Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

Announcing a new Firewall, a Threat Defense Feed and a New Approach

This entry was posted in Research, Wordfence, WordPress Security on April 12, 2016 by Mark Maunder   80 Replies

This morning at 9am Pacific time we rolled out a new kind of firewall to over 1 Million active WordPress websites. The new Wordfence firewall comes with a Threat Defense Feed that updates our firewall as new threats emerge. It also continuously updates our malware scan as we discover new malware patterns through our forensic research.

If you have auto-update enabled in Wordfence, you will automatically be upgraded to 6.1.1 today which will include the new firewall and features. You can manually update by signing into your WordPress site and upgrading to Wordfence to 6.1.1 or you can download Wordfence from the official WordPress plugin repository.

I want to share with you some of the journey that we took to arrive at this day. About 9 months ago we took a long hard look at Wordfence and asked the question: “How can we do a better job of stopping hacks and detecting them early?”.

We also looked at existing firewall providers and discovered they could be doing a better job. And then we looked at our own malware scan and realized that it could benefit from a few improvements.

So we set ourselves an ambitious goal:

  • Build an excellent forensic analysis team to discover the newest malware infections and new attacks that are used to break into sites.
  • Build a new kind of firewall that stops all attacks immediately, including zero day and emerging attacks.
  • Radically improve intelligence in our scan.
  • Continually feed the data our forensic team uncovers into our firewall and scan.

We worked for 7 months on the project and about 2 months ago we thought we had finished the firewall. But then we discovered a way to radically improve our protection against SQL injection attacks. It meant building an SQL parser into Wordfence that is both extremely fast and is able to understand SQL the way a database does and determine if something is malicious or not. It was worth taking the extra time to include this important functionality and so we did exactly that.

Then a few weeks ago, once again we thought we were ready and we realized we could build protection into the firewall against privilege escalation attacks. When you run Wordfence’s firewall, it knows who your users are so the firewall is able to make decisions about what to block more intelligently. So we went ahead and built that into Wordfence 6.1.1 too.

Instead of letting the marketing team rule, we gave the engineers enough space to solve these very hard problems with innovative solutions.

During the past month we have been quietly beta testing Wordfence 6.1.1 and our beta community has been an invaluable source of feedback and bug reports. Thank you very much to everyone who kindly participated in our public beta testing. You have helped turn Wordfence 6.1.1 into a rock solid enterprise-ready WordPress protector.

We have also been running Wordfence 6.1.1 Beta on this site for longer than a month and it has worked perfectly. At times we have had over 3,000 concurrent users on the site and huge traffic spikes. Last Thursday and Friday thanks to the huge amount of press we received for our ground-breaking research into how the Panama Papers were leaked, we experienced a large sustained traffic spike and the Wordfence firewall just yawned and carried on doing a great job of serving up pages and protecting us from attacks.

It’s really cool watching your own software block hackers in real-time. Instructions on how to watch that below.

Today we are officially announcing the release of Wordfence 6.1.1 along with our Threat Defense Feed. Here are the details:

The Firewall

The Wordfence firewall is installed with 6.1.1 and you will see a new ‘Firewall’ menu option appear in your Wordfence menu. When you arrive on the firewall configuration page, Wordfence should be in Learning Mode if you just upgraded to 6.1.1. It will look like this:

Screen Shot 2016-04-11 at 4.13.56 PM

 

Wordfence firewall will learn for a week and then automatically switch to “Enabled and Protecting”. During this one week learning period, anything that would have been blocked will automatically be whitelisted. You can scroll to the bottom of the firewall page and see the list of whitelisted items as they grow:

Screen Shot 2016-04-11 at 4.16.35 PM

If you don’t like something that has been whitelisted during Learning Mode or think it may be a real attack, you can simply remove it once the firewall is enabled.

If you don’t want to wait a week you can speed things up by:

  • Visiting all pages and taking all actions you can think of on your site. This includes working in the WordPress admin console, submitting forms on your site and doing everything else that normally happens on your site. This will allow Wordfence to rapidly learn about your site.
  • Then enable the firewall and keep an eye on what it blocks in live traffic. Read on to understand how to view firewall activity in Live Traffic.

Changes to Live Traffic and How to see what the Firewall has blocked

Wordfence Live Traffic has been given a redesign that I can only describe as spectacular. We have added a drop-down list that lets you filter what kind of traffic you want to see:

Screen Shot 2016-04-11 at 4.29.35 PM

Simply select the option “Blocked by Firewall” to see what your firewall has blocked recently. You’ll be surprised what shows up. We have had quite a few attacks on our own site blocked by Wordfence 6.1.1.

You’ll notice that Live Traffic has an advanced filters option that lets you filter your live traffic any way you can possibly imagine.

A Threat Defense Feed through Excellent Forensic Analysis

A great firewall and great scan engine are no good without continuous updates. We started by building an excellent forensic analysis team. Every day our team goes out and analyzes hacked sites and brings that on-the-ground intelligence back into Wordfence.

Malware samples are turned into signatures used by our scan engine. New attacks are turned into firewall rules which update our firewall logic.

We unified this flow of data under a single umbrella called the Threat Defense Feed. This feed constantly updates Wordfence’s ability to block attacks and to detect infections or malicious activity.

Our premium Wordfence customers receive a real-time version of the feed. If a new threat emerges, we can update your rules within minutes. Our free customers receive a delayed version of the Threat Defense Feed.

Changing the Game on Attackers

We realized that the status quo isn’t going to cut it if we are to succeed in our mission of making the web safer and protecting our customer’s sites. Wordfence 6.1.1 isn’t just a new product with new data flowing into it. It is an organizational change for us.

We have had to build a forensic analysis team by bringing senior analysts on board with tremendous depth of experience. Those senior team members have been developing processes and training up more junior colleagues to rapidly get them up to speed.

We have also had to scale up our operations, make new capital investments in hardware, in software and in operations personnel.

We have also brought on board additional senior engineers and customer service staff. We have been hiring so quickly that we decided to turn hiring into a software problem which you would have experienced if you’ve been through one of our tests for forensic analysts. Don’t worry, you still get to talk to us humans as part of the process.

What we’ve ended up with is one of the fastest growing and best performing information security organizations in the world. It has been an incredible experience for me personally during the past 2 years, hiring people who are smarter than I am, stepping back and watching them guide our product, serve our customers and create engineering solutions that are incredibly innovative and that provide a new kind of protection that is able to defeat the new threats that we are seeing.

I’m incredibly proud of our team for creating, testing and shipping Wordfence 6.1.1. Special thanks to Matt Barry our lead developer and Matt Rusnak our QA analyst who both worked tirelessly to improve, find new ways to break and then continue to improve 6.1.1. Thanks guys, you are both legends. Thanks also to the rest of the team who contributed tremendously, you know who you are and you’re amazing!

I speak for the whole team when I say that we are proud to have your trust and to have you as a customer. We are working hard to deliver the level of engineering, research and innovation you have come to expect from Wordfence. And we look forward to a long relationship with our community and our premium customers as we continue to deliver the best available protection for your WordPress website.

Mark Maunder – Wordfence Founder & CEO – April 2016.

Update: At 11am Pacific time we release 6.1.2 which is a point release that fixes a minor issue. It fixed fatal error when using a whitelisted IPv6 range and connecting with an IPv6 address. This is an edge case and would have only affected a small number of sites.

Official Press Release available here.

Press contact: Dan Moen at press@wordfence.com.

Wordfence is hiring. If you’re passionate about tracking attackers and their methods and want to join our forensic analysis team, we’d love to hear from you.

Did you enjoy this post? Share it!


Your rating:

80 Comments on "Announcing a new Firewall, a Threat Defense Feed and a New Approach"

Matt April 12, 2016 at 9:37 am • Reply

Great work, thank you.

allanit April 12, 2016 at 9:42 am • Reply

Once again you guys are the best. keep up the great work.

mark April 12, 2016 at 9:57 am • Reply

Thanks!!

Regards,

Mark.

Mark April 12, 2016 at 9:45 am • Reply

If I use Wordfence, is there any need for other security plugins? If so, what type (or specific) would you recommend. I would prefer to have the fewest number of plugins possible of course, so if Wordfence alone would be enough, that would be awesome.

Also, any issues with Cloudflare activated on a site?

Thanks!

mark April 12, 2016 at 9:57 am • Reply

Hi Mark,

You don't need any other security plugins. The level of protection that Wordfence now provides is nothing short of awesome. For example: If you have a vulnerable plugin like Revolution Slider and you have Wordfence installed, your site is still safe because the firewall will block those attacks.

Also Cloudflare only provides a firewall if you pay them $240 per year. You get one free with Wordfence now. So no issues with running with Cloudflare if you want to use them as a CDN.

Regards,

Mark.

Mark April 12, 2016 at 11:36 am • Reply

Thanks mark. Should I then turn off the firewall at Cloudflare? (I am a paying subscriber there). Or does it not hurt to have both running?

mark April 12, 2016 at 4:24 pm • Reply

I can't really go that far to tell you to turn a competing product off. That's your call. I would encourage you to test our products side-by-side and make your own decision. I think we have an excellent firewall product. Keep in mind that premium Wordfence customers receive real-time rule updates and community customers are delayed by 30 days.

Regards,

Mark.

Jen April 12, 2016 at 7:13 pm • Reply

My host provides Cloudflare at no extra (including firewall) cost so I run that on all my sites.
I like the ability manage Cloudflare Firewall Acces Rules by country/IP. The question remains, can we run the Cloudflare WAF at the same time as Wordfence. Will this cause any issues?

mark April 12, 2016 at 7:34 pm • Reply

Yes you can.

Brian J King April 13, 2016 at 8:35 am • Reply

Nice, what webhost do you use if you don't mind me asking? Thanks!

Michael April 12, 2016 at 9:52 am • Reply

Sounds Awesome!! Does it still play nice with other security plugins like iThemes Security Pro?

mark April 12, 2016 at 9:55 am • Reply

Hi Michael,

I can't emphasize enough how well tested this is. If you have any reports, we will as always respond promptly, but we're confident this is production and enterprise ready. Our QA team is amazing.

Regards,

Mark.

John Redfield April 12, 2016 at 10:04 am • Reply

I am concerned about migrating a site once these advanced rules have been saved by Wordfence. For example I always install WF first thing, while developing new websites for clients. Later when we clone the site and migrate to a new domain, that includes the WF data. We've never had an issue in the past.

Has the new firewall been tested on migrations, before and after scenarios?

Thanks!

mark April 12, 2016 at 10:57 am • Reply

Hi John,

As far as I know this wouldn't be a problem. We didn't add anything that would break migrations. In the unlikely event you discover something, let us know and the team is extremely responsive.

Mark.

Greg Fitzhugh April 12, 2016 at 10:11 am • Reply

You guys are doing a great job!

My ecommerce site has been up a little over 3 years. Basically it's a one-man show. I've made LOTS of mistakes in those 3 years and I worried a lot about security which was (is) a mystery to me.

Using Wordfence has turned out to be one of the best decisions I've made. I find the product usable, the blogs educational, tech support patient and thorough with my concerns.

My website security has become a non-issue for me, freeing up time for other things. Keep up the good work.

Thanks again,
Greg

mark April 12, 2016 at 10:58 am • Reply

Thanks Greg. I think the magnitude which 6.1.1 improves your security will become apparent as the weeks progress. The first major threat that emerges in the coming weeks or months will be dealt with quickly and with no action required by you. The forensic team takes care of keeping you safe by analyzing the threat and updating our premium customers in real-time.

Keith Davis April 12, 2016 at 10:17 am • Reply

Sounds fabulous Mark
I'm using a few other security plugins at the moment but reading...

"You don't need any other security plugins. The level of protection that Wordfence now provides is nothing short of awesome."

... makes me really want to try out WordFence.

Decisions, decisions?

mark April 12, 2016 at 11:01 am • Reply

Hi Keith. We've really moved to another level with 6.1.1. Our team is 11 employees and 19 people total now with many world-class researchers and forensic folks on staff. Security for WordPress is all we do. Other companies either have a range of plugins and 'also' do security. Or they're security focused and 'also' do WordPress. If you're attacking WordPress, welcome to our world and you will be dealt with swiftly.

Mark.

Goran April 12, 2016 at 10:18 am • Reply

Congrats on what appears to be an amazing update.

So far so good :)

A few questions though... what is the difference between running Wordfence firewall and Cloudflare one. I currently am behind Cloudflare firewall so I was wondering if they're redundant.

I noticed one thing and that is if on Cloudflare firewall you set the settings on too aggressive level, some useful features might get blocked such as PayPal's IPN. How aggressive is Wordfence firewall by default? Have you tested it extensively with different e-commerce platforms?

Also, should there be any impact on page speed loading since everything now goes through firewall?

Once again, great work guys!

Goran

mark April 12, 2016 at 11:05 am • Reply

Hi Goran,

The advantages of using our Firewall are numerous and significant. Firstly you can fully customize your rules. Something getting blocked? Just view it in Live Traffic by selecting items blocked by the firewall. Then from there you can whitelisted it with one click. Try doing that with a cloud waf.

Secondly, we protect against things that other cloud wafs don't like privilege escalation. We know who is signed into your site and what permission level they have and can make our decisions taking that into account. So we can block something that a regular user should not be doing but will let an administrator through.

For your Paypal IPN requests: Just do a test request and if the WAF blocks it, just whitelist it and you're done.

Page speed is not affected at all. This site gets huge traffic spikes when we launch and it's been running 6.1.1 from when it was still in alpha release with absolutely no issues. We started the design of the firewall 9 months ago by first running performance benchmarks on PHP's various functions to see how big a ruleset we could handle. So it has performance built into its DNA.

Mark.

John April 12, 2016 at 10:21 am • Reply

Is this new firewall done via PHP/MySQL or at the .htaccess level? I've found that WordFence has actually gotten in the way of server level firewall rules, leaving sites overloaded with multiple attempts at logins for instance, sometimes 10 or 15 times per second, each requiring PHP to execute and then do a MySQL lookup to find if the address is blocked or not. .htaccess of course would not allow this. My issue is we normally set our server level firewall rules to block on things like login failures. No failures are logged with WordFence, only repeated accesses to login pages. This leads to what amounts to self inflicted DDoS.

I'm not meaning to be negative as WordFence is great in so many other areas!

mark April 12, 2016 at 11:10 am • Reply

Hi John,

Our firewall code runs before any other PHP code on your site including other applications. That means that even if an attacker hits a file directly like /wp-content/plugins/badplugin/timthumb.php and tries to attack that file, our code will still run and protect you.

We do this by adding a PHP auto_prepend_file directive in your .htaccess which adds our code to the beginning of every PHP file that runs on your site. So when you enable the Wordfence firewall, everything under the base directory of Wordpress is protected, even if it isn't accessed via WordPress.

This really is a game changer for WordPress security because suddenly there is no way for an attacker to attack any part of WordPress or your website, whether it runs independently or not.

Mark.

Angie April 12, 2016 at 10:26 am • Reply

Thanks a lot Mark. It feels great to know that the security of our websites is a very important and serious business for you guys. We appreciate. Keep up the good work

Jim Martin April 12, 2016 at 10:27 am • Reply

Mark & the Wordfence Team,

As a "pro-level" user of your software, I'm delighted by the significant ramp you've made in enhancing both the ability for us to better assess threats, but to also better understand the vectors from which these threats are coming. We manage over 50 client websites, and we have deployed Wordfence on all of them. In many cases, we "eat" the cost of upgrading the client sites from the free version to the pro version because it just better way for us to manage our own internal resources. Short-sighted clients won't always pay for the added protection...we just do it ourselves. I occasionally have that internal argument with the financial types (why should WE eat the cost? they say), but in the end the financial ROI is overwhelmingly worth it.

Congratulations are in order for your product evolution. As a former Silicon Valley executive who managed hundreds of software development engineers, I fully understand the development cycle and the worry about features creep. But, in the case of 6.1.1, it appears your additional features & benefits will prove extremely powerful for those of us charged with managing our clients' sites.

While I often say that what our clients don't know won't hurt them (that's why they pay us the big bucks, right?), it's also true that what our clients do know about the Wordfence security layer may help them sleep better at night. It sure helps me do just that :-)

Keep up the great work!

mark April 12, 2016 at 11:13 am • Reply

Wow, thanks for the great feedback Jim. Yes this really is a level-up for Wordfence in terms of how we're protecting sites. As I replied to another commenter here, our code now runs before any PHP code on your WordPress site so even if a script is hit directly, we protect against that. In addition we are now rolling out scan rules and firewall rules in real-time which we're referring to as the threat defense feed. So your clients are given continuous protection and if a new plugin vulnerability emerges, even if they don't upgrade, we will deploy a rule that will keep them save until they can get to their site to upgrade.

Mark.

Joel April 12, 2016 at 10:27 am • Reply

Nice feature. You are brilliant!

Joel

Richie April 12, 2016 at 10:31 am • Reply

Really excellent work! We cannot thank you enough for the service and dedication.

Jack Smith April 12, 2016 at 10:32 am • Reply

Great stuff! In the 'learning mode', why aren't the white listed IP addresses previously entered into Wordfence automatically placed into the firewall 'white listed' URL list? My comment is that the statement 'false positive' , in the 'white list' explanations, was really stated well.

I have been extremely please with the manner in which Wordfence has protected my site, and the continuing improvments that you guys make to the product. This does not even include the great security news items that you send out. I have found, having tried several products, that essentially no one else sends out anything.

Next thing I know, you guys will have your own 'red team', for active penetration testing!

mark April 12, 2016 at 11:15 am • Reply

Hi Jack. Red teaming our customers. Now there's an interesting idea.

The firewall is rule based so it blocks specific attacks based on rules. The IP blocking works independently.

Regards,

Mark.

silvas April 12, 2016 at 10:43 am • Reply

Thank you for your amazing work!

Jack Smith April 12, 2016 at 10:43 am • Reply

One 'wishlist' comment. It would be nice to have a toggle switch to turn off the option boxes in the 'live activity' list. This would compact the list, allowing more to be seen at once. There could be a simple box to check, on the first line of the listing, asking if you wanted to show the option boxes for that listing. I think that there are far more listings where the option boxes are not needed, for action to be taken, making the boxes unnecessary there. Just a comment.

Halina April 12, 2016 at 11:19 am • Reply

You guys are AMAZING! I'm so glad I've found you and so grateful for your work!

I'm not a techie so forgive me my ignorance: Since there isn't much traffic on my sites yet... If I enable the firewall after a week, could this result in normal visitors (coming to view a post or submit information) being blocked? Thanks!

mark April 12, 2016 at 4:26 pm • Reply

No it won't. This site is very complex, is powered by WordPress, gets a huge amount of traffic and we currently don't have anything whitelisted and it works great. We get zero false positives. We also did extensive beta testing before launching and our beta community helped us solve the false positive problem.

Mark.

Anderson April 12, 2016 at 11:34 am • Reply

Great news! Wordfence was already good before, but now it is an incredible product, powerful even in the free version.

Thank you for all the effort to protect our sites. You guys are doing an amazing job!

Best wishes from Brazil,
Anderson

Bryan April 12, 2016 at 11:34 am • Reply

If we currently don't have the WF firewall enabled will this update toggle it on automatically?

mark April 12, 2016 at 4:25 pm • Reply

Yes it will. It will start in learning mode and then enable in 1 week.

Regards,

Mark.

maksimiljan April 12, 2016 at 12:12 pm • Reply

My web page was under constant attack for more than 5 days..i have solved ( i believe ) all the problem with wordfence .. !!!
So with this all good updates there will be much easier to manage security..

Many thanks for all good and hard work..!

max

Magda van Tilburg April 12, 2016 at 12:32 pm • Reply

Exciting changes! The Life Traffic is very altered, it's quit hard to get used to it (so much to read - alas).

BUT! Still there is NO "make blocks permanent" ON TOP of the page. Since my PC is handling Wordfence very slow (and only your plugin is so slow), it takes much minutes to perform each and every 'make permanent'. With ONE button on top, it could be so much faster.

I have asked this before (in the WP-reviews, if I remember correctly), and your answer was that such a button on top was also on your to-do list. I hope it will be for your next update!!

Jeff Sararas April 12, 2016 at 2:29 pm • Reply

This sounds like a fantastic development, thanks for the update. I have been testing out WF on 15 sites for 6-8 months and am really happy with that choice. I continually learn more about security through your updates, thereby becoming an increasingly happier customer of your product. Nice positive feedback loop you have dialed in there!

Gary April 12, 2016 at 2:30 pm • Reply

You guys ROCK \m/ period!!
Just updated and activated the new firewall. Thanks again for your kindness to the WP community X

Tom Nguyen April 12, 2016 at 3:42 pm • Reply

Awesome. I'm updating Wordfence on my clients' websites now.

TonyW April 12, 2016 at 6:41 pm • Reply

Mark,
You and team continue to do great work....Thanks very much for this product!

Jamas April 12, 2016 at 6:51 pm • Reply

Wow can't wait to unleash this on our sites. A big THANK YOU to the Wordfence team. A remarkable gift to the WordPress community.

Ankush April 12, 2016 at 11:03 pm • Reply

This just got to a whole new amazing level! WAF service and that too for free users as well!
Love the Wordfence team! It keeps the site secure even when you don't have any plans to pay for it. Will upgrade it to premium soon enough!

mark April 13, 2016 at 2:50 pm • Reply

Glad to help Ankush!!

Justin April 13, 2016 at 12:48 am • Reply

Great work!

One of the benefits of some WAFs is protection against DDOS.

I assume that as wordfence is on the client server that it's firewall couldn't protect against this.

mark April 13, 2016 at 2:49 pm • Reply

No, but many hosting providers, data center providers and CDN's come with this built in. DDoS is the new brick-through-window of the Internet - it's such an unsophisticated attack.

Jean-Pierre April 13, 2016 at 12:52 am • Reply

Excellent! and special thanks for the help provided (SiteGround). For a non-technical like me it worked beautifully.

Erik April 13, 2016 at 2:52 am • Reply

Great work!

Will the firewall work on mutisite? Does it require a special approach when installing it on a multisite?

mark April 13, 2016 at 2:48 pm • Reply

Yes it will.

Rob April 13, 2016 at 3:04 am • Reply

Great job. If you have a firewall at server level, is there a need for the wordfence firewall to be enabled as well?

mark April 13, 2016 at 2:48 pm • Reply

Yes. Your server firewall does not speak WordPress so it' can't protect you against, for example, privilege escalation attacks.

Tad April 13, 2016 at 4:44 am • Reply

Learning mode = no firewall protection?

Should I extend learning mode on really low traffic sites?

What happens in learning mode? Could it be that some attackers will be whitelisted in learning mode?

mark April 13, 2016 at 2:47 pm • Reply

That's right. Learning mode is get Wordfence used to your site and learn what normal activity looks like. Once you enable the Firewall you are protected.

Don't leave it in learning mode. See the blog post above for more info on speeding up the process.

Mark.

John O'Sullivan April 13, 2016 at 5:14 am • Reply

As always wordfence raising the bar and settings the standards in the industry for secure websites, in an age were web threats that are ever increasing and growing more sophisticated wordfence and its commitment to a safer web is a source of great comfort. Great work, thank you.

Han Balk April 13, 2016 at 6:14 am • Reply

Thanks for this great update! Wordfence is getting better and better.

I understand that made big investments and that you want the free-version users to switch to your very 'friendly' priced premium version. But:

...premium Wordfence customers receive real-time rule updates and community customers are delayed by 30 days.

Isn't a 30 days delay not very long? Wouldn't a week or a week or two be a more acceptable setting for your community customers? How many updates a day/week/month can you expect to make the upgrade to premium worth it?

Nevertheless Wordfence is the nr 1. recommended (free) plugin for sure.

mark April 13, 2016 at 2:46 pm • Reply

Your question isn't very clear, but if I understand correctly you're asking why the 30 day delay for free customers is so long. To answer that question: It's not that long. That's an industry standard used by products like Snort (a very well known intrusion detection system) and others. Remember, our firewall is free whereas if you want Cloudflare it's around $240 per year and Sucuri is about $120 per year. With Wordfence, you get an excellent firewall free out of the box and the ruleset is only 30 days delayed. If you want real-time rules it's only $59 per year or much less for multiple sites.

Also with Wordfence you get a malware scanner too which the competition doesn't provide.

To provide excellent firewall rules and continually updated scan rules we created a forensic team. This isn't some imaginary team - we are now a team of 19 people who work very hard to find the newest attacks and infections to continually update the Threat Defense Feed that keeps your firewall and scan up-to-date.

So at $4.91 per month it's a great deal.

Mark.

miguel April 13, 2016 at 8:11 am • Reply

i appreciate all the work your team puts into this worthwhile project.
i use wordfence on all the websites i manage. it helps me feel i'm being proactive about security and i've been able to witness how many robots and hackers are out there looking for a weakness, and for a way to take advantage of others' work, like cockroaches in the night.

i do have a question. i have a website in which i already implemented the firewall. however the notice to activate it is still showing at the top of the dashboard. what would you recommend i do? would it do any harm to reinstall the firewall? will that notice eventually go away?

i'll appreciate your input.

thank you again

mark April 13, 2016 at 2:42 pm • Reply

Hi Miguel,

We're aware of this and we're making a change that better explains what is happening and makes that message 'dismissable'. The release will go out within the next 24 hours I think.

Mark.

miguel April 15, 2016 at 7:39 am • Reply

thank you mark.
as always, i'm grateful to your team.

John April 13, 2016 at 8:37 am • Reply

Can't update to 6.1.2, getting an error message "Update Failed: Plugin update failed." Also tried to uninstall and reinstall and get "Plugin could not be deleted due to an error: Could not fully remove the plugin(s) wordfence/wordfence.php."

Anyone else have this issue?

mark April 13, 2016 at 2:41 pm • Reply

This is likely a permissions issue on your site. Please post support requests in our forums or ticketing system. Thanks.

Roland April 13, 2016 at 11:17 am • Reply

Can't you guys do some kind of check to see what kind of server setup a site is running and then show the correct option while configuring the firewall?

On a different note; I've tried Apache + mod_php, Apache + suPHP, Apache + CGI/FastCGI, Litespeed and NGINX, waiting several minutes between tests and clearing all W3 Total Cache caches, but the message to configure the firewall keeps showing... The site works fine using all those options, so my uneducated guess is that it's simply not working. Therefore, I've deleted the added code from my .htaccess file in the hope that will stop the firewall from doing anything, either good or bad.

mark April 13, 2016 at 2:40 pm • Reply

Yes we could have, but we wanted this to be an attended install to make it safer. Please post any support requests in our forums or premium ticketing system.

Mark.

Carmelo April 13, 2016 at 12:41 pm • Reply

About time! Thank you for this.

Dan April 13, 2016 at 1:36 pm • Reply

Mark -

You say Wordfence users don't need any other security plugins.

iThemes Security offers the ability to hide the WP login area, which intuitively suggests an added layer of protection: Before an automated attack on my WP site can be launched, testing millions of administrator names and passwords, they need to know where the "entrance" is.

I'm not aware of Wordfence offering a similar option. Wouldn't hiding the backend make a site even more secure? Or is that somehow rendered moot by the latest version of Wordfence?

Thanks,
Dan

mark April 13, 2016 at 2:35 pm • Reply

This comes up often.

Security through obscurity is not security. "Hiding" your login page is like bricking up the front door and leaving the back door unlocked. At Wordfence we take an approach similar to Kerckhoff's principle in cryptosystems: A system should be secure even if everything about the system is public knowledge.

But just for fun I, once again set up iThemes latest plugin on a test site to see what they're up to before answering this post. And I enabled login hiding. And it broke the site. I literally couldn't sign-out and when I opened up a new incognito browser session and tried to access the now-hidden sign-in page, that was missing too. Nothing special about the site, just a vanilla wordpress. Screenshots.

So to answer your question, we don't provide this feature for two reasons: 1. It's not the right approach. 2. It breaks sites.

Regards,

Mark.

Tad April 14, 2016 at 1:32 am • Reply

What happens when I customize my site? New pages, posts, new design themes? Should I return to learning mode for a while?

What happens when I heavy redesign my site?

mark April 14, 2016 at 7:57 am • Reply

Hi Tad. It shouldn't be a problem. I'd leave it in enabled mode - we don't see many false positives. Learning mode is really just a precaution. But what you can do is check what the firewall has blocked in live traffic periodically just to make sure there are no issues when you make changes. Or just keep an eye on user reports. Again, you shouldn't have any issues - we run the firewall here and this is a super complex site that changes frequently and we have zero false positives.

Magda van Tilburg - booxalive.nl April 14, 2016 at 11:27 am • Reply

Dear Mark!

After two days puzzling on the new Wordfence, I really need help (my English is not well enough to understand all the FAQ's)!!

My problem is that in the tab "Your Site Activity in Real-Time" I can NOT find the drop-down list! So I never can select the option “Blocked by Firewall”!

Those last two days there seems NO activity at all on my site, while with the former version of Wordfence each day there were about 20 or 30 dubious visitors, some of whom try to get in my admin.

Is there missing someting in 6.1.1., or do I oversee something?

Please dear Mark, I hope you can give me some certainty - or should I rollback?

Best wishes, Magda van Tilburg, Amsterdam

mark April 14, 2016 at 9:44 pm • Reply

PLEASE PLEASE PLEASE. PLEASE!!! Post a support request in our forums or in our premium ticketing system. I can't tell you how many folks I've had to send over there from our commenting system. Our blog is not the place for support requests. I only moderate comments about once a day. I have Tim, Asa, Colette, Brian, Matt and others in our free support system and our premium tickets and they respond within sometimes minutes if it's an urgent issue.

If you want help don't post support requests here because our experts don't read our blog comments.

Mark.

Dennis April 14, 2016 at 3:34 pm • Reply

Hi,

Is this the same as BBQ Block Bad Queries? I used to have this running along with Wordfence, so I guess I don't need that anymore?

mark April 14, 2016 at 9:38 pm • Reply

Oh my. I'd never heard of that so I googled it. It's literally a single PHP file and is a handful of lines.

Previsha April 15, 2016 at 2:00 am • Reply

You guys have really invested into creating great security for wordpress. I am entirely grateful for the wordfence team and community.

Andri Viiand April 15, 2016 at 2:16 am • Reply

Great work!

Bas Velden May 1, 2016 at 10:54 pm • Reply

If you install Wordfence on a site with 0 visitors and the firewall learns for a week. And 6 months later you have 30k visitors. And another 6 months later you have 100k visitors a month.

Would you have to re-enable learning mode for a short while with such significant changes in normal traffic?

mark May 3, 2016 at 7:35 am • Reply

In general learning mode is just a safety precaution. You should not experience false positives with Wordfence Firewall out of the box. So unless you're seeing specific requests being blocked in live traffic that shouldn't be, I would not reenable learning mode.

Giovanni May 3, 2016 at 7:13 am • Reply

Congrats!. A question: any difference in loading speed or site performance when the firewall is enabled?

mark May 3, 2016 at 7:34 am • Reply

None. The code is very fast and compact and won't affect site performance at all.

Ramesh May 10, 2016 at 11:30 am • Reply

Congrats! You're one of the top guys in this arena. Any plans to launch a WAF (hardware firewall) service anytime in future. I believe your knowledge, research and experience in this field should make such an initiative successful.

Leave a Reply

Get the latest WordPress security updates and news

Sign up for WordPress security alerts, Wordfence product updates and security news via email.