• Fix: Revised the behavior of the reCAPTCHA verification to use the documented expiration period of the token and response to avoid sending verification requests too frequently, which could artificially lower scores in some circumstances
• Fix: Addressed PHP 8 deprecation notices in the file differ used by file changed scan results
• Fix: Reduced the frequency of Wordfence Central status update callbacks in sections of the scan that occur quickly in sequence

* Improvement: Added “.env” to the files checked for “Scan for publicly accessible configuration, backup, or log files”.
* Improvement: Provided better descriptive text for the option “Block IPs who send POST requests with blank User-Agent and Referer”.
* Improvement: The diagnostics page now displays the contents of any ‘auto_prepend_file’ .htaccess/.user.ini block for troubleshooting.
* Fix: Fixed an issue where a login lockout on a WooCommerce login form could fail silently.
* Fix: The scan result for abandoned plugins no longer states it has been removed from wordpress.org if it is still listed.
* Fix: Addressed an exception parsing date information in non-repo plugins that have a bad ‘last_updated’ value.
* Fix: The URL scanner no longer generates a log warning when matching a potential URL fragment that ends up not being a valid URL.

• Improvement: Added new functionality for trusted proxy presets to support proxies such as Amazon CloudFront, Ezoic, and Quic.cloud
• Improvement: WAF rule and malware signature updates are now signed with SHA-256 as well for hosts that no longer build SHA1 support
• Improvement: Updated the bundled trusted CA certificates
• Change: The WAF will no longer attempt to fetch rule or blocklist updates when run via WP-CLI
• Fix: Removed uses of SQL_CALC_FOUND_ROWS, which is deprecated as of MySQL 8.0.17
• Fix: Fixed an issue where final scan summary counts in some instances were not sent to Central
• Fix: Fixed a deprecation notice for get_class in PHP 8.3.0
• Fix: Corrected an output error in the connectivity section of Diagnostics in text mode

• Improvement: Updated the bundled GeoIP database
• Improvement: Added detection for Cloudflare reverse proxies blocking callbacks to the site
• Change: Files are no longer excluded from future scans if a previous scan stopped during their processing
• Fix: Added handling for the pending WordPress 6.4 change that removes $wpdb->use_mysqli
• Fix: The WAF MySQLi storage engine will now work correctly when either DB_COLLATE or DB_CHARSET are not defined
• Fix: Added additional error handling to Central calls to better handle request failures or conflicts
• Fix: Addressed a warning that would occur if a non-repo plugin update hook did not provide a last updated date
• Fix: Fixed an error in PHP 8 that could occur if the time correction offset was not numeric
• Fix: 2FA AJAX calls now use an absolute path rather than a full URL to avoid CORS issues on sites that do not canonicalize www and non-www requests
• Fix: Addressed a race condition where multiple concurrent hits on multisite could trigger overlapping role sync tasks
• Fix: Improved performance when viewing the user list on large multisites
• Fix: Fixed a UI bug where an invalid code on 2FA activation would leave the activate button disabled
• Fix: Reverted a change on error modals to bring back the additional close button for better accessibility

• Improvement: “Admin created outside of WordPress” scan results may now be reviewed and approved
• Improvement: The WAF storage engine may now be specified by setting the environmental variable “WFWAF_STORAGE_ENGINE”
• Improvement: Detect when a plugin or theme with a custom update handler is broken and blocking update version checks
• Change: Deprecated support for WordPress versions lower than 4.7.0
• Change: Exclude parse errors of a damaged compiled rules file from reporting
• Fix: Suppress PHP notices related to rule loading when running WP-CLI
• Fix: Fixed an issue with the scan monitor cron that could leave it running unnecessarily

• Improvement: Updated GeoIP database
• Fix: Added missing text domain to translation function call
• Fix: Corrected inconsistent styling of switch controls
• Change: Made MySQLi storage engine the default for Flywheel hosted sites

www.wordfence.com

The Wordfence WordPress security plugin provides free enterprise-class WordPress security, protecting your website from hacks and malware.

• Block the Newest Exploits​

  Wordfence Premium customers receive new firewall rules the moment our threat intelligence team releases them. When attackers invent new techniques to exploit WordPress, we deploy firewall rules to protect our Premium customers in real-time. With Wordfence Premium, you are protected from the newest exploits as we discover them.

• Detect the Newest Malware​

  Wordfence Premium customers also receive new malware detection capabilities in real-time. Our team writes detection signatures for new malware variants and immediately deploys those signatures to your Wordfence installation, giving you the ability to detect even the newest malware. Our malware signatures are used by your firewall to prevent hackers from uploading malware, and they’re used by your Wordfence scanner to detect any malware in your filesystem.