Wordfence 5.0.4 Beta1 now available. Targeting tomorrow for release.

Hi Beta Testers!
Wordfence 5.0.4 Beta1 is now available for your downloading pleasure at:
What we’ve changed:
  • Feature: We now scan for the infamous heartbleed openssl vulnerability using a non-intrusive scan method safe for production servers.
  • Improvement: We now check if .htaccess is writable and if not we give you rules to manually enable Falcon.
  • Improvement: Once Falcon is enabled, if we can’t write to .htaccess, we fall back to PHP based IP blocking.
  • Feature: You can now clear pages and posts from the cache on the list-posts page under each item or on their edit pages next to the Update button.
  • Fix: We now support sites who use a root URI but store their files and .htaccess in a subdirectory of the web root.
  • Fix: Added an additional filter to prevent crawlers like Bing who execute javascript from being logged as humans.


What I’d like tested:
  • Enabling and disabling Falcon Engine, specifically on sites that have a read-only .htaccess. And also on sites that have a http://example.com/ URL but where their files are stored in a subdirectory under the web root.
  • If you run an openSSL site, test our HeartBleed scanning. Hopefully you’re not vulnerable. We’ve tested this on vulnerable sites and it shows a high degree of accuracy.
  • Test page/post clearing from the cache on the admin page where you see all your pages/posts and on the edit page next to the publish button.
Because we need to launch this ASAP (WP 3.9 went out today and we need to get the compatible readme.txt in this plugin out asap) we’re going to try to push this release into production tomorrow around noon. So you unfortunately have less than 24 hours to test this. Future releases will give you 48 to 72 hours for minor releases and more for major releases.
Mark Maunder – Wordfence creator.

Did you enjoy this post? Share it!


  • ubuntu 12.04 server was not upgraded to new OpenSSl before installing beta 5.0.4

    Installed and scanned - SSL heartbleed identified
    Updated server and refreshed certificates etc.
    Reran scan - heartbleed now not detected

    beyond that could not test as i can not get back into my wp-admin pages - odd not sure where the problem is coming from :(

    • Awesome! There's something very satisfying about getting reports like this from the wild from our beta testers. Thanks Ian. Regarding not being able to load your admin pages after the upgrade - my guess is something didn't upgrade properly. I'd love to hear what the issue was if you find it.

      Thanks again - great to know our new heartbleed test is showing good reliability.