This is the simplest method for installing CLI.

pip install wordfence

This should build and install an executable of Wordfence CLI at the following directory when run as the username user:

/home/username/.local/bin/wordfence

If run as root, the executable path should be:

/usr/local/bin/wordfence

Verify the executable works correctly on your system:

./wordfence version

You should see output similar to this:

Wordfence CLI 3.0.1

Once this is done, we recommend reviewing the configuration to go through configuring a license followed by running your first scan.

This method will work for Debian and Debian-based Linux distros (Ubuntu, Linux Mint, Kali, etc) where you have root access to the system.

sudo apt install ./wordfence.deb

For older distros, you can also use the following commands to install CLI.

sudo dpkg -i wordfence.deb
sudo apt -f install

Verify the executable works correctly on your system:

wordfence --version

You should see output similar to this:

Wordfence CLI 3.0.1

Once this is done, we recommend reviewing the configuration to go through configuring a license followed by running your first scan.

This method will work for Red Hat Enterprise Linux 9 and compatible distributions (AlmaLinux, Rocky Linux, etc) where you have root access to the system. You must have the CodeReady Linux Builder (CRB) repo enabled before installing.

On RHEL, run:

subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms

On RHEL-compatible distributions, run:

dnf config-manager --set-enabled crb

You should now be able to install the RPM package:

sudo dnf install ./wordfence-el9.rpm

Verify the executable works correctly on your system:

wordfence version

You should see output similar to this:

Wordfence CLI 3.0.1

Once this is done, we recommend reviewing the configuration to go through configuring a license followed by running your first scan.

Binaries for Wordfence CLI can be downloaded on the Releases page of the GitHub repository (under Assets of each release) along with source code, and the .whl files:

https://github.com/wordfence/wordfence-cli/releases

The binary files are in the format wordfence_yyyy.tar.gz where yyyy is the CPU architecture. The following example uses AMD64 as the architecture.

We recommend verifying the authenticity of the download prior to extracting the archive. You can do this by following the steps outlined below prior to following the rest of these installation steps.

Extract the binary:

tar xvzf wordfence_amd64.tar.gz

Verify the binary works correctly on your system:

./wordfence version

You should see output similar to this:

Wordfence CLI 3.0.1

Once this is done, we recommend reviewing the configuration to go through configuring a license followed by running your first scan.

To install Wordfence CLI using Docker, you can clone the GitHub repo to your local environment:

git clone git@github.com:wordfence/wordfence-cli.git
cd ./wordfence-cli
docker build -t wordfence-cli:latest .

Once the Docker image is built, you can start the docker container with the volumes you wish to scan:

docker run -v /var/www:/var/www wordfence-cli:latest version

You should see output similar to this:

Wordfence CLI 3.0.1

Once this is done, we recommend reviewing the configuration to go through configuring a license followed by running your first scan.

To install Wordfence CLI manually, you can clone the GitHub repo to your local environment:

git clone git@github.com:wordfence/wordfence-cli.git
cd ./wordfence-cli
pip install .
python main.py version

You can additionally build the wheel archive and generate an executable:

pip install build~=0.10
python -m build --wheel
pip install dist/wordfence-*.whl

The executable should be installed to ~/.local/bin/wordfence.

If you encounter an error about libpcre.so similar to this one:

OSError: libpcre.so: cannot open shared object file: No such file or directory

You may need to install the libpcre library.

The checksum file for all release assets is sgned using GPG as part of the build process. We recommend verifying the authenticity of the checksum file and then verifying the checksum of the downloaded release asset prior to extracting, installing, or executing any code.

To verify the signature of the checksums file, first download and import our public GPG key:

wget https://www.wordfence.com/wp-content/uploads/public.asc
gpg --import public.asc

You can optionally sign our public key with your own private key:

gpg --lsign-key 00B225C7030F26FF4A3D3481F82623ECE1DB0FBB

Download the checksums.txt and checksums.txt.asc files from GitHub releases. You can then verify the authenticity of the checksums.txt file (replace the filenames with paths to the copies you've downloaded):

gpg --assert-signer 00B225C7030F26FF4A3D3481F82623ECE1DB0FBB --verify checksums.txt.asc checksums.txt

If your version of GPG doesn't include --assert-signer you can just run (you may see a warning using this method):

gpg --verify checksums.txt.asc checksums.txt

You should see output similar to this:

gpg: Signature made Fri Aug 18 16:27:11 2023 EDT
gpg:                using EDDSA key 00B225C7030F26FF4A3D3481F82623ECE1DB0FBB
gpg:                issuer "opensource@wordfence.com"
gpg: Good signature from "Wordfence <opensource@wordfence.com>" [ultimate]
gpg: signer '00B225C7030F26FF4A3D3481F82623ECE1DB0FBB' matched

Now that you've verified the checksums file, you can confirm that the checksum of your download matches. For example, if you downloaded the wordfence_amd64.tar.gz (the standalone Linux executable for the x86_64 architecture) to the same directory as checksums.txt, you can verify the checksum matches with:

sha256sum --ignore-missing -c checksums.txt