Fix: Fixed the quick navigation letters in the country picker not scrolling. Situational awareness is an important part of website security. We recommend you only use Wordfence Security to get your site into a running state in order to recover the data you need to do a full reinstall. Improvement: Added a variety of new data values to the Diagnostics page to aid in debugging issues. Change: Removed the Disable Wordfence Cookies option as weve removed all cookies it affected. Fix: Adjusted the behavior of the blocklist toggle for Free users. Improvement: XML-RPC authentication may now be disabled or forced to require 2FA. Fix: Fixed the removed from wordpress.org detection for plugin, which was broken due to an API change. Fix: Added a safety check for when the database fails to return its max_allowed_packet value. This plugin can improve your website's design by ensuring that your images look crisp and clear on all devices. Improvement: Aggregated login attempts when checking the Wordfence Security Network for brute force attackers to reduce total requests. Prevents spoofing and works with most sites. Improvement: Added low resource usage scan option for shared hosts. Fix: Fixed an issue that could occur on older WordPress versions when processing login attempts. Firewall rules and login rules apply to the WHOLE system. Good morning , Solution: Configure Autoptimize to write files within the standard wp-content/uploads path for WordPress ( wp-content/uploads/autoptimize) by adding the following to wp-config.php: wp-config.php /** Changes location where Autoptimize stores optimized files */ define('AUTOPTIMIZE_CACHE_CHILD_DIR','/uploads/autoptimize/'); Fix: Changed some wording to consistently use License or License Key. Real-time blocking of known attackers. Improvement: Updated the bundled browscap database. Fix: Prevented custom wp-content or other directories from appearing in skipped paths scan result, even when scanned. Fix: Fixed issue where PHP 8 notice sometimes cannot be dismissed. Improvement: Better labeling in Live Traffic for 301 and 302 redirects. Fix: Adjusted sizing on the country blocking options to prevent placeholder text from being cut off at some screen sizes. Improvement: Added additional XSS detection capabilities. Got type: boolean. Fix: Fixed a typo in the scan summary text. Improvement: Malware signature checking has been better optimized to improve overall speed. Thanks Kacper Szurek. Improvement: Added additional values to Diagnostics for debugging time-related issues, the new fatal error handler settings, and updated the PHP version check to reflect the new 5.6.20 requirement of WordPress. Why does this help? Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service. Fix: Better text wrapping in the top failed logins widget. Fix: REST API hits now correctly follow the Dont log signed-in users with publishing access option. Login to your WordPress Admin Panel and navigate to 'Settings -> WP-Super-Cache'. Improvement: staging. Improvement: Added WAF coverage for an Infinite WP authentication bypass vulnerability. Fix: Fixed the status circle tooltips not showing. Fix: Removed unnecessary single quote in copy containing IPs. Fix: Text fixes to the WAF nginx help text. Fix: Fixed issues with scan in WordPress 4.6 beta. Malware scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections. Change: Scan issues that are indicative of a compromised site are moved to the top of the list. Fix: When a key is in place on multiple sites, its now possible to downgrade the ones not registered for it. Change: Modified behavior of the advanced country blocking options to always show. Fix: Scan results for malware detections in posts are no longer clickable. At the top, choose a time range. WordPress Multi-Site is fully supported. W3 Total Cache is a powerful caching plugin that includes features like page caching, object caching, and database caching. Once your first scan has completed, a list of threats will appear. Fix: Fixed the functionality of the button to send 2FA grace period notifications. Fix: The update check in a quick scan no longer runs if the update check has been turned off for regular scans. Designed for every skill level, The WordPress Security Learning Center is dedicated to deepening users understanding of security best practices by providing free access to entry-level articles, in-depth articles, videos, industry survey results, graphics and more. Visit the Wordfence options page to enter your email address so that you can receive email security alerts. Fix: Fixed a PHP warning that could occur if a bad response was received while updating an IP list. Fix: Added handling for reCAPTCHAs JavaScript failing to load, which previously blocked logging in. 3. Improvement: Massive performance boost in file system scan. References. It's often not the ideal option. Change: Changed the autoloader for our copy of sodium_compat to always load after WordPress core does. Fix: Sites using deleted premium licenses correctly revert to free license behavior. Track and alert on important security events including administrator logins, breached password usage and surges in attack activity. Change: Separated the various blocking-related pages out from the Firewall top-level menu into Blocking. Improvement: Remove Lynwood IP range from allowlist, and add new AWS IP range. Changed: Added compatibility messaging for reCAPTCHA when WooCommerce is active. Fix: Removed extra spacing in the example ranges for Allowlisted IP addresses that bypass all rules. Wordfence verifies your website source code integrity against the official WordPress repository and shows you the changes. Fix: Fixed bug with specific Advanced Blocking user-agent patterns causing 500 errors. Improvement: Better messaging about the scan options that need to be enabled for free installations to achieve 100%. Improvement: Live traffic better indicates the action taken by country blocking when it redirects a visitor. Go to the top of the " Diagnostics " tab on the Wordfence " Tools " page. Improvement: Improved detection for malformed malware scanning signatures. Fix: PHP deprecation notices no longer suppress those of old OpenSSL or WordPress. Fix: The diff viewer now forces wrapping to prevent long lines of text from stretching the layout. Using Wordfence you can scan every blog in your network for malware with one click. 2. We are the only plugin to offer this very important security enhancement. Improvement: Removed unused font glyph ranges to reduce file count and size. Improvement: Improved the performance of our config table status check. Let Wordfence use the most secure method to get visitor IP addresses. Improvement: Introduced a new scan stage to check for malicious URLs and content within WordPress core, plugin, and theme options. Check the boxes for the temporary cache files you want deleted, then click "Remove Files." When you're prompted to confirm, select "Continue" and your cache will be cleared. Fix: Fixed an issue with 2FA on multisite where the site could report URLs with different schemes depending on the state of plugin loading. Fix: Fixed a case where files in the site root with issues could have them added multiple times. Fix: Cleared pending plugin/theme update scan results and notification when a plugin/theme is auto-updated. subdomains are now supported for sharing premium licenses. Improvement: IP-based filtering in Live Traffic can now use wildcards. Fix: Fixed admin page layout for sites using RTL languages. Fix: Fixed a log warning that could occur during the scan for plugins not in the wordpress.org repository. Right-click the .htaccess file and select Download to create a local backup. Improvement: Added the ability to sort the blocks table. Improvement: The URL blocklist check now includes additional variants in some checks to more accurately match. Fix: Added internal throttling to ensure the daily cron does not run too frequently on some hosts. Improvement: Added support for finding server logs to the Diagnostics page to help with troubleshooting. Improvement: Malware signatures are now better applied to large files read in multiple passes. Fix: Improved the state updating for the scan bulk action buttons. Fix: Fixed a few options that couldnt be searched for on the all options page. Improvement: More descriptive text for the scan issue email when theres an unknown WordPress core version. Improvement: Added a prompt to allow user to download a backup prior to repairing files. Improvement: The list of blocks now shows the most recently-added blocks at the top by default. Improvement: Extended the automatic redaction applied to attack data that may include sensitive information. Fix: Fixed a compatibility issue with determining the sites home_url when WPML is installed. Advanced: Added constant WORDFENCE_DISABLE_FILE_VIEWER to prohibit file-viewing actions from Wordfence. Make sure that the second wp-affiliate cookie is recorded in the browser. These are available on our website: Terms of Service and Privacy Policy. Improvement: Added tour coverage for live traffic. Enter wftest [at] wordfence [dot] com as the email and peterpine as the forum username please. Fix: Changing the frequency of the activity summary email now reschedules it. Improvement: Prevented wildcard from running/saving for scans excluded files pattern. Wordfence fully supports IPv6 including giving you the ability to look up the location of IPv6 addresses, block IPv6 ranges, detect IPv6 country and do a whois lookup on IPv6 addresses and more. Fix: The increased attack rate emails now correctly identify blocklist blocks. Change: Removed duplicate browser label in Live Traffic. Fix: Fixed a warning by adjusting a query to remove old-style variable references. Improvement: Added Web Application Firewall activity to Wordfence summary email. Thank you to the translators for their contributions. Improvement: Live Traffic now better displays failed logins. Wordfence Security is extremely fast and uses techniques like caching its own configuration data to avoid database lookups and blocking malicious attacks that would slow down your site. Improvement: Reduced 2FA activation code to expire after 30 days. Change: Added the initial deprecation notice for PHP 5.2. This plugin also adds a button to the WP Admin Bar to make it really easy to clear the WordPress cache manually. Improvement: Added a setting to control the reCAPTCHA human/bot threshold. Improvement: Add php_errorlog to the list of downloadable logs in diagnostics. Fix: Brute force records are now coalesced when possible prior to sending. Change: The diagnostics report now includes the scan issues for easier debugging. This conflict can lead to weird glitches, and clearing your cache can help when . Fix: Time formatting will now correctly handle :30 and :45 time zone offsets. Fix: Syncing requests from Wordfence Central no longer appear in Live Traffic. Fix: Added check for when site is disconnected on Centrals end, but not in the plugin. Improvement: Normalized all PHP require/include calls to use full paths for better code quality. 2. The plugin also lets you block logins using known compromised user passwords. Fix: Fixed an issue where a bad cron record could interfere with automatic WAF rule updates. Improvement: Improved handling of bad characters and IPv6 ranges in Advanced Blocking. Additionally, WordFence Security includes login security features like two-factor authentication and reCAPTCHA. 1: Partially Remove Wordfence If you're familiar with installing and removing WordPress plugins, then you'll know about the Deactivate->Delete sequence. Fix: Fixed deadlock when NFS is used for WAF file storage, in wfWAFAttackDataStorageFileEngine::addRow(). Fix: Added additional error handling to the blocked IP list to avoid outputting notices when another plugin resets the error handler. Fix: Worked around an issue with WordPress caching to allow password audits to succeed on sites with tens of thousands of users. To fully protect the investment youve made in your website you need to employ a defense in depth approach to security. Fix: Fixed an issue with some table prefixing where multisite installations with rare configurations could result in unknown table warnings. Open Safari then Settings > Safari > Advanced > Website Data > Remove All Website Data. Fix: Added a workaround for web email clients that erroneously encode some URL characters (e.g., #). Improvement: Speed optimizations for WAF rule compilation. Improvement: Added better crawler detection. Improvement: Now displaying scan time in a more readable format rather than total seconds. Improvement: Now performing malware scanning on all uploaded files in real-time. If you need help with a security issue, check out Wordfence Care, which offers hands-on support from our team, including dealing with a hacked site. Improvement: If WordPress auto-updates while a scan is running, the scan will self-abort and reschedule itself to try again later. Wordfence is widely acknowledged as the number one WordPress security research team in the World. Improvement: Better message for dashboard widget when no failed logins. Clear your cache and browsing data with a single click of a button. Fix: Fixed PHP notices that could occur when using the bulk delete/repair scan tools. Improvement: Added a check while in learning mode to verify the response is not 404 before whitelising. Yes. The "Delete Cache" button. Improvement: Switched the bundled select2 library to use to prefixed version to work around other plugins including older versions on our pages. Fix: Suppressed warnings on IP conversion functions when processing potentially incomplete data. Thanks Janek Vind. Fix: Fixed bug with multiple API calls to get_known_files. A password manager is a software service that helps you store and manage your passwords and helps you save time and frustration. Improvement: Minor changes to ensure compatibility with PHP 7.4. Fix: Fixed an issue where the block counts and total IPs blocked values on the dashboard might not agree. Improvement: All URLs are now checked against the Wordfence Domain Blocklist in addition to Googles. Improvement: Added additional constants to the diagnostics page. Security Fix: Fixed reflected XSS vulnerability: CVSS 6.1 (Medium). Improvement: Enhanced the detection ability of the WAF for SQLi attacks. Fix: Added throttling to sync the WAF attack data. Fix: Addressed an issue where the increased attack rate emails would send repeatedly if the threshold value was missing. Fix: Fixed the bulk repair function in the scan results when it included core files. Improvement: Disabling Wordfence now sends an alert. Fix: Fixed IPv6 warning in the dashboard widget. Improvement: Reworked blocking for IP ranges, country blocking, and direct IP blocking to minimize server impact when under attack. Improvement: Prevent Wordfence from loading under