Wordfence 7.7.0 has just been released and as usual, it includes several awesome enhancements and updates for our security-conscious WordPress publishers and e-commerce websites. This post goes into a little more detail on each change we’ve included. We don’t usually post additional detail like this, so we thought we’d give it a try and make it a routine if the community approves.
This is based on the official Wordfence 7.7.0 changelog, which is included below. The format I’ve used here is the changelog entry as a heading and some detail on what the entry means and some background where applicable.
Improvement: Added configurable scan resume functionality to prevent scan failures on sites with intermittent connectivity issues
We’ve added “scan resume” functionality which is configurable and will prevent security scan failures on sites that might have intermittent connectivity issues. As you know, Wordfence runs on over 4 million websites on over 12,000 unique networks, and to say that we run in a range of environments and configurations is an understatement. Our quality assurance team has an oversized influence on the product, and this is one more way they have made Wordfence even more robust in version 7.7.0.
Improvement: Added new scan result for vulnerabilities found in plugins that do not have patched versions available via WordPress.org
This adds a scan result for plugins that have a vulnerability and are still present in the official WordPress plugin repository, and where there is no fix available. The usual course of action is that the plugin team will disable a plugin in the repository that has a known vulnerability, where the vulnerability has not been fixed yet. In some cases, this doesn’t happen, and this scan result is designed to deal with this unusual case. This change will also allow plugins that are not provided through wordpress.org to be flagged as vulnerable if there is no update available.
Improvement: Implemented stand-alone MMDB reader for IP address lookups to prevent plugin conflicts and support additional PHP versions
We use the MaxMind database internally for location lookups. Our code was using the MaxMind PHP library to perform these lookups. MaxMind stopped supporting older PHP versions a while ago, but many of our customers are still on those old versions. We have also found that other WordPress plugins may use a different version of the MaxMind library, which can lead to conflicts. So we’ve rolled our own stand-alone MMDB reader to resolve both of these issues. We now support older PHP versions than the official MaxMind library, and you won’t see any conflicts if another plugin is using the MaxMind library.
Improvement: Added option to disable looking up IP address locations via the Wordfence API
By default Wordfence contacts our servers to perform an IP address location lookup. This is just the way the plugin was originally engineered (by me actually) to try to move as much processing to our own servers and reduce resource usage on our customer websites. Some of our customers prefer that lookup to happen locally, so we’ve provided that option. The default is still to do the lookup on our servers, but you have the option to enable local lookups. The one downside of enabling this feature is that you’ll only get country-level lookups.
Improvement: Prevented successful logins from resetting brute force counters
Another design decision I made early on is that a successful login on a WordPress website would reset our brute-force login counters to zero. This made sense because if a real user makes multiple login failures and then succeeds, clearly they’re the real user and we should reset our counters so that their next failure doesn’t lock them out. Well, an unintended side effect of this is that a threat actor can register an account on WordPress websites with open registration, and sign in, and that would reset brute force counters to zero, so they can keep trying to guess that admin account’s password. We’ve fixed this by removing the reset that occurs on successful login.
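As an added illustration (not Wordfence’s own code), here is a small Python model of a per-IP failed-login counter in both modes: resetting on any successful login, as before 7.7.0, and never resetting, as in 7.7.0. The threshold, the IP address and the attacker’s pattern of guesses are constructed values for the simulation.

```python
from dataclasses import dataclass, field

# Constructed example values; Wordfence's real threshold is configurable.
LOCKOUT_THRESHOLD = 5
ATTACKER_IP = "203.0.113.7"


@dataclass
class BruteForceCounter:
    """Per-IP failed-login counter. reset_on_success=True models the
    pre-7.7.0 behaviour described in the post; False models 7.7.0."""
    reset_on_success: bool
    threshold: int = LOCKOUT_THRESHOLD
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def record_attempt(self, ip: str, success: bool) -> bool:
        """Record one login attempt from ip; return True if it was blocked."""
        if ip in self.locked:
            return True
        if success:
            if self.reset_on_success:
                self.failures[ip] = 0  # the reset that 7.7.0 removed
            return False
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.threshold:
            self.locked.add(ip)
        return False


def simulate_attack(reset_on_success: bool, guesses: int = 20) -> int:
    """One IP alternates threshold-1 bad 'admin' guesses with a successful
    login to a self-registered account. Returns how many password guesses
    reached the login handler before the IP was locked out."""
    counter = BruteForceCounter(reset_on_success=reset_on_success)
    delivered = 0
    for i in range(guesses):
        if counter.record_attempt(ATTACKER_IP, success=False):
            break  # locked out: remaining guesses are never checked
        delivered += 1
        if (i + 1) % (LOCKOUT_THRESHOLD - 1) == 0:
            # successful login to the attacker's own low-privilege account
            counter.record_attempt(ATTACKER_IP, success=True)
    return delivered


if __name__ == "__main__":
    print("reset on success (old):", simulate_attack(True))   # 20
    print("no reset (7.7.0):", simulate_attack(False))        # 5
```

With the reset in place every guess gets through; without it the IP is locked after the fifth, which is the trade-off the post describes: a legitimate user’s earlier failures now also count toward the lockout.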
Improvement: Clarified IPv6 diagnostic
We found that a message on our diagnostics page caused users to think they need to fix something related to IPv6. So we clarified the message to prevent our customers from going on wild goose chases trying to fix something that doesn’t need fixing.
Improvement: Included maximum number of days in live traffic option text
This is also a clarification. The maximum amount of data in live traffic that we store is 30 days. This wasn’t clear and some users would enter a larger number of days, expecting to see more than 30 days of data. We’ve fixed this user interface issue to make it clear.
Fix: Made timezones consistent on firewall page
When the page showing firewall activity loaded more results, they’d be in UTC time instead of your correct timezone. Oops! We fixed that little issue.
Fix: Added “Use only IPv4 to start scans” option to search
We have the ability to search your Wordfence options page which is super useful. This option was not included in the search, so we fixed that.
Fix: Prevented deprecation notices on PHP 8.1 when emailing the activity log
PHP 8.1 emits a deprecation notice when code (ours, in this case) calls a function that has been deprecated. We were doing exactly that, and PHP 8.1 was rightfully complaining about it. So we switched to a more modern version of the same code.
Fix: Prevented warning on PHP 8 related to process owner diagnostic
On our diagnostics page, if a hosting provider has restricted an account from seeing its own username, our customers would see a warning about trying to access an array offset on a boolean. We fixed that.
Fix: Prevented PHP Code Sniffer false positive related to T_BAD_CHARACTER
We use PHP Code Sniffer to look for things that are incompatible between PHP versions. We were getting a false positive when using this internal tool, so we fixed that. This change is really for the benefit of our engineering team.
Fix: Removed unsupported beta feed option
A long time ago when there was fire in the sky and the seas were boiling, we launched the first version of the Wordfence firewall. Because we wanted to test out new rules, and some of our users were brave enough to try the new stuff, we included this option. We would release beta firewall rules and malware signatures, and our brave testing community would try them out first by enabling this option. We do all our testing internally now and the firewall code and rule syntax has become extremely robust, so we don’t do these kinds of releases anymore. So we removed this configuration option.
Below I’ve included the short version of the changelog that you’ll see on WordPress.org. You’re most welcome to post your comments and questions below. Keep in mind that support questions are best posted via our official support channels, but if you’d like to chat about this post, comment below and a member of the team or I will reply if needed.
Mark Maunder – Wordfence Founder & CEO
Wordfence 7.7.0 – OCTOBER 3, 2022
- Improvement: Added configurable scan resume functionality to prevent scan failures on sites with intermittent connectivity issues
- Improvement: Added new scan result for vulnerabilities found in plugins that do not have patched versions available via WordPress.org
- Improvement: Implemented stand-alone MMDB reader for IP address lookups to prevent plugin conflicts and support additional PHP versions
- Improvement: Added option to disable looking up IP address locations via the Wordfence API
- Improvement: Prevented successful logins from resetting brute force counters
- Improvement: Clarified IPv6 diagnostic
- Improvement: Included maximum number of days in live traffic option text
- Fix: Made timezones consistent on firewall page
- Fix: Added “Use only IPv4 to start scans” option to search
- Fix: Prevented deprecation notices on PHP 8.1 when emailing the activity log
- Fix: Prevented warning on PHP 8 related to process owner diagnostic
- Fix: Prevented PHP Code Sniffer false positive related to T_BAD_CHARACTER
- Fix: Removed unsupported beta feed option
Update: Wordfence 7.7.1 has been released today, October 4, to address an issue with scan retries occurring too often if the first step of the scan fails repeatedly. This occurred on sites where the scan was unable to begin running, even after multiple attempts.