Announcing Vulnerability Scanning in Wordfence CLI 2.0.1 “Voodoo Child”

Note: If you’re a WordPress user, we recommend the Wordfence Security Plugin which provides a robust and complete set of security controls for WordPress websites. If you host WordPress servers and need high performance malware and vulnerability scanning on the command line, read on!

Our mission at Defiant Inc, makers of Wordfence, is to Secure the Web. We made the Web safer today with the release of completely free WordPress server vulnerability scanning at a massive scale for both personal and commercial use with the release of Wordfence CLI 2.0.1, codename “Voodoo Child”.

Wordfence CLI is a high performance Linux command line application that we launched at WordCamp US two months ago with robust malware scanning. Wordfence CLI is designed for technical server administrators working on the command line to host individual WordPress sites, or to provide WordPress hosting at scale. With today’s release of Wordfence CLI 2.0.1, Wordfence CLI will now scan your WordPress server, or your entire network, for WordPress vulnerabilities with a single command. This feature is in addition to the powerful malware scanning capability that Wordfence CLI already provides.

Wordfence CLI created a lot of excitement at Wordcamp US and the one resounding question that we were asked while there was “will it scan my website for vulnerabilities”. Today we are incredibly excited to introduce WordPress vulnerability scanning at scale in Wordfence CLI.

Vulnerability Scanning is Completely Free

Vulnerability scanning in Wordfence CLI is completely free for personal AND commercial use. Wordfence CLI uses our open vulnerability database which is also freely available for you to use, including our vulnerability APIs and vulnerability Web Hooks that will alert you in real-time when we add a new vulnerability. Wordfence CLI is open source, licensed under GPLv3.

Wordfence CLI 2.0.1 “Voodoo Child” also has simplified installation. You no longer have to come to our site to get an API key to run Wordfence CLI. You can simply launch CLI, agree to our terms, and start scanning. Wordfence CLI now fetches a free API key behind the scenes, which enables fetching our vulnerability data and our free malware signatures. We made this change to get you up and running fast!

Malware scanning in the free version of Wordfence CLI uses our Free Malware Signature Set and a paid version of Wordfence CLI is available which includes our expanded Commercial Signature Set.

Powering Hosts, Agencies, Developers and The WordPress Economy

The release of vulnerability and malware scanning at scale with Wordfence CLI enables the creation of a vibrant economy built around WordPress security. It is our hope that we will see businesses of all sizes, including individual developers, get familiar with the power of Wordfence CLI, and begin to provide new or add-on security services to their customers using Wordfence CLI. Here are a few examples:

  • Wordfence CLI can be used by site cleaners and incident responders to quickly and effectively find malware on an already infected website and scan for vulnerabilities to determine potential intrusion vectors, along with providing post-clean remediation.
  • Developers and operations teams can scan a single site, or an entire server for vulnerabilities to prevent a hack before it occurs.
  • Agencies can scan thousands of WordPress sites on a server with a single command to find vulnerabilities or locate malware.
  • Hosting Providers can use a dedicated server with many CPU cores to launch a multi-process malware scan that accesses their entire server fleet in read-only mode via the network to scan for malware at massive scale. It’s quite feasible to scale this up to 15 million websites or more for the mega-hosts out there.
  • Hosting Providers can perform fast vulnerability scans at scale across an entire network to alert and provide remediation options to customers.

All of the above can be scheduled as a regularly run cron job. Wordfence CLI accepts piped input and supports piping its output. You can configure Wordfence CLI to use as many CPU cores as you’d like when conducting a malware scan, so that you’re able to efficiently use your computational resources.

Powered by Wordfence Intelligence

The Wordfence CLI vulnerability scan is powered by the Wordfence Intelligence Vulnerability API feed, which is also 100% free for personal and commercial use. This feed contains over 12,250 unique vulnerability records that affect over 7,600 plugins and themes, and is constantly updated by our Threat Intelligence team. Typically, our team adds anywhere from 20 to 150 new vulnerabilities per week with a rough average of 82 per week, based on our data from the past 12 months.

We monitor various sources such as plugin change-logs, the CVE list, vulnerability databases, and other sources while also issuing CVE IDs to independent researchers and conducting our own in-house research. This is all to ensure we have the most up-to-date and accurate vulnerability information in our database that users can trust. All vulnerability records have extensive detailed information such as a concise title, description, CWE, CVSS Score, affected version ranges, patched version, and more that is usable as output with the Wordfence CLI vulnerability scanner. This should help make alerting and prioritization easier than ever for site owners and hosting providers.

It’s often hard to believe that such a high-quality vulnerability database is completely free to access via the Web and via API, but we keep looking for more ways to provide the data for free. We believe that vulnerabilities belong to the community because they are created by the security community, and that is why we’ve taken the same approach with vulnerability scanning in Wordfence CLI as we have with our Vulnerability Database. Vulnerability Scanning with Wordfence CLI, and use of our vulnerability database is completely free for commercial and personal use. So we would like to encourage hosting providers, enterprises, and site owners to implement this data and use Wordfence CLI to help make the Web more secure.

Running Your First Vulnerability Scan

If you do not already have CLI installed, follow these installation instructions to get up and running. If you have Wordfence CLI, follow these upgrading instructions to update your installation to the latest version.

To perform a basic vulnerability scan from the command line, simply invoke:

wordfence vuln-scan /path/to/scan

If you’d like to run a malware scan, use this command to get started:

wordfence malware-scan /path/to/scan

Malware scans are a bit more CPU intensive, so we provide the ability to use multiple CPU cores when conducting a malware scan. This is not available for vulnerability scans because they run very quickly. To use 8 CPU cores for a malware scan, and to see progress in real-time, run this command:

wordfence malware-scan /path/to/scan --progress --workers 8

To scan the /var/www/wordpress directory for vulnerabilities and write the results to /home/username/wordfence-cli-vuln-scan.csv.

wordfence vuln-scan --output-path /home/username/wordfence-cli-vuln-scan.csv /var/www/wordpress

If you have multiple WordPress installations you want to scan, you can supply a path to each as a command line argument:

wordfence vuln-scan --output-path /home/username/wordfence-cli-vuln-scan.csv /var/www/wordpress1 /var/www/wordpress2 /var/www/wordpress3

To run a daily scan of your WordPress installation, you define a cron entry like this one:

0 0 * * *  username /usr/local/bin/wordfence vuln-scan --output-path /home/username/wordfence-cli-vuln-scan.csv /var/www/wordpress

This example scans the directory /var/www/wordpress and writes the results to /home/username/wordfence-cli-vuln-scan.csv as the username user. This would be similar to how a scheduled scan works within the Wordfence plugin. The cronjob uses a lock file at /tmp/wordfence-cli-vuln-scan.lock to prevent duplicate vulnerability scans from running at the same time.

Go Forth And Secure The Web!

Wordfence CLI is one of those projects where the product roadmap writes itself because there is such an obvious need for a powerful tool like this in the WordPress server administration space. We’re in this for the long haul and will continue to invest heavily in Wordfence CLI, with your guidance. Once you’ve tried CLI, we’d love to hear your feedback in the comments.

Did you enjoy this post? Share it!


  • You guys rock. Thank you for your hard work in the WordPress world!

    • Thanks Terry!

  • The initial release was a valuable resource, CLI scanning that was FAST, and the model you provided was generous and altruistic.

    New version - yeah - it's a v2 - and it's just better.

    Kudos all round. Thanks for making the world of WordPress and the web generally safer.

    • Thanks Martin!

  • Is there a way to scan all folders and files within a directory? or does it do that by default? i.e. if I keep all the websites in a /web folder, can I just specify /web and it will scan all subfolders?

    • Yes it will. CLI automatically detects individual WordPress installation directories using the file and directory structure, so you can mass scan sites.

  • This is definitely a good idea

    • Thanks Paul.

  • Awesome, I have really wanted to run this since your first announced it but I fell somewhere btween the free and commercial tiers. I'll be installing this over the weekend to test it out.

    • That's great Simon! I think you'll find it is stable and robust.



  • We rely on Wordfence to secure our clients' WordPress sites. Thanks for making the web safer.

    • You're very welcome.

  • Great idea to build it as a linux tool rather than a plugin so you can scan multiple instances without installing a plugin ( I assume )

    • Yeah to be clear CLI doesn't provide a firewall, 2fa, brute force protection and many other features that the plugin does. But there is strong demand for a high performance malware and vulnerability scanner that runs on servers and can scan at massive scale. So CLI addresses that need. In addition you can cron this and run it as a higher privileged user so that if your WP site is compromised, CLI will still catch it and alert you with a malware scan. It's a second layer of server based protection.