused by malformed Central keys

7.9.0 – February 14, 2023

  • Improvement: Added 2FA management shortcode and WooCommerce account integration
  • Improvement: Improved performance when viewing 2FA settings on sites with many users
  • Improvement: Updated GeoIP database
  • Fix: Ensured Captcha and 2FA scripts load on WooCommerce when activated on a sub-site in multisite
  • Fix: Prevented reCAPTCHA logo from being obscured by some themes
  • Fix: Enabled wfls_registration_blocked_message filter support for WooCommerce integration

7.8.2 – December 13, 2022

  • Fix: Releasing same changes as 7.8.1, due to wordpress.org error

7.8.1 – December 13, 2022

  • Improvement: Added more granualar data deletion options to deactivation prompt
  • Improvement: Allowed accessing diagnostics prior to completing registration
  • Fix: Prevented installation prompt from displaying when a license key is already installed but the alert email address has been removed

7.8.0 – November 28, 2022

  • Improvement: Added feedback when login form is submitted with 2FA
  • Fix: Restored click support on login button when using 2FA with WooCommerce
  • Fix: Corrected display issue with reCAPTCHA score history graph
  • Fix: Prevented errors on PHP caused by corrupted login timestamps
  • Fix: Prevented deprecation notices on PHP 8.2 related to dynamic properties
  • Change: Updated Wordfence registration workflow

7.7.1 – October 4, 2022

  • Fix: Prevented scan resume attempts from repeating indefinitely when the initial scan stage fails

7.7.0 – October 3, 2022

  • Improvement: Added configurable scan resume functionality to prevent scan failures on sites with intermittent connectivity issues
  • Improvement: Added new scan result for vulnerabilities found in plugins that do not have patched versions available via WordPress.org
  • Improvement: Implemented stand-alone MMDB reader for IP address lookups to prevent plugin conflicts and support additional PHP versions
  • Improvement: Added option to disable looking up IP address locations via the Wordfence API
  • Improvement: Prevented successful logins from resetting brute force counters
  • Improvement: Clarified IPv6 diagnostic
  • Improvement: Included maximum number of days in live traffic option text
  • Fix: Made timezones consistent on firewall page
  • Fix: Added “Use only IPv4 to start scans” option to search
  • Fix: Prevented deprecation notices on PHP 8.1 when emailing the activity log
  • Fix: Prevented warning on PHP 8 related to process owner diagnostic
  • Fix: Prevented PHP Code Sniffer false positive related to T_BAD_CHARACTER
  • Fix: Removed unsupported beta feed option

7.6.2 – September 19, 2022

  • Improvement: Hardened 2FA login flow to reduce exposure in cases where an attacker is able to obtain privileged information from the database

7.6.1 – September 6, 2022

  • Fix: Prevented XSS that would have required admin privileges to exploit (CVE-2022-3144)

7.6.0 – July 28, 2022

  • Improvement: Added option to start scans using only IPv4
  • Improvement: Added diagnostic for internal IPv6 connectivity to site
  • Improvement: Added AUTOMATIC_UPDATER_DISABLED diagnostic
  • Improvement: Updated password strength check
  • Improvement: Added support for scanning plugin/theme files in when using the WP_CONTENT_DIR/WP_PLUGIN_DIR constants
  • Improvement: Updated GeoIP database
  • Improvement: Made DISABLE_WP_CRON diagnostic more clear
  • Improvement: Added “Hostname” to Live Traffic message displayed for hostname blocking
  • Improvement: Improved compatibility with Flywheel hosting
  • Improvement: Adopted semantic versioning
  • Improvement: Added support for dynamic cookie redaction patterns when logging requests
  • Fix: Prevented scanned paths from being displayed as skipped in rare cases
  • Fix: Corrected indexed files count in scan messages
  • Fix: Prevented overlapping AJAX requests when viewing Live Traffic on slower servers
  • Fix: Corrected WP_DEBUG_DISPLAY diagnostic
  • Fix: Prevented extraneous warnings caused by DNS resolution failures
  • Fix: Corrected display issue with Save/Cancel buttons on All Options page
  • Fix: Prevented errors caused by WHOIS searches for invalid values

7.5.11 – June 14, 2022

  • Improvement: Added option to toggle display of last login column on WP Users page
  • Improvement: Improved autocomplete support for 2FA code on Apple devices
  • Improvement: Prevented Batcache from caching block pages
  • Improvement: Updated GeoIP database
  • Fix: Prevented extraneous scan results when non-existent paths are configured using UPLOADS and related constants
  • Fix: Corrected issue that prevented reCAPTCHA scores from being recorded
  • Fix: Prevented invalid JSON setting values from triggering fatal errors
  • Fix: Made text domains consistent for translation support
  • Fix: Clarified that allowlisted IP addresses also bypass reCAPTCHA

7.5.10 – May 17, 2022

  • Improvement: Improved scan support for sites with non-standard directory structures
  • Improvement: Increased accuracy of executable PHP upload detection
  • Improvement: Addressed various deprecation notices with PHP 8.1
  • Improvement: Improved handling of invalidated license keys
  • Fix: Corrected lost password redirect URL when used with WooCommerce
  • Fix: Prevented errors when live traffic data exceeds database column length
  • Fix: Prevented bulk password resets from locking out admins
  • Fix: Corrected issue that prevented saving country blocking settings in certain cases
  • Change: Updated copyright information

7.5.9 – March 22, 2022

  • Improvement: Updated GeoIP database
  • Improvement: Removed blocking data update logic in order to reduce timeouts
  • Improvement: Increased timeout value for API calls in order to reduce timeouts
  • Improvement: Clarified notification count on Wordfence menu
  • Improvement: Improved scan compatibility with WooCommerce
  • Improvement: Added messaging when application passwords are disabled
  • Fix: Prevented warnings and errors when constants are defined based on the value of other constants in wp-config.php
  • Fix: Corrected redundant escaping that prevented viewing or repairing files in scan results

7.5.8 – February 1, 2022

  • Launch of Wordfence Care and Wordfence Response

7.5.7 – November 22, 2021

  • Improvement: Made preliminary changes for compatibility with PHP 8.1
  • Change: Added GPLv3 license and updated EULA

7.5.6 – October 18, 2021

  • Fix: Prevented login errors with WooCommerce integration when manual username entry is enabled on the WooCommerce registration form
  • Fix: Corrected theme incompatibilities with WooCommerce integration

7.5.5 – August 16, 2021

  • Improvement: Enhanced accessibility
  • Improvement: Replaced regex in scan log with signature ID
  • Improvement: Updated Knockout JS dependency to version 3.5.1
  • Improvement: Removed PHP 8 compatibility notice
  • Improvement: Added NTP status for Login Security to Diagnostics
  • Improvement: Updated plugin headers for compatibility with WordPress 5.8
  • Improvement: Updated Nginx documentation links to HTTPS
  • Improvement: Updated IP address geolocation database
  • Improvement: Expanded WAF SQL syntax support
  • Improvement: Added optional constants to configure WAF database connection
  • Improvement: Added support for matching punycode domain names
  • Improvement: Updated Wordfence install count
  • Improvement: Deprecated support for WordPress versions older than 4.4.0
  • Improvement: Added warning messages when blocking U.S.
  • Improvement: Added MYSQLI_CLIENT_SSL support to WAF database connection
  • Improvement: Added 2FA and reCAPTCHA support for WooCommerce login and registration forms
  • Improvement: Added option to require 2FA for any role
  • Improvement: Added logic to automatically disable NTP after repeated failures and option to manually disable NTP
  • Improvement: Updated reCAPTCHA setup note
  • Fix: Prevented issue where country blocking changes are not saved
  • Fix: Corrected string placeholder
  • Fix: Added missing text domain to translation calls
  • Fix: Corrected warning about sprintf arguments on Central setup page
  • Fix: Prevented lost password functionality from revealing valid logins

7.5.4 – June 7, 2021

  • Fix: Resolve conflict with woocommerce-gateway-amazon-payments-advanced plugin

7.5.3 – May 10, 2021

  • Improvement: Expanded WAF capabilities including better JSON and user permission handling
  • Improvement: Switched to relative paths in WAF auto_prepend file to increase portability
  • Improvement: Eliminated unnecessary calls to Wordfence servers
  • Fix: Prevented errors on PHP 8.0 when disk_free_space and/or disk_total_space are included in disabled_functions
  • Fix: Fixed PHP notices caused by unexpected plugin version data
  • Fix: Gracefully handle unexpected responses from Wordfence servers
  • Fix: Time field now displays correctly on “See Recent Traffic” overlay
  • Fix: Corrected typo on Diagnostics page
  • Fix: Corrected IP counts on activity report
  • Fix: Added missing line break in scan result emails
  • Fix: Sending test activity report now provides success/failure response
  • Fix: Reduced SQLi false positives caused by comma-separated strings
  • Fix: Fixed JS error when resolving last scan result

7.5.2 – March 24, 2021

  • Fix: Fixed fatal error on single-sites running WordPress <4.9.

7.5.1 – March 24, 2021

  • Fix: Fixed fatal error when viewing the Login Security settings page from an allowlisted IP.

7.5.0 – March 24, 2021

  • Improvement: Translation-readiness: All user-facing strings are now run through WordPress’s i18n functions.
  • Improvement: Remove legacy admin functions no longer used within the UI.
  • Improvement: Local GeoIP database update.
  • Improvement: Remove Lynwood IP range from allowlist, and add new AWS IP range.
  • Fix: Fixed bug with unlocking a locked out IP without correctly resetting its failure counters.
  • Fix: Sites using deleted premium licenses correctly revert to free license behavior.
  • Fix: When enabled, cookies are now set for the correct roles on previously used devices.
  • Fix: WAF cron jobs are now skipped when running on the CLI.
  • Fix: PHP 8.0 compatibility – prevent syntax error when linting files.
  • Fix: Fixed issue where PHP 8 notice sometimes cannot be dismissed.

7.4.14 – December 3, 2020

  • Improvement: Added option to disable application passwords.
  • Improvement: Updated site cleaning callout with 1-year guarantee.
  • Improvement: Upgraded sodium_compat library to 1.13.0.
  • Improvement: Replaced the terms whitelist and blacklist with allowlist and blocklist.
  • Improvement: Made a number of WordPress 5.6 and jQuery 3.x compatibility improvements.
  • Improvement: Made a number of PHP8 compatilibility improvements.
  • Improvement: Added dismissable notice informing users of possible PHP8 compatibility issues.

7.4.12 – October 21, 2020

  • Improvement: Initial integration of i18n in Wordfence.
  • Improvement: Prevent Wordfence from loading under <PHP 5.3.
  • Melhoria: banco de dados GeoIP atualizado.
  • Improvement: Prevented wildcard from running/saving for scan’s excluded files pattern.
  • Improvement: Included Wordfence Login Security tables in diagnostics missing table list.
  • Fix: Removed new scan issues when WordPress update occurs mid-scan.
  • Fix: Specified category when saving whitelistedServiceIPs to WAF storage engine.
  • Fix: Removed localhost IP for auto-update email alerts.
  • Fix: Fixed broken message in Live Traffic with MySQLi storage engine for blocklisted hits.
  • Fix: Removed optional parameter values for PHP 8 compatibility.

7.4.11 – August 27, 2020

  • Improvement: Added diagnostic debug button to clear Wordfence Central connection data from the database.
  • Improvement: Added help documentation links to modified plugin/theme file scan results.
  • Fix: Prevent file system scan from following symlinks to root.
  • Fix: Cleared pending plugin/theme update scan results and notification when a plugin/theme is auto-updated.
  • Fix: Added check for when site is disconnected on Central’s end, but not in the plugin.

7.4.10 – August 5, 2020

  • Improvement: Prevent author sitemap from leaking usernames in WordPress >= 5.5.0.
  • Fix: Prevent Wordfence auto-update from running if the user has enabled auto-update through WordPress.
  • Fix: Added default permission_callback params to Wordfence Central REST routes.
  • Fix: Fixed missing styling on WAF optimization admin notice.

7.4.9 – July 8, 2020

  • Improvement: Added list of known malicious usernames to suspicious administrator scan.
  • Improvement: Added ability for the WAF to determine if a given plugin/theme/core version is installed.
  • Improvement: Added a feature to export a diagnostics report.
  • Improvement: Add php_errorlog to the list of downloadable logs in diagnostics.
  • Improvement: Added a prompt to allow user to download a backup prior to repairing files.
  • Improvement: Prevent scan from failing when the home URL has changed and the key is no longer valid.
  • Improvement: Deprecated PHP 5.3, and ended PHP 5.2 support by prevent auto-update from running on older versions.
  • Fix: Fixed issue where WAF mysqli storage engine cannot find credentials if wflogs/ does not exist.
  • Fix: Changed capability checked to read WP REST API users endpoint when “Prevent discovery of usernames through …” is enabled.
  • Fix: Prevented duplicate queries for wordfenceCentralConnected wfconfig value.
  • Fix: Prevented custom wp-content or other directories from appearing in “skipped paths” scan result, even when scanned.
  • Fix: Login Attempts dashboard widget “Show more” link is not visible when long usernames and IPs cause wrapping.
  • Fix: Fix typo in the readme.

7.4.8 – June 16, 2020

  • Fix: Fixed issue with fatal errors encountered during activation under certain conditions.

7.4.7 – April 23, 2020

  • Melhoria: banco de dados local atualizado de GeoIP.
  • Improvement: Better messaging when selecting restrictive rate limits.
  • Improvement: Scan result emails now include the count of issues that were found again.
  • Improvement: Resolved scan issues will now email again if they reoccur.
  • Improvement: Added the state/province name when applicable to geolocation displays in Live Traffic.
  • Improvement: New blocking page design to better inform blocked visitors on how to resolve the block.
  • Improvement: Custom WP_CONTENT_DIR, WP_PLUGIN_DIR, and UPLOADS path constants will now get scanned correctly.
  • Improvement: Added TLS connection failure detection to brute force reporting and checking and a corresponding backoff period.
  • Fix: Fixed an issue where a bad cron record could interfere with automatic WAF rule updates.
  • Fix: Fixed a PHP warning that could occur if a bad response was received while updating an IP list.
  • Fix: The new user tour and onboarding flow will now work correctly on the 2FA page.

7.4.6 – February 12, 2020

  • Improvement: Enhanced the detection ability of the WAF for SQLi attacks.
  • Improvement: Updated the bundled GeoIP database.
  • Improvement: Modified some country names in the block configuration to align with those shown in Live Traffic.
  • Change: Moved the skipped files scan check to the Server State category.
  • Fix: Fixed an issue where after scrolling on the Live Traffic page, updates would no longer automatically load.
  • Fix: Modified the number of login records kept to align better with Live Traffic so they’re trimmed around the same time.

7.4.5 – January 15, 2020

  • Improvement: Improved WAF coverage for an Infinite WP authentication bypass vulnerability.

7.4.4 – January 14, 2020

  • Fix: Fixed a UI issue where the scan summary status marker for malware didn’t always match the findings.

7.4.3 – January 13, 2020

  • Improvement: Added WAF coverage for an Infinite WP authentication bypass vulnerability.
  • Improvement: The malicious URL scan now includes protocol-relative URLs (e.g., //example.com)
  • Improvement: Malware signatures are now better applied to large files read in multiple passes.
  • Improvement: Added a scan issue that will appear when one or more paths are skipped due to scan settings excluding them.
  • Changed: AJAX endpoints now send the application/json Content-Type header.
  • Changed: Updated text on scan issues for plugins removed from wordpress.org to better indicate possible reasons.
  • Changed: Added compatibility messaging for reCAPTCHA when WooCommerce is active.
  • Fixed: Added missing $wp_query->set_404() call when outputting a 404 page on a custom action.
  • Fixed: Fixed the logout username display in Live Traffic broken by a change in WordPress 5.3.
  • Fixed: Improved the response callback used for the WAF status check during extended protection installation.
  • Fixed: The “Require 2FA for all administrators” notice is now automatically dismissed if an administrator sets up 2FA.

7.4.2 – December 3, 2019

  • Improvement: Increased performance of IP CIDR range comparisons.
  • Improvement: Added parameter signature to remote scanning for better validation during forking.
  • Change: Removed duplicate browser label in Live Traffic.
  • Fix: Added compensation for PHP 7.4 deprecation notice with get_magic_quotes_gpc.
  • Fix: Fixed potential notice in dashboard widget when no updates are found.
  • Fix: Updated JS hashing library to compensate for a variable name collision that could occur.
  • Fix: Fixed an issue where certain symlinks could cause a scan to erroneously skip files.
  • Fix: Fixed PHP memory test for newer PHP versions whose optimizations prevented it from allocating memory as desired.

7.4.1 – November 6, 2019

  • Improvement: Updated the bundled GeoIP database.
  • Improvement: Minor changes to ensure compatibility with PHP 7.4.
  • Improvement: Updated the WHOIS lookup for better reliability.
  • Improvement: Added better diagnostic data when the WAF MySQL storage engine is active.
  • Improvement: Improved the messaging when switching between premium and free licenses.
  • Change: Deprecated DNS changes scan.
  • Change: The plugin will no longer email alerts when Central is managing them.
  • Fix: Added error suppression to ignore_user_abort calls to silence it on hosts with it disabled.
  • Fix: Improved path generation to better avoid outputting extra slashes in URLs.
  • Fix: Applied a length limit to malware reporting to avoid failures due to large content size.

7.4.0 – August 22, 2019

  • Improvement: Added a MySQL-based configuration and data storage for the WAF to expand the number of hosting environments supported. For more detail, see: https://www.wordfence.com/help/firewall/mysqli-storage-engine/
  • Melhoria: banco de dados local atualizado de GeoIP.
  • Fix: Fixed several console notices when running via the CLI.

7.3.6 – July 31, 2019

  • Improvement: Multiple “php.ini file in core directory” issues are now consolidated into a single issue for clearer scan results.
  • Improvement: The AJAX error detection for false positive WAF blocks now better detects and processes the response for presenting the allowlisting prompt.
  • Improvement: Added overdue cron detection and highlighting to diagnostics to help identify issues.
  • Improvement: Added the necessary directives to exclude backwards compatibility code from creating warnings with phpcs for future compatibility with WP Tide.
  • Improvement: Normalized all PHP require/include calls to use full paths for better code quality.
  • Change: Removed deprecated high sensitivity scan option since current signatures are more accurate.
  • Fix: Fixed the status circle tooltips not showing.
  • Fix: IP detection at the WAF level better mirrors the main plugin exactly when using the automatic setting.
  • Fix: Fixed a currently-unused code path in email address verification for the strict check.

7.3.5 – July 16, 2019

  • Improvement: Improved tagging of the login endpoint for brute force protection.
  • Improvement: Added additional information about reCAPTCHA to its setting control.
  • Improvement: Added a constant that may be overridden to customize the expiration time of login verification email links.
  • Improvement: reCAPTCHA keys are now tested on saving to prevent accidentally inputting a v2 key.
  • Improvement: Added a setting to control the reCAPTCHA human/bot threshold.
  • Improvement: Added a separate option to trigger removal of Login Security tables and data on deactivation.
  • Improvement: Reworked the reCAPTCHA implementation to trigger the token check on login/registration form submission to avoid the token expiring.
  • Fix: Widened the reCAPTCHA key fields to allow the full keys to be visible.
  • Fix: Fixed encoding of the ellipsis character when reporting malware finds.
  • Fix: Disabling the IP blocklist once again correctly clears the block cache.
  • Fix: Addressed an issue when outbound UDP connections are blocked where the NTP check could log an error.
  • Fix: Added handling for reCAPTCHA’s JavaScript failing to load, which previously blocked logging in.
  • Fix: Fixed the functionality of the button to send 2FA grace period notifications.
  • Fix: Fixed a missing icon for some help links when running in standalone mode.

7.3.4 – June 17, 2019

  • Improvement: Added security events and alerting features built into Wordfence Central.

7.3.3 – June 11, 2019

  • Improvement: Added support for managing the login security settings to Wordfence Central.
  • Improvement: Updated the bundled root CA certificate store.
  • Improvement: Added a check and update flow for mod_php hosts with only the PHP5 directive set for the WAF’s extended protection mode.
  • Improvement: Added additional values to Diagnostics for debugging time-related issues, the new fatal error handler settings, and updated the PHP version check to reflect the new 5.6.20 requirement of WordPress.
  • Change: Changed the autoloader for our copy of sodium_compat to always load after WordPress core does.
  • Fix: Fixed the “removed from wordpress.org” detection for plugin, which was broken due to an API change.
  • Fix: Fixed the bulk repair function in the scan results when it included core files.

7.3.2 – May 16, 2019

  • Improvement: Updated sodium_compat to address an incompatibility that may occur with the pending WordPress 5.2.1 update.
  • Improvement: Clarified text around the reCAPTCHA setting to indicate v3 keys must be used.
  • Improvement: Added detection for Jetpack and a notice when XML-RPC authentication is disabled.
  • Fix: Suppressed error messages on the NTP time check to compensate for hosts with UDP connections disabled.

7.3.1 – May 14, 2019

  • Improvement: Two-factor authentication is new and improved, now available on all Premium and Free installations.
  • Improvement: Added Google reCAPTCHA v3 support to the login and registration forms.
  • Improvement: XML-RPC authentication may now be disabled or forced to require 2FA.
  • Improvement: Reduced size of SVG assets.
  • Improvement: Clarified text on “Maximum execution time for each scan stage” option.
  • Improvement: Added detection for an additional config file that may be created and publicly visible on some hosts.
  • Improvement: Improved detection for malformed malware scanning signatures.
  • Change: Long-deprecated database tables will be removed.
  • Change: Removed old performance logging code that’s no longer used.
  • Fix: Addressed a log notice when using the See Recent Traffic feature in Live Traffic.
  • Fix: WAF attack data now correctly includes JSON payloads when appropriate.
  • Fix: Fixed the text for Live Traffic entries that include a redirection message.
  • Fix: Fixed an issue with synchronizing scan issues to Wordfence Central that prevented stale issues from being cleared.

7.2.5 – April 18, 2019

  • Improvement: Added additional data breach records to the breached password check.
  • Improvement: Added the Accept-Encoding compression header to WAF-related requests for better performance during rule updates.
  • Improvement: Updated to the current GeoIP database.
  • Improvement: Added additional controls to the Wordfence Central connection page to better reflect the current connection state.
  • Change: Updated the text on the option to alert for scan results of a certain severity.

7.2.4 – March 26, 2019

  • Improvement: Updated vulnerability database integration.
  • Improvement: Better messaging when a WAF rule update fails to better indicate the cause.
  • Fix: Removed a double slash that could occur in an image path.
  • Fix: Adjusted timeouts to improve reliability of WAF rule updates on slower servers.
  • Fix: Improved connection process with Wordfence Central for better reliability on servers with non-standard paths.
  • Fix: Switched to autoloader with fastMult enabled on sodum_compat to minimize connection issues.

7.2.3 – February 28, 2019

  • Improvement: Country names are now shown instead of two letter codes where appropriate.
  • Improvement: Updated the service allowlist to reflect additions to the Facebook IP ranges.
  • Improvement: Added alerting for when the WAF is disabled for any reason.
  • Improvement: Additional alerting and troubleshooting steps for WAF configuration issues.
  • Change: Live Traffic human/bot status will additionally be based on the browscap record in security-only mode.
  • Change: Added dismissible prompt to switch Live Traffic to security-only mode.
  • Fix: The scan issues alerting option is now set correctly for new installations.
  • Fix: Fixed a transparency issue with flags for Switzerland and Nepal.
  • Fix: Fixed the malware link image rendering in scan issue emails and switched to always use https.
  • Fix: WAF-related scheduled tasks are now more resilient to connection timeouts or memory issues.
  • Fix: Fixed Wordfence Central connection flow within the first time experience.

7.2.2 – February 14, 2019

  • Melhoria: banco de dados GeoIP atualizado.
  • Fix: Syncing requests from Wordfence Central no longer appear in Live Traffic.
  • Fix: Addressed some display issues with the Wordfence Central panel on the Wordfence Dashboard.

7.2.1 – February 5, 2019

  • Improvement: Integrated Wordfence with Wordfence Central, a new service allowing you to manage multiple Wordfence installations from a single interface.
  • Improvement: Added a help link to the mode display when a host disabling Live Traffic is active.
  • Improvement: Added an option for allowlisting ManageWP in “Allowlisted Services”.
  • Fix: Enqueued fonts used in admin notices on all admin pages.
  • Fix: Change false positive user-reports link to use https.
  • Fix: Fix reference to non-existent function when registering menus.

7.1.20 – January 8, 2019

  • Fix: Fixed a commit error with 7.1.19

7.1.19 – January 8, 2019

  • Improvement: Speed optimizations for WAF rule compilation.
  • Improvement: Added Kosovo to country blocking.
  • Improvement: Additional flexibility for allowlist rules.
  • Fix: Added compensation for really long file lists in the “Exclude files from scan” setting.
  • Fix: Fixed an issue where the GeoIP database update check would never get marked as completed.
  • Fix: Login credentials passed as arrays no longer trigger a PHP notice from our filters.
  • Fix: Text fixes to the WAF nginx help text.

7.1.18 – December 4, 2018

  • Improvement: Removed unused font glyph ranges to reduce file count and size.
  • Improvement: Switched flags to use a CSS sprite to reduce file count and size.
  • Improvement: Added dates to each release in the changelog.
  • Change: Live Traffic now defaults to only logging security events on new installations.
  • Change: Added an upper limit to the maximum scan stage execution time if not explicitly overridden.
  • Fix: Changed WAF file handling to skip some file actions if running via the CLI.
  • Fix: Fixed an issue that could prevent files beginning with a period from working with the file restore function.
  • Fix: Improved layout of options page controls on small screens.
  • Fix: Fixed a typo in the htaccess update panel.
  • Fix: Added compensation for Windows path separators in the WAF config handling.
  • Fix: Fixed handling of case-insensitive tables in the Diagnostics table check.
  • Fix: Better messaging by the status circles when the WAF config is inaccessible or corrupt.
  • Fix: REST API hits now correctly follow the “Don’t log signed-in users with publishing access” option.

7.1.17 – November 6, 2018

  • Improvement: Increased frequency of filesystem permission check and update of the WAF config files.
  • Improvement: More complete data removal when deactivating with remove tables and files checked.
  • Improvement: Better diagnostics logging for GeoIP conflicts.
  • Fix: Text fix in invalid username lockout message.
  • Fix: PHP 7.3 syntax compatibility fixes.

7.1.16 – October 16, 2018

  • Improvement: Service allowlisting can now be selectively toggled on or off per service.
  • Melhoria: banco de dados local atualizado de GeoIP.
  • Change: Removed the “Disable Wordfence Cookies” option as we’ve removed all cookies it affected.
  • Change: Updates that refresh country statistics are more efficient and now only affect the most recent records.
  • Change: Changed the title of the Wordfence Dashboard so it’s easier to identify when many tabs are open.
  • Fix: Fixed an issue with country blocking and XML-RPC requests containing credentials.

7.1.15 – October 1, 2018

  • Fix: Addressed a plugin conflict with the composer autoloader.

7.1.14 – October 1, 2018

  • Improvement: Reduced queries and potential table size for rate limiting-related data.
  • Improvement: Updated the internal browscap database.
  • Improvement: Better error reporting for scan failures due to connectivity issues.
  • Improvement: WAF-related file permissions will now lock down further when possible.
  • Improvement: Hardening for sites on servers with insecure configuration, which should not be enabled on publicly accessible servers. Thanks Janek Vind.
  • Change: Switched the minimum PHP version to 5.3.
  • Fix: Prevent bypass of author enumeration prevention by using invalid parameters. Thanks Janek Vind.
  • Fix: Wordfence crons will now automatically reschedule if missing for any reason.
  • Fix: Fixed an issue where the block counts and total IPs blocked values on the dashboard might not agree.
  • Fix: Corrected the message shown on Live Traffic when a country blocking bypass URL is used.
  • Fix: Removed extra spacing in the example ranges for “Allowlisted IP addresses that bypass all rules”

7.1.12 – September 12, 2018

  • Melhoria: banco de dados local atualizado de GeoIP.
  • Improvement: Restructured the WAF configuration storage to be more resilient on hosts with no file locking support.
  • Change: Moved the settings import/export to the Tools page.
  • Change: New installations will now use lowercase table names to avoid issues with some backup plugins and Windows-based sites.
  • Fix: The notice and repair link for an unreadable WAF configuration now work correctly.
  • Fix: Improved appearance of some stat components on smaller screens.
  • Fix: Fixed duplicate entries with different status codes appearing in detailed live traffic.
  • Fix: Added better caching for the breached password check to compensate for sites that prevent the cache from expiring correctly.
  • Fix: Changing the frequency of the activity summary email now reschedules it.

7.1.11 – August 21, 2018

  • Improvement: Added a custom message field that will show on all block pages.
  • Improvement: Improved the standard appearance for block pages.
  • Improvement: Live Traffic now better displays failed logins.
  • Improvement: Added a constant to prevent direct MySQLi use for hosts with unsupported DB configurations.
  • Improvement: Malware scan results have been modified to include both a public identifier and description.
  • Change: Description updated on the Live Traffic page.
  • Fix: Removed an empty file hash from the old WordPress core file detection.
  • Fix: Update locking now works on multisites that have removed the original site.

7.1.10 – July 31, 2018

  • Improvement: Better labeling in Live Traffic for 301 and 302 redirects.
  • Improvement: Login timestamps are now displayed in the site’s configured time zone rather than UTC.
  • Improvement: Added detection and a workaround for hosts with a non-functional MySQLi interface.
  • Improvement: The prevent admin registration setting now works with WooCommerce’s registration flow.
  • Improvement: For hosts with varying URL values (e.g., AWS instances), notification and alert links now correctly use the canonical admin URL.
  • Fix: Fixed a layout problem with the live traffic disabled notice.
  • Fix: The scan stage that checks “How does Wordfence get IPs?” no longer shows a warning if the call fails.

7.1.9 – July 12, 2018

  • Improvement: Added an “unsubscribe” link to plugin-generated alerts.
  • Improvement: Added some additional flags.
  • Change: Removed some unnecessary files from the bundled GeoIP library.
  • Change: Updated wording in the Terms of Use/Privacy Policy agreement UI.
  • Change: The minimum “Lock out after how many login failures” is now 2.
  • Change: The diagnostics report now includes the scan issues for easier debugging.
  • Fix: Multiple improvements to automatic updating to avoid broken updates on sites with low resources or slow file systems.
  • Fix: Better text wrapping in the top failed logins widget.
  • Fix: Onboarding CSS/JS is now correctly enqueued for multisite installations.
  • Fix: Fixed a missing asset with the bundled jQueryUI library.
  • Fix: Fixed memory calculation when using PHP’s supported shorthand syntax.
  • Fix: Better wrapping behavior on the reason column in the blocks table.
  • Fix: Fixed an issue with an internal data structure to prevent error log entries when using mbstring functions.
  • Fix: Improved bot detection when no user agent is sent.

7.1.8 – June 26, 2018

  • Improvement: Better detection of removal status when uninstalling the WAF’s auto-prepend file.
  • Improvement: Switched optional mailing list signup to go directly through our servers rather than a third party.
  • Fix: Fixed the dashboard erroneously showing the payment method as missing for some payment methods.
  • Fix: If a premium license is deleted from wordfence.com, the plugin will now automatically downgrade rather than get stuck in an intermediate state.
  • Fix: Changed some wording to consistently use “License” or “License Key”.

7.1.7 – June 5, 2018

  • Improvement: Added better support for keyboard navigation of options.
  • Improvement: staging. and dev. subdomains are now supported for sharing premium licenses.
  • Improvement: Bundled our interface font to avoid loading from a remote source and reduced the pages some assets were loaded on.
  • Improvement: Added option to trim Live Traffic records after a specific number of days.
  • Improvement: Updated to the current GeoIP2 database.
  • Improvement: Extended the automatic redaction applied to attack data that may include sensitive information.
  • Change: Removed a no-longer-used API call.
  • Fix: Fixed a few options that couldn’t be searched for on the all options page.
  • Fix: Activity Report emails now detect and avoid symlink loops.

7.1.6 – May 22, 2018

  • Fix: Added a workaround for sites with inaccessible WAF config files when reading php://input

7.1.5 – May 22, 2018

  • Improvement: GDPR compliance updates.
  • Improvement: The list of blocks now shows the most recently-added blocks at the top by default.
  • Improvement: Added better table status display to Diagnostics to help with debugging.
  • Improvement: Added deferred loading to Live Traffic avatars to improve performance with some plugins.
  • Improvement: The server’s own IP is now automatically allowlisted for known safe requests.
  • Fix: Added a workaround to Live Traffic human/bot detection to compensate for other scripts that modify our event handlers.
  • Fix: Fixed an error with Live Traffic human/bot detection when plugins change the load order.
  • Fix: Fixed auto-enabling of some controls when pasting values.
  • Fix: Fixed an instance where http links could be generated for emails rather than https.

7.1.4 – May 2, 2018

  • Improvement: Added additional XSS detection capabilities.
  • Change: Initial preparation for GDPR compliance. Additional changes will be included in an upcoming release to meet the GDPR deadline.
  • Change: Reworked Live Traffic/Rate Limiting human and bot detection to function without cookies.
  • Change: Removed the wfvt_ cookie as it was no longer necessary.
  • Change: Better debug messaging for scan forking.
  • Fix: PHP deprecation notices no longer suppress those of old OpenSSL or WordPress.
  • Fix: Fixes to the deprecated OpenSSL version detection and alerting to handle non-patch version numbers.
  • Fix: Added detection for and fixed a very large pcre.backtrack_limit setting that could cause scans to fail, when modified by other plugins.
  • Fix: Scan issue alert emails no longer incorrectly show high sensitivity was enabled.
  • Fix: Fixed wrapping of long strings on the Diagnostics page.

7.1.3 – April 18, 2018

  • Improvement: Improved the performance of our config table status check.
  • Improvement: The IP address of the user activating Wordfence is now used by the breached password check until an admin successfully logs in.
  • Improvement: Added several new error displays for scan failures to help diagnose and fix issues.
  • Improvement: Added the block duration to alerts generated when an IP is blocked.
  • Improvement: A text version of scan results is now included in the activity log email.
  • Improvement: The WAF install/uninstall process no longer asks to backup files that do not exist.
  • Change: Began a phased rollout of moving brute force queries to be https-only.
  • Change: Added the initial deprecation notice for PHP 5.2.
  • Change: Suppressed a script tag on the diagnostics page from being output in the email version.
  • Fix: Addressed an issue where plugins that return a null user during authentication would cause a PHP notice to be logged.
  • Fix: Fixed an issue where plugins that use non-standard version formatting could end up with a inaccurate vulnerability status.
  • Fix: Added a workaround for web email clients that erroneously encode some URL characters (e.g., #).

7.1.2 – April 4, 2018

  • Improvement: Added support for filtering the blocks list.
  • Improvement: Added a flow for generating the WAF autoprepend file and retrieving the path for manual installations.
  • Improvement: Added a variety of new data values to the Diagnostics page to aid in debugging issues.
  • Improvement: SVG files now have the JavaScript-based malware signatures run against them.
  • Improvement: More descriptive text for the scan issue email when there’s an unknown WordPress core version.
  • Improvement: Added a dedicated error display that will show when a scan is detected as failed.
  • Improvement: readme.html and wp-config-sample.php are no longer scanned for changes due to differences between languages (malware signatures still run).
  • Improvement: When the license status changes, it now triggers a fresh pull of the WAF rules.
  • Improvement: Added dedicated messaging for leftover WordPress core files that were not fully removed during upgrade.
  • Improvement: Improved labeling in Live Traffic for hits blocked by the real-time IP blocklist.
  • Improvement: Added forced wrapping to the file paths in the activity report email to avoid scroll bar overlap making them unreadable.
  • Improvement: Updated the bundled GeoIP database.
  • Improvement: Updated the bundled browscap database.
  • Improvement: All emailed alerts now include a link to the generating site.
  • Change: Minor text change to unify some terminology.
  • Fix: Removed a remaining reference to the CDN version of Font Awesome.
  • Fix: Removed an old reference to the pre-Wordfence 7.1 lockouts table.
  • Fix: Scan results for malware detections in posts are no longer clickable.
  • Fix: We now verify that there’s a valid email address defined before attempting to send an alert and filter out any invalid ones.
  • Fix: Added a workaround for GoDaddy/Limit Login Attempts suppressing the 2FA prompting.

7.1.1 – March 20, 2018

  • Improvement: Added the ability to sort the blocks table.
  • Improvement: Added short-term caching of breach check results.
  • Improvement: The check for passwords leaked in breaches now allows a login if the user has previously logged in from the same IP successfully and displays an admin notice suggesting changing the password.
  • Improvement: Switched the bundled select2 library to use to prefixed version to work around other plugins including older versions on our pages.
  • Improvement: The scan page now displays when beta signatures are enabled since they can produce false positives.
  • Improvement: Improved positioning of the “Wordfence is Working” message.
  • Improvement: Added a character limit to the reason on blocks and forced wrapping to avoid the layout stretching too much.
  • Fix: Fixed an issue with some table prefixing where multisite installations with rare configurations could result in unknown table warnings.
  • Fix: Removed an older behavior with live traffic buttons that could allow them to open in a new tab and show nothing.
  • Fix: Added a check for sites with inaccurate disk space function results to avoid showing an issue.
  • Fix: Added a secondary check to the email summary cron to avoid repeated sending if the cron list is corrupted.
  • Fix: Fixed a typo on the Advanced Comment Spam Filter page.

7.1.0 – March 1, 2018

  • Improvement: Added a new feature to prevent attackers from successfully logging in to admin accounts whose passwords have been in data breaches.
  • Improvement: Added pagination support to the scan issues.
  • Improvement: Improved time zone handling for the WAF’s learning mode.
  • Improvement: Improved messaging on file-related scan issues when the file is wp-config.php.
  • Improvement: Modified the appearance of the “How does Wordfence get IPs” option to be more clear.
  • Improvement: Better messaging about the scan options that need to be enabled for free installations to achieve 100%.
  • Improvement: The country blocking selection drawer behavior has been changed to now allow saving directly from it.
  • Improvement: Increased the textarea size for the advanced firewall options to make editing easier.
  • Improvement: The URL blocklist check now includes additional variants in some checks to more accurately match.
  • Change: Adjusted messaging when blocks are loading.
  • Change: Wording change for the option “Maximum execution time for each stage”.
  • Change: Permanent blocks now display “Permanent” rather than “Indefinite” for the expiration for consistency.
  • Fix: Fixed the initial status code recorded for lockouts and blocks.
  • Fix: Fixed PHP notices that could occur when using the bulk delete/repair scan tools.
  • Fix: Improved the state updating for the scan bulk action buttons.
  • Fix: Usernames in live traffic now correctly link to the corresponding profile page.
  • Fix: Addressed a PHP warning that could occur if wordpress.org returned a certain format for the abandoned plugin check.
  • Fix: Fixed a possible PHP notice when syncing attack data records without metadata attached.
  • Fix: Modified the behavior of the disk space check to avoid a scan warning showing without an issue generated.
  • Fix: Fixed a CSS glitch where the top controls could have extra space at the top when sites have long navigation menus.
  • Fix: Updated some wording in the All Options search box.
  • Fix: Removed an old link for “See Recent Traffic” on Live Traffic that went nowhere.

7.0.4 – February 12, 2018

  • Change: Live Traffic records are no longer created for hits initiated by WP-CLI (e.g., manually running cron).
  • Fix: Fixed an issue where the human/bot detection wasn’t functioning.

7.0.4

  • Fix: Re-added missing file to fix commit excluding it.

7.0.3 – February 12, 2018

  • Improvement: Added an “All Options” page to enable developers and others to more rapidly configure Wordfence.
  • Improvement: Improved messaging for when a page has been open for more than a day and the security token expires.
  • Improvement: Relocated the “Always display expanded Live Traffic records” option to be more accessible.
  • Improvement: Improved appearance and behavior of option checkboxes.
  • Improvement: For plugins with incomplete header information, they’re now shown with a fallback title in scan results as appropriate.
  • Improvement: The country block rule in the blocks table now shows a count rather than a potentially large list of countries.
  • Change: Modified behavior of the advanced country blocking options to always show.
  • Fix: Fixed the “Make Permanent” button behavior for blocks created from Live Traffic.
  • Fix: Better synchronization of block records to the WAF config to avoid duplicate queries.
  • Fix: The diff viewer now forces wrapping to prevent long lines of text from stretching the layout.
  • Fix: Fixed an issue where the scanned plugin count could be inaccurate due to forking during the plugin scan.
  • Fix: Adjusted sizing on the country blocking options to prevent placeholder text from being cut off at some screen sizes.
  • Fix: Block/Unblock now works correctly when viewing Live Traffic with it grouped by IP.
  • Fix: Fixed an issue where the count of URLs checked was incorrect.

7.0.2 – January 31, 2018

  • Improvement: Added CSS/JS filename versioning to address caching plugins not refreshing for plugin updates.
  • Improvement: The premium key is no longer prompted for during installation if already present from an earlier version.
  • Improvement: Added a check and corresponding notice if the WAF config is unreadable or invalid.
  • Improvement: Improved live traffic sizing on smaller screens.
  • Improvement: Added tour coverage for live traffic.
  • Change: IPs blocked via live traffic now use the configurable how long is an IP blocked setting to match previous behavior.
  • Change: Changed the option to enable live traffic to match the wording and style of other options.
  • Change: Changed styling on the unknown country display in live traffic to match the common coloring.
  • Change: Statistics that do not depend on the WAF for their data now display when it is in learning mode.
  • Change: Scan issues that are indicative of a compromised site are moved to the top of the list.
  • Change: Changed styling on unselected checkboxes.
  • Fix: Quick scans no longer run daily if automatic scheduled scans are disabled.
  • Fix: The update check in a quick scan no longer runs if the update check has been turned off for regular scans.
  • Fix: Fixed the quick navigation letters in the country picker not scrolling.
  • Fix: Fixed editing the country block configuration when there are a large number of other blocks.
  • Fix: Addressed an issue where having the country block or a pattern block selected when clicking Make Permanent could break them.
  • Fix: Live traffic entries with long user agents no longer cause the table to stretch.
  • Fix: Fixed an issue where live traffic would stop loading new records if always display expanded records was on.
  • Fix: Suppressed warnings on IP conversion functions when processing potentially incomplete data.
  • Fix: Added a check in REST API hooks to avoid defining a constant twice.

7.0.1 – January 24, 2018

  • Comprehensive UI refresh.
  • Melhoria: banco de dados local atualizado de GeoIP.

6.3.22 – November 30, 2017

  • Fix: Addressed a warning that could occur on PHP 7.1 when reading php.ini size values.
  • Fix: Fixed a warning by adjusting a query to remove old-style variable references.

6.3.21 – November 1, 2017

  • Melhoria: banco de dados local atualizado de GeoIP.
  • Fix: Fixed a log warning that could occur during the scan for plugins not in the wordpress.org repository.

6.3.20 – October 12, 2017

  • Improvement: The scan will now alert for a publicly visible .user.ini file.
  • Fix: Fixed status code and human/bot tagging of block hit entries for live traffic and the Wordfence Security Network.
  • Fix: Added internal throttling to ensure the daily cron does not run too frequently on some hosts.

6.3.19 – September 20, 2017

  • Emergency Fix: Updated wpdb::prepare calls using %.6f since it is no longer supported.

6.3.18 – September 7, 2017

  • Improvement: Reduced size of some JavaScript for faster loading.
  • Improvement: Better block counting for advanced comment filtering.
  • Improvement: Increased logging in debug mode for plugin updates to help resolve issues.
  • Fix: Reduced the minimum duration of a scan stage to improve reliability on some hosts.

6.3.17 – August 24, 2017

  • Improvement: Prepared code for upcoming scan improvement which will greatly increase scan performance by optimizing malware signatures.
  • Improvement: Updated the bundled GeoIP database.
  • Improvement: Better scan messaging when a publicly-reachable searchreplacedb2.php utility is found.
  • Improvement: The no-cache constant for database caching is now set for W3TC for plugin updates and scans.
  • Improvement: Added an additional home/siteurl resolution check for WPML installations.

6.3.16 – August 8, 2017

  • Improvement: Introduced a new scan stage to check for malicious URLs and content within WordPress core, plugin, and theme options.
  • Improvement: New scan stage includes a new check for TrafficTrade malware.
  • Improvement: Reduced net memory usage during forked scan stages by up to 50%.
  • Improvement: Reduced the number of queries executed for some configuration options.
  • Improvement: Modified the default allowlisting to include the new core AJAX action in WordPress 4.8.1.
  • Fix: Synchronized the scan option names between the main options page and smaller scan options page.
  • Fix: Fixed CSS positioning issue for dashboard metabox with IPv6.
  • Fix: Fixed a compatibility issue with determining the site’s home_url when WPML is installed.

6.3.15 – July 24, 2017

  • Improvement: Reduced memory usage on scan forking and during the known files scan stage.
  • Improvement: Added additional scan options to allow for disabling the blocklist checks while still allowing malware scanning to be enabled.
  • Improvement: Added a Wordfence Application Firewall code block for the lsapi variant of LiteSpeed.
  • Improvement: Updated the bundled GeoIP database.
  • Fix: Added a validation check to IP range allowlisting to avoid log warnings if they’re malformed.

6.3.14 – July 17, 2017

  • Improvement: Introduced smart scan distribution. Scan times are now distributed intelligently across servers to provide consistent server performance.
  • Improvement: Introduced light-weight scan that runs frequently to perform checks that do not use any server resources.
  • Improvement: If unable to successfully look up the status of an IP claiming to be Googlebot, the hit is now allowed.
  • Improvement: Scan issue results for abandoned plugins and unpatched vulnerabilities include more info.
  • Fix: Suppressed PHP notice with time formatting when a microtimestamp is passed.
  • Fix: Improved binary data to HTML entity conversion to avoid wpdb stripping out-of-range UTF-8 sequences.
  • Fix: Added better detection to SSL status, particularly for IIS.
  • Fix: Fixed PHP notice in the diff renderer.
  • Fix: Fixed typo in lockout alert.

6.3.12 – June 28, 2017

  • Improvement: Adjusted the password audit to use a better cryptographic padding option.
  • Improvement: Improved the option value entry process for the modified files exclusion list.
  • Melhoria: adicionou rel=\”noopener noreferrer” a todos os links externos do plugin para uma melhor interoperabilidade com outros scanners.
  • Melhoria: Adicionado suporte ao WAF para validar URLs para uso futuro em regras.
  • Fix: Time formatting will now correctly handle :30 and :45 time zone offsets.
  • Reparo: os hosts que usam mod_lsapi agora serão detectados como Litespeed para otimização WAF.
  • Fix: Added an option to allow automatic updates to function on Litespeed servers that have the global noabort set rather than site-local.
  • Fix: Fixed a PHP notice that could occur when running a scan immediately after removing a plugin.

6.3.11 – June 15, 2017

  • Improvement: The scan will alert for plugins that have not been updated in 2+ years or have been removed from the wordpress.org directory. It will also indicate if there is a known vulnerability.
  • Improvement: Added a self-check to the scan to detect if it has stalled.
  • Melhoria: se o WordPress for atualizado automaticamente enquanto uma varredura estiver sendo executada, a varredura irá auto-abortar e reprogramar-se para tentar novamente mais tarde.
  • Improvement: IP-based filtering in Live Traffic can now use wildcards.
  • Improvement: Updated the bundled GeoIP database.
  • Improvement: Added an anti-crawler feature to the lockout page to avoid crawlers erroneously following the unlock link.
  • Improvement: The live traffic “Group By” options now dynamically show the results in a more useful format depending on the option selected.
  • Improvement: Improved the unknown core files check to include all extra files in core locations regardless of whether or not the “Scan images, binary, and other files as if they were executable” option is on.
  • Improvement: Better wording for the allowlisting IP range error message.
  • Fix: Addressed a performance issue on databases with tens of thousands of tables when trying to load the diagnostics page.
  • Fix: All dashboard and activity report email times are now displayed in the time zone configured for the WordPress installation.

6.3.10 – June 1, 2017

  • Melhoria: redução no uso geral da memória e uso de pico de memória para o scanner.
  • Improvement: Support for exporting a list of all blocked and locked out IP addresses.
  • Improvement: Updated the WAF’s CA certificate bundle.
  • Improvement: Updated the browscap database.
  • Improvement: Suppressed the automatic HTTP referer added by WordPress for API calls to reduce overall bandwidth usage.
  • Improvement: When all issues for a scan stage have been previously ignored, the results now indicate this rather than saying problems were found.
  • Fix: Worked around an issue with WordPress caching to allow password audits to succeed on sites with tens of thousands of users.
  • Fix: Fixed an IPv6 detection issue with one form of IPv6 address.
  • Fix: An empty ignored IP list for WAF alerts no longer creates a PHP notice.
  • Fix: Better detection for when to use secure cookies.
  • Fix: Fixed a couple issue types that were not able to be permanently ignored.
  • Fix: Adjusted the changelog link in the scan results email to work for the new wordpress.org repository.
  • Fix: Fixed some broken links in the activity summary email.
  • Fix: Fixed a typo in the scan summary text.
  • Fix: The increased attack rate emails now correctly identify blocklist blocks.
  • Fix: Fixed an issue with the dashboard where it could show the last scan failed when one has never ran.
  • Fix: Brute force records are now coalesced when possible prior to sending.

6.3.9 – May 17, 2017

  • Melhoria: a verificação da assinatura de malware foi melhor otimizada para melhorar a velocidade geral.
  • Improvement: Updated the bundled GeoIP database.
  • Improvement: The memory tester now tests up to the configured scan limit rather than a fixed value.
  • Improvement: Added a test to the diagnostics page that verifies permissions to the WAF config location.
  • Melhoria: a página de diagnóstico agora contém um teste de retorno de chamada para o próprio servidor.
  • Improvement: Updated the styling of dashboard notifications for better separation.
  • Melhoria: adicionou constantes adicionais à página de diagnóstico.
  • Change: Wordfence now enters a read-only mode with its configuration files when run via the ‘cli’ PHP SAPI on a misconfigured web server to avoid file ownership changing.
  • Change: Changed how administrator accounts are detected to compensate for managed WordPress sites that do not have the standard permissions.
  • Change: The table list on the diagnostics page is now limited in length to avoid being exceedingly large on big multisite installations.
  • Fix: Improved updating of WAF config values to minimize writing to disk.
  • Fix: The blocklist’s blocked IP records are now correctly trimmed when expired.
  • Fix: Added error suppression to the WAF attack data functions to prevent corrupt records from breaking the no-cache headers.
  • Fix: Fixed some incorrect documentation links on the diagnostics page.
  • Fix: Fixed a typo in a constant on the diagnostics page.

6.3.8 – May 2, 2017

  • Fix: Addressed an issue that could cause scans to time out on sites with tens of thousands of potential URLs in files, comments, and posts.

6.3.7 – April 25, 2017

  • Improvement: All URLs are now checked against the Wordfence Domain Blocklist in addition to Google’s.
  • Melhoria: melhor desempenho de carregamento de página para instalações multisite com milhares de tabelas.
  • Improvement: Updated the bundled GeoIP database.
  • Melhoria: estatísticas de bloqueio da lista negra integrada no painel para usuários Premium.
  • Fix: Added locking to the automatic update process to ensure non-standard crons don’t break Wordfence.
  • Fix: Fixed an activation error on multisite installations on very old WordPress versions.
  • Fix: Adjusted the behavior of the blocklist toggle for Free users.

6.3.6 – April 5, 2017

  • Improvement: Optimized the malware signature scan to reduce memory usage.
  • Improvement: Optimized the overall scan to make fewer network calls.
  • Improvement: Running an update now automatically dismisses the corresponding scan issue if present.
  • Improvement: Added a time limit to the live activity status so only current messages are shown.
  • Improvement: WAF configuration files are now excluded by default from the recently modified files list in the activity report.
  • Improvement: Background pausing for live activity and traffic may now be disabled.
  • Improvement: Added additional WAF support to allow us to more easily address false positives.
  • Improvement: Blocking pages presented by Wordfence now indicate the source and contain information to help diagnose caching problems.
  • Fix: All external URLs in the tour are now https.
  • Fix: Corrected a typo in the unlock email template.
  • Fix: Fixed the target of a label on the options page.

6.3.5 – March 23, 2017

  • Improvement: Sites can now specify a list of trusted proxies when using X-Forwarded-For for IP resolution.
  • Improvement: Added options to customize which dashboard notifications are shown.
  • Melhoria: melhorias na fase de malware do scanner para evitar o tempo limite em arquivos maiores.
  • Improvement: Provided additional no-caching indicators for caches that erroneously save pages with HTTP error status codes.
  • Improvement: Updated the bundled GeoIP database.
  • Improvement: Optimized the country update process in the upgrade handler so it only updates changed records.
  • Improvement: Added our own prefixed version of jQuery.DataTables to avoid conflicts with other plugins.
  • Melhoria: alterações no readme.txt e readme.md agora são ignoradas pelo scanner, a menos que uma alta sensibilidade esteja ativada.
  • Fix: Addressed an issue with multisite installations where they would execute the upgrade handler for each subsite.
  • Fix: Added additional error handling to the blocked IP list to avoid outputting notices when another plugin resets the error handler.
  • Fix: Made the description in the summary email for blocks resulting from the blocklist more descriptive.
  • Fix: Updated the copyright date on several pages.
  • Fix: Fixed incorrect wrapping of the Group by field on the live traffic page.

6.3.4 – March 13, 2017

  • Improvement: Added a path for people blocked by the IP blocklist (Premium Feature) to report false positives.

6.3.3 – March 9, 2017

  • New: Malicious IPs are now preemptively blocked by a regularly-updated blocklist. [Premium Feature]
  • Improvement: Better layout and display for mobile screen sizes.
  • Improvement: Dashboard chart data is now updated more frequently.
  • Fix: Fixed database errors on notifications page on multisite installations.
  • Fix: Fixed site URL detection for multisite installations.
  • Fix: Fixed tour popup positioning on multisite.
  • Fix: Increased the z-index of the AJAX error watcher alert.
  • Fix: Addressed an additional way to enumerate authors with the REST JSON API.

6.3.2 – February 23, 2017

  • Improvement: Improved the WAF’s ability to inspect POST bodies.
  • Improvement: Dashboard now shows up to 100 each of failed/successful logins.
  • Improvement: Updated internal GeoIP database.
  • Improvement: Updated internal browscap database.
  • Improvement: Better documentation on Country Blocking regarding Google AdWords
  • Advanced: Added constant “WORDFENCE_DISABLE_FILE_VIEWER” to prohibit file-viewing actions from Wordfence.
  • Advanced: Added constant “WORDFENCE_DISABLE_LIVE_TRAFFIC” to prohibit live traffic from capturing regular site visits.
  • Fix: Fixed a few links that didn’t open the correct configuration pages.
  • Fix: Unknown countries in the dashboard now show “Unknown” rather than empty.

6.3.1 – February 7, 2017

  • Improvement: Locked out IPs are now enforced at the WAF level to reduce server load.
  • Improvement: Added a “Show more” link to the IP block list and login attempts list.
  • Improvement: Added network data for the top countries blocked list.
  • Improvement: Added a notification when a premium key is installed on one site but registered for another URL.
  • Improvement: Switching tabs in the various pages now updates the page title as well.
  • Melhoria: várias melhorias de consistência de estilo.
  • Change: Separated the various blocking-related pages out from the Firewall top-level menu into “Blocking”.
  • Fix: Improved compatibility with our GeoIP interface.
  • Fix: The updates available notification is refreshed after updates are installed.
  • Fix: The scan notification is refreshed when issues are resolved or ignored.

6.3.0 – January 26, 2017

  • Enhancement: Added Wordfence Dashboard for quick overview of security activity.
  • Improvement: Simplified the UI by revamping menu structure and styling.
  • Fix: Fixed minor issue with REST API user enumeration blocking.
  • Fix: Fixed undefined index notices on password audit page.

6.2.10 – January 12, 2017

  • Improvement: Better reporting for failed brute force login attempts.
  • Change: Reworded setting for ignored IPs in the WAF alert email.
  • Change: Updated support link on scan page.
  • Fix: When a key is in place on multiple sites, it’s now possible to downgrade the ones not registered for it.
  • Fix: Addressed an issue where the increased attack rate emails would send repeatedly if the threshold value was missing.
  • Fix: Typo fix in firewall rule 11 name.

6.2.9 – December 27, 2016

  • Improvement: Updated internal GeoIP database.
  • Improvement: Better error handling when a site is unreachable publicly.
  • Fix: Fixed a URL in alert emails that did not correctly detect when sent from a multisite installation.
  • Fix: Addressed an issue where the scan did not alert about a new WordPress version.

6.2.8 – December 12, 2016

  • Improvement: Added support for hiding the username information revealed by the WordPress 4.7 REST API. Thanks Vladimir Smitka.
  • Improvement: Added vulnerability scanning for themes.
  • Melhoria: redução de uso de memória em até 90% ao verificar comentários.
  • Melhoria: melhorias de desempenho para o widget do painel.
  • Improvement: Added progressive loading of addresses on the blocked IP list.
  • Improvement: The diagnostics page now displays a config reading/writing test.
  • Alteração: Suporte para o cache Falcon foi removido.
  • Fix: Better messaging when the WAF rules are manually updated.
  • Fix: The proxy detection check frequency has been reduced and no longer alerts if the server is unreachable.
  • Fix: Adjusted the behavior of parsing the X-Forwarded-For header for better accuracy. Thanks Jason Woods.
  • Fix: Typo fix on the options page.
  • Fix: Scan issue for known core file now shows the correct links.
  • Fix: Links in “unlock” emails now work for IPv6 and IPv4-mapped-IPv6 addresses.
  • Fix: Restricted caching of responses from the Wordfence Security Network.
  • Fix: Fixed a recording issue with Wordfence Security Network statistics.

6.2.7 – December 1, 2016

  • Improvement: WordPress 4.7 improvements for the Web Application Firewall.
  • Improvement: Updated signatures for hash-based malware detection.
  • Improvement: Automatically attempt to detect when a site is behind a proxy and has IP information in a different field.
  • Improvement: Added additional contextual help links.
  • Improvement: Significant performance improvement for determining the connecting IP.
  • Improvement: Better messaging for two-factor recovery codes.
  • Fix: Adjusted message when trying to block an IP in the allowlist.
  • Fix: Error log download links now work on Windows servers.
  • Fix: Avoid running out of memory when viewing very large activity logs.
  • Fix: Fixed warning that could be logged when following an unlock email link.
  • Fix: Tour popups on options page now scroll into view correctly.

6.2.6 – November 17, 2016

  • Improvement: Improved formatting of attack data when it contains binary characters.
  • Improvement: Updated internal GeoIP database.
  • Improvement: Improved the ordering of rules in the malware scan so more specific rules are checked first.
  • Fix: Country blocking redirects are no longer allowed to be cached.
  • Fix: Fixed an issue with 2FA on multisite where the site could report URLs with different schemes depending on the state of plugin loading.

6.2.5 – November 9, 2016

  • Fix: Fixed an issue that could occur on older WordPress versions when processing login attempts

6.2.4 – November 9, 2016

  • Improvement: Scan times for very large sites with huge numbers of files are greatly improved.
  • Improvement: Added a configurable time limit for scans to help reduce overall server load and identify configuration problems.
  • Improvement: Email-based logins are now covered by “Don’t let WordPress reveal valid users in login errors”.
  • Improvement: Extended rate limiting support to the login page.
  • Fix: Fixed a case where files in the site root with issues could have them added multiple times.
  • Fix: Improved IP detection in the WAF when using an IP detection method that can have multiple values.
  • Fix: Added a safety check for when the database fails to return its max_allowed_packet value.
  • Fix: Added safety checks for when the configuration table migration has failed.
  • Fix: Added a couple rare failed login error codes to brute force detection.
  • Fix: Fixed a sequencing problem when adding detection for bot/human that led to it being called on every request.
  • Fix: Suppressed errors if a file is removed between the start of a scan and later scan stages.
  • Fix: Addressed a problem where the scan exclusions list was not checked correctly in some situations.

6.2.3 – October 26, 2016

  • Improvement: Reworked blocking for IP ranges, country blocking, and direct IP blocking to minimize server impact when under attack.
  • Improvement: Live traffic better indicates the action taken by country blocking when it redirects a visitor.
  • Improvement: Added support for finding server logs to the Diagnostics page to help with troubleshooting.
  • Improvement: Allowlisted StatusCake IP addresses.
  • Melhoria: banco de dados GeoIP atualizado.
  • Improvement: Disabling Wordfence now sends an alert.
  • Improvement: Improved detection for uploaded PHP content in the firewall.
  • Fix: Eliminated memory-related errors resulting from the scan on sites with very large numbers of issues and low memory.
  • Fix: Fixed admin page layout for sites using RTL languages.
  • Fix: Reduced overhead of the dashboard widget.
  • Fix: Improved performance of checking for Allowlisted IPs.
  • Fix: Changes to the default plugin hello.php are now detected correctly in scans.
  • Fix: Fixed IPv6 warning in the dashboard widget.

6.2.2 – October 12, 2016

  • Fix: Replaced a slow query in the dashboard widget that could affect sites with very large numbers of users.

6.2.1 – October 11, 2016

  • Improvement: Now performing scanning for PHP code in all uploaded files in real-time.
  • Melhoria: Manejo aprimorado de caracteres ruins e intervalos IPv6 no bloqueio avançado.
  • Improvement: Live traffic and scanning activity now display a paused notice when real-time updates are suspended while in the background.
  • Improvement: The file system scan alerts for files flagged by antivirus software with a ‘.suspected’ extension.
  • Improvement: New alert option to get notified only when logins are from a new location/device.
  • Change: First phase for removing the Falcon cache in place, which will add a notice of its pending removal.
  • Fix: Included country flags for Kosovo and Curaçao.
  • Reparo: corrigiu as diretivas .htaccess utilizadas para ocultar arquivos encontrados pelo scanner.
  • Fix: Dashboard widget shows correct status for failed logins by deleted users.
  • Fix: Removed duplicate issues for modified files in the scan results.
  • Fix: Suppressed warning from reverse lookup on IPv6 addresses without valid DNS records.
  • Fix: Fixed file inclusion error with themes lacking a 404 page.
  • Fix: CSS fixes for activity report email.

6.2.0 – September 27, 2016

  • Melhoria: aumento de desempenho maciço na varredura do sistema de arquivos.
  • Improvement: Added low resource usage scan option for shared hosts.
  • Improvement: Aggregated login attempts when checking the Wordfence Security Network for brute force attackers to reduce total requests.
  • Melhoria: agora exibindo tempo de varredura em um formato mais legível em vez de segundos totais.
  • Improvement: Added PHP7 compatible .htaccess directives to disable code execution within uploads directory.
  • Fix: Added throttling to sync the WAF attack data.
  • Fix: Removed unnecessary single quote in copy containing “IP’s”.
  • Fix: Fixed rare, edge case where cron key does not match the key in the database.
  • Fix: Fixed bug with regex matching carriage returns in the .htaccess based IP block list.
  • Fix: Fixed scans failing in subdirectory sites when updating malware signatures.
  • Fix: Fixed infinite loop in scan caused by symlinks.
  • Fix: Remove extra slash from “File restored OK” message in scan results.

6.1.17 – September 9, 2016

  • Fix: Replaced calls to json_decode with our own implentation for hosts without the JSON extension enabled.

6.1.16 – September 8, 2016

  • Improvement: Now performing malware scanning on all uploaded files in real-time.
  • Improvement: Added Web Application Firewall activity to Wordfence summary email.
  • Fix: Now using 503 response code in the page displayed when an IP is locked out.
  • Fix: wflogs directory is now correctly removed on uninstall.
  • Fix: Fixed recently introduced bug which caused the Allowlisted 404 URLs feature to no longer work.
  • Fix: Added try/catch to uncaught exception thrown when pinging the API key.
  • Melhoria: melhor desempenho da página do tráfego ao vivo no Firefox.
  • Melhoria: banco de dados GeoIP atualizado.

6.1.15 – August 25, 2016

  • Melhoria: remoção de cache de configuração baseada em arquivo, suporte adicional para armazenamento em cache através do cache de objetos do WordPress.
  • Improvement: Allowlisted Uptime Robot’s IP range.
  • Fix: Notify users if suPHP_ConfigPath is in their WAF setup, and prompt to update Extended Protection.
  • Fix: Fixed bug with allowing logins on admin accounts that are not fully activated with invalid 2FA codes when 2FA is required for all admins.
  • Fix: Removed usage of wp_get_sites() which was deprecated in WordPress 4.6.
  • Fix: Fixed PHP notice from Undefined index: url with custom/premium plugins.
  • Improvement: Converted the banned URLs input to a textarea.

6.1.14 – August 11, 2016

  • Melhoria: suporte ao download de um arquivo de códigos de recuperação 2FA.
  • Fix: Fixed PHP Notice: Undefined index: coreUnknown during scans.
  • Improvement: Add note to options page that login security is necessary for 2FA to work.
  • Fix: Fixed WAF false positives introduced with WordPress 4.6.
  • Improvement: Update Geo IP database.

6.1.12 – July 26, 2016

  • Fix: Fixed fatal error on sites running Wordfence 6.1.11 in subdirectory and 6.1.10 or lower in parent directory.
  • Fix: Added a few common files to be excluded from unknown WordPress core file scan.

6.1.11 – July 25, 2016

  • Melhoria: Alerta em arquivos adicionados ao wp-admin, wp-includes.
  • Melhoria: 2FA já está disponível através de qualquer programa de autenticação que aceite segredos da TOTP.
  • Fix: Fixed bug with specific Advanced Blocking user-agent patterns causing 500 errors.
  • Melhoria: as atualizações do plugin agora são apenas um problema crítico se houver uma correção relacionada à segurança e um aviso de outra forma. Um link para o changelog está incluído.
  • Fix: Added group writable permissions to Firewall’s configuration files.
  • Improvement: Changed allowlist entry area to textbox on options page.
  • Fix: Move flags and logo served from wordfence.com over to locally hosted files.
  • Fix: Fixed issues with scan in WordPress 4.6 beta.
  • Fix: Fixed bug where Firewall rules could be missing on some sites running IIS.
  • Improvement: Added browser-based malware signatures for .js, .html files in the malware scan.
  • Fix: Added error suppression to dns_get_record.

6.1.10 – June 22, 2016

  • Fix: Fixed fatal error in the event wflogs is not writable.

6.1.9 – June 21, 2016

  • Fix: Using WP-CLI causes error Undefined index: SERVER_NAME.
  • Improvement: Hooked up restore/delete file scan tools to Filesystem API.
  • Fix: Reworked country blocking authentication check for access to XMLRPC.
  • Improvement: Added option to require cellphone sign-in on all admin accounts.
  • Improvement: Updated IPv6 GeoIP lite data.
  • Fix: Removed suPHP_ConfigPath from WAF installation process.
  • Fix: Prevent author names from being found through /wp-json/oembed.
  • Improvement: Added better solutions for fixing wordfence-waf.php, .user.ini, or .htaccess in scan.
  • Improvement: Added a method to view which files are currently used for WAF and to remove without reinstalling Wordfence.
  • Melhoria: compilação de regras alteradas para usar as escritas atômicas.
  • Melhoria: níveis de segurança removidos da página Opções.
  • Improvement: Added option to disable ajaxwatcher (for allowlisting only for Admins) on the front end.

6.1.8 – May 26, 2016

  • Fix: Change wfConfig::set_ser to split large objects into multiple queries.
  • Fix: Fixed bug in multisite with “You do not have sufficient permissions to access this page” error after logging in.
  • Improvement: Update Geo IP database.
  • Fix: Fixed deadlock when NFS is used for WAF file storage, in wfWAFAttackDataStorageFileEngine::addRow().
  • Fix: Added third param to http_build_query for hosts with arg_separator.output set.
  • Improvement: Show admin notice if WAF blocks an admin (mainly needed for ajax requests).
  • Improvement: Clarify error message “Error reading config data, configuration file could be corrupted.”
  • Improvement: Added better crawler detection.
  • Improvement: Add currentUserIsNot(‘administrator’) to any generic firewall rules that are not XSS based.
  • Improvement: Update URLs in Wordfence for documentation about LiteSpeed and lockouts.
  • Improvement: Show message on scan results when a result is caused by enabling “Scan images and binary files as if they were executable” or…
  • Fix: Suppressed warning: dns_get_record(): DNS Query failed.
  • Fix: Suppressed warning gzinflate() error in scan logs.
  • Fix: On WAF roadblock page: Warning: urlencode() expects parameter 1 to be string, array given …
  • Fix: Scheduled update for WAF rules doesn’t decrease from 7 days, to 12 hours, when upgrading to a premium account.
  • Improvement: Better message for dashboard widget when no failed logins.

6.1.7 – May 10, 2016

  • Security Fix: Fixed reflected XSS vulnerability: CVSS 6.1 (Medium). Thanks Kacper Szurek.

6.1.6 – May 9, 2016

  • Fix: Fixed bug with 2FA not properly handling email address login.
  • Fix: Show logins/logouts when Live Traffic is disabled.
  • Fix: Fixed bug with PCRE versions < 7.0 (repeated subpattern is too long).
  • Fix: Now able to delete allowlisted URL/params containing ampersands and non-UTF8 characters.
  • Improvement: Reduced 2FA activation code to expire after 30 days.
  • Improvement: Live Traffic now only shows verified Googlebot under Google Crawler filter for new visits.
  • Melhoria: permissões ajustadas nos arquivos de log / config do firewall para ser 0640.
  • Fix: Fixed false positive from Maldet in the wfConfig table during the scan.

6.1.5 – April 28, 2016

  • Fix: WordPress language files no longer flagged as changed.
  • Improvement: Accept wildcards in “Immediately block IP’s that access these URLs.”
  • Fix: Fixed bug when multiple authors have published posts, /?author=N scans show an author archive page.
  • Fix: Fixed issue with IPv6 mapped IPv4 addresses not being treated as IPv4.
  • Improvement: Added WordPress version and various constants to Diagnostics report.
  • Fix: Fixed bug with Windows users unable to save Firewall config.
  • Improvement: Include option for IIS on Windows in Firewall config process, and recommend manual php.ini change only.
  • Fix: Made the ‘administrator email address’ admin notice dismissable.

6.1.4 – April 20, 2016

  • Fix: Fixed potential bug with ‘stored data not found after a fork. Got type: boolean’.
  • Improvement: Added bulk actions and filters to WAF allowlist table.
  • Improvement: Added a check while in learning mode to verify the response is not 404 before whitelising.
  • Fix: Added index to attackLogTime. wfHits trimmed on runInstall now.
  • Fix: Fixed attack data sync for hosts that cannot use wp-cron.
  • Melhoria: use wftest@wordfence.com como o endereço de e-mail padrão da página de diagnóstico.
  • Melhoria: quando WFWAF_ENABLED é configurado como falso para desativar o firewall, mostre isso na página Firewall.
  • Fix: Prevent warnings when $_SERVER is empty.
  • Fix: Bug fix for illegal string offset.
  • Fix: Hooked up multibyte string functions to binary safe equivalents.
  • Fix: Hooked up reverse IP lookup in Live Traffic.
  • Fix: Add the user the web server (or PHP) is currently running as to Diagnostics page.
  • Melhoria: pausa o tráfego ao vivo depois de percorrer a primeira entrada.
  • Improvement: Move “Permanently block all temporarily blocked IP addresses” button to top of blocked IP list.
  • Fix: Added JSON fallback for PHP installations that don’t have JSON enabled.

6.1.3 – April 14, 2016

  • Improvement: Added dismiss button to the Wordfence WAF setup admin notice.
  • Fix: Removed .htaccess and .user.ini from publicly accessible config and backup file scan.
  • Fix: Removed the disallow file mods for admins created outside of WordPress.
  • Fix: Fixed bug with ‘Hide WordPress version’ causing issues with reCAPTCHA.
  • Improvement: Added instructions for NGINX users to restrict access to .user.ini during Firewall configuration.
  • Fix: Fixed bug with multiple API calls to ‘get_known_files’.

6.1.2 – April 12, 2016

  • Fix: Fixed fatal error when using a allowlisted IPv6 range and connecting with an IPv6 address.

6.1.1 – April 12, 2016

  • Melhoria: firewall de aplicativos da Web adicionados
  • Enhancement: Added Diagnostics page
  • Enhancement: Added new scans:
    • Admins created outside of WordPress
    • Arquivos de backup comum (banco de dados ou wp-config.php) acessíveis ao público
  • Improvement: Updated Live Traffic with filters and to include blocked requests in the feed.

You can find a complete changelog on our documentation site.