Wordfence CLI 2.0.1 introduced free vulnerability scanning this week. The new CLI product was launched at WordCamp US two months ago with malware detection capabilities, but the latest update brings in the most highly requested feature – vulnerability scanning at scale.
Wordfence is most well-known for its Web Application Firewall, malware scanner, and login security product, which is packaged as a free plugin and installed on more than 4 million websites. The CLI is the first-ever command line malware and vulnerability scanner for WordPress servers. It is targeted at developers, site cleaners who scan large numbers of files for remediation, agencies, and hosting companies that want to scan across entire networks of millions of customers.
“Vulnerability scanning in Wordfence CLI 2.0.1 uses our own open vulnerability database,” Wordfence CEO Mark Maunder said. “The database itself is completely free for anyone to use, and includes APIs that are open, along with web hooks so that developers can build real-time alerting into their applications. Our mission is to secure the Web, and we think that having an open vulnerability database, with an open source, robust and high performance vulnerability scanner for servers furthers that mission.”
The vulnerability database includes responsible disclosures published by researchers for the benefit of the wider community.
“Because most vulnerabilities come from the research community, we believe they are public property,” Maunder said. “While some companies do charge for their collection of vulnerabilities, we don’t think it is appropriate to resell public property, which is why we created an open and completely free vulnerability database.”
The CLI vulnerability scans use the Wordfence Intelligence Vulnerability API feed, which is free for both personal and commercial use. It contains more than 12,250 unique vulnerability records affecting 7,600 plugins and themes. The Wordfence team adds an average of 82 new vulnerabilities per week.
Version 2.0.1, code named “Voodoo Child” simplifies installation so users no longer have to go to the Wordfence site to get an API key. The tool fetches the API key in the background to make it easier to get started.
Wordfence CLI is licensed under the GPLv3 and available on GitHub, along with documentation for installing, configuring, and running the application.
“Wordfence CLI is one of those projects where the product roadmap writes itself because there is such an obvious need for a powerful tool like this in the WordPress server administration space,” Wordfence lead developer Matt Barry said. “We’re in this for the long haul and will continue to invest heavily in Wordfence CLI, with your guidance.”