Wordfence 7.7.0 has just been released and, as usual, it includes several enhancements and updates for security-conscious WordPress publishers and e-commerce sites. This post goes into a little more detail on each change included in the release. We don't usually post additional details like this, so we thought we'd give it a try and make it a routine if the community approves.
Update: Wordfence 7.7.1 was released on October 4, 2022 to address an issue with scan retries occurring too often if the first step of the scan failed repeatedly. This occurred on sites where the scan was unable to begin running, even after multiple attempts.
Improvement: Added option to disable looking up IP address locations via the Wordfence API
By default, Wordfence contacts our servers to perform IP address location lookups, which means the IP addresses being looked up are sent to our servers. This is simply how the plugin was originally engineered (by me, actually) to move as much processing as possible to our own servers and reduce resource usage on customer websites. Some customers prefer that the lookup happen locally, so we have added that option. The default is still to do the lookup on our servers, but you can now enable local lookups. The one downside of enabling local lookups is that you only get country-level results.
Improvement: Clarified IPv6 diagnostic
We found that a message on our diagnostics page led users to think they needed to fix something related to IPv6. So we clarified the message to keep customers from going on wild goose chases trying to fix something that doesn't need fixing.
Improvement: Added configurable scan resume functionality to prevent scan failures on sites with intermittent connectivity issues
We've added configurable "scan resume" functionality that prevents security scan failures on sites with intermittent connectivity issues. As you may know, Wordfence runs on over 4 million websites across more than 12,000 unique networks, so to say that it runs in a range of environments and configurations is an understatement. Our quality assurance team has an outsized influence on the product, and this is one more way they have made Wordfence even more robust in version 7.7.0.
Improvement: Added new scan result for vulnerabilities found in plugins that do not have patched versions available via WordPress.org
This adds a scan result for plugins that have a known vulnerability, are still present in the official WordPress plugin repository, and have no fix available. The usual course of action is that the WordPress plugin team closes a plugin in the repository when it has a known vulnerability that has not yet been fixed. In some cases that doesn't happen, and this scan result is designed to cover that unusual case. The change also allows plugins that are not distributed through wordpress.org to be flagged as vulnerable when no update is available.
Improvement: Prevented successful logins from resetting brute force counters
Another design decision I made early on was that a successful login on a WordPress site would reset our brute-force login counters to zero. This made sense: if a real user fails to log in a few times and then succeeds, they are clearly the real user, and resetting the counter means their next failure doesn't lock them out. An unintended side effect is that on sites with open registration, a threat actor can register an account, sign in with it, and thereby reset the brute-force counters to zero, so they can keep guessing the admin account's password. We've fixed this by removing the reset that occurred on successful login.
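To make the side effect concrete, here is an added example (not Wordfence code) that models a per-source-IP failure counter with a lockout threshold and runs a self-registering attacker against it with and without the reset on successful login. The Site class, its user store, the attacker's IP address and the wordlist are all constructed for the example; the time window over which failures are counted is an assumption, included to show how the no-reset variant can still tolerate a real user who mistypes a few times.

```python
"""Brute-force lockout counter, with and without reset on successful login.

Added example, not Wordfence code. It models a per-source-IP counter of
failed logins with a lockout threshold, as described above. The Site class,
user store, attacker IP and wordlist are constructed for the example; the
time window over which failures are counted is an assumption, not something
the release notes state.
"""
from dataclasses import dataclass, field


@dataclass
class Site:
    """Toy site with open registration and a lockout counter per source IP."""
    max_failures: int = 5
    window_seconds: float = 300.0      # assumption: failures older than this expire
    reset_on_success: bool = False     # True reproduces the pre-7.7.0 behaviour
    users: dict = field(default_factory=lambda: {"admin": "s3cr3t-admin-pw"})
    failures: dict = field(default_factory=dict)   # ip -> timestamps of recent failures
    locked: set = field(default_factory=set)       # ips currently locked out

    def register(self, username: str, password: str) -> None:
        """Open registration: anyone can create a low-privilege account."""
        self.users.setdefault(username, password)

    def login(self, ip: str, username: str, password: str, now: float) -> str:
        """Attempt a login at time `now`; returns 'ok', 'fail' or 'locked'."""
        if ip in self.locked:
            return "locked"
        if self.users.get(username) == password:
            if self.reset_on_success:
                self.failures[ip] = []          # the reset an attacker can trigger
            return "ok"
        recent = [t for t in self.failures.get(ip, []) if now - t < self.window_seconds]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.locked.add(ip)                # lockout expiry omitted for brevity
            return "locked"
        return "fail"


# Constructed wordlist; the real admin password is the last entry.
WORDLIST = ["password", "admin123", "123456", "qwerty", "letmein", "welcome",
            "wordpress", "admin", "changeme", "secret", "iloveyou", "s3cr3t-admin-pw"]


def simulate_attack(reset_on_success: bool, wordlist: list) -> dict:
    """Attacker on one IP guesses the admin password from `wordlist`.

    Just before each lockout threshold they log in to an account they registered
    themselves. With reset_on_success=True that zeroes the counter and the
    attack runs to completion; with False the self-login changes nothing.
    """
    site = Site(reset_on_success=reset_on_success)
    site.register("throwaway", "throwaway-pw")
    ip, now = "203.0.113.7", 0.0          # constructed attacker IP and fake clock
    guesses = 0
    for guess in wordlist:
        result = site.login(ip, "admin", guess, now)
        guesses, now = guesses + 1, now + 1.0
        if result == "ok":
            return {"cracked": True, "guesses": guesses, "locked": False}
        if result == "locked":
            return {"cracked": False, "guesses": guesses, "locked": True}
        if guesses % (site.max_failures - 1) == 0:
            site.login(ip, "throwaway", "throwaway-pw", now)   # counter laundering
            now += 1.0
    return {"cracked": False, "guesses": guesses, "locked": False}


def forgetful_user(reset_on_success: bool) -> str:
    """Real admin mistypes 4 times, logs in, then mistypes once more 10 minutes later.

    Shows why the time window matters: without the reset, the old failures
    must expire or the legitimate user is one typo away from a lockout.
    """
    site = Site(reset_on_success=reset_on_success)
    ip, now = "198.51.100.9", 0.0          # constructed legitimate user IP
    for _ in range(4):
        site.login(ip, "admin", "wrong-password", now)
        now += 1.0
    if site.login(ip, "admin", "s3cr3t-admin-pw", now) != "ok":
        raise RuntimeError("legitimate login should succeed")
    now += 600.0                           # beyond window_seconds
    return site.login(ip, "admin", "wrong-password", now)


if __name__ == "__main__":
    print("pre-7.7.0 (reset on success):", simulate_attack(True, WORDLIST))
    print("7.7.0 (no reset):            ", simulate_attack(False, WORDLIST))
    print("forgetful user, no reset:    ", forgetful_user(False))
```

With the reset in place the attacker never accumulates more than four failures and works through the whole wordlist; without it the fifth guess locks the source out regardless of the throwaway login. The counter is keyed on the source of the attempts, so the self-registered login only helps an attacker when it comes from the same source as the guesses, which is exactly the position a single attacking IP is in. If your site does not actually need open registration, turning it off removes the precondition for this trick altogether.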
Fix: Removed unsupported beta feed option
A long time ago, when there was fire in the sky and the seas were boiling, we launched the first version of the Wordfence firewall. Because we wanted to test new rules, and some of our users were brave enough to try the new stuff, we included this option: we would release beta firewall rules and malware signatures, and our testing community would try them out first by enabling it. We do all of our testing internally now, and the firewall code and rule syntax have become extremely robust, so we no longer do these kinds of releases. We've therefore removed this configuration option.
The remaining changes from the 7.7.0 changelog, as it appears on WordPress.org, are covered below. You're most welcome to post your comments and questions. Keep in mind that support questions are best posted via our official support channels, but if you'd like to chat about this post, comment below and a member of the team or I will reply if needed.
Fix: Prevented warning on PHP 8 related to process owner diagnostic
On our diagnostics page, if a hosting provider has restricted an account from looking up its own username, customers on PHP 8 would see a warning that you can't access an array offset on a boolean. We now handle that case.
Fix: Made time zones consistent on the firewall page
When the firewall activity page loaded more results, they were shown in UTC instead of your configured time zone. Oops! We fixed that little issue.
Fix: Prevented deprecation notices on PHP 8.1 when emailing the activity log
PHP 8.1 emits a deprecation notice when a developer (like us) calls a function that has been deprecated. We were doing that in this case, and PHP 8.1 was rightfully complaining about it, so we switched to the modern replacement for the same code.
Fix: Prevented PHP Code Sniffer false positive related to T_BAD_CHARACTER
We use PHP_CodeSniffer to look for code that is incompatible between PHP versions. We were getting a false positive from this internal tool, so we fixed it. This change is really for the benefit of our engineering team.
Improvement: Implemented stand-alone MMDB reader for IP address lookups to prevent plugin conflicts and support additional PHP versions
We use the MaxMind database internally for location lookups, and our code was using the MaxMind PHP library to perform them. MaxMind stopped supporting older PHP versions a while ago, but many of our customers are still on those versions. We have also found that other WordPress plugins may bundle a different version of the MaxMind library, which can lead to conflicts. So we wrote our own stand-alone MMDB reader to resolve both issues: Wordfence now supports older PHP versions than the official MaxMind library does, and you won't see conflicts if another plugin uses the MaxMind library.
Improvement: Included maximum number of days in live traffic option text
This is also a clarification. The maximum amount of live traffic data that Wordfence stores is 30 days. This wasn't clear, and some users would enter a larger number of days expecting to see more than 30 days of data. We fixed the user interface to make the limit clear.
Fix: Added “Use only IPv4 to start scans” option to search
Wordfence lets you search your Wordfence options page, which is super useful. This option was missing from the search, so we fixed that.
Wordfence 7.7.0 – October 3, 2022