Wordfence Security – Firewall & Malware Scan

Registro de cambios

7.8.0 – November 28, 2022

• Improvement: Added feedback when login form is submitted with 2FA
• Fix: Restored click support on login button when using 2FA with WooCommerce
• Fix: Corrected display issue with reCAPTCHA score history graph
• Fix: Prevented errors on PHP caused by corrupted login timestamps
• Fix: Prevented deprecation notices on PHP 8.2 related to dynamic properties
• Change: Updated Wordfence registration workflow

7.7.1 – October 4, 2022

• Fix: Prevented scan resume attempts from repeating indefinitely when the initial scan stage fails

7.7.0 – October 3, 2022

• Improvement: Added configurable scan resume functionality to prevent scan failures on sites with intermittent connectivity issues
• Improvement: Added new scan result for vulnerabilities found in plugins that do not have patched versions available via WordPress.org
• Improvement: Implemented stand-alone MMDB reader for IP address lookups to prevent plugin conflicts and support additional PHP versions
• Improvement: Added option to disable looking up IP address locations via the Wordfence API
• Improvement: Prevented successful logins from resetting brute force counters
• Improvement: Clarified IPv6 diagnostic
• Improvement: Included maximum number of days in live traffic option text
• Fix: Made timezones consistent on firewall page
• Fix: Added «Use only IPv4 to start scans» option to search
• Fix: Prevented deprecation notices on PHP 8.1 when emailing the activity log
• Fix: Prevented warning on PHP 8 related to process owner diagnostic
• Fix: Prevented PHP Code Sniffer false positive related to T_BAD_CHARACTER
• Fix: Removed unsupported beta feed option

7.6.2 – September 19, 2022

• Improvement: Hardened 2FA login flow to reduce exposure in cases where an attacker is able to obtain privileged information from the database

7.6.1 – September 6, 2022

• Fix: Prevented XSS that would have required admin privileges to exploit (CVE-2022-3144)

7.6.0 – July 28, 2022

• Improvement: Added option to start scans using only IPv4
• Improvement: Added diagnostic for internal IPv6 connectivity to site
• Improvement: Added AUTOMATIC_UPDATER_DISABLED diagnostic
• Improvement: Updated password strength check
• Improvement: Added support for scanning plugin/theme files in when using the WP_CONTENT_DIR/WP_PLUGIN_DIR constants
• Improvement: Updated GeoIP database
• Improvement: Made DISABLE_WP_CRON diagnostic more clear
• Improvement: Added «Hostname» to Live Traffic message displayed for hostname blocking
• Improvement: Improved compatibility with Flywheel hosting
• Improvement: Adopted semantic versioning
• Improvement: Added support for dynamic cookie redaction patterns when logging requests
• Fix: Prevented scanned paths from being displayed as skipped in rare cases
• Fix: Corrected indexed files count in scan messages
• Fix: Prevented overlapping AJAX requests when viewing Live Traffic on slower servers
• Fix: Corrected WP_DEBUG_DISPLAY diagnostic
• Fix: Prevented extraneous warnings caused by DNS resolution failures
• Fix: Corrected display issue with Save/Cancel buttons on All Options page
• Fix: Prevented errors caused by WHOIS searches for invalid values

7.5.11 – June 14, 2022

• Improvement: Added option to toggle display of last login column on WP Users page
• Improvement: Improved autocomplete support for 2FA code on Apple devices
• Improvement: Prevented Batcache from caching block pages
• Improvement: Updated GeoIP database
• Fix: Prevented extraneous scan results when non-existent paths are configured using UPLOADS and related constants
• Fix: Corrected issue that prevented reCAPTCHA scores from being recorded
• Fix: Prevented invalid JSON setting values from triggering fatal errors
• Fix: Made text domains consistent for translation support
• Fix: Clarified that allowlisted IP addresses also bypass reCAPTCHA

7.5.10 – May 17, 2022

• Improvement: Improved scan support for sites with non-standard directory structures
• Improvement: Increased accuracy of executable PHP upload detection
• Improvement: Addressed various deprecation notices with PHP 8.1
• Improvement: Improved handling of invalidated license keys
• Fix: Corrected lost password redirect URL when used with WooCommerce
• Fix: Prevented errors when live traffic data exceeds database column length
• Fix: Prevented bulk password resets from locking out admins
• Fix: Corrected issue that prevented saving country blocking settings in certain cases
• Change: Updated copyright information

7.5.9 – March 22, 2022

• Improvement: Updated GeoIP database
• Improvement: Removed blocking data update logic in order to reduce timeouts
• Improvement: Increased timeout value for API calls in order to reduce timeouts
• Improvement: Clarified notification count on Wordfence menu
• Improvement: Improved scan compatibility with WooCommerce
• Improvement: Added messaging when application passwords are disabled
• Fix: Prevented warnings and errors when constants are defined based on the value of other constants in wp-config.php
• Fix: Corrected redundant escaping that prevented viewing or repairing files in scan results

7.5.8 – February 1, 2022

• Launch of Wordfence Care and Wordfence Response

7.5.7 – November 22, 2021

• Improvement: Made preliminary changes for compatibility with PHP 8.1
• Change: Added GPLv3 license and updated EULA

7.5.6 – October 18, 2021

• Fix: Prevented login errors with WooCommerce integration when manual username entry is enabled on the WooCommerce registration form
• Fix: Corrected theme incompatibilities with WooCommerce integration

7.5.5 – August 16, 2021

• Improvement: Enhanced accessibility
• Improvement: Replaced regex in scan log with signature ID
• Improvement: Updated Knockout JS dependency to version 3.5.1
• Improvement: Removed PHP 8 compatibility notice
• Improvement: Added NTP status for Login Security to Diagnostics
• Improvement: Updated plugin headers for compatibility with WordPress 5.8
• Improvement: Updated Nginx documentation links to HTTPS
• Improvement: Updated IP address geolocation database
• Improvement: Expanded WAF SQL syntax support
• Improvement: Added optional constants to configure WAF database connection
• Improvement: Added support for matching punycode domain names
• Improvement: Updated Wordfence install count
• Improvement: Deprecated support for WordPress versions older than 4.4.0
• Improvement: Added warning messages when blocking U.S.
• Improvement: Added MYSQLI_CLIENT_SSL support to WAF database connection
• Improvement: Added 2FA and reCAPTCHA support for WooCommerce login and registration forms
• Improvement: Added option to require 2FA for any role
• Improvement: Added logic to automatically disable NTP after repeated failures and option to manually disable NTP
• Improvement: Updated reCAPTCHA setup note
• Fix: Prevented issue where country blocking changes are not saved
• Fix: Corrected string placeholder
• Fix: Added missing text domain to translation calls
• Fix: Corrected warning about sprintf arguments on Central setup page
• Fix: Prevented lost password functionality from revealing valid logins

7.5.4 – June 7, 2021

• Fix: Resolve conflict with woocommerce-gateway-amazon-payments-advanced plugin

7.5.3 – May 10, 2021

• Improvement: Expanded WAF capabilities including better JSON and user permission handling
• Improvement: Switched to relative paths in WAF auto_prepend file to increase portability
• Improvement: Eliminated unnecessary calls to Wordfence servers
• Fix: Prevented errors on PHP 8.0 when disk_free_space and/or disk_total_space are included in disabled_functions
• Fix: Fixed PHP notices caused by unexpected plugin version data
• Fix: Gracefully handle unexpected responses from Wordfence servers
• Fix: Time field now displays correctly on «See Recent Traffic» overlay
• Fix: Corrected typo on Diagnostics page
• Fix: Corrected IP counts on activity report
• Fix: Added missing line break in scan result emails
• Fix: Sending test activity report now provides success/failure response
• Fix: Reduced SQLi false positives caused by comma-separated strings
• Fix: Fixed JS error when resolving last scan result

7.5.2 – March 24, 2021

• Fix: Fixed fatal error on single-sites running WordPress <4.9.

7.5.1 – 24 de marzo de 2021

• Fix: Fixed fatal error when viewing the Login Security settings page from an allowlisted IP.

7.5.0 – March 24, 2021

• Mejora: Preparación para la traducción: Ahora todas las cadenas de caracteres orientadas al usuario se ejecutan mediante las funciones i18n de WordPress.
• Mejora: Eliminar las funciones de administración heredadas que ya no se usan en la interfaz de usuario.
• Mejora: Actualización de la base de datos GeoIP local.
• Improvement: Remove Lynwood IP range from allowlist, and add new AWS IP range.
• Corrección: se corrigió el fallo al desbloquear una IP bloqueada sin restablecer correctamente sus contadores de fallos.
• Fix: Sites using deleted premium licenses correctly revert to free license behavior.
• Corrección: Cuando está activado, las cookies se establecen para los perfiles correctos en los dispositivos usados ​​anteriormente.
• Corrección: Los trabajos cron de WAF ahora se omiten cuando se ejecutan en la CLI.
• Fix: PHP 8.0 compatibility – prevent syntax error when linting files.
• Corrección: se corrigió el problema por el cual el aviso de PHP 8 a veces no se puede descartar.

7.4.14 – December 3, 2020

• Mejora: Añadidas opciones para desactivar las contraseñas de las aplicaciones.
• Mejora: Leyenda de limpieza del sitio actualizada con garantía de 1 año.
• Mejora: Actualizada la biblioteca sodium_compat a 1.13.0.
• Mejora: Se han sustituido los términos lista blanca y lista negra por lista de permitidos y lista de bloqueados.
• Mejora: Realizadas varias mejoras de compatibilidad con WordPress 5.6 y jQuery 3.x.
• Mejora: Realizadas varias mejoras de compatibilidad con PHP8.
• Mejora: Se ha añadido un aviso desechable que informa a los usuarios de posibles problemas de compatibilidad con PHP8.

7.4.12 – October 21, 2020

• Improvement: Initial integration of i18n in Wordfence.
• Improvement: Prevent Wordfence from loading under <PHP 5.3.
• Improvement: Updated GeoIP database.
• Improvement: Prevented wildcard from running/saving for scan’s excluded files pattern.
• Improvement: Included Wordfence Login Security tables in diagnostics missing table list.
• Fix: Removed new scan issues when WordPress update occurs mid-scan.
• Fix: Specified category when saving whitelistedServiceIPs to WAF storage engine.
• Corrección: Se eliminó la IP del host local para las alertas de correo electrónico de actualización automática.
• Fix: Fixed broken message in Live Traffic with MySQLi storage engine for blocklisted hits.
• Corrección: Se eliminaron los valores de parámetros opcionales para la compatibilidad con PHP 8.

7.4.11 – 27 de Agosto de 2020

• Improvement: Added diagnostic debug button to clear Wordfence Central connection data from the database.
• Improvement: Added help documentation links to modified plugin/theme file scan results.
• Fix: Prevent file system scan from following symlinks to root.
• Fix: Cleared pending plugin/theme update scan results and notification when a plugin/theme is auto-updated.
• Fix: Added check for when site is disconnected on Central’s end, but not in the plugin.

7.4.10 – 5 de Agosto de 2020

• Improvement: Prevent author sitemap from leaking usernames in WordPress >= 5.5.0.
• Fix: Prevent Wordfence auto-update from running if the user has enabled auto-update through WordPress.
• Fix: Added default permission_callback params to Wordfence Central REST routes.
• Fix: Fixed missing styling on WAF optimization admin notice.

7.4.9 – July 8, 2020

• Improvement: Added list of known malicious usernames to suspicious administrator scan.
• Improvement: Added ability for the WAF to determine if a given plugin/theme/core version is installed.
• Improvement: Added a feature to export a diagnostics report.
• Improvement: Add php_errorlog to the list of downloadable logs in diagnostics.
• Improvement: Added a prompt to allow user to download a backup prior to repairing files.
• Improvement: Prevent scan from failing when the home URL has changed and the key is no longer valid.
• Improvement: Deprecated PHP 5.3, and ended PHP 5.2 support by prevent auto-update from running on older versions.
• Fix: Fixed issue where WAF mysqli storage engine cannot find credentials if wflogs/ does not exist.
• Fix: Changed capability checked to read WP REST API users endpoint when «Prevent discovery of usernames through …» is enabled.
• Fix: Prevented duplicate queries for wordfenceCentralConnected wfconfig value.
• Fix: Prevented custom wp-content or other directories from appearing in «skipped paths» scan result, even when scanned.
• Fix: Login Attempts dashboard widget «Show more» link is not visible when long usernames and IPs cause wrapping.
• Fix: Fix typo in the readme.

7.4.8 – June 16, 2020

• Fix: Fixed issue with fatal errors encountered during activation under certain conditions.

7.4.7 – April 23, 2020

• Mejora: Actualizada la base de datos incluida de GeoIP.
• Improvement: Better messaging when selecting restrictive rate limits.
• Improvement: Scan result emails now include the count of issues that were found again.
• Improvement: Resolved scan issues will now email again if they reoccur.
• Improvement: Added the state/province name when applicable to geolocation displays in Live Traffic.
• Improvement: New blocking page design to better inform blocked visitors on how to resolve the block.
• Improvement: Custom WP_CONTENT_DIR, WP_PLUGIN_DIR, and UPLOADS path constants will now get scanned correctly.
• Improvement: Added TLS connection failure detection to brute force reporting and checking and a corresponding backoff period.
• Fix: Fixed an issue where a bad cron record could interfere with automatic WAF rule updates.
• Fix: Fixed a PHP warning that could occur if a bad response was received while updating an IP list.
• Fix: The new user tour and onboarding flow will now work correctly on the 2FA page.

7.4.6 – February 12, 2020

• Improvement: Enhanced the detection ability of the WAF for SQLi attacks.
• Improvement: Updated the bundled GeoIP database.
• Improvement: Modified some country names in the block configuration to align with those shown in Live Traffic.
• Change: Moved the skipped files scan check to the Server State category.
• Fix: Fixed an issue where after scrolling on the Live Traffic page, updates would no longer automatically load.
• Fix: Modified the number of login records kept to align better with Live Traffic so they’re trimmed around the same time.

7.4.5 – January 15, 2020

• Improvement: Improved WAF coverage for an Infinite WP authentication bypass vulnerability.

7.4.4 – January 14, 2020

• Fix: Fixed a UI issue where the scan summary status marker for malware didn’t always match the findings.

7.4.3 – January 13, 2020

• Improvement: Added WAF coverage for an Infinite WP authentication bypass vulnerability.
• Improvement: The malicious URL scan now includes protocol-relative URLs (e.g., //example.com)
• Improvement: Malware signatures are now better applied to large files read in multiple passes.
• Improvement: Added a scan issue that will appear when one or more paths are skipped due to scan settings excluding them.
• Changed: AJAX endpoints now send the application/json Content-Type header.
• Changed: Updated text on scan issues for plugins removed from wordpress.org to better indicate possible reasons.
• Changed: Added compatibility messaging for reCAPTCHA when WooCommerce is active.
• Fixed: Added missing $wp_query->set_404() call when outputting a 404 page on a custom action.
• Fixed: Fixed the logout username display in Live Traffic broken by a change in WordPress 5.3.
• Fixed: Improved the response callback used for the WAF status check during extended protection installation.
• Fixed: The «Require 2FA for all administrators» notice is now automatically dismissed if an administrator sets up 2FA.

7.4.2 – December 3, 2019

• Improvement: Increased performance of IP CIDR range comparisons.
• Improvement: Added parameter signature to remote scanning for better validation during forking.
• Change: Removed duplicate browser label in Live Traffic.
• Fix: Added compensation for PHP 7.4 deprecation notice with get_magic_quotes_gpc.
• Fix: Fixed potential notice in dashboard widget when no updates are found.
• Fix: Updated JS hashing library to compensate for a variable name collision that could occur.
• Fix: Fixed an issue where certain symlinks could cause a scan to erroneously skip files.
• Fix: Fixed PHP memory test for newer PHP versions whose optimizations prevented it from allocating memory as desired.

7.4.1 – November 6, 2019

• Improvement: Updated the bundled GeoIP database.
• Improvement: Minor changes to ensure compatibility with PHP 7.4.
• Improvement: Updated the WHOIS lookup for better reliability.
• Improvement: Added better diagnostic data when the WAF MySQL storage engine is active.
• Improvement: Improved the messaging when switching between premium and free licenses.
• Change: Deprecated DNS changes scan.
• Change: The plugin will no longer email alerts when Central is managing them.
• Fix: Added error suppression to ignore_user_abort calls to silence it on hosts with it disabled.
• Fix: Improved path generation to better avoid outputting extra slashes in URLs.
• Fix: Applied a length limit to malware reporting to avoid failures due to large content size.

7.4.0 – August 22, 2019

• Improvement: Added a MySQL-based configuration and data storage for the WAF to expand the number of hosting environments supported. For more detail, see: https://www.wordfence.com/help/firewall/mysqli-storage-engine/
• Mejora: Actualizada la base de datos incluida de GeoIP.
• Fix: Fixed several console notices when running via the CLI.

7.3.6 – July 31, 2019

• Improvement: Multiple «php.ini file in core directory» issues are now consolidated into a single issue for clearer scan results.
• Improvement: The AJAX error detection for false positive WAF blocks now better detects and processes the response for presenting the allowlisting prompt.
• Improvement: Added overdue cron detection and highlighting to diagnostics to help identify issues.
• Improvement: Added the necessary directives to exclude backwards compatibility code from creating warnings with phpcs for future compatibility with WP Tide.
• Improvement: Normalized all PHP require/include calls to use full paths for better code quality.
• Change: Removed deprecated high sensitivity scan option since current signatures are more accurate.
• Fix: Fixed the status circle tooltips not showing.
• Fix: IP detection at the WAF level better mirrors the main plugin exactly when using the automatic setting.
• Fix: Fixed a currently-unused code path in email address verification for the strict check.

7.3.5 – July 16, 2019

• Improvement: Improved tagging of the login endpoint for brute force protection.
• Improvement: Added additional information about reCAPTCHA to its setting control.
• Improvement: Added a constant that may be overridden to customize the expiration time of login verification email links.
• Improvement: reCAPTCHA keys are now tested on saving to prevent accidentally inputting a v2 key.
• Improvement: Added a setting to control the reCAPTCHA human/bot threshold.
• Improvement: Added a separate option to trigger removal of Login Security tables and data on deactivation.
• Improvement: Reworked the reCAPTCHA implementation to trigger the token check on login/registration form submission to avoid the token expiring.
• Fix: Widened the reCAPTCHA key fields to allow the full keys to be visible.
• Fix: Fixed encoding of the ellipsis character when reporting malware finds.
• Fix: Disabling the IP blocklist once again correctly clears the block cache.
• Fix: Addressed an issue when outbound UDP connections are blocked where the NTP check could log an error.
• Fix: Added handling for reCAPTCHA’s JavaScript failing to load, which previously blocked logging in.
• Fix: Fixed the functionality of the button to send 2FA grace period notifications.
• Fix: Fixed a missing icon for some help links when running in standalone mode.

7.3.4 – June 17, 2019

• Improvement: Added security events and alerting features built into Wordfence Central.

7.3.3 – June 11, 2019

• Improvement: Added support for managing the login security settings to Wordfence Central.
• Improvement: Updated the bundled root CA certificate store.
• Improvement: Added a check and update flow for mod_php hosts with only the PHP5 directive set for the WAF’s extended protection mode.
• Improvement: Added additional values to Diagnostics for debugging time-related issues, the new fatal error handler settings, and updated the PHP version check to reflect the new 5.6.20 requirement of WordPress.
• Change: Changed the autoloader for our copy of sodium_compat to always load after WordPress core does.
• Fix: Fixed the «removed from wordpress.org» detection for plugin, which was broken due to an API change.
• Fix: Fixed the bulk repair function in the scan results when it included core files.

7.3.2 – May 16, 2019

• Improvement: Updated sodium_compat to address an incompatibility that may occur with the pending WordPress 5.2.1 update.
• Improvement: Clarified text around the reCAPTCHA setting to indicate v3 keys must be used.
• Improvement: Added detection for Jetpack and a notice when XML-RPC authentication is disabled.
• Fix: Suppressed error messages on the NTP time check to compensate for hosts with UDP connections disabled.

7.3.1 – May 14, 2019

• Improvement: Two-factor authentication is new and improved, now available on all Premium and Free installations.
• Improvement: Added Google reCAPTCHA v3 support to the login and registration forms.
• Improvement: XML-RPC authentication may now be disabled or forced to require 2FA.
• Improvement: Reduced size of SVG assets.
• Improvement: Clarified text on «Maximum execution time for each scan stage» option.
• Improvement: Added detection for an additional config file that may be created and publicly visible on some hosts.
• Improvement: Improved detection for malformed malware scanning signatures.
• Change: Long-deprecated database tables will be removed.
• Change: Removed old performance logging code that’s no longer used.
• Fix: Addressed a log notice when using the See Recent Traffic feature in Live Traffic.
• Fix: WAF attack data now correctly includes JSON payloads when appropriate.
• Fix: Fixed the text for Live Traffic entries that include a redirection message.
• Fix: Fixed an issue with synchronizing scan issues to Wordfence Central that prevented stale issues from being cleared.

7.2.5 – April 18, 2019

• Improvement: Added additional data breach records to the breached password check.
• Improvement: Added the Accept-Encoding compression header to WAF-related requests for better performance during rule updates.
• Improvement: Updated to the current GeoIP database.
• Improvement: Added additional controls to the Wordfence Central connection page to better reflect the current connection state.
• Change: Updated the text on the option to alert for scan results of a certain severity.

7.2.4 – March 26, 2019

• Improvement: Updated vulnerability database integration.
• Improvement: Better messaging when a WAF rule update fails to better indicate the cause.
• Fix: Removed a double slash that could occur in an image path.
• Fix: Adjusted timeouts to improve reliability of WAF rule updates on slower servers.
• Fix: Improved connection process with Wordfence Central for better reliability on servers with non-standard paths.
• Fix: Switched to autoloader with fastMult enabled on sodum_compat to minimize connection issues.

7.2.3 – February 28, 2019

• Improvement: Country names are now shown instead of two letter codes where appropriate.
• Improvement: Updated the service allowlist to reflect additions to the Facebook IP ranges.
• Improvement: Added alerting for when the WAF is disabled for any reason.
• Improvement: Additional alerting and troubleshooting steps for WAF configuration issues.
• Change: Live Traffic human/bot status will additionally be based on the browscap record in security-only mode.
• Change: Added dismissible prompt to switch Live Traffic to security-only mode.
• Fix: The scan issues alerting option is now set correctly for new installations.
• Fix: Fixed a transparency issue with flags for Switzerland and Nepal.
• Fix: Fixed the malware link image rendering in scan issue emails and switched to always use https.
• Fix: WAF-related scheduled tasks are now more resilient to connection timeouts or memory issues.
• Fix: Fixed Wordfence Central connection flow within the first time experience.

7.2.2 – February 14, 2019

• Improvement: Updated GeoIP database.
• Fix: Syncing requests from Wordfence Central no longer appear in Live Traffic.
• Fix: Addressed some display issues with the Wordfence Central panel on the Wordfence Dashboard.

7.2.1 – February 5, 2019

• Improvement: Integrated Wordfence with Wordfence Central, a new service allowing you to manage multiple Wordfence installations from a single interface.
• Improvement: Added a help link to the mode display when a host disabling Live Traffic is active.
• Improvement: Added an option for allowlisting ManageWP in «Allowlisted Services».
• Fix: Enqueued fonts used in admin notices on all admin pages.
• Fix: Change false positive user-reports link to use https.
• Fix: Fix reference to non-existent function when registering menus.

7.1.20 – January 8, 2019

• Fix: Fixed a commit error with 7.1.19

7.1.19 – January 8, 2019

• Improvement: Speed optimizations for WAF rule compilation.
• Improvement: Added Kosovo to country blocking.
• Improvement: Additional flexibility for allowlist rules.
• Fix: Added compensation for really long file lists in the «Exclude files from scan» setting.
• Fix: Fixed an issue where the GeoIP database update check would never get marked as completed.
• Fix: Login credentials passed as arrays no longer trigger a PHP notice from our filters.
• Fix: Text fixes to the WAF nginx help text.

7.1.18 – December 4, 2018

• Improvement: Removed unused font glyph ranges to reduce file count and size.
• Improvement: Switched flags to use a CSS sprite to reduce file count and size.
• Improvement: Added dates to each release in the changelog.
• Change: Live Traffic now defaults to only logging security events on new installations.
• Change: Added an upper limit to the maximum scan stage execution time if not explicitly overridden.
• Fix: Changed WAF file handling to skip some file actions if running via the CLI.
• Fix: Fixed an issue that could prevent files beginning with a period from working with the file restore function.
• Fix: Improved layout of options page controls on small screens.
• Fix: Fixed a typo in the htaccess update panel.
• Fix: Added compensation for Windows path separators in the WAF config handling.
• Fix: Fixed handling of case-insensitive tables in the Diagnostics table check.
• Fix: Better messaging by the status circles when the WAF config is inaccessible or corrupt.
• Fix: REST API hits now correctly follow the «Don’t log signed-in users with publishing access» option.

7.1.17 – November 6, 2018

• Improvement: Increased frequency of filesystem permission check and update of the WAF config files.
• Improvement: More complete data removal when deactivating with remove tables and files checked.
• Improvement: Better diagnostics logging for GeoIP conflicts.
• Fix: Text fix in invalid username lockout message.
• Fix: PHP 7.3 syntax compatibility fixes.

7.1.16 – October 16, 2018

• Improvement: Service allowlisting can now be selectively toggled on or off per service.
• Mejora: Actualizada la base de datos incluida de GeoIP.
• Change: Removed the «Disable Wordfence Cookies» option as we’ve removed all cookies it affected.
• Change: Updates that refresh country statistics are more efficient and now only affect the most recent records.
• Change: Changed the title of the Wordfence Dashboard so it’s easier to identify when many tabs are open.
• Fix: Fixed an issue with country blocking and XML-RPC requests containing credentials.

7.1.15 – October 1, 2018

• Fix: Addressed a plugin conflict with the composer autoloader.

7.1.14 – October 1, 2018

• Improvement: Reduced queries and potential table size for rate limiting-related data.
• Improvement: Updated the internal browscap database.
• Improvement: Better error reporting for scan failures due to connectivity issues.
• Improvement: WAF-related file permissions will now lock down further when possible.
• Improvement: Hardening for sites on servers with insecure configuration, which should not be enabled on publicly accessible servers. Thanks Janek Vind.
• Change: Switched the minimum PHP version to 5.3.
• Fix: Prevent bypass of author enumeration prevention by using invalid parameters. Thanks Janek Vind.
• Fix: Wordfence crons will now automatically reschedule if missing for any reason.
• Fix: Fixed an issue where the block counts and total IPs blocked values on the dashboard might not agree.
• Fix: Corrected the message shown on Live Traffic when a country blocking bypass URL is used.
• Fix: Removed extra spacing in the example ranges for «Allowlisted IP addresses that bypass all rules»

7.1.12 – September 12, 2018

• Mejora: Actualizada la base de datos incluida de GeoIP.
• Improvement: Restructured the WAF configuration storage to be more resilient on hosts with no file locking support.
• Change: Moved the settings import/export to the Tools page.
• Change: New installations will now use lowercase table names to avoid issues with some backup plugins and Windows-based sites.
• Fix: The notice and repair link for an unreadable WAF configuration now work correctly.
• Fix: Improved appearance of some stat components on smaller screens.
• Fix: Fixed duplicate entries with different status codes appearing in detailed live traffic.
• Fix: Added better caching for the breached password check to compensate for sites that prevent the cache from expiring correctly.
• Fix: Changing the frequency of the activity summary email now reschedules it.

7.1.11 – August 21, 2018

• Improvement: Added a custom message field that will show on all block pages.
• Mejora: Mejorado el aspecto estándar para páginas de bloque.
• Mejora: Live Traffic ahora muestra mejor los inicios de sesión fallidos.
• Mejora: Añadida una constante para evitar el uso directo de MySQLi para alojamientos con configuraciones de base de datos no compatibles.
• Mejora: Los resultados del análisis de malware se han modificado para incluir tanto un identificador público como una descripción.
• Cambio: Descripción actualizada en la página de Live Traffic.
• Solución: Se eliminó un hash de archivo vacío de la antigua detección de archivos principales de WordPress.
• Solución: El bloqueo de actualización ahora funciona en sitios múltiples que han eliminado el sitio original.

7.1.10 – July 31, 2018

• Improvement: Better labeling in Live Traffic for 301 and 302 redirects.
• Improvement: Login timestamps are now displayed in the site’s configured time zone rather than UTC.
• Improvement: Added detection and a workaround for hosts with a non-functional MySQLi interface.
• Improvement: The prevent admin registration setting now works with WooCommerce’s registration flow.
• Improvement: For hosts with varying URL values (e.g., AWS instances), notification and alert links now correctly use the canonical admin URL.
• Fix: Fixed a layout problem with the live traffic disabled notice.
• Fix: The scan stage that checks «How does Wordfence get IPs?» no longer shows a warning if the call fails.

7.1.9 – July 12, 2018

• Improvement: Added an «unsubscribe» link to plugin-generated alerts.
• Improvement: Added some additional flags.
• Change: Removed some unnecessary files from the bundled GeoIP library.
• Change: Updated wording in the Terms of Use/Privacy Policy agreement UI.
• Change: The minimum «Lock out after how many login failures» is now 2.
• Change: The diagnostics report now includes the scan issues for easier debugging.
• Fix: Multiple improvements to automatic updating to avoid broken updates on sites with low resources or slow file systems.
• Fix: Better text wrapping in the top failed logins widget.
• Fix: Onboarding CSS/JS is now correctly enqueued for multisite installations.
• Fix: Fixed a missing asset with the bundled jQueryUI library.
• Fix: Fixed memory calculation when using PHP’s supported shorthand syntax.
• Fix: Better wrapping behavior on the reason column in the blocks table.
• Fix: Fixed an issue with an internal data structure to prevent error log entries when using mbstring functions.
• Fix: Improved bot detection when no user agent is sent.

7.1.8 – June 26, 2018

• Improvement: Better detection of removal status when uninstalling the WAF’s auto-prepend file.
• Improvement: Switched optional mailing list signup to go directly through our servers rather than a third party.
• Fix: Fixed the dashboard erroneously showing the payment method as missing for some payment methods.
• Fix: If a premium license is deleted from wordfence.com, the plugin will now automatically downgrade rather than get stuck in an intermediate state.
• Fix: Changed some wording to consistently use «License» or «License Key».

7.1.7 – June 5, 2018

• Improvement: Added better support for keyboard navigation of options.
• Improvement: staging. and dev. subdomains are now supported for sharing premium licenses.
• Improvement: Bundled our interface font to avoid loading from a remote source and reduced the pages some assets were loaded on.
• Improvement: Added option to trim Live Traffic records after a specific number of days.
• Improvement: Updated to the current GeoIP2 database.
• Improvement: Extended the automatic redaction applied to attack data that may include sensitive information.
• Change: Removed a no-longer-used API call.
• Fix: Fixed a few options that couldn’t be searched for on the all options page.
• Fix: Activity Report emails now detect and avoid symlink loops.

7.1.6 – May 22, 2018

• Fix: Added a workaround for sites with inaccessible WAF config files when reading php://input

7.1.5 – May 22, 2018

• Improvement: GDPR compliance updates.
• Improvement: The list of blocks now shows the most recently-added blocks at the top by default.
• Improvement: Added better table status display to Diagnostics to help with debugging.
• Improvement: Added deferred loading to Live Traffic avatars to improve performance with some plugins.
• Improvement: The server’s own IP is now automatically allowlisted for known safe requests.
• Fix: Added a workaround to Live Traffic human/bot detection to compensate for other scripts that modify our event handlers.
• Fix: Fixed an error with Live Traffic human/bot detection when plugins change the load order.
• Fix: Fixed auto-enabling of some controls when pasting values.
• Fix: Fixed an instance where http links could be generated for emails rather than https.

7.1.4 – May 2, 2018

• Improvement: Added additional XSS detection capabilities.
• Change: Initial preparation for GDPR compliance. Additional changes will be included in an upcoming release to meet the GDPR deadline.
• Change: Reworked Live Traffic/Rate Limiting human and bot detection to function without cookies.
• Change: Removed the wfvt_ cookie as it was no longer necessary.
• Change: Better debug messaging for scan forking.
• Fix: PHP deprecation notices no longer suppress those of old OpenSSL or WordPress.
• Fix: Fixes to the deprecated OpenSSL version detection and alerting to handle non-patch version numbers.
• Fix: Added detection for and fixed a very large pcre.backtrack_limit setting that could cause scans to fail, when modified by other plugins.
• Fix: Scan issue alert emails no longer incorrectly show high sensitivity was enabled.
• Fix: Fixed wrapping of long strings on the Diagnostics page.

7.1.3 – April 18, 2018

• Improvement: Improved the performance of our config table status check.
• Improvement: The IP address of the user activating Wordfence is now used by the breached password check until an admin successfully logs in.
• Improvement: Added several new error displays for scan failures to help diagnose and fix issues.
• Improvement: Added the block duration to alerts generated when an IP is blocked.
• Improvement: A text version of scan results is now included in the activity log email.
• Improvement: The WAF install/uninstall process no longer asks to backup files that do not exist.
• Change: Began a phased rollout of moving brute force queries to be https-only.
• Change: Added the initial deprecation notice for PHP 5.2.
• Change: Suppressed a script tag on the diagnostics page from being output in the email version.
• Fix: Addressed an issue where plugins that return a null user during authentication would cause a PHP notice to be logged.
• Fix: Fixed an issue where plugins that use non-standard version formatting could end up with a inaccurate vulnerability status.
• Fix: Added a workaround for web email clients that erroneously encode some URL characters (e.g., #).

7.1.2 – April 4, 2018

• Improvement: Added support for filtering the blocks list.
• Improvement: Added a flow for generating the WAF autoprepend file and retrieving the path for manual installations.
• Improvement: Added a variety of new data values to the Diagnostics page to aid in debugging issues.
• Improvement: SVG files now have the JavaScript-based malware signatures run against them.
• Improvement: More descriptive text for the scan issue email when there’s an unknown WordPress core version.
• Improvement: Added a dedicated error display that will show when a scan is detected as failed.
• Improvement: readme.html and wp-config-sample.php are no longer scanned for changes due to differences between languages (malware signatures still run).
• Improvement: When the license status changes, it now triggers a fresh pull of the WAF rules.
• Improvement: Added dedicated messaging for leftover WordPress core files that were not fully removed during upgrade.
• Improvement: Improved labeling in Live Traffic for hits blocked by the real-time IP blocklist.
• Improvement: Added forced wrapping to the file paths in the activity report email to avoid scroll bar overlap making them unreadable.
• Improvement: Updated the bundled GeoIP database.
• Improvement: Updated the bundled browscap database.
• Improvement: All emailed alerts now include a link to the generating site.
• Change: Minor text change to unify some terminology.
• Fix: Removed a remaining reference to the CDN version of Font Awesome.
• Fix: Removed an old reference to the pre-Wordfence 7.1 lockouts table.
• Fix: Scan results for malware detections in posts are no longer clickable.
• Fix: We now verify that there’s a valid email address defined before attempting to send an alert and filter out any invalid ones.
• Fix: Added a workaround for GoDaddy/Limit Login Attempts suppressing the 2FA prompting.

7.1.1 – March 20, 2018

• Improvement: Added the ability to sort the blocks table.
• Improvement: Added short-term caching of breach check results.
• Improvement: The check for passwords leaked in breaches now allows a login if the user has previously logged in from the same IP successfully and displays an admin notice suggesting changing the password.
• Improvement: Switched the bundled select2 library to use to prefixed version to work around other plugins including older versions on our pages.
• Improvement: The scan page now displays when beta signatures are enabled since they can produce false positives.
• Improvement: Improved positioning of the «Wordfence is Working» message.
• Improvement: Added a character limit to the reason on blocks and forced wrapping to avoid the layout stretching too much.
• Fix: Fixed an issue with some table prefixing where multisite installations with rare configurations could result in unknown table warnings.
• Fix: Removed an older behavior with live traffic buttons that could allow them to open in a new tab and show nothing.
• Fix: Added a check for sites with inaccurate disk space function results to avoid showing an issue.
• Fix: Added a secondary check to the email summary cron to avoid repeated sending if the cron list is corrupted.
• Fix: Fixed a typo on the Advanced Comment Spam Filter page.

7.1.0 – March 1, 2018

• Improvement: Added a new feature to prevent attackers from successfully logging in to admin accounts whose passwords have been in data breaches.
• Improvement: Added pagination support to the scan issues.
• Improvement: Improved time zone handling for the WAF’s learning mode.
• Improvement: Improved messaging on file-related scan issues when the file is wp-config.php.
• Improvement: Modified the appearance of the «How does Wordfence get IPs» option to be more clear.
• Improvement: Better messaging about the scan options that need to be enabled for free installations to achieve 100%.
• Improvement: The country blocking selection drawer behavior has been changed to now allow saving directly from it.
• Improvement: Increased the textarea size for the advanced firewall options to make editing easier.
• Improvement: The URL blocklist check now includes additional variants in some checks to more accurately match.
• Change: Adjusted messaging when blocks are loading.
• Change: Wording change for the option «Maximum execution time for each stage».
• Change: Permanent blocks now display «Permanent» rather than «Indefinite» for the expiration for consistency.
• Fix: Fixed the initial status code recorded for lockouts and blocks.
• Fix: Fixed PHP notices that could occur when using the bulk delete/repair scan tools.
• Fix: Improved the state updating for the scan bulk action buttons.
• Fix: Usernames in live traffic now correctly link to the corresponding profile page.
• Fix: Addressed a PHP warning that could occur if wordpress.org returned a certain format for the abandoned plugin check.
• Fix: Fixed a possible PHP notice when syncing attack data records without metadata attached.
• Fix: Modified the behavior of the disk space check to avoid a scan warning showing without an issue generated.
• Fix: Fixed a CSS glitch where the top controls could have extra space at the top when sites have long navigation menus.
• Fix: Updated some wording in the All Options search box.
• Fix: Removed an old link for «See Recent Traffic» on Live Traffic that went nowhere.

7.0.4 – February 12, 2018

• Change: Live Traffic records are no longer created for hits initiated by WP-CLI (e.g., manually running cron).
• Fix: Fixed an issue where the human/bot detection wasn’t functioning.

7.0.4

• Fix: Re-added missing file to fix commit excluding it.

7.0.3 – February 12, 2018

• Improvement: Added an «All Options» page to enable developers and others to more rapidly configure Wordfence.
• Improvement: Improved messaging for when a page has been open for more than a day and the security token expires.
• Improvement: Relocated the «Always display expanded Live Traffic records» option to be more accessible.
• Improvement: Improved appearance and behavior of option checkboxes.
• Improvement: For plugins with incomplete header information, they’re now shown with a fallback title in scan results as appropriate.
• Improvement: The country block rule in the blocks table now shows a count rather than a potentially large list of countries.
• Change: Modified behavior of the advanced country blocking options to always show.
• Fix: Fixed the «Make Permanent» button behavior for blocks created from Live Traffic.
• Fix: Better synchronization of block records to the WAF config to avoid duplicate queries.
• Fix: The diff viewer now forces wrapping to prevent long lines of text from stretching the layout.
• Fix: Fixed an issue where the scanned plugin count could be inaccurate due to forking during the plugin scan.
• Fix: Adjusted sizing on the country blocking options to prevent placeholder text from being cut off at some screen sizes.
• Fix: Block/Unblock now works correctly when viewing Live Traffic with it grouped by IP.
• Fix: Fixed an issue where the count of URLs checked was incorrect.

7.0.2 – January 31, 2018

• Improvement: Added CSS/JS filename versioning to address caching plugins not refreshing for plugin updates.
• Improvement: The premium key is no longer prompted for during installation if already present from an earlier version.
• Improvement: Added a check and corresponding notice if the WAF config is unreadable or invalid.
• Improvement: Improved live traffic sizing on smaller screens.
• Improvement: Added tour coverage for live traffic.
• Change: IPs blocked via live traffic now use the configurable how long is an IP blocked setting to match previous behavior.
• Change: Changed the option to enable live traffic to match the wording and style of other options.
• Change: Changed styling on the unknown country display in live traffic to match the common coloring.
• Change: Statistics that do not depend on the WAF for their data now display when it is in learning mode.
• Change: Scan issues that are indicative of a compromised site are moved to the top of the list.
• Change: Changed styling on unselected checkboxes.
• Fix: Quick scans no longer run daily if automatic scheduled scans are disabled.
• Fix: The update check in a quick scan no longer runs if the update check has been turned off for regular scans.
• Fix: Fixed the quick navigation letters in the country picker not scrolling.
• Fix: Fixed editing the country block configuration when there are a large number of other blocks.
• Fix: Addressed an issue where having the country block or a pattern block selected when clicking Make Permanent could break them.
• Fix: Live traffic entries with long user agents no longer cause the table to stretch.
• Fix: Fixed an issue where live traffic would stop loading new records if always display expanded records was on.
• Fix: Suppressed warnings on IP conversion functions when processing potentially incomplete data.
• Fix: Added a check in REST API hooks to avoid defining a constant twice.

7.0.1 – January 24, 2018

• Comprehensive UI refresh.
• Mejora: Actualizada la base de datos incluida de GeoIP.

6.3.22 – November 30, 2017

• Fix: Addressed a warning that could occur on PHP 7.1 when reading php.ini size values.
• Fix: Fixed a warning by adjusting a query to remove old-style variable references.

6.3.21 – November 1, 2017

• Mejora: Actualizada la base de datos incluida de GeoIP.
• Fix: Fixed a log warning that could occur during the scan for plugins not in the wordpress.org repository.

6.3.20 – October 12, 2017

• Improvement: The scan will now alert for a publicly visible .user.ini file.
• Fix: Fixed status code and human/bot tagging of block hit entries for live traffic and the Wordfence Security Network.
• Fix: Added internal throttling to ensure the daily cron does not run too frequently on some hosts.

6.3.19 – September 20, 2017

• Emergency Fix: Updated wpdb::prepare calls using %.6f since it is no longer supported.

6.3.18 – September 7, 2017

• Improvement: Reduced size of some JavaScript for faster loading.
• Improvement: Better block counting for advanced comment filtering.
• Improvement: Increased logging in debug mode for plugin updates to help resolve issues.
• Fix: Reduced the minimum duration of a scan stage to improve reliability on some hosts.

6.3.17 – August 24, 2017

• Improvement: Prepared code for upcoming scan improvement which will greatly increase scan performance by optimizing malware signatures.
• Improvement: Updated the bundled GeoIP database.
• Improvement: Better scan messaging when a publicly-reachable searchreplacedb2.php utility is found.
• Improvement: The no-cache constant for database caching is now set for W3TC for plugin updates and scans.
• Improvement: Added an additional home/siteurl resolution check for WPML installations.

6.3.16 – August 8, 2017

• Improvement: Introduced a new scan stage to check for malicious URLs and content within WordPress core, plugin, and theme options.
• Improvement: New scan stage includes a new check for TrafficTrade malware.
• Improvement: Reduced net memory usage during forked scan stages by up to 50%.
• Improvement: Reduced the number of queries executed for some configuration options.
• Improvement: Modified the default allowlisting to include the new core AJAX action in WordPress 4.8.1.
• Fix: Synchronized the scan option names between the main options page and smaller scan options page.
• Fix: Fixed CSS positioning issue for dashboard metabox with IPv6.
• Corrección: Corregido un error de compatibilidad con la sentencia del home_url de los sitios cuando está instalado WPML.

6.3.15 – July 24, 2017

• Improvement: Reduced memory usage on scan forking and during the known files scan stage.
• Improvement: Added additional scan options to allow for disabling the blocklist checks while still allowing malware scanning to be enabled.
• Improvement: Added a Wordfence Application Firewall code block for the lsapi variant of LiteSpeed.
• Improvement: Updated the bundled GeoIP database.
• Fix: Added a validation check to IP range allowlisting to avoid log warnings if they’re malformed.

6.3.14 – July 17, 2017

• Mejora: Introducción de la distribución de escaneo inteligente. Los tiempos de escaneo se distribuyen ahora de forma inteligente entre los servidores para proporcionar un rendimiento consistente del servidor.
• Mejora: introducción de escáner ligero que se ejecuta con frecuencia para realizar comprobaciones que no utilizan ningún recurso del servidor.
• Mejora: Si no puede buscar con éxito el estado de una IP que afirma ser Googlebot, el hit está permitido ahora.
• Mejora: Los resultados de los análisis para los complementos abandonados y las vulnerabilidades sin parches incluyen más información.
• Corrección: Suprimido el aviso PHP cuando se supera el tiempo de formateo de un microtimestamp.
• Corrección: Mejora de los datos binarios en la conversión de entidades HTML para evitar wpdb extracción fuera de rango de secuencias UTF-8
• Corrección: Añadido mejora de detección en el estado de SSL, especialmente para IIS.
• Corrección: Aviso PHP corregido en el renderizador diff.
• Corrección: Corregido el error tipográfico en la alerta de bloqueo.

6.3.12 – June 28, 2017

• Mejora: Se ajustó la auditoría de contraseñas para usar una mejor opción de relleno criptográfico.
• Mejora: Mejora el proceso de entrada de valor de opción para la lista de exclusión de archivos modificados.
• Mejora: Se agregó rel=»noopener noreferrer» a todos los enlaces externos desde el complemento para una mejor interoperabilidad con otros escáneres.
• Mejora: Se ha añadido soporte al WAF para validar las URL para uso futuro en las reglas.
• Corrección: El formateo de tiempo ahora manejará correctamente: 30 y: 45 offsets de zona horaria.
• Solución: Los hosts que utilizan mod_lsapi ahora serán detectados como Litespeed para la optimización WAF.
• Solución: Se ha agregado una opción para permitir que las actualizaciones automáticas funcionen en los servidores Litespeed que tienen el conjunto noabort global en lugar de local-local.
• Solución: Se corrigió un aviso de PHP que podría ocurrir al ejecutar un análisis inmediatamente después de eliminar un complemento.

6.3.11 – June 15, 2017

• Improvement: The scan will alert for plugins that have not been updated in 2+ years or have been removed from the wordpress.org directory. It will also indicate if there is a known vulnerability.
• Improvement: Added a self-check to the scan to detect if it has stalled.
• Mejora: si WordPress se actualiza automáticamente mientras se está ejecutando un análisis, el análisis se autoabortará y se reprogramará para volver a intentarlo más tarde.
• Mejora: El filtrado basado en IP en Live Traffic ahora puede usar comodines.
• Improvement: Updated the bundled GeoIP database.
• Mejora: Se agregó una característica anti-crawler a la página de bloqueo para evitar que los rastreadores sigan erróneamente el enlace de desbloqueo.
• Mejora: Las opciones de tráfico en vivo «Agrupar por» ahora muestran dinámicamente los resultados en un formato más útil dependiendo de la opción seleccionada.
• Mejora: Se ha mejorado la comprobación de los archivos de núcleo desconocidos para incluir todos los archivos adicionales en las ubicaciones principales, independientemente de si la opción «Escanear imágenes, archivos binarios y otros archivos como si fueran ejecutables» esté activada.
• Mejora: Mejor redacción para el mensaje de error de rango de IP de lista permitida.
• Solución: Solucionado un problema de rendimiento en bases de datos con decenas de miles de tablas al intentar cargar la página de diagnósticos.
• Solución: Toda la actividad del panel de control y los informes de correo electrónico se muestran ahora en la zona horaria configurada para la instalación de WordPress.

6.3.10 – June 1, 2017

• Improvement: Reduction in overall memory usage and peak memory usage for the scanner.
• Improvement: Support for exporting a list of all blocked and locked out IP addresses.
• Improvement: Updated the WAF’s CA certificate bundle.
• Improvement: Updated the browscap database.
• Improvement: Suppressed the automatic HTTP referer added by WordPress for API calls to reduce overall bandwidth usage.
• Improvement: When all issues for a scan stage have been previously ignored, the results now indicate this rather than saying problems were found.
• Fix: Worked around an issue with WordPress caching to allow password audits to succeed on sites with tens of thousands of users.
• Fix: Fixed an IPv6 detection issue with one form of IPv6 address.
• Fix: An empty ignored IP list for WAF alerts no longer creates a PHP notice.
• Fix: Better detection for when to use secure cookies.
• Fix: Fixed a couple issue types that were not able to be permanently ignored.
• Fix: Adjusted the changelog link in the scan results email to work for the new wordpress.org repository.
• Fix: Fixed some broken links in the activity summary email.
• Fix: Fixed a typo in the scan summary text.
• Fix: The increased attack rate emails now correctly identify blocklist blocks.
• Fix: Fixed an issue with the dashboard where it could show the last scan failed when one has never ran.
• Fix: Brute force records are now coalesced when possible prior to sending.

6.3.9 – May 17, 2017

• Improvement: Malware signature checking has been better optimized to improve overall speed.
• Improvement: Updated the bundled GeoIP database.
• Improvement: The memory tester now tests up to the configured scan limit rather than a fixed value.
• Improvement: Added a test to the diagnostics page that verifies permissions to the WAF config location.
• Improvement: The diagnostics page now contains a callback test for the server itself.
• Mejora: Actualización del estilo de las notificaciones del panel de control para una mejor separación.
• Mejora: Se agregaron constantes adicionales a la página de diagnóstico.
• Cambio: Wordfence ahora entra en un modo de sólo lectura con sus archivos de configuración cuando se ejecuta a través de la ‘cli’ PHP SAPI en un servidor web mal configurado para evitar el cambio de propiedad de archivo.
• Cambio: Se ha cambiado cómo se detectan las cuentas de administrador para compensar sitios de WordPress administrados que no tienen los permisos estándar.
• Cambio: La lista de la tabla en la página de diagnóstico está limitado en longitud para evitar ser excesivamente grande en grandes instalaciones de múltiples sitios.
• Solución: Actualización mejorada de los valores de configuración WAF para minimizar la escritura en disco.
• Fix: The blocklist’s blocked IP records are now correctly trimmed when expired.
• Fix: Added error suppression to the WAF attack data functions to prevent corrupt records from breaking the no-cache headers.
• Fix: Fixed some incorrect documentation links on the diagnostics page.
• Fix: Fixed a typo in a constant on the diagnostics page.

6.3.8 – May 2, 2017

• Fix: Addressed an issue that could cause scans to time out on sites with tens of thousands of potential URLs in files, comments, and posts.

6.3.7 – April 25, 2017

• Improvement: All URLs are now checked against the Wordfence Domain Blocklist in addition to Google’s.
• Improvement: Better page load performance for multisite installations with thousands of tables.
• Improvement: Updated the bundled GeoIP database.
• Improvement: Integrated blocklist blocking statistics into the dashboard for Premium users.
• Fix: Added locking to the automatic update process to ensure non-standard crons don’t break Wordfence.
• Fix: Fixed an activation error on multisite installations on very old WordPress versions.
• Fix: Adjusted the behavior of the blocklist toggle for Free users.

6.3.6 – April 5, 2017

• Improvement: Optimized the malware signature scan to reduce memory usage.
• Improvement: Optimized the overall scan to make fewer network calls.
• Improvement: Running an update now automatically dismisses the corresponding scan issue if present.
• Improvement: Added a time limit to the live activity status so only current messages are shown.
• Improvement: WAF configuration files are now excluded by default from the recently modified files list in the activity report.
• Improvement: Background pausing for live activity and traffic may now be disabled.
• Improvement: Added additional WAF support to allow us to more easily address false positives.
• Improvement: Blocking pages presented by Wordfence now indicate the source and contain information to help diagnose caching problems.
• Fix: All external URLs in the tour are now https.
• Fix: Corrected a typo in the unlock email template.
• Fix: Fixed the target of a label on the options page.

6.3.5 – March 23, 2017

• Improvement: Sites can now specify a list of trusted proxies when using X-Forwarded-For for IP resolution.
• Improvement: Added options to customize which dashboard notifications are shown.
• Improvement: Improvements to the scanner’s malware stage to avoid timing out on larger files.
• Improvement: Provided additional no-caching indicators for caches that erroneously save pages with HTTP error status codes.
• Improvement: Updated the bundled GeoIP database.
• Improvement: Optimized the country update process in the upgrade handler so it only updates changed records.
• Improvement: Added our own prefixed version of jQuery.DataTables to avoid conflicts with other plugins.
• Improvement: Changes to readme.txt and readme.md are now ignored by the scanner unless high sensitivity is on.
• Fix: Addressed an issue with multisite installations where they would execute the upgrade handler for each subsite.
• Fix: Added additional error handling to the blocked IP list to avoid outputting notices when another plugin resets the error handler.
• Fix: Made the description in the summary email for blocks resulting from the blocklist more descriptive.
• Fix: Updated the copyright date on several pages.
• Fix: Fixed incorrect wrapping of the Group by field on the live traffic page.

6.3.4 – March 13, 2017

• Improvement: Added a path for people blocked by the IP blocklist (Premium Feature) to report false positives.

6.3.3 – March 9, 2017

• New: Malicious IPs are now preemptively blocked by a regularly-updated blocklist. [Premium Feature]
• Improvement: Better layout and display for mobile screen sizes.
• Improvement: Dashboard chart data is now updated more frequently.
• Fix: Fixed database errors on notifications page on multisite installations.
• Fix: Fixed site URL detection for multisite installations.
• Fix: Fixed tour popup positioning on multisite.
• Fix: Increased the z-index of the AJAX error watcher alert.
• Fix: Addressed an additional way to enumerate authors with the REST JSON API.

6.3.2 – February 23, 2017

• Improvement: Improved the WAF’s ability to inspect POST bodies.
• Improvement: Dashboard now shows up to 100 each of failed/successful logins.
• Improvement: Updated internal GeoIP database.
• Improvement: Updated internal browscap database.
• Improvement: Better documentation on Country Blocking regarding Google AdWords
• Advanced: Added constant «WORDFENCE_DISABLE_FILE_VIEWER» to prohibit file-viewing actions from Wordfence.
• Advanced: Added constant «WORDFENCE_DISABLE_LIVE_TRAFFIC» to prohibit live traffic from capturing regular site visits.
• Fix: Fixed a few links that didn’t open the correct configuration pages.
• Fix: Unknown countries in the dashboard now show «Unknown» rather than empty.

6.3.1 – February 7, 2017

• Improvement: Locked out IPs are now enforced at the WAF level to reduce server load.
• Improvement: Added a «Show more» link to the IP block list and login attempts list.
• Improvement: Added network data for the top countries blocked list.
• Improvement: Added a notification when a premium key is installed on one site but registered for another URL.
• Improvement: Switching tabs in the various pages now updates the page title as well.
• Improvement: Various styling consistency improvements.
• Change: Separated the various blocking-related pages out from the Firewall top-level menu into «Blocking».
• Fix: Improved compatibility with our GeoIP interface.
• Fix: The updates available notification is refreshed after updates are installed.
• Fix: The scan notification is refreshed when issues are resolved or ignored.

6.3.0 – January 26, 2017

• Enhancement: Added Wordfence Dashboard for quick overview of security activity.
• Improvement: Simplified the UI by revamping menu structure and styling.
• Fix: Fixed minor issue with REST API user enumeration blocking.
• Fix: Fixed undefined index notices on password audit page.

6.2.10 – January 12, 2017

• Improvement: Better reporting for failed brute force login attempts.
• Change: Reworded setting for ignored IPs in the WAF alert email.
• Change: Updated support link on scan page.
• Fix: When a key is in place on multiple sites, it’s now possible to downgrade the ones not registered for it.
• Fix: Addressed an issue where the increased attack rate emails would send repeatedly if the threshold value was missing.
• Fix: Typo fix in firewall rule 11 name.

6.2.9 – December 27, 2016

• Improvement: Updated internal GeoIP database.
• Improvement: Better error handling when a site is unreachable publicly.
• Fix: Fixed a URL in alert emails that did not correctly detect when sent from a multisite installation.
• Fix: Addressed an issue where the scan did not alert about a new WordPress version.

6.2.8 – December 12, 2016

• Improvement: Added support for hiding the username information revealed by the WordPress 4.7 REST API. Thanks Vladimir Smitka.
• Improvement: Added vulnerability scanning for themes.
• Improvement: Reduced memory usage by up to 90% when scanning comments.
• Improvement: Performance improvements for the dashboard widget.
• Improvement: Added progressive loading of addresses on the blocked IP list.
• Improvement: The diagnostics page now displays a config reading/writing test.
• Change: Support for the Falcon cache has been removed.
• Fix: Better messaging when the WAF rules are manually updated.
• Fix: The proxy detection check frequency has been reduced and no longer alerts if the server is unreachable.
• Fix: Adjusted the behavior of parsing the X-Forwarded-For header for better accuracy. Thanks Jason Woods.
• Fix: Typo fix on the options page.
• Fix: Scan issue for known core file now shows the correct links.
• Fix: Links in «unlock» emails now work for IPv6 and IPv4-mapped-IPv6 addresses.
• Fix: Restricted caching of responses from the Wordfence Security Network.
• Fix: Fixed a recording issue with Wordfence Security Network statistics.

6.2.7 – December 1, 2016

• Improvement: WordPress 4.7 improvements for the Web Application Firewall.
• Improvement: Updated signatures for hash-based malware detection.
• Improvement: Automatically attempt to detect when a site is behind a proxy and has IP information in a different field.
• Improvement: Added additional contextual help links.
• Improvement: Significant performance improvement for determining the connecting IP.
• Improvement: Better messaging for two-factor recovery codes.
• Fix: Adjusted message when trying to block an IP in the allowlist.
• Fix: Error log download links now work on Windows servers.
• Fix: Avoid running out of memory when viewing very large activity logs.
• Fix: Fixed warning that could be logged when following an unlock email link.
• Fix: Tour popups on options page now scroll into view correctly.

6.2.6 – November 17, 2016

• Improvement: Improved formatting of attack data when it contains binary characters.
• Improvement: Updated internal GeoIP database.
• Improvement: Improved the ordering of rules in the malware scan so more specific rules are checked first.
• Fix: Country blocking redirects are no longer allowed to be cached.
• Fix: Fixed an issue with 2FA on multisite where the site could report URLs with different schemes depending on the state of plugin loading.

6.2.5 – November 9, 2016

• Fix: Fixed an issue that could occur on older WordPress versions when processing login attempts

6.2.4 – November 9, 2016

• Improvement: Scan times for very large sites with huge numbers of files are greatly improved.
• Improvement: Added a configurable time limit for scans to help reduce overall server load and identify configuration problems.
• Improvement: Email-based logins are now covered by «Don’t let WordPress reveal valid users in login errors».
• Improvement: Extended rate limiting support to the login page.
• Fix: Fixed a case where files in the site root with issues could have them added multiple times.
• Fix: Improved IP detection in the WAF when using an IP detection method that can have multiple values.
• Fix: Added a safety check for when the database fails to return its max_allowed_packet value.
• Fix: Added safety checks for when the configuration table migration has failed.
• Fix: Added a couple rare failed login error codes to brute force detection.
• Fix: Fixed a sequencing problem when adding detection for bot/human that led to it being called on every request.
• Fix: Suppressed errors if a file is removed between the start of a scan and later scan stages.
• Fix: Addressed a problem where the scan exclusions list was not checked correctly in some situations.

6.2.3 – October 26, 2016

• Improvement: Reworked blocking for IP ranges, country blocking, and direct IP blocking to minimize server impact when under attack.
• Improvement: Live traffic better indicates the action taken by country blocking when it redirects a visitor.
• Improvement: Added support for finding server logs to the Diagnostics page to help with troubleshooting.
• Improvement: Allowlisted StatusCake IP addresses.
• Improvement: Updated GeoIP database.
• Improvement: Disabling Wordfence now sends an alert.
• Improvement: Improved detection for uploaded PHP content in the firewall.
• Fix: Eliminated memory-related errors resulting from the scan on sites with very large numbers of issues and low memory.
• Fix: Fixed admin page layout for sites using RTL languages.
• Fix: Reduced overhead of the dashboard widget.
• Fix: Improved performance of checking for Allowlisted IPs.
• Fix: Changes to the default plugin hello.php are now detected correctly in scans.
• Fix: Fixed IPv6 warning in the dashboard widget.

6.2.2 – October 12, 2016

• Fix: Replaced a slow query in the dashboard widget that could affect sites with very large numbers of users.

6.2.1 – October 11, 2016

• Improvement: Now performing scanning for PHP code in all uploaded files in real-time.
• Improvement: Improved handling of bad characters and IPv6 ranges in Advanced Blocking.
• Improvement: Live traffic and scanning activity now display a paused notice when real-time updates are suspended while in the background.
• Improvement: The file system scan alerts for files flagged by antivirus software with a ‘.suspected’ extension.
• Improvement: New alert option to get notified only when logins are from a new location/device.
• Change: First phase for removing the Falcon cache in place, which will add a notice of its pending removal.
• Fix: Included country flags for Kosovo and Curaçao.
• Fix: Fixed the .htaccess directives used to hide files found by the scanner.
• Fix: Dashboard widget shows correct status for failed logins by deleted users.
• Fix: Removed duplicate issues for modified files in the scan results.
• Fix: Suppressed warning from reverse lookup on IPv6 addresses without valid DNS records.
• Fix: Fixed file inclusion error with themes lacking a 404 page.
• Fix: CSS fixes for activity report email.

6.2.0 – September 27, 2016

• Improvement: Massive performance boost in file system scan.
• Improvement: Added low resource usage scan option for shared hosts.
• Improvement: Aggregated login attempts when checking the Wordfence Security Network for brute force attackers to reduce total requests.
• Improvement: Now displaying scan time in a more readable format rather than total seconds.
• Improvement: Added PHP7 compatible .htaccess directives to disable code execution within uploads directory.
• Fix: Added throttling to sync the WAF attack data.
• Fix: Removed unnecessary single quote in copy containing «IP’s».
• Fix: Fixed rare, edge case where cron key does not match the key in the database.
• Fix: Fixed bug with regex matching carriage returns in the .htaccess based IP block list.
• Fix: Fixed scans failing in subdirectory sites when updating malware signatures.
• Fix: Fixed infinite loop in scan caused by symlinks.
• Fix: Remove extra slash from «File restored OK» message in scan results.

6.1.17 – September 9, 2016

• Fix: Replaced calls to json_decode with our own implentation for hosts without the JSON extension enabled.

6.1.16 – September 8, 2016

• Improvement: Now performing malware scanning on all uploaded files in real-time.
• Improvement: Added Web Application Firewall activity to Wordfence summary email.
• Fix: Now using 503 response code in the page displayed when an IP is locked out.
• Fix: wflogs directory is now correctly removed on uninstall.
• Fix: Fixed recently introduced bug which caused the Allowlisted 404 URLs feature to no longer work.
• Fix: Added try/catch to uncaught exception thrown when pinging the API key.
• Improvement: Improved performance of the Live Traffic page in Firefox.
• Improvement: Updated GeoIP database.

6.1.15 – August 25, 2016

• Improvement: Removed file-based config caching, added support for caching via WordPress’s object cache.
• Improvement: Allowlisted Uptime Robot’s IP range.
• Fix: Notify users if suPHP_ConfigPath is in their WAF setup, and prompt to update Extended Protection.
• Fix: Fixed bug with allowing logins on admin accounts that are not fully activated with invalid 2FA codes when 2FA is required for all admins.
• Fix: Removed usage of wp_get_sites() which was deprecated in WordPress 4.6.
• Fix: Fixed PHP notice from Undefined index: url with custom/premium plugins.
• Improvement: Converted the banned URLs input to a textarea.

6.1.14 – August 11, 2016

• Improvement: Support downloading a file of 2FA recovery codes.
• Fix: Fixed PHP Notice: Undefined index: coreUnknown during scans.
• Improvement: Add note to options page that login security is necessary for 2FA to work.
• Fix: Fixed WAF false positives introduced with WordPress 4.6.
• Improvement: Update Geo IP database.

6.1.12 – July 26, 2016

• Fix: Fixed fatal error on sites running Wordfence 6.1.11 in subdirectory and 6.1.10 or lower in parent directory.
• Fix: Added a few common files to be excluded from unknown WordPress core file scan.

6.1.11 – July 25, 2016

• Improvement: Alert on added files to wp-admin, wp-includes.
• Improvement: 2FA is now available via any authenticator program that accepts TOTP secrets.
• Fix: Fixed bug with specific Advanced Blocking user-agent patterns causing 500 errors.
• Improvement: Plugin updates are now only a critical issue if there is a security related fix, and a warning otherwise. A link to the changelog is included.
• Fix: Added group writable permissions to Firewall’s configuration files.
• Improvement: Changed allowlist entry area to textbox on options page.
• Fix: Move flags and logo served from wordfence.com over to locally hosted files.
• Fix: Fixed issues with scan in WordPress 4.6 beta.
• Fix: Fixed bug where Firewall rules could be missing on some sites running IIS.
• Improvement: Added browser-based malware signatures for .js, .html files in the malware scan.
• Fix: Added error suppression to dns_get_record.

6.1.10 – June 22, 2016

• Fix: Fixed fatal error in the event wflogs is not writable.

6.1.9 – June 21, 2016

• Fix: Using WP-CLI causes error Undefined index: SERVER_NAME.
• Improvement: Hooked up restore/delete file scan tools to Filesystem API.
• Fix: Reworked country blocking authentication check for access to XMLRPC.
• Improvement: Added option to require cellphone sign-in on all admin accounts.
• Improvement: Updated IPv6 GeoIP lite data.
• Fix: Removed suPHP_ConfigPath from WAF installation process.
• Fix: Prevent author names from being found through /wp-json/oembed.
• Improvement: Added better solutions for fixing wordfence-waf.php, .user.ini, or .htaccess in scan.
• Improvement: Added a method to view which files are currently used for WAF and to remove without reinstalling Wordfence.
• Improvement: Changed rule compilation to use atomic writes.
• Improvement: Removed security levels from Options page.
• Improvement: Added option to disable ajaxwatcher (for allowlisting only for Admins) on the front end.

6.1.8 – May 26, 2016

• Fix: Change wfConfig::set_ser to split large objects into multiple queries.
• Fix: Fixed bug in multisite with «You do not have sufficient permissions to access this page» error after logging in.
• Improvement: Update Geo IP database.
• Fix: Fixed deadlock when NFS is used for WAF file storage, in wfWAFAttackDataStorageFileEngine::addRow().
• Fix: Added third param to http_build_query for hosts with arg_separator.output set.
• Improvement: Show admin notice if WAF blocks an admin (mainly needed for ajax requests).
• Improvement: Clarify error message «Error reading config data, configuration file could be corrupted.»
• Improvement: Added better crawler detection.
• Improvement: Add currentUserIsNot(‘administrator’) to any generic firewall rules that are not XSS based.
• Improvement: Update URLs in Wordfence for documentation about LiteSpeed and lockouts.
• Improvement: Show message on scan results when a result is caused by enabling «Scan images and binary files as if they were executable» or…
• Fix: Suppressed warning: dns_get_record(): DNS Query failed.
• Fix: Suppressed warning gzinflate() error in scan logs.
• Fix: On WAF roadblock page: Warning: urlencode() expects parameter 1 to be string, array given …
• Fix: Scheduled update for WAF rules doesn’t decrease from 7 days, to 12 hours, when upgrading to a premium account.
• Improvement: Better message for dashboard widget when no failed logins.

6.1.7 – May 10, 2016

• Security Fix: Fixed reflected XSS vulnerability: CVSS 6.1 (Medium). Thanks Kacper Szurek.

6.1.6 – May 9, 2016

• Fix: Fixed bug with 2FA not properly handling email address login.
• Fix: Show logins/logouts when Live Traffic is disabled.
• Fix: Fixed bug with PCRE versions < 7.0 (repeated subpattern is too long).
• Fix: Now able to delete allowlisted URL/params containing ampersands and non-UTF8 characters.
• Improvement: Reduced 2FA activation code to expire after 30 days.
• Improvement: Live Traffic now only shows verified Googlebot under Google Crawler filter for new visits.
• Improvement: Adjusted permissions on Firewall log/config files to be 0640.
• Fix: Fixed false positive from Maldet in the wfConfig table during the scan.

6.1.5 – April 28, 2016

• Corrección: Los archivos de idioma de WordPress ya no se marcan como modificados.
• Improvement: Accept wildcards in «Immediately block IP’s that access these URLs.»
• Fix: Fixed bug when multiple authors have published posts, /?author=N scans show an author archive page.
• Fix: Fixed issue with IPv6 mapped IPv4 addresses not being treated as IPv4.
• Improvement: Added WordPress version and various constants to Diagnostics report.
• Corrección: Corregido un fallo con los usuarios de Windows que no podían guardar la configuración del cortafuegos.
• Improvement: Include option for IIS on Windows in Firewall config process, and recommend manual php.ini change only.
• Fix: Made the ‘administrator email address’ admin notice dismissable.

6.1.4 – April 20, 2016

• Fix: Fixed potential bug with ‘stored data not found after a fork. Got type: boolean’.
• Improvement: Added bulk actions and filters to WAF allowlist table.
• Improvement: Added a check while in learning mode to verify the response is not 404 before whitelising.
• Fix: Added index to attackLogTime. wfHits trimmed on runInstall now.
• Fix: Fixed attack data sync for hosts that cannot use wp-cron.
• Improvement: Use [email protected] as the Diagnostics page default email address.
• Improvement: When WFWAF_ENABLED is set to false to disable the firewall, show this on the Firewall page.
• Fix: Prevent warnings when $_SERVER is empty.
• Fix: Bug fix for illegal string offset.
• Fix: Hooked up multibyte string functions to binary safe equivalents.
• Fix: Hooked up reverse IP lookup in Live Traffic.
• Fix: Add the user the web server (or PHP) is currently running as to Diagnostics page.
• Improvement: Pause Live Traffic after scrolling past the first entry.
• Improvement: Move «Permanently block all temporarily blocked IP addresses» button to top of blocked IP list.
• Fix: Added JSON fallback for PHP installations that don’t have JSON enabled.

6.1.3 – April 14, 2016

• Improvement: Added dismiss button to the Wordfence WAF setup admin notice.
• Fix: Removed .htaccess and .user.ini from publicly accessible config and backup file scan.
• Fix: Removed the disallow file mods for admins created outside of WordPress.
• Fix: Fixed bug with ‘Hide WordPress version’ causing issues with reCAPTCHA.
• Improvement: Added instructions for NGINX users to restrict access to .user.ini during Firewall configuration.
• Corrección: Corregido un fallo con múltiples llamadas a la API a `get_known_files`.

6.1.2 – April 12, 2016

• Fix: Fixed fatal error when using a allowlisted IPv6 range and connecting with an IPv6 address.

6.1.1 – April 12, 2016

• Mejora: Añadido el cortafuegos de aplicaciones web
• Mejora: Añadida la página de diagnósticos
• Enhancement: Added new scans:
  • Admins created outside of WordPress
  • Publicly accessible common (database or wp-config.php) backup files
• Improvement: Updated Live Traffic with filters and to include blocked requests in the feed.

You can find a complete changelog on our documentation site.