Incident Response Services
Let one of our Security Analysts help you clean your infected site or inspect it for vulnerabilities.
If you are a Wordfence Response customer, our Security Analysts are available 24 hours a day, 7 days a week, 365 days a year, and will respond to your incident response request within 1 hour.
If you are a Wordfence Care customer, we provide security incident response services during our normal business hours of Monday-Friday 9 a.m. to 8 p.m. Eastern Time.
We currently offer these services for WordPress sites hosted on Linux or other Unix-type Operating System servers only. Our security incident response restores compromised websites to working order by removing malware and malicious content, investigating how the attacker gained entry, blocklist removal and providing a checklist to protect your site from future attacks.
The purpose of this page is to provide answers to common questions that may not be covered in detail on the main Wordfence Care and Wordfence Response pages.
Once your order has been placed, our Customer Service team will contact you to assist with initial installation and configuration of the Wordfence plugin. If you need immediate assistance with a security incident, you can get help right away and your request will be placed in a queue for one of our Security Analysts to work on.
Security incident response requests from Wordfence Response customers are prioritized and worked 24/7/365, while requests from Wordfence Care customers are worked during normal business hours in the order in which they are received. The first thing the Security Analyst will do is test the credentials you provided. If they are unable to access your site, file system, or control panel they will let you know and put your order on hold. It is important to provide correct credentials as quickly as possible to expedite service.
Once an analyst is available to work on your site, assuming you have provided valid credentials, service should take two to four hours. This can vary dramatically based on technical challenges such as slow hosting resources and large file transfers. Our work should not disrupt the availability of your site during service. The analyst will download a copy of your site to a secure Wordfence server, where the service will take place. Once a security incident response is completed, a clean copy of your site will be transferred to your hosting server, replacing the hacked version of your site. Your site will be unavailable for a few seconds during this process. Once that is complete the analyst will work to remove your site from any blocklists your site has been added to as a result of being hacked. A detailed report is then produced, providing the details of the infection removal and investigation into how the site was compromised. A detailed list of recommendations for locking down your site will be included.
The report will be delivered to you via email, and the security analyst who performed the service will be available for questions. In some cases your follow up questions or issues may be forwarded on to our support team.
Incident Response requests placed by Wordfence Response customers will be started within 1 hour and completed within 24 hours, while requests placed by Wordfence Care customers are generally completed within one business day, provided that proper access to your website has been provided. Requests from Wordfence Response customers are placed in a high-priority queue and worked in the order in which they are received. Requests from Wordfence Care customers are worked in the order in which they are received.
Wordfence Response is available 24/7/365. Requests by Wordfence Care customers are subject to our business hours, which are Monday through Friday, 9am to 8pm ET. Requests placed by Wordfence Care customers after hours, on weekends, and on holidays will begin on the next business day or later if the estimated completion time is greater than one day. The major U.S. holidays observed are Easter, Memorial Day, Fourth of July, Labor Day, Thanksgiving, Christmas and New Years Day. If you’re unsure of the holiday schedule please consult our support team.
In order to provide service, we will need access to the administrative area of your website, your file server (via Secure FTP) and control panel access. We also need SSH access if available. This information is provided via a secure page and stored using PGP encryption. Only authorized Wordfence Security Analysts will have access to this information.
Administrative access is gained by visiting example.com/wp-admin. We will need a username and password with administrator level access. We recommend that you set up a temporary user for this purpose that is deleted immediately after service and that you change your password immediately after service.
Access to your file system generally requires a different username and password. If you have not set up Secure FTP access to your site, you may need to work with your hosting company to do so. We require you to change your FTP password immediately after service.
Control panel access is the username and password that you use to log in to the administrative functions for your website on your hosting company’s website. The steps necessary to grant access will differ by hosting company. You may need to contact your hosting company’s support team for help. We require you to change this password immediately after service as well.
If we’re unable to secure working credentials, the security incident response cannot be performed.
The Security Analyst assigned to provide your service will do their best to keep you informed throughout the process as necessary. If you have questions along the way you can inquire by logging into your wordfence.com account and clicking Get Help on the banner at the top of the page. Wordfence Response customers will receive a response within 1 hour, 24/7/365. Our analysts respond to Wordfence Care customer inquiries during business hours.
Our security analysts will respond to security incidents as long as you are an active Wordfence Care or Wordfence Response customer. All services include a written report that always includes recommendations. Continued incident response requires that all recommendations have been followed.
Large Sites and Problematic Configurations
All service pricing assumes that your website is less than 100GB in size. An additional charge of $100 USD per 100GB will be added for sites over the limit.
We reserve the right to refuse service for hosting configurations that have been known to be problematic. We currently will not provide services for sites running on Windows Servers, load-balanced (horizontally-scaled) servers, or sites running the DAP plugin or OptimizePress. Orders placed that can not be processed will be refunded.
If your host has shut down your hosting account because of a malware infection, we can still clean it. You may need to get your host to allowlist the IP of the Security Analyst in charge of your case. Please reach out via the Get Help form as usual and when submitting credentials in step two of the process, mention in the “comments” section that your site has been shut down by the host.
Our Wordfence Care and Response services are not available for a WordPress Multisite Network.
Servers Hosting Multiple Sites
For the purposes of these services, a site is considered a distinct installation of a CMS (WordPress). Due to the risk of cross-contamination, we are unable to provide services for selected sites hosted on the same server. Customers must either purchase the same level of service for all sites or delete or move the sites that do not require service.
We can provide security incident response services for staging or development sites associated with your Care or Response license at an additional price of $199 USD/site. Security incident response for additional sites that are not staging or development sites will require a separate Care or Response license. Alternatively, staging and development sites can be deleted and recreated after the service is completed.
We strongly recommend keeping regular backups of your site. Restoring a known clean backup can greatly expedite the incident response process, and sites that have been completely removed or otherwise irretrievably damaged by a security incident may not be restorable.
Frequently Asked Questions
- Can you clean a suspended site?
If your hosting provider has suspended your hosting account because of a malware infection then we can still clean your site. You may need to get your hosting provider to allow connections from the IP address of the Security Analyst in charge of your cleaning order. Please purchase a site cleaning as usual. When submitting your access credentials in step two of the process then mention in the “comments” section that your site has been suspended by your hosting provider.