Wordfence monitors activity on your site, both via the scanner and the firewall. Alerts are sent out via email. The recipient email of these alerts is configured when Wordfence is installed and can be changed under the “General Wordfence Options” section on the “Dashboard” > “Global Options” page.

The Wordfence alert function uses the built-in WordPress email function, which in turn uses the PHP mail function on your server. If you are using an SMTP plugin that overrides the WordPress built-in email function then that will be used for sending the alerts instead.

Wordfence can alert you when someone is locked out from login, when users sign in to your site, or when there is a large increase in attacks. You can configure these alerts under the “Email Alert Preferences” section.

When configuring scan alerts, you can choose the lowest severity of alerts that you would like to be notified of. Wordfence will send an alert for each new issue of that severity or higher that is found in automatic scheduled scans, unless you have disabled email alerts from individual sites in Wordfence Central. You can find more information about scan results here.

Critical Scan Alerts

• Your site’s URL is on a domain blocklist
• Your site is spamvertizing
• A file matching a malware signature or containing a URL on a domain blocklist was found
• A publicly accessible configuration or backup file was found
• A plugin removed from the wordpress.org repository is installed
• The Wordfence firewall is disabled
• An administrator or editor with a weak password has been found
• You have less than 5MB of available disk space
• A plugin or theme with a known vulnerability is installed

High Severity Scan Alerts

• Your server IP is listed on a spam blocklist
• A post title has suspicious content (e.g., a script tag)
• A blocklisted URL was found in a post
• A scan was aborted due to reaching the default three hour scan time limit
• The “How does Wordfence get IPs?” setting is misconfigured
• You have less than 20MB of available disk space
• A non-administrative user with a weak password has been found
• A WordPress core, plugin, or theme file has been modified from the wordpress.org repository version
• A WordPress option containing a blocklisted URL has been found
• Publicly accessible quarantined files were found
• An unknown or suspicious administrator account has been found
• A WordPress core update is available
• Directory listing is enabled
• Your web server exposes the document root (full path disclosure)

Medium Severity Scan Alerts

• Your site is running an unknown core version of WordPress
• Your site is running an older version of PHP (5.4 or below) that is incompatible with Wordfence country blocking
• An abandoned plugin is installed
• A plugin has an update available
• A theme has an update available

Low Severity Scan Alerts

• A blocklisted URL was found in a comment