Wordfence API

Additional functions for developers to import settings or whitelist IP addresses.

Wordfence provides a few functions to developers through the API calls listed here. Other functions and objects that are not listed here are subject to change in future versions of Wordfence.


Provides the ability to import Wordfence settings on multiple sites. If you only need to export/import settings on a few sites, see Exporting and Importing Wordfence Settings on the Wordfence options page instead.

Wordfence includes a public function that can be called by any developer from within WordPress. The function is:


Where $token contains a token that you were given when you used the option to export your Wordfence settings.

This function lets you import Wordfence settings on potentially thousands of WordPress sites without having to sign in to each site and do the import manually.

Simply install Wordfence on each site and make sure it’s activated. Then execute this function, making sure that you pass the correct token to it as a string. The function will make an API call to Wordfence servers and import the settings you saved.

Remember to keep your token secure because it is like a password. If anyone else gets access to this token, they will be able to import your Wordfence settings (excluding your API key) into their own website.


Provides plugin and theme authors a way to whitelist the IPs of any external services that may need to access a site.

NOTE: This is provisional documentation. This function will be included in Wordfence 5.3.2 release and is not available in the current release which is 5.3.1 as of November 13, 2014.

The wordfence::whitelistIP($IP) function is part of Wordfence’s API that we expose to other theme and plugin developers. The function can be used to add an IP address to the Wordfence whitelist.

What this means is that any traffic from that IP address will bypass all security checks. This includes two-factor authentication, so if someone from that IP signs in they will not be asked to enter the cellphone sign-in code.

The function can be called with a dotted quad IP address passed as a string. e.g.


Or you can whitelist a range of IPs by using a square bracket notation that is fairly intuitive:


You can use multiple ranges in an IP. e.g.


Note that we do not validate whether your ranges are legal, e.g. that you don’t include a range like [1-256] where 256 is out of range. A range like this will simply check 1-255 internally and will ignore the fact that you’ve specified an IP that will never exist. So if you’re accepting user input that allows ranges, please do your own validation.

The function returns true if the IP was added and false if the IP already existed in the whitelist. On failure it will throw an exception which contains a helpful message explaining the problem. So you should enclose this call in try/catch blocks and then gracefully handle the error. e.g.

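try {
    //Call the API function described above; $IP holds the address or range to whitelist.
    $added = wordfence::whitelistIP($IP);
} catch(Exception $e){
    $errorMsg = $e->getMessage();
    //Do something intelligent with the error you received from Wordfence.
} //Otherwise if the catch block doesn't execute the function has succeeded.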
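
The validation that the note above leaves to the caller, combined with the try/catch handling, as an added example (not Wordfence's own code). It assumes each octet is either a number or a `[low-high]` range, as the `[1-256]` example implies; `example_count_whitelist_pattern`, `EXAMPLE_MAX_ADDRESSES` and the sample input are hypothetical.

```php
<?php
// Added example, not Wordfence code. Checks a whitelist pattern supplied by a
// user before it reaches wordfence::whitelistIP().
// Assumption: each octet is a number or a [low-high] range.

/**
 * Hypothetical helper: returns how many addresses the pattern covers.
 * Throws InvalidArgumentException if the pattern is malformed or out of bounds.
 */
function example_count_whitelist_pattern($pattern) {
    $octets = explode('.', trim($pattern));
    if (count($octets) !== 4) {
        throw new InvalidArgumentException('Expected four dot-separated octets.');
    }
    $total = 1;
    foreach ($octets as $octet) {
        if (preg_match('/^\d{1,3}\z/', $octet)) {
            $low = $high = (int) $octet;
        } elseif (preg_match('/^\[(\d{1,3})-(\d{1,3})\]\z/', $octet, $m)) {
            $low  = (int) $m[1];
            $high = (int) $m[2];
        } else {
            throw new InvalidArgumentException("Malformed octet: $octet");
        }
        // Rejects [1-256] (upper bound too large) and reversed ranges like [9-3].
        if ($high > 255 || $low > $high) {
            throw new InvalidArgumentException("Octet out of range: $octet");
        }
        $total *= ($high - $low + 1);
    }
    return $total;
}

// Whitelisted addresses bypass all security checks, so cap how many one
// request may cover. The limit is a hypothetical site policy.
define('EXAMPLE_MAX_ADDRESSES', 256);
$userInput = '192.0.2.[1-32]'; // constructed sample input (documentation range)

try {
    $covered = example_count_whitelist_pattern($userInput);
    if ($covered > EXAMPLE_MAX_ADDRESSES) {
        throw new InvalidArgumentException("Pattern covers $covered addresses; refusing.");
    }
    if (class_exists('wordfence')) { // only present when Wordfence is active
        $added = wordfence::whitelistIP($userInput); // true if added, false if already listed
    }
} catch (Exception $e) {
    error_log('Whitelist request rejected: ' . $e->getMessage());
}
```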