=== Wordfence Security ===
Contributors: mmaunder
Tags: security, firewall, login security, limit login attempts, malware scanner, antivirus, web application firewall, block hackers, country blocking, clean hacked site, blacklist, waf
Requires at least: 3.9
Tested up to: 4.9.1
Stable tag: 6.3.22

Secure your website with the most comprehensive WordPress security plugin. Firewall, malware scan, blocking, live traffic, login security & more.

== Description ==

= THE MOST POPULAR WORDPRESS SECURITY PLUGIN =

Wordfence Security is 100% free and open-source security software supported by a large team dedicated exclusively to WordPress security. A deep set of features makes Wordfence the most comprehensive WordPress security solution available:

* Firewall blocks complex and brute force attacks
* Security Scan alerts you quickly in the event of a security issue
* Threat Defense Feed keeps Wordfence up to date with the latest security data
* Robust login security features
* Configurable security alerts
* Gain insight into traffic and hack attempts
* Security incident recovery tools

== Installation ==

Secure your website using the following steps to install Wordfence:

1. Install Wordfence automatically or by uploading the ZIP file.
2. Activate Wordfence through the 'Plugins' menu in WordPress. Wordfence is now activated.
3. Go to the scan menu and start your first scan. Scheduled scanning will also be enabled.
4. Once your first scan has completed, a list of threats will appear. Go through them one by one to secure your site.
5. Visit the Wordfence options page to enter your email address so that you can receive email security alerts.
6. Optionally, change your security level or adjust the advanced options to set individual scanning and protection options for your site.
7. Click the "Live Traffic" menu option to watch your site activity in real-time. Situational awareness is an important part of website security.
To install Wordfence on WordPress Multi-Site installations:

1. Install Wordfence via the plugin directory or by uploading the ZIP file.
2. Network Activate Wordfence. This step is important: until you network activate it, each site will see the plugin in its own Plugins menu. Once it is network activated, that per-site option disappears.
3. Now that Wordfence is network activated it will appear on your Network Admin menu. Wordfence will not appear on any individual site's menu.
4. Go to the "Scan" menu and start your first scan.
5. Wordfence will scan all files in your WordPress installation, including those in the blogs.dir directory of your individual sites.
6. Live Traffic will appear for ALL sites in your network. If you have a heavily trafficked system you may want to disable Live Traffic, which stops it logging to the database.
7. Firewall rules and login rules apply to the WHOLE system. If you fail a login on site1.example.com and again on site2.example.com, that counts as 2 failures. Crawler traffic is likewise counted across blogs: if a visitor hits three sites in the network, all of those hits are totalled and the total is the rate at which that visitor is accessing the system.

== Frequently Asked Questions ==

[Visit our documentation website which includes feature descriptions, common solutions and comprehensive help.](http://support.wordfence.com/)

= How does Wordfence Security protect sites from attackers? =

The WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, the Wordfence Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised. The Live Traffic view gives you real-time visibility into traffic and hack attempts on your website. A deep set of additional tools round out the most comprehensive WordPress security solution available.

= What features does Wordfence Premium enable? =

We offer a Premium API key that gives you real-time updates to the Threat Defense Feed, which includes a real-time IP blacklist, firewall rules and malware signatures. Premium support, country blocking, more frequent scans, password auditing, two-factor authentication and spam and spamvertising checks are also included. [Click here to sign-up for Wordfence Premium now](http://www.wordfence.com/) or simply install Wordfence free and start protecting your website.

= How does the Wordfence WordPress Firewall protect websites? =

* Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
* Threat Defense Feed automatically updates firewall rules that protect you from the latest threats. Premium members receive the real-time version.
* Block common WordPress security threats like fake Googlebots, malicious scans from hackers and botnets.

= What checks does the Wordfence Security Scanner perform? =

* Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify the security of your source.
* See how files have changed. Optionally repair changed files that are security threats.
* Scans for signatures of over 44,000 known malware variants that are known WordPress security threats.
* Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many more.
* Continuously scans for malware and phishing URLs, including all URLs on the Google Safe Browsing List, in all your comments, posts and files.
* Scans for heuristics of backdoors, trojans, suspicious code and other security issues.

= What security monitoring features does Wordfence include? =

* See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content.
Enhances your situational awareness of which security threats your site is facing.
* A real-time view of all traffic, including automated bots that often constitute security threats and that JavaScript analytics packages never show you.
* Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
* Monitor your DNS security for unauthorized DNS changes.
* Monitors disk space, which matters for security because some denial-of-service attacks work by filling the disk.

= What login security features are included? =

Wordfence's login protection covers the features named elsewhere on this page: two-factor authentication, password auditing, brute force protection that locks out and rate limits abusive login attempts, and an option to stop WordPress revealing valid usernames in login errors.

= How will I be alerted if my site has a security problem? =

Wordfence sends security alerts via email. Once you install Wordfence, you will configure a list of email addresses where security alerts will be sent. When you receive a security alert, make sure you deal with it promptly to ensure your site stays secure.

= Do I need a security plugin like Wordfence if I'm using a cloud based firewall (WAF)? =

Wordfence provides true endpoint security for your WordPress website. Unlike cloud based firewalls, Wordfence executes within the WordPress environment, giving it knowledge like whether the user is signed in, their identity and what access level they have.
Wordfence uses the user's access level in more than 80% of the firewall rules it uses to protect WordPress websites. Learn more about the [Cloud WAF identity problem here](https://www.wordfence.com/blog/2016/10/endpoint-vs-cloud-security-cloud-waf-user-identity-problem/).

Additionally, cloud based firewalls can be bypassed, leaving your site exposed to attackers. Because Wordfence is an integral part of the endpoint (your WordPress website), it can't be bypassed. Learn more about the [Cloud WAF bypass problem here](https://www.wordfence.com/blog/2016/10/endpoint-vs-cloud-security-cloud-waf-bypass-problem/).

To fully protect the investment you've made in your website you need to employ a defense in depth approach to security. Wordfence takes this approach.

= What blocking features does Wordfence include? =

* Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
* Block entire malicious networks. Includes advanced IP and domain WHOIS to report malicious IPs or networks and block entire networks using the firewall. Report WordPress security threats to the network owner.
* Rate limit or block WordPress security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
* Choose whether you want to block or throttle users and robots who break your WordPress security rules.
* Premium users can also block countries and schedule scans for specific times and at a higher frequency.

= What differentiates Wordfence from other WordPress Security plugins? =

* Wordfence Security provides a WordPress Firewall developed specifically for WordPress that blocks attackers looking for vulnerabilities on your site. The Firewall is powered by our Threat Defense Feed, which is continually updated as new threats emerge. Premium customers receive updates in real-time.
* Wordfence verifies your website source code integrity against the official WordPress repository and shows you the changes.
* Wordfence scans check all your files, comments and posts for URLs in Google's Safe Browsing list. We are the only plugin to offer this very important security enhancement.
* Wordfence scans do not consume large amounts of your bandwidth because all security scans happen on your web server, which makes them very fast.
* Wordfence fully supports WordPress Multi-Site, which means you can security scan every blog in your Multi-Site installation with one click.
* Wordfence includes two-factor authentication, the most secure way to stop brute force attackers in their tracks.
* Wordfence fully supports IPv6, including giving you the ability to look up the location of IPv6 addresses, block IPv6 ranges, detect IPv6 country, do a whois lookup on IPv6 addresses and more.

= Will Wordfence slow down my website? =

No. Wordfence Security is extremely fast and uses techniques like caching its own configuration data to avoid database lookups, and it blocks malicious attacks that would otherwise slow down your site.

= What if my site has already been hacked? =

Wordfence Security is able to repair core files, themes and plugins on sites where security is already compromised. You can follow this guide on [how to clean a hacked website](https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/) using Wordfence. However, please note that site security cannot be assured unless you do a full reinstall if your site has been hacked. We recommend you only use Wordfence Security to get your site into a running state in order to recover the data you need to do a full reinstall. If you need help repairing a hacked site, we offer an affordable, high-quality [site cleaning service](https://www.wordfence.com/wordfence-site-cleanings/) that includes a Premium key for a year.

= Does Wordfence Security support IPv6? =

Yes.
We fully support IPv6 with all security functions including country blocking, range blocking, city lookup, whois lookup and all other security functions. If you are not running IPv6, Wordfence will work great on your site too. We are fully compatible with both IPv4 and IPv6, whether you run both or only one addressing scheme.

= Does Wordfence Security support Multi-Site installations? =

Yes. WordPress Multi-Site is fully supported. Using Wordfence you can scan every blog in your network for malware with one click. If one of your customers posts a page or post with a known malware URL that threatens your whole domain with being blacklisted by Google, we will alert you in the next scan.

= What support options are available for Wordfence users? =

Providing excellent customer service is very important to us. We offer help to all our customers whether you are using the Premium or free version of Wordfence. For help with the free version, you can post in our [forum](https://wordpress.org/support/plugin/wordfence) where we have dedicated staff responding to questions. If you need faster or more in-depth help, Premium customers can submit a [support ticket](https://support.wordfence.com/support/home) to our Premium support team.

= Where can I learn more about WordPress security? =

Designed for every skill level, [The WordPress Security Learning Center](https://www.wordfence.com/learn/) is dedicated to deepening users' understanding of security best practices by providing free access to entry-level articles, in-depth articles, videos, industry survey results, graphics and more.

== Screenshots ==

Secure your website with Wordfence.

1. The dashboard gives you an overview of your site's security including notifications, attack statistics and Wordfence feature status.
2. The Web Application Firewall protects your site from common types of attacks and known security vulnerabilities.
3. The Wordfence Malware Scanner lets you know if your site has been compromised and alerts you to other security issues that need to be addressed.
4. The Wordfence Live Traffic view shows you real-time activity on your site including bot traffic and exploit attempts.
5. Block IPs that are known to be malicious, manage IPs that have been locked out and see recently throttled IPs that violated security rules.
6. The Wordfence Options page is where you manage high-level Wordfence features and upgrade your license to Premium.
7. The Advanced Options page allows technically-minded users to fine-tune their security settings.

== Changelog ==

= 6.3.22 =
* Fix: Addressed a warning that could occur on PHP 7.1 when reading php.ini size values.
* Fix: Fixed a warning by adjusting a query to remove old-style variable references.

= 6.3.21 =
* Improvement: Updated the bundled GeoIP database.
* Fix: Fixed a log warning that could occur during the scan for plugins not in the wordpress.org repository.

= 6.3.20 =
* Improvement: The scan will now alert for a publicly visible .user.ini file.
* Fix: Fixed the status code and human/bot tagging of block hit entries for live traffic and the Wordfence Security Network.
* Fix: Added internal throttling to ensure the daily cron does not run too frequently on some hosts.

= 6.3.19 =
* Emergency Fix: Updated wpdb::prepare calls that used %.6f, since that format is no longer supported.

= 6.3.18 =
* Improvement: Reduced the size of some JavaScript for faster loading.
* Improvement: Better block counting for advanced comment filtering.
* Improvement: Increased logging in debug mode for plugin updates to help resolve issues.
* Fix: Reduced the minimum duration of a scan stage to improve reliability on some hosts.

= 6.3.17 =
* Improvement: Prepared code for an upcoming scan improvement that will greatly increase scan performance by optimizing malware signatures.
* Improvement: Updated the bundled GeoIP database.
* Improvement: Better scan messaging when a publicly-reachable searchreplacedb2.php utility is found.
* Improvement: The no-cache constant for database caching is now set for W3TC during plugin updates and scans.
* Improvement: Added an additional home/siteurl resolution check for WPML installations.

= 6.3.16 =
* Improvement: Introduced a new scan stage to check for malicious URLs and content within WordPress core, plugin, and theme options.
* Improvement: The new scan stage includes a check for TrafficTrade malware.
* Improvement: Reduced net memory usage during forked scan stages by up to 50%.
* Improvement: Reduced the number of queries executed for some configuration options.
* Improvement: Modified the default whitelisting to include the new core AJAX action in WordPress 4.8.1.
* Fix: Synchronized the scan option names between the main options page and the smaller scan options page.
* Fix: Fixed a CSS positioning issue for the dashboard metabox with IPv6.
* Fix: Fixed a compatibility issue with determining the site's home_url when WPML is installed.

= 6.3.15 =
* Improvement: Reduced memory usage on scan forking and during the known files scan stage.
* Improvement: Added additional scan options to allow disabling the blacklist checks while still leaving malware scanning enabled.
* Improvement: Added a Wordfence Application Firewall code block for the lsapi variant of LiteSpeed.
* Improvement: Updated the bundled GeoIP database.
* Fix: Added a validation check to IP range whitelisting to avoid log warnings if the ranges are malformed.

= 6.3.14 =
* Improvement: Introduced smart scan distribution. Scan times are now distributed intelligently across servers to provide consistent server performance.
* Improvement: Introduced a light-weight scan that runs frequently to perform checks that use negligible server resources.
* Improvement: If the status of an IP claiming to be Googlebot cannot be looked up, the hit is now allowed rather than blocked (the check fails open).
* Improvement: Scan issue results for abandoned plugins and unpatched vulnerabilities include more information.
* Fix: Suppressed a PHP notice in time formatting when a microtimestamp is passed.
* Fix: Improved binary data to HTML entity conversion to avoid wpdb stripping out-of-range UTF-8 sequences.
* Fix: Added better detection of SSL status, particularly for IIS.
* Fix: Fixed a PHP notice in the diff renderer.
* Fix: Fixed a typo in the lockout alert.

= 6.3.12 =
* Improvement: Adjusted the password audit to use a better cryptographic padding option.
* Improvement: Improved the option value entry process for the modified files exclusion list.
* Improvement: Added rel="noopener noreferrer" to all external links from the plugin for better interoperability with other scanners.
* Improvement: Added support to the WAF for validating URLs, for future use in rules.
* Fix: Time formatting will now correctly handle :30 and :45 time zone offsets.
* Fix: Hosts using mod_lsapi will now be detected as LiteSpeed for WAF optimization.
* Fix: Added an option to allow automatic updates to function on LiteSpeed servers that have the global noabort set rather than the site-local one.
* Fix: Fixed a PHP notice that could occur when running a scan immediately after removing a plugin.

= 6.3.11 =
* Improvement: The scan will alert for plugins that have not been updated in 2+ years or have been removed from the wordpress.org directory. It will also indicate if there is a known vulnerability.
* Improvement: Added a self-check to the scan to detect if it has stalled.
* Improvement: If WordPress auto-updates while a scan is running, the scan will self-abort and reschedule itself to try again later.
* Improvement: IP-based filtering in Live Traffic can now use wildcards.
* Improvement: Updated the bundled GeoIP database.
* Improvement: Added an anti-crawler feature to the lockout page to avoid crawlers erroneously following the unlock link.
* Improvement: The live traffic "Group By" options now dynamically show the results in a more useful format depending on the option selected.
* Improvement: Improved the unknown core files check to include all extra files in core locations regardless of whether the "Scan images, binary, and other files as if they were executable" option is on.
* Improvement: Better wording for the whitelisted IP range error message.
* Fix: Addressed a performance issue on databases with tens of thousands of tables when trying to load the diagnostics page.
* Fix: All dashboard and activity report email times are now displayed in the time zone configured for the WordPress installation.

= 6.3.10 =
* Improvement: Reduction in overall memory usage and peak memory usage for the scanner.
* Improvement: Support for exporting a list of all blocked and locked out IP addresses.
* Improvement: Updated the WAF's CA certificate bundle.
* Improvement: Updated the browscap database.
* Improvement: Suppressed the automatic HTTP referer added by WordPress for API calls to reduce overall bandwidth usage.
* Improvement: When all issues for a scan stage have been previously ignored, the results now indicate this rather than saying problems were found.
* Fix: Worked around an issue with WordPress caching to allow password audits to succeed on sites with tens of thousands of users.
* Fix: Fixed an IPv6 detection issue with one form of IPv6 address.
* Fix: An empty ignored IP list for WAF alerts no longer creates a PHP notice.
* Fix: Better detection of when to use secure cookies.
* Fix: Fixed a couple of issue types that could not be permanently ignored.
* Fix: Adjusted the changelog link in the scan results email to work with the new wordpress.org repository.
* Fix: Fixed some broken links in the activity summary email.
* Fix: Fixed a typo in the scan summary text.
* Fix: The increased attack rate emails now correctly identify blacklist blocks.
* Fix: Fixed an issue with the dashboard where it could show the last scan as failed when one has never run.
* Fix: Brute force records are now coalesced when possible prior to sending.

= 6.3.9 =
* Improvement: Malware signature checking has been better optimized to improve overall speed.
* Improvement: Updated the bundled GeoIP database.
* Improvement: The memory tester now tests up to the configured scan limit rather than a fixed value.
* Improvement: Added a test to the diagnostics page that verifies permissions on the WAF config location.
* Improvement: The diagnostics page now contains a callback test for the server itself.
* Improvement: Updated the styling of dashboard notifications for better separation.
* Improvement: Added additional constants to the diagnostics page.
* Change: Wordfence now enters a read-only mode for its configuration files when run via the 'cli' PHP SAPI on a misconfigured web server, to avoid changing file ownership.
* Change: Changed how administrator accounts are detected to compensate for managed WordPress sites that do not have the standard permissions.
* Change: The table list on the diagnostics page is now limited in length to avoid being exceedingly large on big multisite installations.
* Fix: Improved updating of WAF config values to minimize writing to disk.
* Fix: The blacklist's blocked IP records are now correctly trimmed when expired.
* Fix: Added error suppression to the WAF attack data functions to prevent corrupt records from breaking the no-cache headers.
* Fix: Fixed some incorrect documentation links on the diagnostics page.
* Fix: Fixed a typo in a constant on the diagnostics page.

= 6.3.8 =
* Fix: Addressed an issue that could cause scans to time out on sites with tens of thousands of potential URLs in files, comments, and posts.

= 6.3.7 =
* Improvement: All URLs are now checked against the Wordfence Domain Blacklist in addition to Google's.
* Improvement: Better page load performance for multisite installations with thousands of tables.
* Improvement: Updated the bundled GeoIP database.
* Improvement: Integrated blacklist blocking statistics into the dashboard for Premium users.
* Fix: Added locking to the automatic update process to ensure non-standard crons don't break Wordfence.
* Fix: Fixed an activation error on multisite installations on very old WordPress versions.
* Fix: Adjusted the behavior of the blacklist toggle for Free users.

= 6.3.6 =
* Improvement: Optimized the malware signature scan to reduce memory usage.
* Improvement: Optimized the overall scan to make fewer network calls.
* Improvement: Running an update now automatically dismisses the corresponding scan issue if present.
* Improvement: Added a time limit to the live activity status so only current messages are shown.
* Improvement: WAF configuration files are now excluded by default from the recently modified files list in the activity report.
* Improvement: Background pausing for live activity and traffic may now be disabled.
* Improvement: Added additional WAF support to allow us to more easily address false positives.
* Improvement: Blocking pages presented by Wordfence now indicate the source and contain information to help diagnose caching problems.
* Fix: All external URLs in the tour are now https.
* Fix: Corrected a typo in the unlock email template.
* Fix: Fixed the target of a label on the options page.

= 6.3.5 =
* Improvement: Sites can now specify a list of trusted proxies when using X-Forwarded-For for IP resolution.
* Improvement: Added options to customize which dashboard notifications are shown.
* Improvement: Improvements to the scanner's malware stage to avoid timing out on larger files.
* Improvement: Provided additional no-caching indicators for caches that erroneously save pages with HTTP error status codes.
* Improvement: Updated the bundled GeoIP database.
* Improvement: Optimized the country update process in the upgrade handler so it only updates changed records.
* Improvement: Added our own prefixed version of jQuery.DataTables to avoid conflicts with other plugins.
* Improvement: Changes to readme.txt and readme.md are now ignored by the scanner unless high sensitivity is on.
* Fix: Addressed an issue with multisite installations where they would execute the upgrade handler for each subsite.
* Fix: Added additional error handling to the blocked IP list to avoid outputting notices when another plugin resets the error handler.
* Fix: Made the description in the summary email for blocks resulting from the blacklist more descriptive.
* Fix: Updated the copyright date on several pages.
* Fix: Fixed incorrect wrapping of the Group by field on the live traffic page.

= 6.3.4 =
* Improvement: Added a path for people blocked by the IP blacklist (Premium Feature) to report false positives.

= 6.3.3 =
* New: Malicious IPs are now preemptively blocked by a regularly-updated blacklist. [Premium Feature]
* Improvement: Better layout and display for mobile screen sizes.
* Improvement: Dashboard chart data is now updated more frequently.
* Fix: Fixed database errors on the notifications page on multisite installations.
* Fix: Fixed site URL detection for multisite installations.
* Fix: Fixed tour popup positioning on multisite.
* Fix: Increased the z-index of the AJAX error watcher alert.
* Fix: Addressed an additional way to enumerate authors with the REST JSON API.

= 6.3.2 =
* Improvement: Improved the WAF's ability to inspect POST bodies.
* Improvement: Dashboard now shows up to 100 each of failed/successful logins.
* Improvement: Updated the internal GeoIP database.
* Improvement: Updated the internal browscap database.
* Improvement: Better documentation on Country Blocking regarding Google AdWords.
* Advanced: Added the constant "WORDFENCE_DISABLE_FILE_VIEWER" to prohibit file-viewing actions from Wordfence.
* Advanced: Added the constant "WORDFENCE_DISABLE_LIVE_TRAFFIC" to prohibit live traffic from capturing regular site visits.
* Fix: Fixed a few links that didn't open the correct configuration pages.
* Fix: Unknown countries in the dashboard now show "Unknown" rather than empty.

= 6.3.1 =
* Improvement: Locked out IPs are now enforced at the WAF level to reduce server load.
* Improvement: Added a "Show more" link to the IP block list and login attempts list.
* Improvement: Added network data for the top countries blocked list.
* Improvement: Added a notification when a premium key is installed on one site but registered for another URL.
* Improvement: Switching tabs in the various pages now updates the page title as well.
* Improvement: Various styling consistency improvements.
* Change: Separated the various blocking-related pages out from the Firewall top-level menu into "Blocking".
* Fix: Improved compatibility with our GeoIP interface.
* Fix: The updates available notification is refreshed after updates are installed.
* Fix: The scan notification is refreshed when issues are resolved or ignored.

= 6.3.0 =
* Enhancement: Added the Wordfence Dashboard for a quick overview of security activity.
* Improvement: Simplified the UI by revamping the menu structure and styling.
* Fix: Fixed a minor issue with REST API user enumeration blocking.
* Fix: Fixed undefined index notices on the password audit page.

= 6.2.10 =
* Improvement: Better reporting for failed brute force login attempts.
* Change: Reworded the setting for ignored IPs in the WAF alert email.
* Change: Updated the support link on the scan page.
* Fix: When a key is in place on multiple sites, it's now possible to downgrade the ones not registered for it.
* Fix: Addressed an issue where the increased attack rate emails would send repeatedly if the threshold value was missing.
* Fix: Typo fix in the firewall rule 11 name.

= 6.2.9 =
* Improvement: Updated the internal GeoIP database.
* Improvement: Better error handling when a site is unreachable publicly.
* Fix: Fixed a URL in alert emails that did not correctly detect when sent from a multisite installation.
* Fix: Addressed an issue where the scan did not alert about a new WordPress version.

= 6.2.8 =
* Improvement: Added support for hiding the username information revealed by the WordPress 4.7 REST API. Thanks Vladimir Smitka.
* Improvement: Added vulnerability scanning for themes.
* Improvement: Reduced memory usage by up to 90% when scanning comments.
* Improvement: Performance improvements for the dashboard widget.
* Improvement: Added progressive loading of addresses on the blocked IP list.
* Improvement: The diagnostics page now displays a config reading/writing test.
* Change: Support for the Falcon cache has been removed.
* Fix: Better messaging when the WAF rules are manually updated.
* Fix: The proxy detection check frequency has been reduced and no longer alerts if the server is unreachable.
* Fix: Adjusted the behavior of parsing the X-Forwarded-For header for better accuracy. Thanks Jason Woods.
* Fix: Typo fix on the options page.
* Fix: The scan issue for a known core file now shows the correct links.
* Fix: Links in "unlock" emails now work for IPv6 and IPv4-mapped IPv6 addresses.
* Fix: Restricted caching of responses from the Wordfence Security Network.
* Fix: Fixed a recording issue with Wordfence Security Network statistics.

= 6.2.7 =
* Improvement: WordPress 4.7 improvements for the Web Application Firewall.
* Improvement: Updated signatures for hash-based malware detection.
* Improvement: Automatically attempt to detect when a site is behind a proxy and has IP information in a different field.
* Improvement: Added additional contextual help links.
* Improvement: Significant performance improvement for determining the connecting IP.
* Improvement: Better messaging for two-factor recovery codes.
* Fix: Adjusted the message when trying to block an IP in the whitelist.
* Fix: Error log download links now work on Windows servers.
* Fix: Avoid running out of memory when viewing very large activity logs.
* Fix: Fixed a warning that could be logged when following an unlock email link.
* Fix: Tour popups on the options page now scroll into view correctly.

= 6.2.6 =
* Improvement: Improved formatting of attack data when it contains binary characters.
* Improvement: Updated the internal GeoIP database.
* Improvement: Improved the ordering of rules in the malware scan so more specific rules are checked first.
* Fix: Country blocking redirects are no longer allowed to be cached.
* Fix: Fixed an issue with 2FA on multisite where the site could report URLs with different schemes depending on the state of plugin loading.

= 6.2.5 =
* Fix: Fixed an issue that could occur on older WordPress versions when processing login attempts.

= 6.2.4 =
* Improvement: Scan times for very large sites with huge numbers of files are greatly improved.
* Improvement: Added a configurable time limit for scans to help reduce overall server load and identify configuration problems.
* Improvement: Email-based logins are now covered by "Don't let WordPress reveal valid users in login errors".
* Improvement: Extended rate limiting support to the login page.
* Fix: Fixed a case where files in the site root with issues could have them added multiple times.
* Fix: Improved IP detection in the WAF when using an IP detection method that can have multiple values.
* Fix: Added a safety check for when the database fails to return its max_allowed_packet value.
* Fix: Added safety checks for when the configuration table migration has failed.
* Fix: Added a couple of rare failed login error codes to brute force detection.
* Fix: Fixed a sequencing problem when adding detection for bot/human that led to it being called on every request.
* Fix: Suppressed errors if a file is removed between the start of a scan and later scan stages.
* Fix: Addressed a problem where the scan exclusions list was not checked correctly in some situations.

= 6.2.3 =
* Improvement: Reworked blocking for IP ranges, country blocking, and direct IP blocking to minimize server impact when under attack.
* Improvement: Live traffic better indicates the action taken by country blocking when it redirects a visitor.
* Improvement: Added support for finding server logs to the Diagnostics page to help with troubleshooting.
* Improvement: Whitelisted StatusCake IP addresses.
* Improvement: Updated GeoIP database.
* Improvement: Disabling Wordfence now sends an alert.
* Improvement: Improved detection for uploaded PHP content in the firewall.
* Fix: Eliminated memory-related errors resulting from the scan on sites with very large numbers of issues and low memory.
* Fix: Fixed admin page layout for sites using RTL languages.
* Fix: Reduced overhead of the dashboard widget.
* Fix: Improved performance of checking for whitelisted IPs.
* Fix: Changes to the default plugin hello.php are now detected correctly in scans.
* Fix: Fixed IPv6 warning in the dashboard widget.

= 6.2.2 =
* Fix: Replaced a slow query in the dashboard widget that could affect sites with very large numbers of users.

= 6.2.1 =
* Improvement: Now performing scanning for PHP code in all uploaded files in real-time.
* Improvement: Improved handling of bad characters and IPv6 ranges in Advanced Blocking.
* Improvement: Live traffic and scanning activity now display a paused notice when real-time updates are suspended while in the background.
* Improvement: The file system scan alerts for files flagged by antivirus software with a '.suspected' extension.
* Improvement: New alert option to get notified only when logins are from a new location/device.
* Change: First phase for removing the Falcon cache in place, which will add a notice of its pending removal.
* Fix: Included country flags for Kosovo and Curaçao.
* Fix: Fixed the .htaccess directives used to hide files found by the scanner.
* Fix: Dashboard widget shows correct status for failed logins by deleted users.
* Fix: Removed duplicate issues for modified files in the scan results.
* Fix: Suppressed warning from reverse lookup on IPv6 addresses without valid DNS records.
* Fix: Fixed file inclusion error with themes lacking a 404 page.
* Fix: CSS fixes for activity report email.

= 6.2.0 =
* Improvement: Massive performance boost in file system scan.
* Improvement: Added low resource usage scan option for shared hosts.
* Improvement: Aggregated login attempts when checking the Wordfence Security Network for brute force attackers to reduce total requests.
* Improvement: Now displaying scan time in a more readable format rather than total seconds.
* Improvement: Added PHP7 compatible .htaccess directives to disable code execution within uploads directory.
* Fix: Added throttling to sync the WAF attack data.
* Fix: Removed unnecessary single quote in copy containing "IP's".
* Fix: Fixed rare, edge case where cron key does not match the key in the database.
* Fix: Fixed bug with regex matching carriage returns in the .htaccess based IP block list.
* Fix: Fixed scans failing in subdirectory sites when updating malware signatures.
* Fix: Fixed infinite loop in scan caused by symlinks.
* Fix: Removed extra slash from "File restored OK" message in scan results.

= 6.1.17 =
* Fix: Replaced calls to json_decode with our own implementation for hosts without the JSON extension enabled.

= 6.1.16 =
* Improvement: Now performing malware scanning on all uploaded files in real-time.
* Improvement: Added Web Application Firewall activity to Wordfence summary email.
* Fix: Now using 503 response code in the page displayed when an IP is locked out.
* Fix: `wflogs` directory is now correctly removed on uninstall.
* Fix: Fixed recently introduced bug which caused the Whitelisted 404 URLs feature to no longer work.
* Fix: Added try/catch to uncaught exception thrown when pinging the API key.
* Improvement: Improved performance of the Live Traffic page in Firefox.
* Improvement: Updated GeoIP database.

= 6.1.15 =
* Improvement: Removed file-based config caching, added support for caching via WordPress's object cache.
* Improvement: Whitelisted Uptime Robot's IP range.
* Fix: Notify users if suPHP_ConfigPath is in their WAF setup, and prompt to update Extended Protection.
* Fix: Fixed bug with allowing logins on admin accounts that are not fully activated with invalid 2FA codes when 2FA is required for all admins.
* Fix: Removed usage of `wp_get_sites()` which was deprecated in WordPress 4.6.
* Fix: Fixed PHP notice from `Undefined index: url` with custom/premium plugins.
* Improvement: Converted the banned URLs input to a textarea.

= 6.1.14 =
* Improvement: Support downloading a file of 2FA recovery codes.
* Fix: Fixed PHP Notice `Undefined index: coreUnknown` during scans.
* Improvement: Add note to options page that login security is necessary for 2FA to work.
* Fix: Fixed WAF false positives introduced with WordPress 4.6.
* Improvement: Update Geo IP database.

= 6.1.12 =
* Fix: Fixed fatal error on sites running Wordfence 6.1.11 in subdirectory and 6.1.10 or lower in parent directory.
* Fix: Added a few common files to be excluded from unknown WordPress core file scan.

= 6.1.11 =
* Improvement: Alert on added files to wp-admin, wp-includes.
* Improvement: 2FA is now available via any authenticator program that accepts TOTP secrets.
* Fix: Fixed bug with specific Advanced Blocking user-agent patterns causing 500 errors.
* Improvement: Plugin updates are now only a critical issue if there is a security related fix, and a warning otherwise. A link to the changelog is included.
* Fix: Added group writable permissions to Firewall's configuration files.
* Improvement: Changed whitelist entry area to textbox on options page.
* Fix: Move flags and logo served from wordfence.com over to locally hosted files.
* Fix: Fixed issues with scan in WordPress 4.6 beta.
* Fix: Fixed bug where Firewall rules could be missing on some sites running IIS.
* Improvement: Added browser-based malware signatures for .js, .html files in the malware scan.
* Fix: Added error suppression to `dns_get_record`.

= 6.1.10 =
* Fix: Fixed fatal error in the event wflogs is not writable.

= 6.1.9 =
* Fix: Fixed the `Undefined index: SERVER_NAME` error when using WP-CLI.
* Improvement: Hooked up restore/delete file scan tools to Filesystem API.
* Fix: Reworked country blocking authentication check for access to XMLRPC.
* Improvement: Added option to require cellphone sign-in on all admin accounts.
* Improvement: Updated IPv6 GeoIP lite data.
* Fix: Removed suPHP_ConfigPath from WAF installation process.
* Fix: Prevent author names from being found through /wp-json/oembed.
* Improvement: Added better solutions for fixing wordfence-waf.php, .user.ini, or .htaccess in scan.
* Improvement: Added a method to view which files are currently used for WAF and to remove without reinstalling Wordfence.
* Improvement: Changed rule compilation to use atomic writes.
* Improvement: Removed security levels from Options page.
* Improvement: Added option to disable ajaxwatcher (for whitelisting only for Admins) on the front end.

= 6.1.8 =
* Fix: Change wfConfig::set_ser to split large objects into multiple queries.
* Fix: Fixed bug in multisite with "You do not have sufficient permissions to access this page" error after logging in.
* Improvement: Update Geo IP database.
* Fix: Fixed deadlock when NFS is used for WAF file storage, in wfWAFAttackDataStorageFileEngine::addRow().
* Fix: Added third param to http_build_query for hosts with arg_separator.output set.
* Improvement: Show admin notice if WAF blocks an admin (mainly needed for ajax requests).
* Improvement: Clarify error message "Error reading config data, configuration file could be corrupted."
* Improvement: Added better crawler detection.
* Improvement: Add currentUserIsNot('administrator') to any generic firewall rules that are not XSS based.
* Improvement: Update URLs in Wordfence for documentation about LiteSpeed and lockouts.
* Improvement: Show message on scan results when a result is caused by enabling "Scan images and binary files as if they were executable" or...
* Fix: Suppressed warning: dns_get_record(): DNS Query failed.
* Fix: Suppressed warning gzinflate() error in scan logs.
* Fix: On WAF roadblock page: Warning: urlencode() expects parameter 1 to be string, array given ...
* Fix: The scheduled WAF rule update interval now decreases from 7 days to 12 hours when upgrading to a premium account.
* Improvement: Better message for dashboard widget when no failed logins.

= 6.1.7 =
* Security Fix: Fixed reflected XSS vulnerability: CVSS 6.1 (Medium). Thanks Kacper Szurek.

= 6.1.6 =
* Fix: Fixed bug with 2FA not properly handling email address login.
* Fix: Show logins/logouts when Live Traffic is disabled.
* Fix: Fixed bug with PCRE versions < 7.0 (repeated subpattern is too long).
* Fix: Now able to delete whitelisted URL/params containing ampersands and non-UTF8 characters.
* Improvement: Reduced 2FA activation code to expire after 30 days.
* Improvement: Live Traffic now only shows verified Googlebot under Google Crawler filter for new visits.
* Improvement: Adjusted permissions on Firewall log/config files to be 0640.
* Fix: Fixed false positive from Maldet in the wfConfig table during the scan.

= 6.1.5 =
* Fix: WordPress language files no longer flagged as changed.
* Improvement: Accept wildcards in "Immediately block IP's that access these URLs."
* Fix: Fixed bug when multiple authors have published posts, /?author=N scans show an author archive page.
* Fix: Fixed issue with IPv6 mapped IPv4 addresses not being treated as IPv4.
* Improvement: Added WordPress version and various constants to Diagnostics report.
* Fix: Fixed bug with Windows users unable to save Firewall config.
* Improvement: Include option for IIS on Windows in Firewall config process, and recommend manual php.ini change only.
* Fix: Made the 'administrator email address' admin notice dismissible.

= 6.1.4 =
* Fix: Fixed potential bug with 'stored data not found after a fork. Got type: boolean'.
* Improvement: Added bulk actions and filters to WAF whitelist table.
* Improvement: Added a check while in learning mode to verify the response is not 404 before whitelisting.
* Fix: Added index to attackLogTime. wfHits trimmed on runInstall now.
* Fix: Fixed attack data sync for hosts that cannot use wp-cron.
* Improvement: Use wftest@wordfence.com as the Diagnostics page default email address.
* Improvement: When WFWAF_ENABLED is set to false to disable the firewall, show this on the Firewall page.
* Fix: Prevent warnings when $_SERVER is empty.
* Fix: Bug fix for illegal string offset.
* Fix: Hooked up multibyte string functions to binary safe equivalents.
* Fix: Hooked up reverse IP lookup in Live Traffic.
* Fix: Add the user the web server (or PHP) is currently running as to Diagnostics page.
* Improvement: Pause Live Traffic after scrolling past the first entry.
* Improvement: Move "Permanently block all temporarily blocked IP addresses" button to top of blocked IP list.
* Fix: Added JSON fallback for PHP installations that don't have JSON enabled.

= 6.1.3 =
* Improvement: Added dismiss button to the Wordfence WAF setup admin notice.
* Fix: Removed .htaccess and .user.ini from publicly accessible config and backup file scan.
* Fix: Removed the disallow file mods for admins created outside of WordPress.
* Fix: Fixed bug with 'Hide WordPress version' causing issues with reCAPTCHA.
* Improvement: Added instructions for NGINX users to restrict access to .user.ini during Firewall configuration.
* Fix: Fixed bug with multiple API calls to 'get_known_files'.

= 6.1.2 =
* Fix: Fixed fatal error when using a whitelisted IPv6 range and connecting with an IPv6 address.

= 6.1.1 =
* Enhancement: Added Web Application Firewall
* Enhancement: Added Diagnostics page
* Enhancement: Added new scans:
    * Admins created outside of WordPress
    * Publicly accessible common (database or wp-config.php) backup files
* Improvement: Updated Live Traffic with filters and to include blocked requests in the feed.

You can find a [complete changelog](https://docs.wordfence.com/en/Changelog) on our documentation site.
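The changelog names three places where WordPress core discloses usernames (the 4.7 REST API users endpoint in 6.2.8, /wp-json/oembed in 6.1.9 and the /?author=N redirect in 6.1.5). The following mu-plugin is an added illustration written for this page, not Wordfence's code, of closing those paths with core WordPress hooks; it assumes that only users holding the `list_users` capability should see author data.

```php
<?php
/*
 * Added example (not Wordfence code): close the three user-enumeration
 * paths listed in the changelog. The hooks used are core WordPress
 * filters/actions; gating on the list_users capability is an assumption.
 */

// 1. REST API: drop the /wp/v2/users routes for visitors who may not list users.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( current_user_can( 'list_users' ) ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. oEmbed: strip the author fields from /wp-json/oembed responses.
add_filter( 'oembed_response_data', function ( array $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );

// 3. ?author=N: core's redirect_canonical() (template_redirect, priority 10)
//    would turn /?author=1 into /author/<login>/. Run earlier and send
//    anonymous visitors to the front page instead, so no login is revealed.
add_action( 'template_redirect', function () {
    if ( current_user_can( 'list_users' ) ) {
        return;
    }
    $author = isset( $_GET['author'] ) ? $_GET['author'] : '';
    if ( is_string( $author ) && preg_match( '/^\d+$/', $author ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );
```

Place the file in wp-content/mu-plugins/ so it loads before regular plugins; author archive pages reached through their permalink (/author/<login>/) are unaffected by the third hook and would need a separate decision.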