Do You Need a WordPress Security Plugin?

At Wordfence we are a big team these days with millions of customers, and we think about security all day long. Sometimes we can get deep down the proverbial rabbit hole and forget about the basics.

I recently overheard someone asking “Do I really need a WordPress security plugin?” and I realized this is a perfectly valid question. If you are not in the security industry, you might ask it.

I know that many of you are well versed in security already – and WordPress security in particular. Perhaps that is why you are reading this post or subscribe to our mailing list. What I would like to provide you with in this post is a way to answer the question of “Do I need a WordPress security plugin?” to friends, family and colleagues that is both enlightening and easy to understand.

If you are new to WordPress, I hope this post helps increase your understanding of WordPress security.

Physical Security compared to WordPress Security

Many people think about WordPress security in the same way that they think about physical security in the real world. In the physical world, we might build a facility like a bank that needs to be secured. We build barriers to entry and access controls as part of the construction project.

Once the project is complete, we have a secure facility with walls, gates, secure entry and exit, cameras, access controls and human personnel to implement security procedures as people enter and exit. The physical construction does not change much over time, once the project is completed.

You are unlikely to discover that the concrete you used to build a wall for your bank is now vulnerable and needs to be replaced. A wall is still difficult to penetrate and a locked gate with a guard is going to still be quite effective a few months from now.

It is easy to make the mistake of thinking about WordPress security in the same way. If you install software that is secure to power your WordPress website and you implement good security policy and controls, one might think a website would behave in the same way. In other words, one might think a secure website today should be secure a few months from now if it doesn’t change.

That is not the case and I’m going to explain why. If you build a website using the newest software that has been verified to be secure and you implement good security policy, your website does not change, but the environment it is operating in changes. Attackers continually research the software that powers your website and vulnerabilities are eventually discovered in most popular online software.

Therefore the problem is that, while your website software starts off secure, it almost always ends up being insecure without anything changing on your website. It’s not your fault or the fault of the person who created your website. It is just the way of the online world. This differs from our building metaphor above in that a secure building doesn’t usually end up insecure a couple of months after being built without anything in the building changing. But a website does.

In fact, this is an ongoing cycle. Vulnerabilities are discovered, attackers start using them and ultimately if you are a responsible WordPress site owner, you upgrade your site regularly to fix those vulnerabilities. Then new vulnerabilities are discovered in new versions and the cycle repeats.

The Time Gap Between Vulnerability Knowledge and Installation of a Security Fix

You might build a new website with the latest secure versions of WordPress and all of the relevant plugins and a theme. As time passes, vulnerabilities are discovered in your plugins, theme and the version of WordPress core you are using. Those vulnerabilities (or security holes) become public knowledge at some point.

There is usually a delay between when the vulnerability becomes public knowledge and when you get around to installing a fix. Even when a fix is automatically released by the WordPress security team, the vulnerability may have been public knowledge for some time. This was the case with the recent PHPMailer vulnerability, which took several weeks for a patch to appear in WordPress core and be automatically deployed.

A WordPress security plugin provides many valuable functions, but at its most basic, a WordPress security plugin protects your website from attacks during the time it is vulnerable.

We do this in two ways. Wordfence provides a firewall that has rules that are constantly updated. At Wordfence, when we learn about a new security hole in software that you might use, we release a firewall rule to your site that allows Wordfence to block hackers from exploiting that security hole.

The second way we protect you is by providing a malware scan. Wordfence detects thousands of malware variants. If the worst happens and somehow a hacker does manage to penetrate your website, Wordfence alerts you to the presence of malware on your website and even helps you find it and remove it. Our malware signatures are also continually updated.

As many of you know, our Threat Defense Feed is what distributes new firewall rules and malware signatures to your Wordfence security plugin. Our Premium customers receive these in real-time. Free customers are delayed by 30 days.

Protecting You When You’re Vulnerable is What We Do

Wordfence provides many other security functions including two factor authentication, country blocking, brute force protection, rate limiting and more. But the most important function we provide is this: Wordfence protects your WordPress website once vulnerabilities are discovered in your previously secure website and before you have installed a fix.

Most websites are hacked as a result of an attacker gaining entry by exploiting a vulnerability in the website software. By using an effective WordPress firewall like Wordfence with a real-time Threat Defense Feed, you are protected, even if your website suffers from a vulnerability.

I hope this has helped provide a fundamental understanding of the most important reason you or someone you know needs a WordPress security plugin like Wordfence. As always I welcome your feedback in the comments below.

Stay safe!

Mark Maunder – Wordfence Founder/CEO.

Thanks to Dan Moen for editing this post. 

The post Do You Need a WordPress Security Plugin? appeared first on Wordfence.


Announcing a new Firewall, a Threat Defense Feed and a New Approach

This morning at 9am Pacific time we rolled out a new kind of firewall to over 1 Million active WordPress websites. The new Wordfence firewall comes with a Threat Defense Feed that updates our firewall as new threats emerge. It also continuously updates our malware scan as we discover new malware patterns through our forensic research.

If you have auto-update enabled in Wordfence, you will automatically be upgraded to 6.1.1 today which will include the new firewall and features. You can manually update by signing into your WordPress site and upgrading to Wordfence to 6.1.1 or you can download Wordfence from the official WordPress plugin repository.

I want to share with you some of the journey that we took to arrive at this day. About 9 months ago we took a long hard look at Wordfence and asked the question: “How can we do a better job of stopping hacks and detecting them early?”.

We also looked at existing firewall providers and discovered they could be doing a better job. And then we looked at our own malware scan and realized that it could benefit from a few improvements.

So we set ourselves an ambitious goal:

  • Build an excellent forensic analysis team to discover the newest malware infections and new attacks that are used to break into sites.
  • Build a new kind of firewall that stops all attacks immediately, including zero day and emerging attacks.
  • Radically improve intelligence in our scan.
  • Continually feed the data our forensic team uncovers into our firewall and scan.

We worked for 7 months on the project and about 2 months ago we thought we had finished the firewall. But then we discovered a way to radically improve our protection against SQL injection attacks. It meant building an SQL parser into Wordfence that is both extremely fast and is able to understand SQL the way a database does and determine if something is malicious or not. It was worth taking the extra time to include this important functionality and so we did exactly that.

Then a few weeks ago, once again we thought we were ready and we realized we could build protection into the firewall against privilege escalation attacks. When you run Wordfence’s firewall, it knows who your users are so the firewall is able to make decisions about what to block more intelligently. So we went ahead and built that into Wordfence 6.1.1 too.

Instead of letting the marketing team rule, we gave the engineers enough space to solve these very hard problems with innovative solutions.

During the past month we have been quietly beta testing Wordfence 6.1.1 and our beta community has been an invaluable source of feedback and bug reports. Thank you very much to everyone who kindly participated in our public beta testing. You have helped turn Wordfence 6.1.1 into a rock solid enterprise-ready WordPress protector.

We have also been running Wordfence 6.1.1 Beta on this site for longer than a month and it has worked perfectly. At times we have had over 3,000 concurrent users on the site and huge traffic spikes. Last Thursday and Friday thanks to the huge amount of press we received for our ground-breaking research into how the Panama Papers were leaked, we experienced a large sustained traffic spike and the Wordfence firewall just yawned and carried on doing a great job of serving up pages and protecting us from attacks.

It’s really cool watching your own software block hackers in real-time. Instructions on how to watch that below.

Today we are officially announcing the release of Wordfence 6.1.1 along with our Threat Defense Feed. Here are the details:

The Firewall

The Wordfence firewall is installed with 6.1.1 and you will see a new ‘Firewall’ menu option appear in your Wordfence menu. When you arrive on the firewall configuration page, Wordfence should be in Learning Mode if you just upgraded to 6.1.1. It will look like this:

Screen Shot 2016-04-11 at 4.13.56 PM


Wordfence firewall will learn for a week and then automatically switch to “Enabled and Protecting”. During this one week learning period, anything that would have been blocked will automatically be whitelisted. You can scroll to the bottom of the firewall page and see the list of whitelisted items as they grow:

Screen Shot 2016-04-11 at 4.16.35 PM

If you don’t like something that has been whitelisted during Learning Mode or think it may be a real attack, you can simply remove it once the firewall is enabled.

If you don’t want to wait a week you can speed things up by:

  • Visiting all pages and taking all actions you can think of on your site. This includes working in the WordPress admin console, submitting forms on your site and doing everything else that normally happens on your site. This will allow Wordfence to rapidly learn about your site.
  • Then enable the firewall and keep an eye on what it blocks in live traffic. Read on to understand how to view firewall activity in Live Traffic.

Changes to Live Traffic and How to see what the Firewall has blocked

Wordfence Live Traffic has been given a redesign that I can only describe as spectacular. We have added a drop-down list that lets you filter what kind of traffic you want to see:

Screen Shot 2016-04-11 at 4.29.35 PM

Simply select the option “Blocked by Firewall” to see what your firewall has blocked recently. You’ll be surprised what shows up. We have had quite a few attacks on our own site blocked by Wordfence 6.1.1.

You’ll notice that Live Traffic has an advanced filters option that lets you filter your live traffic any way you can possibly imagine.

A Threat Defense Feed through Excellent Forensic Analysis

A great firewall and great scan engine are no good without continuous updates. We started by building an excellent forensic analysis team. Every day our team goes out and analyzes hacked sites and brings that on-the-ground intelligence back into Wordfence.

Malware samples are turned into signatures used by our scan engine. New attacks are turned into firewall rules which update our firewall logic.

We unified this flow of data under a single umbrella called the Threat Defense Feed. This feed constantly updates Wordfence’s ability to block attacks and to detect infections or malicious activity.

Our premium Wordfence customers receive a real-time version of the feed. If a new threat emerges, we can update your rules within minutes. Our free customers receive a delayed version of the Threat Defense Feed.

Changing the Game on Attackers

We realized that the status quo isn’t going to cut it if we are to succeed in our mission of making the web safer and protecting our customer’s sites. Wordfence 6.1.1 isn’t just a new product with new data flowing into it. It is an organizational change for us.

We have had to build a forensic analysis team by bringing senior analysts on board with tremendous depth of experience. Those senior team members have been developing processes and training up more junior colleagues to rapidly get them up to speed.

We have also had to scale up our operations, make new capital investments in hardware, in software and in operations personnel.

We have also brought on board additional senior engineers and customer service staff. We have been hiring so quickly that we decided to turn hiring into a software problem which you would have experienced if you’ve been through one of our tests for forensic analysts. Don’t worry, you still get to talk to us humans as part of the process.

What we’ve ended up with is one of the fastest growing and best performing information security organizations in the world. It has been an incredible experience for me personally during the past 2 years, hiring people who are smarter than I am, stepping back and watching them guide our product, serve our customers and create engineering solutions that are incredibly innovative and that provide a new kind of protection that is able to defeat the new threats that we are seeing.

I’m incredibly proud of our team for creating, testing and shipping Wordfence 6.1.1. Special thanks to Matt Barry our lead developer and Matt Rusnak our QA analyst who both worked tirelessly to improve, find new ways to break and then continue to improve 6.1.1. Thanks guys, you are both legends. Thanks also to the rest of the team who contributed tremendously, you know who you are and you’re amazing!

I speak for the whole team when I say that we are proud to have your trust and to have you as a customer. We are working hard to deliver the level of engineering, research and innovation you have come to expect from Wordfence. And we look forward to a long relationship with our community and our premium customers as we continue to deliver the best available protection for your WordPress website.

Mark Maunder – Wordfence Founder & CEO – April 2016.

Update: At 11am Pacific time we release 6.1.2 which is a point release that fixes a minor issue. It fixed fatal error when using a whitelisted IPv6 range and connecting with an IPv6 address. This is an edge case and would have only affected a small number of sites.

Official Press Release available here.

Press contact: Dan Moen at

Wordfence is hiring. If you’re passionate about tracking attackers and their methods and want to join our forensic analysis team, we’d love to hear from you.

The post Announcing a new Firewall, a Threat Defense Feed and a New Approach appeared first on Wordfence.