Wordfence API

Additional functions for developers to import settings or whitelist IP addresses.

Wordfence provides a few functions to developers through the API calls listed here. Other functions and objects that are not listed here are subject to change in future versions of Wordfence.


This provides the ability to import Wordfence settings on multiple sites. If you only need to export and import settings on a few sites then use the “Tools” > “Import/Export Options” page instead.

Wordfence includes a public function that can be called by any developer from within WordPress. The function is:


Where $token contains a token that you were given when you used the option to export your Wordfence settings.

This function lets you import Wordfence settings on potentially thousands of WordPress sites without manually having to log in to those sites and do the import manually on each site.

Simply install Wordfence on each site and make sure it is activated. Then execute this function making sure that you pass the correct token to it as a string and the function will make an API call to Wordfence servers and import the settings you saved.

Remember to keep your token secure because it is like a password and if anyone else gets access to this token they will be able to import your Wordfence settings (excluding your Premium license key) into their own site.


This provides plugin and theme authors a way to add the IP address of any external services to the IP address allowlist that may need to access a site.

This function is part of Wordfence’s API that we expose to other theme and plugin developers. The function can be used to add an IP address to the Wordfence IP address allowlist.

What this means is that any traffic from that IP address will bypass all security checks. This includes two-factor authentication, so if someone from that IP address logs in they will not be asked to enter their two-factor authentication code.

The function can be called with a dotted quad IP address passed as a string. For example:


Or you can add a range of IP addresses by using square brackets. For example:


You can use multiple ranges in an IP. For example:


Note that we do not validate if your ranges are legal, such as [1-256], where 256 is out of range. A range like this will simply check 1-255 internally and will ignore the fact that you have specified an IP address that will never exist. So if you are accepting user input that allows IP address ranges then please do your own validation.

The function returns true if the IP address was added and false if the IP address already existed in the allowlist. On failure, it will throw an exception that contains a helpful message explaining the problem. So you should enclose this call in try/catch blocks and then gracefully handle the error. For example:

try {
} catch(Exception $e){
$errorMsg = $e->getMessage();
//Do something intelligent with the error you received from Wordfence.
} //Otherwise if the catch block doesn't execute the function has succeeded.