readme.txt — Wordfence Security – Firewall, Malware Scan, and Login Security 8.2.2

wordfence / readme.txt

wordfence Last commit date

crypto 1 month ago css 3 weeks ago fonts 4 years ago images 1 month ago js 3 weeks ago languages 3 weeks ago lib 3 weeks ago models 1 month ago modules 3 weeks ago tmp 4 years ago vendor 1 month ago views 1 month ago waf 6 months ago index.php 13 years ago license.txt 4 years ago readme.txt 3 weeks ago wordfence.php 3 weeks ago

readme.txt

661 lines

1	=== Wordfence Security - Firewall, Malware Scan, and Login Security ===
2	Contributors: mmaunder, wfryan, wfmatt, wfmattr
3	Tags: security, malware, 2fa, firewall, scanner
4	Requires at least: 4.7
5	Requires PHP: 7.0
6	Tested up to: 7.0
7	Stable tag: 8.2.2
8	License: GPLv3
9	License URI: https://www.gnu.org/licenses/gpl-3.0.html
10
11	Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. Make security a priority with Wordfence.
12
13	== Description ==
14
15	https://www.youtube.com/watch?v=i4ZN2TwlaBE
16
17	= THE MOST POPULAR WORDPRESS FIREWALL & SECURITY SCANNER =
18
19	WordPress security requires a team of dedicated analysts researching the latest malware variants and WordPress exploits, turning them into firewall rules and malware signatures, and releasing those to customers in real-time.
20
21	Choose the right protection for you: [Wordfence Free, Premium, Care or Response](https://www.wordfence.com/products/pricing/)
22
23	Wordfence is widely acknowledged as the number one WordPress security research team in the World. Our plugin provides a comprehensive suite of security features, and our team’s research is what powers our plugin and provides the level of security that we are known for.
24
25	At Wordfence, WordPress security isn’t a division of our business – WordPress security is all we do. We employ a global 24-hour dedicated incident response team that provides our priority customers with a 1 hour response time for any security incident.
26
27	The sun never sets on our global security team and we run a sophisticated threat intelligence platform to aggregate, analyze and produce ground breaking security research on the newest security threats.
28
29	Wordfence Security includes an endpoint firewall, malware scanner, robust login security features, live traffic views, and more. Our [Threat Defense Feed](https://www.wordfence.com/threat-intel/) arms Wordfence with the newest firewall rules, malware signatures, and malicious IP addresses it needs to keep your website safe.
30
31	Rounded out by 2FA and a suite of additional features, Wordfence is the most comprehensive WordPress security solution available.
32
33	### 🔥 WORDPRESS FIREWALL
34	- [Web Application Firewall](https://www.wordfence.com/help/firewall/) identifies and blocks malicious traffic. Built and maintained by a large team focused 100% on WordPress security.
35	- Real-time firewall rule and malware signature [Premium] updates via the Threat Defense Feed (free version is delayed by 30 days).
36	- [Real-time IP Blocklist](https://www.wordfence.com/help/blocking/) [Premium] blocks all requests from the most malicious IPs, protecting your site while reducing load.
37	- Protects your site at the endpoint, enabling deep integration with WordPress. Unlike cloud alternatives, it does not break encryption, cannot be bypassed and cannot leak data.
38	- [Integrated malware scanner](https://www.wordfence.com/help/scan/) blocks requests that include malicious code or content.
39	- [Protection from brute force](https://www.wordfence.com/help/firewall/brute-force/) attacks by limiting login attempts.
40
41	### 📡 WORDPRESS SECURITY SCANNER
42	- Malware scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections.
43	- Real-time malware signature updates [Premium] via the Threat Defense Feed (free version is delayed by 30 days).
44	- Compares with WordPress.org repository your core files, themes and plugins, checking their integrity and reporting any changes to you.
45	- Repair WordPress core, theme, and plugin files that have changed by overwriting them with a pristine, original version. Delete any files that don’t belong easily within the Wordfence interface.
46	- Malware Removal Tools "Delete File" and "Delete All Deletable Files" options allow for efficient malware removal. Remember to investigate the scan results and backup files first!
47	- Checks your site for known security vulnerabilities and alerts you to any issues. Also alerts you to potential security issues when a plugin has been closed or abandoned.
48	- Checks your content safety by scanning file contents, posts and comments for dangerous URLs and suspicious content.
49	- Checks to see if your site or IP have been blocklisted [Premium] for malicious activity, generating spam or other security issues.
50
51	### 🔒 LOGIN SECURITY
52	- [Two-factor authentication (2FA)](https://www.wordfence.com/help/tools/two-factor-authentication/), one of the most secure forms of remote system authentication available via any TOTP-based authenticator app or service.
53	- [Login Page CAPTCHA](https://www.wordfence.com/help/login-security/) stops bots from logging in.
54	- [2FA for WooCommerce and custom integrations](https://www.wordfence.com/help/login-security/#woocommerce-and-custom-integrations) allow for 2FA to be setup on custom account pages
55	- XML-RPC options including disabling or adding 2FA.
56	- Password Security: Block logins for administrators using known compromised passwords.
57
58	### 📋 SECURITY AUDIT LOG [Premium]
59	- [The Audit Log](https://www.wordfence.com/help/audit-log) monitors all changes and actions in security-sensitive areas of the site.
60	- Remote tamper-proof data storage via Wordfence Central.
61	- Monitor events and actions ranging from user creation and editing to plugin/theme installation and updates to post and page changes.
62	- Configurable to log all events or significant events only, which includes all authentication, site configuration, and site functionality events.
63
64	### 🌐 WORDFENCE CENTRAL
65	- [Wordfence Central](https://www.wordfence.com/products/wordfence-central/) is a powerful and efficient way to manage the security for multiple sites in one place.
66	- Centralized management: Efficiently assess the security status of all your websites in one view. View detailed security findings without leaving Wordfence Central.
67	- Powerful templates make configuring Wordfence a breeze.
68	- Highly configurable alerts can be delivered via email, SMS or Slack. Improve the signal to noise ratio by leveraging severity level options and a daily digest option.
69	- Track and alert on important security events including administrator logins, breached password usage and surges in attack activity.
70	- Free to use for unlimited sites.
71
72	### 🛠️ SECURITY TOOLS
73	- [Live Traffic](https://www.wordfence.com/help/tools/live-traffic/) monitors visits and hack attempts not shown in other analytics packages in real time; including origin, their IP address, the time of day and time spent on your site.
74	- Block attackers by IP or build advanced rules based on IP Range, Hostname, User Agent and Referrer.
75	- [Country blocking](https://www.wordfence.com/help/blocking/country-blocking/) available with Wordfence Premium.
76
77	== Installation ==
78
79	Secure your website using the following steps to install Wordfence:
80
81	1. Install Wordfence automatically or by uploading the ZIP file.
82	2. Activate the Wordfence through the 'Plugins' menu in WordPress. Wordfence is now activated.
83	3. Go to the scan menu and start your first scan. Scheduled scanning will also be enabled.
84	4. Once your first scan has completed, a list of threats will appear. Go through them one by one to secure your site.
85	5. Visit the Wordfence options page to enter your email address so that you can receive email security alerts.
86	6. Optionally, change your security level or adjust the advanced options to set individual scanning and protection options for your site.
87	7. Click the "Live Traffic" menu option to watch your site activity in real-time. Situational awareness is an important part of website security.
88
89	To install Wordfence on WordPress Multi-Site installations:
90
91	1. Install Wordfence via the plugin directory or by uploading the ZIP file.
92	2. Network Activate Wordfence. This step is important because until you network activate it, your sites will see the plugin option on their plugins menu. Once activated that option disappears.
93	3. Now that Wordfence is network activated it will appear on your Network Admin menu. Wordfence will not appear on any individual site's menu.
94	4. Go to the "Scan" menu and start your first scan.
95	5. Wordfence will do a scan of all files in your WordPress installation including those in the blogs.dir directory of your individual sites.
96	6. Live Traffic will appear for ALL sites in your network. If you have a heavily trafficked system you may want to disable live traffic which will stop logging to the DB.
97	7. Firewall rules and login rules apply to the WHOLE system. So if you fail a login on site1.example.com and site2.example.com it counts as 2 failures. Crawler traffic is counted between blogs, so if you hit three sites in the network, all the hits are totalled and that counts as the rate you're accessing the system.
98
99	== Frequently Asked Questions ==
100
101	[Visit our website to access our official documentation which includes security feature descriptions, common solutions and comprehensive help.](https://www.wordfence.com/help/)
102
103	= How does Wordfence Security protect sites from attackers? =
104
105	The WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly about security issues or if your site is compromised. The Live Traffic view gives you real-time visibility into traffic and hack attempts on your website. A deep set of additional tools round out the most comprehensive WordPress security solution available.
106
107	= What features does Wordfence Premium enable? =
108
109	We offer a Premium API key that gives you real-time updates to the Threat Defense Feed which includes a real-time IP blocklist, firewall rules, and malware signatures. Premium support, country blocking, more frequent scans, and spam and spamvertising checks are also included. [Click here to sign-up for Wordfence Premium now](https://www.wordfence.com/) or simply install Wordfence free and start protecting your website.
110
111	= How does the Wordfence WordPress Firewall protect websites? =
112
113	* Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
114	* Threat Defense Feed automatically updates firewall rules that protect you from the latest threats. Premium members receive the real-time version.
115	* Block common WordPress security threats like fake Googlebots, malicious scans from hackers and botnets.
116
117	= What checks does the Wordfence Security Scanner perform? =
118
119	* Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.
120	* See how files have changed. Optionally repair changed files that are security threats.
121	* Scans for signatures of over 44,000 known malware variants that are known WordPress security threats.
122	* Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many more.
123	* Continuously scans for malware and phishing URL’s including all URLs on the Google Safe Browsing List in all your comments, posts and files that are security threats.
124	* Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
125
126	= What security monitoring features does Wordfence include? =
127
128	* See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
129	* A real-time view of all traffic including automated bots that often constitute security threats that Javascript analytics packages never show you.
130	* Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
131	* Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.
132
133	= What login security features are included =
134
135	* See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
136	* A real-time view of all traffic including automated bots that often constitute security threats that Javascript analytics packages never show you.
137	* Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
138	* Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.
139
140	= How will I be alerted if my site has a security problem? =
141
142	Wordfence sends security alerts via email. Once you install Wordfence, you will configure a list of email addresses where security alerts will be sent. When you receive a security alert, make sure you deal with it promptly to ensure your site stays secure.
143
144	= Do I need a security plugin like Wordfence if I’m using a cloud based firewall (WAF)? =
145
146	Wordfence provides true endpoint security for your WordPress website. Unlike cloud based firewalls, Wordfence executes within the WordPress environment, giving it knowledge like whether the user is signed in, their identity and what access level they have. Wordfence uses the user’s access level in more than 80% of the firewall rules it uses to protect WordPress websites. Learn more about the [Cloud WAF identity problem here](https://www.wordfence.com/blog/2016/10/endpoint-vs-cloud-security-cloud-waf-user-identity-problem/). Additionally, cloud based firewalls can be bypassed, leaving your site exposed to attackers. Because Wordfence is an integral part of the endpoint (your WordPress website), it can’t be bypassed. Learn more about the [Cloud WAF bypass problem here](https://www.wordfence.com/blog/2016/10/endpoint-vs-cloud-security-cloud-waf-bypass-problem/). To fully protect the investment you’ve made in your website you need to employ a defense in depth approach to security. Wordfence takes this approach.
147
148	= What blocking features does Wordfence include? =
149
150	* Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
151	* Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IP’s or networks and block entire networks using the firewall. Report WordPress security threats to network owner.
152	* Rate limit or block WordPress security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
153	* Choose whether you want to block or throttle users and robots who break your WordPress security rules.
154	* Premium users can also block countries and schedule scans for specific times and a higher frequency.
155
156	= What differentiates Wordfence from other WordPress Security plugins? =
157
158	* Wordfence Security provides a WordPress Firewall developed specifically for WordPress and blocks attackers looking for vulnerabilities on your site. The Firewall is powered by our Threat Defense Feed which is continually updated as new threats emerge. Premium customers receive updates in real-time.
159	* Wordfence verifies your website source code integrity against the official WordPress repository and shows you the changes.
160	* Wordfence scans check all your files, comments and posts for URLs in Google's Safe Browsing list. We are the only plugin to offer this very important security enhancement.
161	* Wordfence scans do not consume large amounts of your bandwidth because all security scans happen on your web server which makes them very fast.
162	* Wordfence fully supports WordPress Multi-Site which means you can security scan every blog in your Multi-Site installation with one click.
163	* Wordfence includes Two-Factor authentication, the most secure way to stop brute force attackers in their tracks.
164	* Wordfence fully supports IPv6 including giving you the ability to look up the location of IPv6 addresses, block IPv6 ranges, detect IPv6 country and do a whois lookup on IPv6 addresses and more.
165
166	= Will Wordfence slow down my website? =
167
168	No. Wordfence Security is extremely fast and uses techniques like caching its own configuration data to avoid database lookups and blocking malicious attacks that would slow down your site.
169
170	= What if my site has already been hacked? =
171
172	Wordfence Security is able to repair core files, themes and plugins on sites where security is already compromised. You can follow this guide on [how to clean a hacked website using Wordfence](https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/). If you are cleaning your own site after a hack, note that site security cannot be assured unless you do a full reinstall if your site has been hacked. We recommend you only use Wordfence Security to get your site into a running state in order to recover the data you need to do a full reinstall. If you need help with a security issue, check out [Wordfence Care](https://www.wordfence.com/products/wordfence-care/), which offers hands-on support from our team, including dealing with a hacked site. For mission-critical sites, check out [Wordfence Response](https://www.wordfence.com/products/wordfence-response/).
173
174	= Does Wordfence Security support IPv6? =
175
176	Yes. We fully support IPv6 with all security functions including country blocking, range blocking, city lookup, whois lookup and all other security functions. If you are not running IPv6, Wordfence will work great on your site too. We are fully compatible with both IPv4 and IPv6 whether you run both or only one addressing scheme.
177
178	= Does Wordfence Security support Multi-Site installations? =
179
180	Yes. WordPress Multi-Site is fully supported. Using Wordfence you can scan every blog in your network for malware with one click. If one of your customers posts a page or post with a known malware URL that threatens your whole domain with being blocklisted by Google, we will alert you in the next scan.
181
182	= What support options are available for Wordfence users? =
183
184	Providing excellent customer service is very important to us. Our free users receive volunteer-level support in our [support forums](https://wordpress.org/support/plugin/wordfence). [Wordfence Premium](https://www.wordfence.com/products/wordfence-premium/) customers get paid ticket-based support. [Wordfence Care](https://www.wordfence.com/products/wordfence-care/) customers receive hands-on support including help with security incidents and a yearly security audit. [Wordfence Response](https://www.wordfence.com/products/wordfence-response/) customers get 24/7/365 support from our incident response team, with a 1 hour response time, and a maximum of 24 hours to resolve a security issue.
185
186	= Where can I learn more about WordPress security? =
187
188	Designed for every skill level, [The WordPress Security Learning Center](https://www.wordfence.com/learn/) is dedicated to deepening users’ understanding of security best practices by providing free access to entry-level articles, in-depth articles, videos, industry survey results, graphics and more.
189
190	= Where can I find the Wordfence Terms of Service and Privacy Policy? =
191
192	These are available on our website: [Terms of Service](https://www.wordfence.com/terms-of-service/) and [Privacy Policy](https://www.wordfence.com/privacy-policy/)
193
194	== Screenshots ==
195
196	Secure your website with Wordfence.
197
198	1. The dashboard gives you an overview of your site's security including notifications, attack statistics and Wordfence feature status.
199	2. The firewall protects your site from common types of attacks and known security vulnerabilities.
200	3. The Wordfence Security Scanner lets you know if your site has been compromised and alerts you to other security issues that need to be addressed.
201	4. Wordfence is highly configurable, with a deep set of options available for each feature. High level scan options are shown above.
202	5. Brute Force Protection features protect you from password guessing attacks.
203	6. Block attackers by IP, Country, IP range, Hostname, Browser or Referrer.
204	7. The Wordfence Live Traffic view shows you real-time activity on your site including bot traffic and exploit attempts.
205	8. Take login security to the next level with Two-Factor Authentication.
206	9. Logging in is easy with Wordfence 2FA.
207
208	== Changelog ==
209
210	= 8.2.2 - May 13, 2026 =
211	* Improvement: Better presentation of Live Traffic data on wide screens
212	* Improvement: Increased legibility of token fields
213	* Improvement: Reworked the pagination of the Blocking page for a better UX
214	* Improvement: Country blocking token field can now expand to show all entries
215	* Improvement: Performance improvements for the activity log and better pause behavior on window blur/focus
216	* Improvement: GeoIP database updated
217	* Change: Removed deprecated Central endpoint
218	* Fix: Addressed issue where the last activity log entry could repeatedly appear
219	* Fix: Using the embedded shortcode for the 2FA form now correctly enqueues core JavaScript dependencies
220	* Fix: Modals with content that overflows on smaller viewports can now be scrolled
221	* Fix: The changelog link in plugin upgrade scan issues now links correctly
222
223	= 8.2.1 - May 6, 2026 =
224	* Fix: Fixed issue with some i18n plugins/themes when a user has no 2FA recovery codes
225	* Fix: Toggled options with additional help links now correctly open the link rather than toggling the option
226	* Fix: Country Blocking editing fixed when there are multiple pages of block rules
227	* Fix: Added better error handling to the initial Vue data load
228	* Fix: Handled error when logging in using legacy 2FA with separate prompts enabled
229
230	= 8.2.0 - April 29, 2026 =
231	* Improvement: Migrated all deprecated JavaScript libraries in use to a Vue-based infrastructure
232	* Improvement: GeoIP database update
233	* Improvement: Better coverage of `aria-` accessibility attributes
234	* Improvement: Added `translators` comments to translatable strings where previously missing
235	* Fix: WordPress 7.0 compatibility fixes
236	* Note: Legacy two factor authentication using SMS-based codes will be discontinued around July 1, 2026. Sites using this functionality should migrate users to the TOTP-based two factor authentication on the Login Security page of the plugin
237
238	= 8.1.4 - December 20, 2025 =
239	* Fix: Fixed an issue with `inet_pton` introduced by a recent patch to PHP 8.1+ that could cause a fatal error if a malformed IP address was passed to the call
240
241	= 8.1.3 - December 3, 2025 =
242	* Improvement: Updated the bundled geoip database
243	* Note: Verified compatibility with WordPress 6.9
244
245	= 8.1.2 - November 12, 2025 =
246	* Improvement: Updated the bundled geoip database
247
248	= 8.1.1 - November 5, 2025 =
249	* Improvement: Improved localization support for the various block screens and messages
250	* Improvement: Updated the bundled geoip database
251	* Improvement: Prioritized Wordfence tables in the diagnostics tool when large numbers of tables exist
252	* Improvement: Allow non-US Google crawler IP addresses to pass country blocking
253	* Improvement: Enforcement of password strength requirements is now applied on the corresponding REST API endpoints
254	* Fix: Fixed detection for first-time logins and overall sending for login alerts when the corresponding settings are enabled
255	* Fix: When the WAF is using the mysql storage engine, fixed an issue with exclusion rules for the WAF not running correctly
256	* Fix: Reduced per-hit database query load around checking license status for free installations
257	* Fix: Optimized data sync with the WAF to better detect when the known server IP address list has changed
258
259	= 8.1.0 - August 25, 2025 =
260	* Improvement: Added password scanning support for WordPress 6.8 and later
261	* Improvement: Limited email alerts to 5 per hour by default and added notification when limit has been reached
262	* Improvement: Improved URL scanning performance
263	* Improvement: Updated GeoIP database
264	* Change: Reduced scan result severity for vulnerabilities with high attack complexity or required privileges
265	* Change: Added messaging around WAF support when NGINX Unit is detected
266	* Change: Added notice and scan result about Wordfence Assistant
267	* Change: Adjusted IPv6 connection issue message and appearance
268	* Fix: Prevented deprecation notice about calling base64_encode with null parameter
269	* Fix: Prevented deprecation message about calling preg_match with null parameter
270	* Fix: Corrected license type shown on dashboard when expiring
271	* Fix: Prevented disabled getmyuid function from causing fatal error
272	* Fix: Prevented disabled get_current_user function from causing fatal error
273	* Fix: Prevented notice about _load_textdomain_just_in_time being called incorrectly
274
275	= 8.0.5 - April 8, 2025 =
276	* Fix: Compatibility fixes for WordPress 6.8
277
278	= 8.0.4 - March 19, 2025 =
279	* Improvement: Improved error handling and messaging for some responses from our servers
280	* Improvement: Added messaging when a site may be using the same free license shared among multiple sites because it can cause the sites to use the same scan schedule rather than spreading out the load
281	* Improvement: Updated the readme content and formatting
282
283	= 8.0.3 - January 15, 2025 =
284	* Improvement: Added support for hosts relocating the WAF's auto-prepend file via the constant/envvar WORDFENCE_WAF_PREPEND_DIRECTORY
285	* Improvement: Added detection for non-repo plugins and themes to avoid the scanner reporting changes when the same slug + version exists within the wordpress.org repo
286	* Improvement: Messaging for Central disconnections now better reflects the user making the change
287	* Improvement: Scan errors due to unreachable Wordfence servers will now provide a link to our status page to check for outages
288	* Improvement: Reduced the number of network calls created to sync scan issues when updates are performed in bulk
289	* Change: Reworked setting caching to avoid issues with some object caches
290	* Change: Reworked cURL check to avoid using WP_Http_Curl, which has been deprecated
291	* Fix: Normalized all wordfence.com links to be https
292	* Fix: Fixed a rare error that could occur on the diagnostics page when displaying a list of error logs
293	* Fix: Removed the "back to top" button and related script block from emailed diagnostics
294	* Fix: Fixed some UI coloring that did not correctly reflect the license type in use
295
296	= 8.0.2 - January 2, 2025 =
297	* Improvement: General compatibility improvements and better error handling for PHP 8+
298	* Improvement: Added audit log status to the plugin dashboard
299	* Change: Increased width of diagnostics text export for better legibility
300	* Fix: Addressed an error with mail hooks and the audit log when third party plugins send unexpected value types
301
302	= 8.0.1 - November 14, 2024 =
303	* Improvement: Updated GeoIP database
304	* Change: Revised some help text related to the audit log to be more clear
305	* Fix: Improved audit log compatibility with some plugins that would cause excessive noise due to their behaviors around setting up user roles and capabilities
306	* Fix: Fixed a log notice that could occur when deactivating Wordfence with audit log events still pending and a broken Wordfence Central link
307
308	= 8.0.0 - November 4, 2024 =
309	* Improvement: Introduced the Wordfence Audit Log, a new premium feature to monitor all changes and actions in security-sensitive areas of the site with remote tamper-proof data storage via Wordfence Central
310	* Change: Increased the minimum supported WordPress version to 4.7
311	* Change: Increased the minimum supported PHP version to 7.0
312
313	= 7.11.7 - July 29, 2024 =
314	* Improvement: Optimized scan performance by reducing database queries by approximately 38% along with CPU usage
315	* Fix: Added translation support for "Page not found" string when viewing recent traffic
316
317	= 7.11.6 - June 6, 2024 =
318	* Improvement: Revised the strong password requirements notice to be more readable
319	* Improvement: Removed unnecessary calls for the plugin and theme vulnerability checks
320	* Improvement: Reduced the frequency of calls to Wordfence Central during some operations where the values do not need to be synced
321	* Improvement: Refactored some queries to avoid the automatic SHOW FULL COLUMNS queries that WordPress performs to verify database encodings
322	* Improvement: Infrequently-used config values are no longer automatically loaded into memory and instead loaded only on demand
323	* Fix: Fixed an issue where multisite installations using the WAF mysqli storage engine could repeatedly attempt to update WAF rules when not in optimized mode
324	* Improvement: Updated the bundled GeoIP database
325	* Change: Revised the formatting of TOTP app URLs to prioritize the site's own URL for better sorting and display
326	* Fix: Fixed the last captcha column in the users page so it no longer displays "(not required)" on 2FA users since that no longer applies
327	* Fix: Added a check in wflogs/rules.php to only run when within the WAF's bootstrap stage when hosted behind nginx
328
329	= 7.11.5 - April 3, 2024 =
330	* Fix: Revised the behavior of the reCAPTCHA verification to use the documented expiration period of the token and response to avoid sending verification requests too frequently, which could artificially lower scores in some circumstances
331	* Fix: Addressed PHP 8 deprecation notices in the file differ used by file changed scan results
332	* Fix: Reduced the frequency of Wordfence Central status update callbacks in sections of the scan that occur quickly in sequence
333
334	= 7.11.4 - March 11, 2024 =
335	* Change: CAPTCHA verification when enabled now additionally applies to 2FA logins (may send an email verification on low scores) and no longer reveals whether a user exists for the submitted account credentials (credit: Raxis)
336	* Fix: Addressed a potential PHP 8 notice in the human/bot detection AJAX call
337	* Fix: Addressed a potential PHP 8 notice when requesting a lockout unlock verification email
338	* Fix: Fixed the emailed diagnostics view not showing the missing table information when applicable
339	* Fix: Improved quick scan logic to base timing on regular scans so they're more evenly distributed
340
341	= 7.11.3 - February 15, 2024 =
342	* Fix: Fixed an issue with sites containing invalid Wordfence Central site data where they could throw an error when viewing Wordfence pages
343
344	= 7.11.2 - February 14, 2024 =
345	* Improvement: Enhanced the vulnerability scan to check and alert for WordPress core vulnerabilities and to adjust the severity of the scan result based on findings or available updates
346	* Improvement: Updated the bundled GeoIP database
347	* Improvement: Increased compatibility of brute force protection with plugins that override the normal login flow and omit traditional hooks
348	* Change: Adjusted the behavior of automatic quick scans to schedule themselves further away from full scans
349	* Fix: Added detection for a site being linked to a non-matching Wordfence Central record (e.g., when cloning the database to a staging site)
350	* Fix: Streamlined the license and terms of use installation flow to avoid unnecessary prompting
351	* Fix: Fixed an issue where user profiles with a selected locale different from the site itself could end up loading the site's locale instead
352
353	= 7.11.1 - January 2, 2024 =
354	* Improvement: Added ".env" to the files checked for "Scan for publicly accessible configuration, backup, or log files"
355	* Improvement: Provided better descriptive text for the option "Block IPs who send POST requests with blank User-Agent and Referer"
356	* Improvement: The diagnostics page now displays the contents of any `auto_prepend_file` .htaccess/.user.ini block for troubleshooting
357	* Fix: Fixed an issue where a login lockout on a WooCommerce login form could fail silently
358	* Fix: The scan result for abandoned plugins no longer states it has been removed from wordpress.org if it is still listed
359	* Fix: Addressed an exception parsing date information in non-repo plugins that have a bad `last_updated` value
360	* Fix: The URL scanner no longer generates a log warning when matching a potential URL fragment that ends up not being a valid URL
361
362	= 7.11.0 - November 28, 2023 =
363	* Improvement: Added new functionality for trusted proxy presets to support proxies such as Amazon CloudFront, Ezoic, and Quic.cloud
364	* Improvement: WAF rule and malware signature updates are now signed with SHA-256 as well for hosts that no longer build SHA1 support
365	* Improvement: Updated the bundled trusted CA certificates
366	* Change: The WAF will no longer attempt to fetch rule or blocklist updates when run via WP-CLI
367	* Fix: Removed uses of SQL_CALC_FOUND_ROWS, which is deprecated as of MySQL 8.0.17
368	* Fix: Fixed an issue where final scan summary counts in some instances were not sent to Central
369	* Fix: Fixed a deprecation notice for get_class in PHP 8.3.0
370	* Fix: Corrected an output error in the connectivity section of Diagnostics in text mode
371
372	= 7.10.7 - November 6, 2023 =
373	* Fix: Compatibility fix for WordPress 6.4 on the login page styling
374
375	= 7.10.6 - October 30, 2023 =
376	* Fix: Addressed an issue with multisite installations when the wp_options tables had different encodings/collations
377
378	= 7.10.5 - October 23, 2023 =
379	* Improvement: Updated the bundled GeoIP database
380	* Improvement: Added detection for Cloudflare reverse proxies blocking callbacks to the site
381	* Change: Files are no longer excluded from future scans if a previous scan stopped during their processing
382	* Fix: Added handling for the pending WordPress 6.4 change that removes $wpdb->use_mysqli
383	* Fix: The WAF MySQLi storage engine will now work correctly when either DB_COLLATE or DB_CHARSET are not defined
384	* Fix: Added additional error handling to Central calls to better handle request failures or conflicts
385	* Fix: Addressed a warning that would occur if a non-repo plugin update hook did not provide a last updated date
386	* Fix: Fixed an error in PHP 8 that could occur if the time correction offset was not numeric
387	* Fix: 2FA AJAX calls now use an absolute path rather than a full URL to avoid CORS issues on sites that do not canonicalize www and non-www requests
388	* Fix: Addressed a race condition where multiple concurrent hits on multisite could trigger overlapping role sync tasks
389	* Fix: Improved performance when viewing the user list on large multisites
390	* Fix: Fixed a UI bug where an invalid code on 2FA activation would leave the activate button disabled
391	* Fix: Reverted a change on error modals to bring back the additional close button for better accessibility
392
393	= 7.10.4 - September 25, 2023 =
394	* Improvement: "Admin created outside of WordPress" scan results may now be reviewed and approved
395	* Improvement: The WAF storage engine may now be specified by setting the environmental variable "WFWAF_STORAGE_ENGINE"
396	* Improvement: Detect when a plugin or theme with a custom update handler is broken and blocking update version checks
397	* Change: Deprecated support for WordPress versions lower than 4.7.0
398	* Change: Exclude parse errors of a damaged compiled rules file from reporting
399	* Fix: Suppress PHP notices related to rule loading when running WP-CLI
400	* Fix: Fixed an issue with the scan monitor cron that could leave it running unnecessarily
401
402	= 7.10.3 - July 31, 2023 =
403	* Improvement: Updated GeoIP database
404	* Fix: Added missing text domain to translation function call
405	* Fix: Corrected inconsistent styling of switch controls
406	* Change: Made MySQLi storage engine the default for Flywheel hosted sites
407
408	= 7.10.2 - July 17, 2023 =
409	* Fix: Prevented bundled sodium_compat library from conflicting with versions included with older WordPress versions
410
411	= 7.10.1 - July 12, 2023 =
412	* Improvement: Added support for processing arrays of files in the WAF
413	* Improvement: Refactored security event processing to send events in bulk
414	* Improvement: Updated bundled sodium_compat and random_compat libraries
415	* Fix: Prevented deprecation warning caused by dynamic property creation
416	* Fix: Added translation support for additional strings
417	* Change: Adjusted Wordfence registration UI
418
419	= 7.10.0 - June 21, 2023 =
420	* Improvement: Added translation support for strings from login security plugin
421	* Improvement: Added translator notes regarding word order and hidden text
422	* Improvement: Added translation support for additional strings
423	* Improvement: Prevented scans from failing if unreadable directories are encountered
424	* Improvement: Added help link to IPv4 scan option
425	* Improvement: Updated scan result text to clarify meaning of plugins removed from wordpress.org
426	* Improvement: Made "Increased Attack Rate" emails actionable
427	* Improvement: Updated GeoIP database
428	* Improvement: Updated JavaScript libraries
429	* Fix: Corrected IPv6 address expansion
430	* Fix: Ensured long request payloads for malicious requests are recorded in live traffic
431	* Fix: Prevented "commands out of sync" database error messages when the database connection has failed
432	* Fix: Prevented rare JSON encoding issues from breaking free license registration
433	* Fix: Prevented PHP notice from being logged when request parameter is missing
434	* Fix: Prevented deprecation warning in PHP 8.1
435	* Change: Moved detection for old TimThumb files to malware signature
436	* Change: Moved translation file from .po to .pot
437	* Change: Renamed "Macedonia" to "North Macedonia, Republic of"
438
439	= 7.9.3 - May 31, 2023 =
440	* Improvement: Added exception handling to prevent WAF errors from being fatal
441	* Fix: Corrected error caused by method call on null in WAF
442	* Change: Deprecated support for PHP 5.5 and 5.6, ended support for PHP 5.3 and 5.4
443	* Change: Specified WAF version parameter when requesting firewall rules
444
445	= 7.9.2 - March 27, 2023 =
446	* Improvement: The vulnerability severity score (CVSS) is now shown with any vulnerability findings from the scanner
447	* Improvement: Changed several links during initial setup to open in a new window/tab so it doesn't interrupt installation
448	* Change: Removed the non-https callback test to the Wordfence servers
449	* Fix: Fixed an error on PHP 8 that could occur when checking for plugin updates and another plugin has a broken hook
450	* Fix: Added a check for disabled functions when generating support diagnostics to avoid an error on PHP 8
451	* Fix: Prevent double-clicking when activating 2FA to avoid an "already set up" error
452
453	= 7.9.1 - March 1, 2023 =
454	* Improvement: Further improved performance when viewing 2FA settings and hid user counts by default on sites with many users
455	* Fix: Adjusted style inclusion and usage to prevent missing icons
456	* Fix: Avoided using the ctype extension as it may not be enabled
457	* Fix: Prevented fatal errors caused by malformed Central keys
458
459	= 7.9.0 - February 14, 2023 =
460	* Improvement: Added 2FA management shortcode and WooCommerce account integration
461	* Improvement: Improved performance when viewing 2FA settings on sites with many users
462	* Improvement: Updated GeoIP database
463	* Fix: Ensured Captcha and 2FA scripts load on WooCommerce when activated on a sub-site in multisite
464	* Fix: Prevented reCAPTCHA logo from being obscured by some themes
465	* Fix: Enabled wfls_registration_blocked_message filter support for WooCommerce integration
466
467	= 7.8.2 - December 13, 2022 =
468	* Fix: Releasing same changes as 7.8.1, due to wordpress.org error
469
470	= 7.8.1 - December 13, 2022 =
471	* Improvement: Added more granualar data deletion options to deactivation prompt
472	* Improvement: Allowed accessing diagnostics prior to completing registration
473	* Fix: Prevented installation prompt from displaying when a license key is already installed but the alert email address has been removed
474
475	= 7.8.0 - November 28, 2022 =
476	* Improvement: Added feedback when login form is submitted with 2FA
477	* Fix: Restored click support on login button when using 2FA with WooCommerce
478	* Fix: Corrected display issue with reCAPTCHA score history graph
479	* Fix: Prevented errors on PHP caused by corrupted login timestamps
480	* Fix: Prevented deprecation notices on PHP 8.2 related to dynamic properties
481	* Change: Updated Wordfence registration workflow
482
483	= 7.7.1 - October 4, 2022 =
484	* Fix: Prevented scan resume attempts from repeating indefinitely when the initial scan stage fails
485
486	= 7.7.0 - October 3, 2022 =
487	* Improvement: Added configurable scan resume functionality to prevent scan failures on sites with intermittent connectivity issues
488	* Improvement: Added new scan result for vulnerabilities found in plugins that do not have patched versions available via WordPress.org
489	* Improvement: Implemented stand-alone MMDB reader for IP address lookups to prevent plugin conflicts and support additional PHP versions
490	* Improvement: Added option to disable looking up IP address locations via the Wordfence API
491	* Improvement: Prevented successful logins from resetting brute force counters
492	* Improvement: Clarified IPv6 diagnostic
493	* Improvement: Included maximum number of days in live traffic option text
494	* Fix: Made timezones consistent on firewall page
495	* Fix: Added "Use only IPv4 to start scans" option to search
496	* Fix: Prevented deprecation notices on PHP 8.1 when emailing the activity log
497	* Fix: Prevented warning on PHP 8 related to process owner diagnostic
498	* Fix: Prevented PHP Code Sniffer false positive related to T_BAD_CHARACTER
499	* Fix: Removed unsupported beta feed option
500
501	= 7.6.2 - September 19, 2022 =
502	* Improvement: Hardened 2FA login flow to reduce exposure in cases where an attacker is able to obtain privileged information from the database
503
504	= 7.6.1 - September 6, 2022 =
505	* Fix: Prevented XSS that would have required admin privileges to exploit (CVE-2022-3144)
506
507	= 7.6.0 - July 28, 2022 =
508	* Improvement: Added option to start scans using only IPv4
509	* Improvement: Added diagnostic for internal IPv6 connectivity to site
510	* Improvement: Added AUTOMATIC_UPDATER_DISABLED diagnostic
511	* Improvement: Updated password strength check
512	* Improvement: Added support for scanning plugin/theme files in when using the WP_CONTENT_DIR/WP_PLUGIN_DIR constants
513	* Improvement: Updated GeoIP database
514	* Improvement: Made DISABLE_WP_CRON diagnostic more clear
515	* Improvement: Added "Hostname" to Live Traffic message displayed for hostname blocking
516	* Improvement: Improved compatibility with Flywheel hosting
517	* Improvement: Adopted semantic versioning
518	* Improvement: Added support for dynamic cookie redaction patterns when logging requests
519	* Fix: Prevented scanned paths from being displayed as skipped in rare cases
520	* Fix: Corrected indexed files count in scan messages
521	* Fix: Prevented overlapping AJAX requests when viewing Live Traffic on slower servers
522	* Fix: Corrected WP_DEBUG_DISPLAY diagnostic
523	* Fix: Prevented extraneous warnings caused by DNS resolution failures
524	* Fix: Corrected display issue with Save/Cancel buttons on All Options page
525	* Fix: Prevented errors caused by WHOIS searches for invalid values
526
527	= 7.5.11 - June 14, 2022 =
528	* Improvement: Added option to toggle display of last login column on WP Users page
529	* Improvement: Improved autocomplete support for 2FA code on Apple devices
530	* Improvement: Prevented Batcache from caching block pages
531	* Improvement: Updated GeoIP database
532	* Fix: Prevented extraneous scan results when non-existent paths are configured using UPLOADS and related constants
533	* Fix: Corrected issue that prevented reCAPTCHA scores from being recorded
534	* Fix: Prevented invalid JSON setting values from triggering fatal errors
535	* Fix: Made text domains consistent for translation support
536	* Fix: Clarified that allowlisted IP addresses also bypass reCAPTCHA
537
538	= 7.5.10 - May 17, 2022 =
539	* Improvement: Improved scan support for sites with non-standard directory structures
540	* Improvement: Increased accuracy of executable PHP upload detection
541	* Improvement: Addressed various deprecation notices with PHP 8.1
542	* Improvement: Improved handling of invalidated license keys
543	* Fix: Corrected lost password redirect URL when used with WooCommerce
544	* Fix: Prevented errors when live traffic data exceeds database column length
545	* Fix: Prevented bulk password resets from locking out admins
546	* Fix: Corrected issue that prevented saving country blocking settings in certain cases
547	* Change: Updated copyright information
548
549	= 7.5.9 - March 22, 2022 =
550	* Improvement: Updated GeoIP database
551	* Improvement: Removed blocking data update logic in order to reduce timeouts
552	* Improvement: Increased timeout value for API calls in order to reduce timeouts
553	* Improvement: Clarified notification count on Wordfence menu
554	* Improvement: Improved scan compatibility with WooCommerce
555	* Improvement: Added messaging when application passwords are disabled
556	* Fix: Prevented warnings and errors when constants are defined based on the value of other constants in wp-config.php
557	* Fix: Corrected redundant escaping that prevented viewing or repairing files in scan results
558
559	= 7.5.8 - February 1, 2022 =
560	* Launch of Wordfence Care and Wordfence Response
561
562	= 7.5.7 - November 22, 2021 =
563	* Improvement: Made preliminary changes for compatibility with PHP 8.1
564	* Change: Added GPLv3 license and updated EULA
565
566	= 7.5.6 - October 18, 2021 =
567	* Fix: Prevented login errors with WooCommerce integration when manual username entry is enabled on the WooCommerce registration form
568	* Fix: Corrected theme incompatibilities with WooCommerce integration
569
570	= 7.5.5 - August 16, 2021 =
571	* Improvement: Enhanced accessibility
572	* Improvement: Replaced regex in scan log with signature ID
573	* Improvement: Updated Knockout JS dependency to version 3.5.1
574	* Improvement: Removed PHP 8 compatibility notice
575	* Improvement: Added NTP status for Login Security to Diagnostics
576	* Improvement: Updated plugin headers for compatibility with WordPress 5.8
577	* Improvement: Updated Nginx documentation links to HTTPS
578	* Improvement: Updated IP address geolocation database
579	* Improvement: Expanded WAF SQL syntax support
580	* Improvement: Added optional constants to configure WAF database connection
581	* Improvement: Added support for matching punycode domain names
582	* Improvement: Updated Wordfence install count
583	* Improvement: Deprecated support for WordPress versions older than 4.4.0
584	* Improvement: Added warning messages when blocking U.S.
585	* Improvement: Added MYSQLI_CLIENT_SSL support to WAF database connection
586	* Improvement: Added 2FA and reCAPTCHA support for WooCommerce login and registration forms
587	* Improvement: Added option to require 2FA for any role
588	* Improvement: Added logic to automatically disable NTP after repeated failures and option to manually disable NTP
589	* Improvement: Updated reCAPTCHA setup note
590	* Fix: Prevented issue where country blocking changes are not saved
591	* Fix: Corrected string placeholder
592	* Fix: Added missing text domain to translation calls
593	* Fix: Corrected warning about sprintf arguments on Central setup page
594	* Fix: Prevented lost password functionality from revealing valid logins
595
596	= 7.5.4 - June 7, 2021 =
597
598	* Fix: Resolve conflict with woocommerce-gateway-amazon-payments-advanced plugin
599
600	= 7.5.3 - May 10, 2021 =
601
602	* Improvement: Expanded WAF capabilities including better JSON and user permission handling
603	* Improvement: Switched to relative paths in WAF auto_prepend file to increase portability
604	* Improvement: Eliminated unnecessary calls to Wordfence servers
605	* Fix: Prevented errors on PHP 8.0 when disk_free_space and/or disk_total_space are included in disabled_functions
606	* Fix: Fixed PHP notices caused by unexpected plugin version data
607	* Fix: Gracefully handle unexpected responses from Wordfence servers
608	* Fix: Time field now displays correctly on "See Recent Traffic" overlay
609	* Fix: Corrected typo on Diagnostics page
610	* Fix: Corrected IP counts on activity report
611	* Fix: Added missing line break in scan result emails
612	* Fix: Sending test activity report now provides success/failure response
613	* Fix: Reduced SQLi false positives caused by comma-separated strings
614	* Fix: Fixed JS error when resolving last scan result
615
616	= 7.5.2 - March 24, 2021 =
617
618	* Fix: Fixed fatal error on single-sites running WordPress <4.9.
619
620	= 7.5.1 - March 24, 2021 =
621
622	* Fix: Fixed fatal error when viewing the Login Security settings page from an allowlisted IP.
623
624	= 7.5.0 - March 24, 2021 =
625
626	* Improvement: Translation-readiness: All user-facing strings are now run through WordPress's i18n functions.
627	* Improvement: Remove legacy admin functions no longer used within the UI.
628	* Improvement: Local GeoIP database update.
629	* Improvement: Remove Lynwood IP range from allowlist, and add new AWS IP range.
630	* Fix: Fixed bug with unlocking a locked out IP without correctly resetting its failure counters.
631	* Fix: Sites using deleted premium licenses correctly revert to free license behavior.
632	* Fix: When enabled, cookies are now set for the correct roles on previously used devices.
633	* Fix: WAF cron jobs are now skipped when running on the CLI.
634	* Fix: PHP 8.0 compatibility - prevent syntax error when linting files.
635	* Fix: Fixed issue where PHP 8 notice sometimes cannot be dismissed.
636
637	= 7.4.14 - December 3, 2020 =
638
639	* Improvement: Added option to disable application passwords.
640	* Improvement: Updated site cleaning callout with 1-year guarantee.
641	* Improvement: Upgraded sodium_compat library to 1.13.0.
642	* Improvement: Replaced the terms whitelist and blacklist with allowlist and blocklist.
643	* Improvement: Made a number of WordPress 5.6 and jQuery 3.x compatibility improvements.
644	* Improvement: Made a number of PHP8 compatilibility improvements.
645	* Improvement: Added dismissable notice informing users of possible PHP8 compatibility issues.
646
647	= 7.4.12 - October 21, 2020 =
648
649	* Improvement: Initial integration of i18n in Wordfence.
650	* Improvement: Prevent Wordfence from loading under <PHP 5.3.
651	* Improvement: Updated GeoIP database.
652	* Improvement: Prevented wildcard from running/saving for scan's excluded files pattern.
653	* Improvement: Included Wordfence Login Security tables in diagnostics missing table list.
654	* Fix: Removed new scan issues when WordPress update occurs mid-scan.
655	* Fix: Specified category when saving `whitelistedServiceIPs` to WAF storage engine.
656	* Fix: Removed localhost IP for auto-update email alerts.
657	* Fix: Fixed broken message in Live Traffic with MySQLi storage engine for blocklisted hits.
658	* Fix: Removed optional parameter values for PHP 8 compatibility.
659
660	You can find a [complete changelog](https://www.wordfence.com/help/advanced/changelog/) on our documentation site.
661