Screenshot of Wordfence Intelligence on a tablet

Continuously updated Threat Intelligence data feeds focused on attacks targeting web accessible services, distilled from requests targeting 12,000 ASNs across 4 million endpoints.

Wordfence provides an endpoint security suite to over 4 million unique websites across 12,000 unique networks globally. We have customers in almost every country. This gives us unique visibility into who is attacking web services, how they're doing it, and what fingerprints they leave behind. We feed this threat intelligence back to our customer websites to keep them secure.

Wordfence Intelligence is an enterprise product that distills our unique threat intelligence to provide data feeds to hosting providers and network defenders. Wordfence Intelligence includes real-time attacking IPv4 and IPv6 addresses, 30 days of attack history, malware signatures and hashes based on observed samples, and a vulnerability database based on monitored vulnerability sources.

Wordfence Intelligence Data Feeds

With Wordfence Intelligence you get access to our four distinct data feeds, updated regularly as new threats emerge. These feeds are available to query and download via API endpoints. You can find the complete documentation here.

  • Wordfence Intelligence IP Threat Feed

    This feed consists of an actively maintained list of IP Addresses targeting vulnerabilities and weak passwords over port 443 and 80, along with metadata and attack data originating from those IPs. The includes activity targeting WordPress and other major vulnerabilities like Log4j, ProxyNotShell, and Fortinet Appliance Auth Bypass to name a few, in addition to IP Addresses engaged in password attacks. This feed is updated every 60 minutes.

    View our Threat Research using our own Threat Intelligence here.

  • Wordfence Intelligence Malware Signature Feed

    The feed contains of over 6,000 YARA signatures aimed at detecting the most current malware targeting web applications. This feed is updated in real time as we develop new signatures to detect the latest malware.

  • Wordfence Intelligence Malware Hash Feed

    Consisting of over 3 million unique hashes based on malicious samples we have observed, this comes in four ingestible hash formats: MD5, SHA-1, SHA-256, and SHA-256 normalized, along with unique metadata on each sample hash. This feed is updated every 15 minutes as new malicious samples are discovered.

  • Wordfence Intelligence Vulnerability Data Feed

    Includes over 8,000 WordPress-related software vulnerabilities and is continuously updated in real-time as new vulnerabilities in WordPress software such as plugins and themes are discovered and disclosed.

Whether you're a cloud provider, hosting provider, or defending any segment of the global Internet or your own network, contact us to learn how you can better protect your customers, and help make the online community safer by using Wordfence Intelligence.

Inquire Now

Screenshot of Wordfence Intelligence on a tablet

Benefits of Using Wordfence Intelligence Data Feeds in Your Organization

  • Broad and Deep Situational Awareness

    Wordfence protects more than 4 million unique websites across the globe on over 12,000 unique ASNs in 190+ countries. This gives us incredibly broad and deep global visibility on attacks targeting web applications on port 80 and port 443. The attacks we monitor extend beyond WordPress exploits into other web-based administration applications and attacks targeting different web services and web applications, such as log4j. The situational awareness we provide to our Wordfence Intelligence customers is geographically broad and diverse as we monitor and block attacks using a wide range of exploits with detection for over 6,000 web-specific malware variants targeting websites all over the world.

  • Layer 3 Blocking

    The data feeds that Wordfence Intelligence provides give our customers the ability to block attacks at the edge of their network using network infrastructure. This means the first SYN packet of a three-way TCP handshake gets dropped on the floor, rather than incurring the cost of network transit and application layer execution. This massively reduces the number of attacks that endpoint customers see, improving their customer's experiences and reducing network and server load for a hosting provider. Wordfence Intelligence enables you to block threat actors targeting web applications the way it should be done.

  • Malware Detection at Scale

    Wordfence Intelligence provides a large set of malware signatures in a standardized format alongside a large set of malware hashes in four different hash formats. This allows hosting providers to perform massively parallelized scans across their entire fleet of servers in the most performant way possible. Wordfence provides the most comprehensive set of PHP specific malware signatures available today, in addition to a massive database of known malicious file sample malware hashes. This allows you to detect infected customer websites early, alert your customers, clean your network, and enables a positive interaction with affected customers.

  • Improved Network Traffic Visibility

    Many hosting providers cannot see attacks targeting their own customers because the data transiting their network is encrypted from browser to customer-managed server. When a host does have access to server logs, the POST body of requests is not available for analysis. Network owners cannot see which servers on their own network are compromised and which are launching attacks targeting the online community because the attacks transiting the owner network are TLS encrypted.

  • Vulnerability Detection at Scale

    Wordfence Intelligence includes a comprehensive and extremely current vulnerability database for WordPress that contains over 8,000 unique vulnerability records. This database is actively maintained by some of the top WordPress vulnerability researchers in the industry. For hosting providers that are hosting WordPress websites for their customers, this product includes enough data to perform massively parallelizable scans on your server fleet for WordPress vulnerabilities, alert customers or your SOC with information that specifically identifies that vulnerability, and includes the data needed to mitigate the issue.

  • Compromised Host Identification

    Many cloud hosting providers and security operations teams do not have access to the operating system of servers they are responsible for securing. Wordfence defends over 4 million websites globally. We have excellent visibility on which servers are infected for a hosting provider, cloud provider, or geographic area, which helps indicate when these servers may be launching attacks against other web services. If you are a network defender responsible for securing a large network, we can help you identify which hosts on your network are compromised and need to be mitigated. Securing these infected hosts helps reduce attacks across the global Internet and helps keep the online community safer.

  • Two License Models

    Wordfence Intelligence is available to our enterprise customers under two licensing agreements. The first is an annual flat fee that is determined based on the specific use case of the customer. This model is well-suited to security operations teams that want to identify compromised hosts, block attacks on their own network, mitigate WordPress vulnerabilities in a timely fashion, or perform forensic analysis using our data.

    The second model is tailored to hosting providers that incorporate data from Wordfence Intelligence into a product for their customers. This model has a low flat-fee per end-user and includes the use of the Wordfence Intelligence brand and logo. Both license agreements include consulting from our team to help you get up and running, fast!

    Contact us today to discuss the best licensing option for your organization.


Inquire about Wordfence Intelligence