Wordfence Integrates Malware Scan Into Firewall

If you’ve been using the Wordfence Firewall for a while, you may have noticed that our firewall ruleset has been growing steadily over the past few months. This happens as we turn new threat intelligence into firewall rules and release them into production to protect your website.

The Wordfence Firewall protects you against attackers hacking into your website using known weaknesses like the vulnerabilities that have been exploited in Timthumb, Mailpoet, Gravity Forms, Slider Revolution and many others.

We also protect against many zero day vulnerabilities that aren’t yet known to the public but are known to us exclusively. These rules protecting against zero day vulnerabilities are unique to Wordfence.

We also protect against vulnerabilities that haven’t yet been discovered by using a smart ruleset that recognizes malicious activity and blocks it.

We knew we could do better

Many firewalls only protect against common attacks that exploit vulnerabilities. One of the things we see when a site is targeted is that an attacker has a goal in mind; They want to upload malicious code so that they can execute that code on your website.

In the security industry we use the phrase “Defense in Depth”. This describes a multi-layered approach to security, so that if one layer of security doesn’t stop an attacker, another will.

We realized if we took a multi-layered approach with our firewall, we would do an even better job of protecting our customers and have a very high probability of stopping attacks.

Announcing a new break-through feature

MalwareWith this in mind we have integrated our scan engine into the Wordfence Firewall. This layered approach means that even if a rule that recognizes an attacker exploiting a vulnerability doesn’t block the attack, our scan rules will block the attack when the attacker tries to upload malicious content.

Last week we quietly rolled Wordfence 6.1.17 into production. This update integrates Wordfence Scan and the Wordfence Firewall. With this update, as traffic passes through the Wordfence Firewall before it hits your website, it is inspected using our full scan capability and if we find any malicious code in a request, it is blocked.

This has the effect of adding a powerful malware and virus scanner to your firewall to complement the already comprehensive ruleset that Wordfence uses to protect you. This new layer of protection is extremely fast and comes with zero performance penalty for your website.

This is a very exciting change because through our forensic research, our scan capability has massively increased over the past few months. This scan capability has now been added to the firewall.

Right now our free Wordfence community users are protected using 402 unique scan signatures, many of which detect multiple malware types. Our Premium Wordfence users are protected using 137 additional malware signatures. As always, these signatures will become available to free customers within 30 days of release.

We also have 163 beta signatures that we are currently testing and will be bringing online for our Premium customers over the next few days and weeks.

This new firewall detection capability has just been added to the Wordfence Firewall in a single release, which has the effect of adding hundreds of new firewall rules at once.

Bringing this new capability online for our customers is a big deal and our team worked hard to make this release happen. I’d like to extend my special thanks to our Dev and QA team who made sure that adding this new detection did not result in any false positives on your website and made sure that, as we rolled this out, the over 1.5 million websites we protect would continue to run fast and flawlessly.

Since our release last Thursday over half a million websites have upgraded to Wordfence 6.1.17 without a hitch. If you haven’t done so already, upgrade now so that you too can benefit from this new capability and protection for your WordPress website.

Did you enjoy this post? Share it!


  • Your hard work has improved the entire internet community. Thanks to everyone at WF

  • Well I definitely noticed the changes last night; I nearly jumped out of my chair when I got an alert saying we had over 900 attacks in 10 minutes on one of our sites. After I recognized the IP address of our OpenVAS security scanning server, I was curious why we hadn't received similar alerts from previous scans. Now I know :)

    Thanks Mark (and the Wordfence team)!

    • Ha! That's awesome Kyle. Thanks for the validation. ~Mark.

  • Normally, when you guys do upgrades they get automatically pushed through on my site. This time, I got a notice to do the upgrade manually. It gave me pause and I wondered if it was a false claim. Is there a reason it wasn't set up as an auto upgrade?

    • Hi Emily,

      Please contact our support team about this, either on our forums or via a ticket. They'll be happy to work with you.



  • Far and away the best and most important plugin for Wordpress. You guys rock.

  • Like Kyle, I was alarmed when I first saw the alert until I studied it more closely. You guys are awesome! Thanks for providing website owners so much peace of mind.

    I do have a question though ... now that Timthumb is part of the WF scan, can I finally dump the abandoned plugin Timthumb Vulnerability Scanner?

    • Yes you can. And we do WAY more than protect against the timthumb exploit. There is a huge number of attacks we block.

      • Yay! One less plugin to worry about ... :) I'm so glad I found Wordfence!

  • Thanks for another great update... have you thought about making WordFence for other popular PHP CMS platforms like Joomla?

    Best regards,

    • Yes we have. :)

  • Thanks for the big work

  • Awesome work -- having Wordfence installed on a site really brings peace of mind! It's obviously being designed and maintained by people who are passionate about what they do. Congratulations on your continued success.

    • Thanks Peter.

  • So awesome! I noticed new events in the logs and reports and it is just so scary the things that are being stopped BEFORE they even get inthe door! Best investment I have made for my site and those of my clients.

  • Would Wordfence deal with any of the problems patched by Wordpress in their 7th September press release? I know upgrading to the latest version of WP would deal with this but just wondered if Wordfence would have blocked this vulnerability being exploited. Thanks.

    • Hey Jim. The first vulnerability they patched requires 'Author' privileges and the second requires 'Admin' and we don't even see how that's really a vulnerability. I just spoke to one of our devs. So we haven't rolled our rules for either of those because if someone already has Admin on your site, you're already toast - and with Author they can do quite a bit of damage i.e. edit, delete and publish posts. It's a bit like worrying that a burglar who is already in your house is going to break into the fridge.

  • You guys are doing awesome for the WordPress community. I couldn't thank you enough! Thanks.