V2: Accessing and Querying the Malware Hash Feed (Enterprise)

Wordfence Intelligence Malware Hash Feed

The Wordfence Intelligence Malware Hash Feed provides hashes of four different types for the content of over 3 million files that are known to be malicious.

API Endpoint

GET /api/intelligence/v2/malware/hashes

If no parameters are provided, the feed will be returned in its entirety.


| Parameter | Format | Description |
|---|---|---|
| fields | Array or comma-delimited list | The list of fields to include in the response |
| omit-header | Boolean | If specified, the column headers will be omitted from the response |
| limit | Integer | The maximum number of results to include in the response |
| offset | Integer | The position, relative to the start of the result set (0), from which to return results. This can be used for paginating results. |
| sort | Array or string | The field(s) by which to sort the results |
| direction | Array or string | The direction in which to sort the results (asc for ascending or desc for descending). If an array is provided, it should correspond to the fields specified in the sort parameter. |
| plain | Boolean | If specified, text/plain will be used as the content type of the response rather than text/csv. |
| <field-name> | String | Filter based on the value of the specified field. See “Filtering Results” for additional details. |

Parameter Types

| Type | Description |
|---|---|
| Boolean | If present in the request query string, this parameter is interpreted as a boolean true; otherwise it will be interpreted as false. |
| Array | Brackets ([]) in parameter names can be used to pass an array. For instance, to pass md5 and sha1 as values for the fields parameter, the following query string can be used: fields[]=md5&fields[]=sha1 |

Filtering Results

Results may be filtered by specifying the field name and value in the query string. If multiple conditions are specified, they will be combined with a logical “and” operation.


By default filters are exact matches, but the following operators may be specified at the beginning of values if different conditions are desired.

| Operator | Description |
|---|---|
| = | Equal (exact match; default behavior) |
| < | Less than |
| <= | Less than or equal to |
| > | Greater than |
| >= | Greater than or equal to |
| <> | Not equal to |

Data Format

Response data is provided in the CSV (comma-separated values) format.

| Field | Type | Description |
|---|---|---|
| md5 | Hex | The MD5 hash |
| sha1 | Hex | The SHA1 hash |
| sha256 | Hex | The SHA256 hash |
| sha256_normalized | Hex | The normalized SHA256 hash |
| sightings | Integer | The total number of sightings of this hash |
| first_seen | Date | The earliest time this hash was encountered |
| last_seen | Date | The latest time this hash was encountered |

Date Format

Date values are provided as strings in the following format: YYYY-MM-DD

  • YYYY – 4 digit year
  • MM – 2 digit month with leading zeros
  • DD – 2 digit day with leading zeros

Wildcard Matches

The asterisk character (*) may be specified in field values to invoke wildcard matching. Wildcard matching may not be combined with any other operator.

Hash Types

The following hash types are available for each record in the feed:

  • MD5
  • SHA1
  • SHA256
  • SHA256 – Normalized

Normalized Hashes

For normalized hashes, whitespace characters are removed from the input data prior to computation. The following characters are considered whitespace for this purpose:

| Character | Escape Sequence | ASCII Code |
|---|---|---|
| Space | “ ” | 32 |
| Tab | “\t” | 9 |
| Line Feed | “\n” | 10 |
| Carriage Return | “\r” | 13 |
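
The following is an added example, not code from Wordfence: it computes the four hash types for a file's content and checks them against a feed response, showing that a copy with changed whitespace misses the exact hashes but still matches on sha256_normalized. It assumes the four whitespace bytes are removed from the raw file bytes, that hex values compare as lowercase, and that the response includes the column header; the sample content and feed row are constructed.

```python
import csv
import hashlib
import io

# Byte values stripped before the normalized hash: space, tab, LF, CR.
WHITESPACE = bytes([32, 9, 10, 13])
HASH_FIELDS = ("md5", "sha1", "sha256", "sha256_normalized")


def file_hashes(data: bytes) -> dict:
    """Compute the four hash types the feed publishes for one file's content."""
    stripped = data.translate(None, WHITESPACE)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha256_normalized": hashlib.sha256(stripped).hexdigest(),
    }


def index_feed(csv_text: str) -> dict:
    """Map (field, hash) -> feed row, for a response that includes the header."""
    index = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in HASH_FIELDS:
            if row.get(field):
                index[(field, row[field].lower())] = row
    return index


def match(data: bytes, index: dict) -> list:
    """Return the hash fields under which this content appears in the feed."""
    hashes = file_hashes(data)
    return [f for f in HASH_FIELDS if (f, hashes[f]) in index]


# Constructed sample: a harmless stand-in for a feed entry, not real feed data.
KNOWN = b"<?php echo 'sample'; ?>\n"
REFORMATTED = b"<?php\r\n\techo 'sample';\r\n?>\r\n"  # same code, new whitespace
h = file_hashes(KNOWN)
FEED = (
    "md5,sha1,sha256,sha256_normalized,sightings,first_seen,last_seen\n"
    f"{h['md5']},{h['sha1']},{h['sha256']},{h['sha256_normalized']},"
    "12,2023-01-05,2023-06-30\n"
)
INDEX = index_feed(FEED)

if __name__ == "__main__":
    print("exact copy:  ", match(KNOWN, INDEX))
    print("reformatted: ", match(REFORMATTED, INDEX))
```

When scanning files, check sha256_normalized in addition to the exact hashes, since re-indenting or changing line endings alters md5, sha1 and sha256 but not the normalized value.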