V2: Querying the Wordfence Intelligence IP Data API (Enterprise)

Default Query

GET /api/intelligence/v2/ips

The default query returns the entire IP data set along with all metadata and aggregate columns.


IP ranges

Filter the results to a given IP range:

Using wildcards

GET /api/intelligence/v2/ips?ip=192.168.*

Exact match

GET /api/intelligence/v2/ips?ip=


Querying by ASN can be useful for organizations looking to identify IPs attacking within a given IP block or blocks.

Querying using a single ASN:

GET /api/intelligence/v2/ips?asn=1234

Querying for multiple ASNs:

GET /api/intelligence/v2/ips?asn[]=1234&asn[]=5678


Geographic and Organization Data

Exact string matching for city, country.

GET /api/intelligence/v2/ips?city=Seattle
GET /api/intelligence/v2/ips?country=US

Fuzzy matching for organization, ISP.

GET /api/intelligence/v2/ips?org=Amazon
GET /api/intelligence/v2/ips?org=Amazon*
GET /api/intelligence/v2/ips?isp=Amazon
GET /api/intelligence/v2/ips?isp=Amazon*


PTR lookups

PTR lookups can be useful for identifying IPs attacking from within a given network or cloud service that is not necessarily contained within a given ASN or ASNs.

GET /api/intelligence/v2/ips?ptr=*


Querying attack counts

Returns IPs with attack counts greater than (or equal to) and less than (or equal to) the supplied integer. Attack counts are organized into fields by category and time range. They can be queried using parameters in the following format:


List of attack total categories:

  • unique_sites – Unique sites attacked by this IP address.
  • brute_force – Brute force/credential stuffing/automated login attempts.
  • waf_attack – Web-based attacks/exploit attempts blocked by our web application firewall.
  • xss – Cross-site scripting attacks.
  • sqli – SQL injection attacks.
  • lfi – Local file inclusion attacks.
  • rce – Remote code execution attacks (includes malicious file uploads).
  • directory_traversal – Directory traversal attacks (includes local file read attacks).
  • xxe – External entity expansion attacks.
  • obji – PHP object injection attacks.
  • options_update – WordPress option update attacks (used for site takeover).
  • priv_esc – WordPress privilege escalation attacks.
  • auth_bypass – Authentication bypass attacks.

List of time ranges:

  • 4hour – Attack counts within the last 4 hours.
  • 1day – Attack counts within the last day.
  • 7day – Attack counts within the last 7 days.
  • 30day – Attack counts within the last 30 days.

List of operators:

  • gt – Attack counts greater than the supplied amount.
  • gte – Attack counts greater than or equal to the supplied amount.
  • lt – Attack counts less than the supplied amount.
  • lte – Attack counts less than or equal to the supplied amount.

IPs that have attacked 30 or more sites within the past 30 days:

GET /api/intelligence/v2/ips?unique_sites_30day_gte=30

IPs that have attacked a single site with 100 or more automated login attempts within the past 30 days:

GET /api/intelligence/v2/ips?unique_sites_30day_lte=1&brute_force_30day_gte=100
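The following is an added example, not part of the Wordfence documentation: a small Python builder that validates attack count parameters against the category, time range and operator lists above and assembles the request path. The category_timerange_operator composition is inferred from the example queries on this page; the names count_param and build_query are hypothetical, and the code only builds the path and query string (no host or authentication is assumed).

```python
from urllib.parse import urlencode

BASE_PATH = "/api/intelligence/v2/ips"  # endpoint path as shown on this page

CATEGORIES = {"unique_sites", "brute_force", "waf_attack", "xss", "sqli", "lfi",
              "rce", "directory_traversal", "xxe", "obji", "options_update",
              "priv_esc", "auth_bypass"}
TIME_RANGES = {"4hour", "1day", "7day", "30day"}
OPERATORS = {"gt", "gte", "lt", "lte"}


def count_param(category, time_range, operator):
    """Return a name such as brute_force_30day_gte, or raise ValueError."""
    for value, allowed, kind in ((category, CATEGORIES, "category"),
                                 (time_range, TIME_RANGES, "time range"),
                                 (operator, OPERATORS, "operator")):
        if value not in allowed:
            raise ValueError(f"unknown {kind}: {value!r}")
    # Assumption: composition inferred from this page's example queries.
    return f"{category}_{time_range}_{operator}"


def build_query(counts=(), asns=(), fields=(), **filters):
    """Build the request path and query string for the IP data endpoint.

    counts:  iterable of (category, time_range, operator, threshold) tuples
    asns:    one ASN uses asn=, several use the repeated asn[]= form
    fields:  joined into the comma-separated fields= list
    filters: passed through unchanged (ip, country, sort, limit, ...)
    """
    params = []
    for category, time_range, operator, threshold in counts:
        if isinstance(threshold, bool) or not isinstance(threshold, int):
            raise ValueError(f"threshold must be an integer: {threshold!r}")
        params.append((count_param(category, time_range, operator), threshold))
    asns = list(asns)
    key = "asn" if len(asns) == 1 else "asn[]"
    params.extend((key, int(asn)) for asn in asns)
    params.extend(filters.items())
    if fields:
        params.append(("fields", ",".join(fields)))
    if not params:
        return BASE_PATH
    # Keep *, comma and [] literal so the output matches the forms on this page.
    return BASE_PATH + "?" + urlencode(params, safe="*,[]")
```

Rejecting unknown categories, time ranges and operators before the request is sent catches typos that could otherwise produce a misleading result set in a blocklist or detection pipeline.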


Selecting specific fields

Use a comma-separated list of fields to be returned in your result set. This can be useful to restrict the size of the result set to just the fields you need.

GET /api/intelligence/v2/ips?fields=field1,field2,field3

Returns only the IP address for your query:

GET /api/intelligence/v2/ips?fields=ip


Sorting the result set

Sort the result set by organization in ascending order:

GET /api/intelligence/v2/ips?sort=org&direction=asc


Limiting total results

Result set is capped at 5000 IPs:

GET /api/intelligence/v2/ips?limit=5000


Specifying the response Content-Type

Including the plain parameter causes the Content-Type header in the response to be set to text/plain instead of the default text/csv. This is useful for viewing the feed directly in a browser as plain text.

GET /api/intelligence/v2/ips?plain



Top 10 IPs with the most brute force attacks (automated login attempts) within the last day:

GET /api/intelligence/v2/ips?limit=10&sort=brute_force_1day

List of IP addresses with any exploit attempts in the last 4 hours:

GET /api/intelligence/v2/ips?waf_attack_4hour_gte=1

Top 100 attacking IPs from the Russian Federation within the last week:

GET /api/intelligence/v2/ips?limit=100&country=RU&sort=waf_attack_7day

List of all IP addresses attacking WordPress websites in the country of Finland:

GET /api/intelligence/v2/ips?country=FI&fields=ip

List of all AWS EC2 instances attacking WordPress websites:

GET /api/intelligence/v2/ips?ptr=*