
Wordfence Integrates Malware Scan Into Firewall

This entry was posted in Wordfence, WordPress Security on September 14, 2016 by Mark Maunder

If you’ve been using the Wordfence Firewall for a while, you may have noticed that our firewall ruleset has been growing steadily over the past few months. This happens as we turn new threat intelligence into firewall rules and release them into production to protect your website.

The Wordfence Firewall protects you against attackers hacking into your website using known weaknesses like the vulnerabilities that have been exploited in Timthumb, Mailpoet, Gravity Forms, Slider Revolution and many others.

We also protect against many zero day vulnerabilities that aren’t yet known to the public but are known to us exclusively. These rules protecting against zero day vulnerabilities are unique to Wordfence.

We also protect against vulnerabilities that haven’t yet been discovered by using a smart ruleset that recognizes malicious activity and blocks it.

We knew we could do better

Many firewalls only protect against common attacks that exploit vulnerabilities. One of the things we see when a site is targeted is that an attacker has a goal in mind: they want to upload malicious code so that they can execute that code on your website.

In the security industry we use the phrase “Defense in Depth”. This describes a multi-layered approach to security, so that if one layer of security doesn’t stop an attacker, another will.

We realized if we took a multi-layered approach with our firewall, we would do an even better job of protecting our customers and have a very high probability of stopping attacks.

Announcing a new breakthrough feature

With this in mind we have integrated our scan engine into the Wordfence Firewall. This layered approach means that even if a rule that recognizes an attacker exploiting a vulnerability doesn’t block the attack, our scan rules will block the attack when the attacker tries to upload malicious content.

Last week we quietly rolled Wordfence 6.1.17 into production. This update integrates Wordfence Scan and the Wordfence Firewall. With this update, as traffic passes through the Wordfence Firewall before it hits your website, it is inspected using our full scan capability and if we find any malicious code in a request, it is blocked.

This has the effect of adding a powerful malware and virus scanner to your firewall to complement the already comprehensive ruleset that Wordfence uses to protect you. This new layer of protection is extremely fast and comes with zero performance penalty for your website.
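The layering described above, sketched as an added example that is not Wordfence's code: an exploit-rule layer keyed to an endpoint, followed by a content-signature layer applied to request parameters and upload bodies. The plugin path, rule ids, signatures and sample requests are all constructed for illustration.

```php
<?php
// Added illustration, not Wordfence code. All rules, signatures and requests are constructed.

// Layer 1: exploit rules keyed to a known-vulnerable endpoint (hypothetical plugin path).
const EXPLOIT_RULES = [
    'old-uploader' => '#^/wp-content/plugins/old-uploader/upload\.php#',
];

// Layer 2: content signatures applied to every request, whatever the endpoint.
const SCAN_SIGNATURES = [
    'php-eval-decode'  => '/eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(/i',
    'php-tag-in-image' => '/^(?:GIF8[79]a|\xFF\xD8\xFF).{0,512}<\?php/s',
];

/** Collect every string a signature should see: parameter values and upload bodies. */
function request_payloads(array $req): array {
    $out = [];
    array_walk_recursive($req['post'], function ($v, $k) use (&$out) {
        $out["post:$k"] = (string) $v;
    });
    foreach ($req['files'] as $field => $body) {
        $out["file:$field"] = $body;
    }
    return $out;
}

/** Return [verdict, layer, rule id]; the scan layer runs only if no exploit rule matched. */
function inspect_request(array $req): array {
    foreach (EXPLOIT_RULES as $id => $re) {
        if (preg_match($re, $req['path'])) return ['block', 'rule', $id];
    }
    foreach (request_payloads($req) as $where => $data) {
        foreach (SCAN_SIGNATURES as $id => $re) {
            if (preg_match($re, $data)) return ['block', 'scan', "$id@$where"];
        }
    }
    return ['allow', null, null];
}

// Constructed sample requests; the upload body is inert (the base64 decodes to "constructed").
$requests = [
    'known endpoint'   => ['path' => '/wp-content/plugins/old-uploader/upload.php', 'post' => [], 'files' => []],
    'unknown endpoint' => ['path' => '/wp-admin/admin-ajax.php', 'post' => ['action' => 'import'],
                           'files' => ['img' => "GIF89a\n<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>"]],
    'normal comment'   => ['path' => '/wp-comments-post.php', 'post' => ['comment' => 'Great post!'], 'files' => []],
];
foreach ($requests as $name => $req) {
    echo str_pad($name, 18), implode(' / ', array_filter(inspect_request($req))), "\n";
}
```

The second request reaches an endpoint no exploit rule covers, so only the signature layer stops it; that is the case the layered design exists for.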

This is a very exciting change because through our forensic research, our scan capability has massively increased over the past few months. This scan capability has now been added to the firewall.

Right now our free Wordfence community users are protected using 402 unique scan signatures, many of which detect multiple malware types. Our Premium Wordfence users are protected using 137 additional malware signatures. As always, these signatures will become available to free customers within 30 days of release.

We also have 163 beta signatures that we are currently testing and will be bringing online for our Premium customers over the next few days and weeks.

This new firewall detection capability has just been added to the Wordfence Firewall in a single release, which has the effect of adding hundreds of new firewall rules at once.

Bringing this new capability online for our customers is a big deal and our team worked hard to make this release happen. I’d like to extend my special thanks to our Dev and QA team who made sure that adding this new detection did not result in any false positives on your website and made sure that, as we rolled this out, the over 1.5 million websites we protect would continue to run fast and flawlessly.

Since our release last Thursday over half a million websites have upgraded to Wordfence 6.1.17 without a hitch. If you haven’t done so already, upgrade now so that you too can benefit from this new capability and protection for your WordPress website.


18 Comments on "Wordfence Integrates Malware Scan Into Firewall"

Beck September 14, 2016 at 9:32 am

Your hard work has improved the entire internet community. Thanks to everyone at WF

Kyle September 14, 2016 at 9:59 am

Well I definitely noticed the changes last night; I nearly jumped out of my chair when I got an alert saying we had over 900 attacks in 10 minutes on one of our sites. After I recognized the IP address of our OpenVAS security scanning server, I was curious why we hadn't received similar alerts from previous scans. Now I know :)

Thanks Mark (and the Wordfence team)!

mark September 14, 2016 at 10:18 am

Ha! That's awesome Kyle. Thanks for the validation. ~Mark.

Emily September 14, 2016 at 10:55 am

Normally, when you guys do upgrades they get automatically pushed through on my site. This time, I got a notice to do the upgrade manually. It gave me pause and I wondered if it was a false claim. Is there a reason it wasn't set up as an auto upgrade?

mark September 14, 2016 at 1:06 pm

Hi Emily,

Please contact our support team about this, either on our forums or via a ticket. They'll be happy to work with you.

Regards,

Mark.

Stephen Ashton September 14, 2016 at 11:07 am

Far and away the best and most important plugin for WordPress. You guys rock.

Marlys September 14, 2016 at 11:49 am

Like Kyle, I was alarmed when I first saw the alert until I studied it more closely. You guys are awesome! Thanks for providing website owners so much peace of mind.

I do have a question though ... now that Timthumb is part of the WF scan, can I finally dump the abandoned plugin Timthumb Vulnerability Scanner?

mark September 14, 2016 at 1:07 pm

Yes you can. And we do WAY more than protect against the timthumb exploit. There is a huge number of attacks we block.

Marlys September 14, 2016 at 1:23 pm

Yay! One less plugin to worry about ... :) I'm so glad I found Wordfence!

Jakob September 14, 2016 at 12:55 pm

Thanks for another great update... have you thought about making Wordfence for other popular PHP CMS platforms like Joomla?

Best regards,
Jakob

mark September 14, 2016 at 1:07 pm

Yes we have. :)

News September 14, 2016 at 12:56 pm

Thanks for the big work

Peter September 14, 2016 at 6:40 pm

Awesome work -- having Wordfence installed on a site really brings peace of mind! It's obviously being designed and maintained by people who are passionate about what they do. Congratulations on your continued success.

mark September 14, 2016 at 9:29 pm

Thanks Peter.

Shirley Burns September 14, 2016 at 8:01 pm

So awesome! I noticed new events in the logs and reports and it is just so scary the things that are being stopped BEFORE they even get in the door! Best investment I have made for my site and those of my clients.

Jim Steele September 15, 2016 at 2:14 am

Would Wordfence deal with any of the problems patched by WordPress in their 7th September press release? I know upgrading to the latest version of WP would deal with this but just wondered if Wordfence would have blocked this vulnerability being exploited. Thanks.

mark September 16, 2016 at 11:02 am

Hey Jim. The first vulnerability they patched requires 'Author' privileges and the second requires 'Admin' and we don't even see how that's really a vulnerability. I just spoke to one of our devs. So we haven't rolled our rules for either of those because if someone already has Admin on your site, you're already toast - and with Author they can do quite a bit of damage i.e. edit, delete and publish posts. It's a bit like worrying that a burglar who is already in your house is going to break into the fridge.

Kabolobari September 15, 2016 at 2:35 am

You guys are doing awesome for the WordPress community. I couldn't thank you enough! Thanks.

