Announcing a new Firewall, a Threat Defense Feed and a New Approach

This morning at 9am Pacific time we rolled out a new kind of firewall to over 1 million active WordPress websites. The new Wordfence firewall comes with a Threat Defense Feed that updates our firewall as new threats emerge. It also continuously updates our malware scan as we discover new malware patterns through our forensic research.

If you have auto-update enabled in Wordfence, you will automatically be upgraded to 6.1.1 today, which includes the new firewall and features. You can manually update by signing into your WordPress site and upgrading Wordfence to 6.1.1, or you can download Wordfence from the official WordPress plugin repository.

I want to share with you some of the journey that we took to arrive at this day. About 9 months ago we took a long hard look at Wordfence and asked the question: “How can we do a better job of stopping hacks and detecting them early?”

We also looked at existing firewall providers and discovered they could be doing a better job. And then we looked at our own malware scan and realized that it could benefit from a few improvements.

So we set ourselves an ambitious goal:

  • Build an excellent forensic analysis team to discover the newest malware infections and new attacks that are used to break into sites.
  • Build a new kind of firewall that stops all attacks immediately, including zero day and emerging attacks.
  • Radically improve intelligence in our scan.
  • Continually feed the data our forensic team uncovers into our firewall and scan.

We worked for 7 months on the project and about 2 months ago we thought we had finished the firewall. But then we discovered a way to radically improve our protection against SQL injection attacks. It meant building an SQL parser into Wordfence that is both extremely fast and is able to understand SQL the way a database does and determine if something is malicious or not. It was worth taking the extra time to include this important functionality and so we did exactly that.

Then, a few weeks ago, we once again thought we were ready, and we realized we could build protection against privilege escalation attacks into the firewall. When you run Wordfence’s firewall, it knows who your users are, so the firewall is able to make more intelligent decisions about what to block. So we went ahead and built that into Wordfence 6.1.1 too.

Instead of letting the marketing team rule, we gave the engineers enough space to solve these very hard problems with innovative solutions.

During the past month we have been quietly beta testing Wordfence 6.1.1 and our beta community has been an invaluable source of feedback and bug reports. Thank you very much to everyone who kindly participated in our public beta testing. You have helped turn Wordfence 6.1.1 into a rock solid enterprise-ready WordPress protector.

We have also been running Wordfence 6.1.1 Beta on this site for longer than a month and it has worked perfectly. At times we have had over 3,000 concurrent users on the site and huge traffic spikes. Last Thursday and Friday, thanks to the huge amount of press we received for our ground-breaking research into how the Panama Papers were leaked, we experienced a large sustained traffic spike, and the Wordfence firewall just yawned and carried on doing a great job of serving up pages and protecting us from attacks.

It’s really cool watching your own software block hackers in real-time. Instructions on how to watch that are below.

Today we are officially announcing the release of Wordfence 6.1.1 along with our Threat Defense Feed. Here are the details:

The Firewall

The Wordfence firewall is installed with 6.1.1 and you will see a new ‘Firewall’ menu option appear in your Wordfence menu. When you arrive on the firewall configuration page, Wordfence should be in Learning Mode if you just upgraded to 6.1.1. It will look like this:

[Screenshot: the firewall configuration page showing Learning Mode]

The Wordfence firewall will learn for a week and then automatically switch to “Enabled and Protecting”. During this one-week learning period, anything that would have been blocked will automatically be whitelisted. You can scroll to the bottom of the firewall page and see the list of whitelisted items as it grows:

[Screenshot: the list of whitelisted items at the bottom of the firewall page]

If you don’t like something that has been whitelisted during Learning Mode or think it may be a real attack, you can simply remove it once the firewall is enabled.

If you don’t want to wait a week you can speed things up by:

  • Visiting all pages and taking all actions you can think of on your site. This includes working in the WordPress admin console, submitting forms on your site and doing everything else that normally happens on your site. This will allow Wordfence to rapidly learn about your site.
  • Then enable the firewall and keep an eye on what it blocks in live traffic. Read on to understand how to view firewall activity in Live Traffic.
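To make the Learning Mode behaviour described above concrete, here is an added toy model (my own illustration, not Wordfence’s code, written in Python rather than the plugin’s PHP, with constructed rules and traffic): while learning, every rule hit is whitelisted by path, parameter and rule instead of being blocked; once enabled, whitelisted hits pass, anything else that matches is blocked, and an admin can remove a learned entry that looks like a real attack.

```python
import re
from dataclasses import dataclass, field

# Constructed rule set standing in for a threat feed: rule name -> regex tested
# against every request parameter value. Illustrative only, not Wordfence's rules.
RULES = {
    "sqli-tautology": re.compile(r"(?i)'\s*or\s+'?\d*'?\s*=\s*'?\d*'?"),
    "path-traversal": re.compile(r"\.\./"),
}


@dataclass
class LearningFirewall:
    """Toy WAF with a learning period. While learning, every request a rule would
    block is whitelisted (keyed by path, parameter and rule) instead of blocked.
    Once enabled, whitelisted matches pass and any other match is blocked."""
    learning: bool = True
    whitelist: set = field(default_factory=set)

    def _matches(self, path, params):
        return [(path, name, rule) for name, value in params.items()
                for rule, pattern in RULES.items() if pattern.search(value)]

    def handle(self, path, params):
        """Return 'allowed', 'learned' or 'blocked:<rule>' for one request."""
        hits = self._matches(path, params)
        if not hits:
            return "allowed"
        if self.learning:
            self.whitelist.update(hits)
            return "learned"
        unlisted = [h for h in hits if h not in self.whitelist]
        return f"blocked:{unlisted[0][2]}" if unlisted else "allowed"

    def remove_whitelisted(self, path, param, rule):
        """Admin action from the post: drop a learned entry that looks like an attack."""
        self.whitelist.discard((path, param, rule))


def demo():
    """Replay the learning week with constructed traffic; returns the verdicts."""
    fw = LearningFirewall()
    # During learning a legitimate editor saves a post whose body contains "../".
    learned = fw.handle("/wp-admin/post.php", {"content": "see ../img/a.png"})
    fw.learning = False  # learning period over: "Enabled and Protecting"
    same_shape = fw.handle("/wp-admin/post.php", {"content": "see ../docs"})
    attack = fw.handle("/index.php", {"id": "1' OR '1'='1"})
    fw.remove_whitelisted("/wp-admin/post.php", "content", "path-traversal")
    after_removal = fw.handle("/wp-admin/post.php", {"content": "see ../docs"})
    return [learned, same_shape, attack, after_removal]
```

Running `demo()` shows the four outcomes in order: the editor’s request is learned, the same-shaped request passes once enabled, the injection attempt on a different path is blocked, and the learned entry is blocked again after an admin removes it from the whitelist.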

Changes to Live Traffic and How to see what the Firewall has blocked

Wordfence Live Traffic has been given a redesign that I can only describe as spectacular. We have added a drop-down list that lets you filter what kind of traffic you want to see:

[Screenshot: the Live Traffic filter drop-down]

Simply select the option “Blocked by Firewall” to see what your firewall has blocked recently. You’ll be surprised what shows up. We have had quite a few attacks on our own site blocked by Wordfence 6.1.1.

You’ll notice that Live Traffic has an advanced filters option that lets you filter your live traffic any way you can possibly imagine.

A Threat Defense Feed through Excellent Forensic Analysis

A great firewall and great scan engine are no good without continuous updates. We started by building an excellent forensic analysis team. Every day our team goes out and analyzes hacked sites and brings that on-the-ground intelligence back into Wordfence.

Malware samples are turned into signatures used by our scan engine. New attacks are turned into firewall rules which update our firewall logic.

We unified this flow of data under a single umbrella called the Threat Defense Feed. This feed constantly updates Wordfence’s ability to block attacks and to detect infections or malicious activity.

Our premium Wordfence customers receive a real-time version of the feed. If a new threat emerges, we can update your rules within minutes. Our free customers receive a delayed version of the Threat Defense Feed.

Changing the Game on Attackers

We realized that the status quo isn’t going to cut it if we are to succeed in our mission of making the web safer and protecting our customers’ sites. Wordfence 6.1.1 isn’t just a new product with new data flowing into it. It is an organizational change for us.

We have had to build a forensic analysis team by bringing senior analysts on board with tremendous depth of experience. Those senior team members have been developing processes and training up more junior colleagues to rapidly get them up to speed.

We have also had to scale up our operations, make new capital investments in hardware, in software and in operations personnel.

We have also brought on board additional senior engineers and customer service staff. We have been hiring so quickly that we decided to turn hiring into a software problem, as you will have experienced if you’ve been through one of our tests for forensic analysts. Don’t worry, you still get to talk to us humans as part of the process.

What we’ve ended up with is one of the fastest growing and best performing information security organizations in the world. It has been an incredible experience for me personally during the past 2 years, hiring people who are smarter than I am, stepping back and watching them guide our product, serve our customers and create engineering solutions that are incredibly innovative and that provide a new kind of protection that is able to defeat the new threats that we are seeing.

I’m incredibly proud of our team for creating, testing and shipping Wordfence 6.1.1. Special thanks to Matt Barry our lead developer and Matt Rusnak our QA analyst who both worked tirelessly to improve, find new ways to break and then continue to improve 6.1.1. Thanks guys, you are both legends. Thanks also to the rest of the team who contributed tremendously, you know who you are and you’re amazing!

I speak for the whole team when I say that we are proud to have your trust and to have you as a customer. We are working hard to deliver the level of engineering, research and innovation you have come to expect from Wordfence. And we look forward to a long relationship with our community and our premium customers as we continue to deliver the best available protection for your WordPress website.

Mark Maunder – Wordfence Founder & CEO – April 2016.

Update: At 11am Pacific time we released 6.1.2, a point release that fixes a minor issue. It fixes a fatal error when using a whitelisted IPv6 range and connecting with an IPv6 address. This is an edge case and would only have affected a small number of sites.

Official Press Release available here.

Press contact: Dan Moen at press@wordfence.com.

Wordfence is hiring. If you’re passionate about tracking attackers and their methods and want to join our forensic analysis team, we’d love to hear from you.
