Wordfence CLI 2.0.1 introduced free vulnerability scanning this week. The new CLI product was launched at WordCamp US two months ago with malware detection capabilities, but the latest update brings in the most highly requested feature – vulnerability scanning at scale.
Wordfence is most well-known for its Web Application Firewall, malware scanner, and login security product, which is packaged as a free plugin and installed on more than 4 million websites. The CLI is the first-ever command line malware and vulnerability scanner for WordPress servers. It is targeted at developers, site cleaners who scan large numbers of files for remediation, agencies, and hosting companies that want to scan across entire networks of millions of customers.
“Vulnerability scanning in Wordfence CLI 2.0.1 uses our own open vulnerability database,” Wordfence CEO Mark Maunder said. “The database itself is completely free for anyone to use, and includes APIs that are open, along with web hooks so that developers can build real-time alerting into their applications. Our mission is to secure the Web, and we think that having an open vulnerability database, with an open source, robust and high performance vulnerability scanner for servers furthers that mission.”
The vulnerability database includes responsible disclosures published by researchers for the benefit of the wider community.
“Because most vulnerabilities come from the research community, we believe they are public property,” Maunder said. “While some companies do charge for their collection of vulnerabilities, we don’t think it is appropriate to resell public property, which is why we created an open and completely free vulnerability database.”
The CLI vulnerability scans use the Wordfence Intelligence Vulnerability API feed, which is free for both personal and commercial use. It contains more than 12,250 unique vulnerability records affecting 7,600 plugins and themes. The Wordfence team adds an average of 82 new vulnerabilities per week.
Version 2.0.1, code named “Voodoo Child” simplifies installation so users no longer have to go to the Wordfence site to get an API key. The tool fetches the API key in the background to make it easier to get started.
Wordfence CLI is licensed under the GPLv3 and available on GitHub, along with documentation for installing, configuring, and running the application.
“Wordfence CLI is one of those projects where the product roadmap writes itself because there is such an obvious need for a powerful tool like this in the WordPress server administration space,” Wordfence lead developer Matt Barry said. “We’re in this for the long haul and will continue to invest heavily in Wordfence CLI, with your guidance.”
This isn’t actually a vulnerability scanner. What it does is check if Wordfence is claiming that there are vulnerabilities in versions of software.
That is an important distinction as Wordfence’s data is often quite inaccurate and not a reliable source. The problems we have seen with their data run the gamut from falsely claiming that vulnerabilities exist to falsely claiming that real exploited vulnerabilities have been fixed. Doing the work to confirm claimed vulnerabilities before adding them to a data set, as we do, takes a lot of effort. Wordfence can give their data away because they copy inaccurate data from other providers, also providing inaccurate data for free.
If Wordfence was upfront about the lack of accuracy in their free data, that would be one thing, but they don’t warn people their data isn’t reliable.