گزارش تغییرات

8.1.4 – December 20, 2025

• Fix: Fixed an issue with inet_pton introduced by a recent patch to PHP 8.1+ that could cause a fatal error if a malformed IP address was passed to the call

8.1.3 – December 3, 2025

• Improvement: Updated the bundled geoip database
• Note: Verified compatibility with WordPress 6.9

8.1.2 – November 12, 2025

• Improvement: Updated the bundled geoip database

8.1.1 – November 5, 2025

• Improvement: Improved localization support for the various block screens and messages
• Improvement: Updated the bundled geoip database
• Improvement: Prioritized Wordfence tables in the diagnostics tool when large numbers of tables exist
• Improvement: Allow non-US Google crawler IP addresses to pass country blocking
• Improvement: Enforcement of password strength requirements is now applied on the corresponding REST API endpoints
• Fix: Fixed detection for first-time logins and overall sending for login alerts when the corresponding settings are enabled
• Fix: When the WAF is using the mysql storage engine, fixed an issue with exclusion rules for the WAF not running correctly
• Fix: Reduced per-hit database query load around checking license status for free installations
• Fix: Optimized data sync with the WAF to better detect when the known server IP address list has changed

8.1.0 – August 25, 2025

• Improvement: Added password scanning support for WordPress 6.8 and later
• Improvement: Limited email alerts to 5 per hour by default and added notification when limit has been reached
• Improvement: Improved URL scanning performance
• Improvement: Updated GeoIP database
• Change: Reduced scan result severity for vulnerabilities with high attack complexity or required privileges
• Change: Added messaging around WAF support when NGINX Unit is detected
• Change: Added notice and scan result about Wordfence Assistant
• Change: Adjusted IPv6 connection issue message and appearance
• Fix: Prevented deprecation notice about calling base64_encode with null parameter
• Fix: Prevented deprecation message about calling preg_match with null parameter
• Fix: Corrected license type shown on dashboard when expiring
• Fix: Prevented disabled getmyuid function from causing fatal error
• Fix: Prevented disabled get_current_user function from causing fatal error
• Fix: Prevented notice about _load_textdomain_just_in_time being called incorrectly

8.0.5 – April 8, 2025

• Fix: Compatibility fixes for WordPress 6.8

8.0.4 – March 19, 2025

• Improvement: Improved error handling and messaging for some responses from our servers
• Improvement: Added messaging when a site may be using the same free license shared among multiple sites because it can cause the sites to use the same scan schedule rather than spreading out the load
• Improvement: Updated the readme content and formatting

8.0.3 – January 15, 2025

• Improvement: Added support for hosts relocating the WAF’s auto-prepend file via the constant/envvar WORDFENCE_WAF_PREPEND_DIRECTORY
• Improvement: Added detection for non-repo plugins and themes to avoid the scanner reporting changes when the same slug + version exists within the wordpress.org repo
• Improvement: Messaging for Central disconnections now better reflects the user making the change
• Improvement: Scan errors due to unreachable Wordfence servers will now provide a link to our status page to check for outages
• Improvement: Reduced the number of network calls created to sync scan issues when updates are performed in bulk
• Change: Reworked setting caching to avoid issues with some object caches
• Change: Reworked cURL check to avoid using WP_Http_Curl, which has been deprecated
• Fix: Normalized all wordfence.com links to be https
• Fix: Fixed a rare error that could occur on the diagnostics page when displaying a list of error logs
• Fix: Removed the “back to top” button and related script block from emailed diagnostics
• Fix: Fixed some UI coloring that did not correctly reflect the license type in use

8.0.2 – January 2, 2025

• Improvement: General compatibility improvements and better error handling for PHP 8+
• Improvement: Added audit log status to the plugin dashboard
• Change: Increased width of diagnostics text export for better legibility
• Fix: Addressed an error with mail hooks and the audit log when third party plugins send unexpected value types

8.0.1 – November 14, 2024

• Improvement: Updated GeoIP database
• Change: Revised some help text related to the audit log to be more clear
• Fix: Improved audit log compatibility with some plugins that would cause excessive noise due to their behaviors around setting up user roles and capabilities
• Fix: Fixed a log notice that could occur when deactivating Wordfence with audit log events still pending and a broken Wordfence Central link

8.0.0 – November 4, 2024

• Improvement: Introduced the Wordfence Audit Log, a new premium feature to monitor all changes and actions in security-sensitive areas of the site with remote tamper-proof data storage via Wordfence Central
• Change: Increased the minimum supported WordPress version to 4.7
• Change: Increased the minimum supported PHP version to 7.0

7.11.7 – July 29, 2024

• Improvement: Optimized scan performance by reducing database queries by approximately 38% along with CPU usage
• Fix: Added translation support for “Page not found” string when viewing recent traffic

7.11.6 – June 6, 2024

• Improvement: Revised the strong password requirements notice to be more readable
• Improvement: Removed unnecessary calls for the plugin and theme vulnerability checks
• Improvement: Reduced the frequency of calls to Wordfence Central during some operations where the values do not need to be synced
• Improvement: Refactored some queries to avoid the automatic SHOW FULL COLUMNS queries that WordPress performs to verify database encodings
• Improvement: Infrequently-used config values are no longer automatically loaded into memory and instead loaded only on demand
• Fix: Fixed an issue where multisite installations using the WAF mysqli storage engine could repeatedly attempt to update WAF rules when not in optimized mode
• Improvement: Updated the bundled GeoIP database
• Change: Revised the formatting of TOTP app URLs to prioritize the site’s own URL for better sorting and display
• Fix: Fixed the last captcha column in the users page so it no longer displays “(not required)” on 2FA users since that no longer applies
• Fix: Added a check in wflogs/rules.php to only run when within the WAF’s bootstrap stage when hosted behind nginx

7.11.5 – April 3, 2024

• Fix: Revised the behavior of the reCAPTCHA verification to use the documented expiration period of the token and response to avoid sending verification requests too frequently, which could artificially lower scores in some circumstances
• Fix: Addressed PHP 8 deprecation notices in the file differ used by file changed scan results
• Fix: Reduced the frequency of Wordfence Central status update callbacks in sections of the scan that occur quickly in sequence

7.11.4 – March 11, 2024

• Change: CAPTCHA verification when enabled now additionally applies to 2FA logins (may send an email verification on low scores) and no longer reveals whether a user exists for the submitted account credentials (credit: Raxis)
• Fix: Addressed a potential PHP 8 notice in the human/bot detection AJAX call
• Fix: Addressed a potential PHP 8 notice when requesting a lockout unlock verification email
• Fix: Fixed the emailed diagnostics view not showing the missing table information when applicable
• Fix: Improved quick scan logic to base timing on regular scans so they’re more evenly distributed

7.11.3 – February 15, 2024

• Fix: Fixed an issue with sites containing invalid Wordfence Central site data where they could throw an error when viewing Wordfence pages

7.11.2 – February 14, 2024

• Improvement: Enhanced the vulnerability scan to check and alert for WordPress core vulnerabilities and to adjust the severity of the scan result based on findings or available updates
• Improvement: Updated the bundled GeoIP database
• Improvement: Increased compatibility of brute force protection with plugins that override the normal login flow and omit traditional hooks
• Change: Adjusted the behavior of automatic quick scans to schedule themselves further away from full scans
• Fix: Added detection for a site being linked to a non-matching Wordfence Central record (e.g., when cloning the database to a staging site)
• Fix: Streamlined the license and terms of use installation flow to avoid unnecessary prompting
• Fix: Fixed an issue where user profiles with a selected locale different from the site itself could end up loading the site’s locale instead

7.11.1 – January 2, 2024

• Improvement: Added “.env” to the files checked for “Scan for publicly accessible configuration, backup, or log files”
• Improvement: Provided better descriptive text for the option “Block IPs who send POST requests with blank User-Agent and Referer”
• Improvement: The diagnostics page now displays the contents of any auto_prepend_file .htaccess/.user.ini block for troubleshooting
• Fix: Fixed an issue where a login lockout on a WooCommerce login form could fail silently
• Fix: The scan result for abandoned plugins no longer states it has been removed from wordpress.org if it is still listed
• Fix: Addressed an exception parsing date information in non-repo plugins that have a bad last_updated value
• Fix: The URL scanner no longer generates a log warning when matching a potential URL fragment that ends up not being a valid URL

7.11.0 – November 28, 2023

• Improvement: Added new functionality for trusted proxy presets to support proxies such as Amazon CloudFront, Ezoic, and Quic.cloud
• Improvement: WAF rule and malware signature updates are now signed with SHA-256 as well for hosts that no longer build SHA1 support
• Improvement: Updated the bundled trusted CA certificates
• Change: The WAF will no longer attempt to fetch rule or blocklist updates when run via WP-CLI
• Fix: Removed uses of SQL_CALC_FOUND_ROWS, which is deprecated as of MySQL 8.0.17
• Fix: Fixed an issue where final scan summary counts in some instances were not sent to Central
• Fix: Fixed a deprecation notice for get_class in PHP 8.3.0
• Fix: Corrected an output error in the connectivity section of Diagnostics in text mode

7.10.7 – November 6, 2023

• Fix: Compatibility fix for WordPress 6.4 on the login page styling

7.10.6 – October 30, 2023

• Fix: Addressed an issue with multisite installations when the wp_options tables had different encodings/collations

7.10.5 – October 23, 2023

• Improvement: Updated the bundled GeoIP database
• Improvement: Added detection for Cloudflare reverse proxies blocking callbacks to the site
• Change: Files are no longer excluded from future scans if a previous scan stopped during their processing
• Fix: Added handling for the pending WordPress 6.4 change that removes $wpdb->use_mysqli
• Fix: The WAF MySQLi storage engine will now work correctly when either DB_COLLATE or DB_CHARSET are not defined
• Fix: Added additional error handling to Central calls to better handle request failures or conflicts
• Fix: Addressed a warning that would occur if a non-repo plugin update hook did not provide a last updated date
• Fix: Fixed an error in PHP 8 that could occur if the time correction offset was not numeric
• Fix: 2FA AJAX calls now use an absolute path rather than a full URL to avoid CORS issues on sites that do not canonicalize www and non-www requests
• Fix: Addressed a race condition where multiple concurrent hits on multisite could trigger overlapping role sync tasks
• Fix: Improved performance when viewing the user list on large multisites
• Fix: Fixed a UI bug where an invalid code on 2FA activation would leave the activate button disabled
• Fix: Reverted a change on error modals to bring back the additional close button for better accessibility

7.10.4 – September 25, 2023

• Improvement: “Admin created outside of WordPress” scan results may now be reviewed and approved
• Improvement: The WAF storage engine may now be specified by setting the environmental variable “WFWAF_STORAGE_ENGINE”
• Improvement: Detect when a plugin or theme with a custom update handler is broken and blocking update version checks
• Change: Deprecated support for WordPress versions lower than 4.7.0
• Change: Exclude parse errors of a damaged compiled rules file from reporting
• Fix: Suppress PHP notices related to rule loading when running WP-CLI
• Fix: Fixed an issue with the scan monitor cron that could leave it running unnecessarily

7.10.3 – July 31, 2023

• Improvement: Updated GeoIP database
• Fix: Added missing text domain to translation function call
• Fix: Corrected inconsistent styling of switch controls
• Change: Made MySQLi storage engine the default for Flywheel hosted sites

7.10.2 – July 17, 2023

• Fix: Prevented bundled sodium_compat library from conflicting with versions included with older WordPress versions

7.10.1 – July 12, 2023

• Improvement: Added support for processing arrays of files in the WAF
• Improvement: Refactored security event processing to send events in bulk
• Improvement: Updated bundled sodium_compat and random_compat libraries
• Fix: Prevented deprecation warning caused by dynamic property creation
• Fix: Added translation support for additional strings
• Change: Adjusted Wordfence registration UI

7.10.0 – June 21, 2023

• Improvement: Added translation support for strings from login security plugin
• Improvement: Added translator notes regarding word order and hidden text
• Improvement: Added translation support for additional strings
• Improvement: Prevented scans from failing if unreadable directories are encountered
• Improvement: Added help link to IPv4 scan option
• Improvement: Updated scan result text to clarify meaning of plugins removed from wordpress.org
• Improvement: Made “Increased Attack Rate” emails actionable
• Improvement: Updated GeoIP database
• Improvement: Updated JavaScript libraries
• Fix: Corrected IPv6 address expansion
• Fix: Ensured long request payloads for malicious requests are recorded in live traffic
• Fix: Prevented “commands out of sync” database error messages when the database connection has failed
• Fix: Prevented rare JSON encoding issues from breaking free license registration
• Fix: Prevented PHP notice from being logged when request parameter is missing
• Fix: Prevented deprecation warning in PHP 8.1
• Change: Moved detection for old TimThumb files to malware signature
• Change: Moved translation file from .po to .pot
• Change: Renamed “Macedonia” to “North Macedonia, Republic of”

7.9.3 – May 31, 2023

• Improvement: Added exception handling to prevent WAF errors from being fatal
• Fix: Corrected error caused by method call on null in WAF
• Change: Deprecated support for PHP 5.5 and 5.6, ended support for PHP 5.3 and 5.4
• Change: Specified WAF version parameter when requesting firewall rules

7.9.2 – March 27, 2023

• Improvement: The vulnerability severity score (CVSS) is now shown with any vulnerability findings from the scanner
• Improvement: Changed several links during initial setup to open in a new window/tab so it doesn’t interrupt installation
• Change: Removed the non-https callback test to the Wordfence servers
• Fix: Fixed an error on PHP 8 that could occur when checking for plugin updates and another plugin has a broken hook
• Fix: Added a check for disabled functions when generating support diagnostics to avoid an error on PHP 8
• Fix: Prevent double-clicking when activating 2FA to avoid an “already set up” error

7.9.1 – March 1, 2023

• Improvement: Further improved performance when viewing 2FA settings and hid user counts by default on sites with many users
• Fix: Adjusted style inclusion and usage to prevent missing icons
• Fix: Avoided using the ctype extension as it may not be enabled
• Fix: Prevented fatal errors caused by malformed Central keys

7.9.0 – February 14, 2023

• Improvement: Added 2FA management shortcode and WooCommerce account integration
• Improvement: Improved performance when viewing 2FA settings on sites with many users
• Improvement: Updated GeoIP database
• Fix: Ensured Captcha and 2FA scripts load on WooCommerce when activated on a sub-site in multisite
• Fix: Prevented reCAPTCHA logo from being obscured by some themes
• Fix: Enabled wfls_registration_blocked_message filter support for WooCommerce integration

7.8.2 – December 13, 2022

• Fix: Releasing same changes as 7.8.1, due to wordpress.org error

7.8.1 – December 13, 2022

• Improvement: Added more granualar data deletion options to deactivation prompt
• Improvement: Allowed accessing diagnostics prior to completing registration
• Fix: Prevented installation prompt from displaying when a license key is already installed but the alert email address has been removed

7.8.0 – November 28, 2022

• Improvement: Added feedback when login form is submitted with 2FA
• Fix: Restored click support on login button when using 2FA with WooCommerce
• Fix: Corrected display issue with reCAPTCHA score history graph
• Fix: Prevented errors on PHP caused by corrupted login timestamps
• Fix: Prevented deprecation notices on PHP 8.2 related to dynamic properties
• Change: Updated Wordfence registration workflow

7.7.1 – October 4, 2022

• Fix: Prevented scan resume attempts from repeating indefinitely when the initial scan stage fails

7.7.0 – October 3, 2022

• Improvement: Added configurable scan resume functionality to prevent scan failures on sites with intermittent connectivity issues
• Improvement: Added new scan result for vulnerabilities found in plugins that do not have patched versions available via WordPress.org
• Improvement: Implemented stand-alone MMDB reader for IP address lookups to prevent plugin conflicts and support additional PHP versions
• Improvement: Added option to disable looking up IP address locations via the Wordfence API
• Improvement: Prevented successful logins from resetting brute force counters
• Improvement: Clarified IPv6 diagnostic
• Improvement: Included maximum number of days in live traffic option text
• Fix: Made timezones consistent on firewall page
• Fix: Added “Use only IPv4 to start scans” option to search
• Fix: Prevented deprecation notices on PHP 8.1 when emailing the activity log
• Fix: Prevented warning on PHP 8 related to process owner diagnostic
• Fix: Prevented PHP Code Sniffer false positive related to T_BAD_CHARACTER
• Fix: Removed unsupported beta feed option

7.6.2 – September 19, 2022

• Improvement: Hardened 2FA login flow to reduce exposure in cases where an attacker is able to obtain privileged information from the database