If you’re running a WordPress site with Wordfence installed, and there are over 5 million of you, you need to understand what just happened. Wordfence, one of the most widely used WordPress security plugins in existence, has been removed from the official WordPress.org plugin repository. This isn’t a temporary glitch or a misunderstanding. It’s a significant event that affects millions of site owners and raises important questions about the WordPress plugin ecosystem as a whole.
Let’s break down exactly what happened, what it means for your site right now, and what steps you should take, whether you decide to stick with Wordfence or migrate to an alternative.
What Actually Happened
Wordfence was removed from the WordPress.org plugin directory following a dispute between Wordfence’s parent company (Defiant Inc.) and the WordPress.org administration. The removal centers around governance disagreements and policy enforcement within the WordPress ecosystem. Here are the key points:
- Wordfence is no longer listed on WordPress.org/plugins. You cannot find it, install it, or read reviews there anymore.
- Existing installations are not automatically removed from your site. If you have Wordfence installed, it’s still there and still functioning.
- Automatic updates through WordPress.org are disrupted. This is the most critical immediate concern for site owners.
- Wordfence (Defiant Inc.) has stated they will continue developing the plugin and distributing it through their own website at wordfence.com.
The plugin still works on your site today. But the update mechanism, which is critical for a security plugin, is what’s been disrupted, and that’s what demands your immediate attention.
Why This Matters for 5 Million+ Installations
Wordfence has been the most installed WordPress security plugin for years. Millions of sites now need to address a disruption in their security update pipeline. Here’s why this is particularly serious:
- Security plugins need constant updates. New vulnerabilities are discovered daily. A security plugin that can’t receive timely updates becomes less effective over time.
- Firewall rules depend on freshness. Wordfence’s WAF relies on regularly updated rules to block new attack patterns. Without seamless updates, your firewall rules fall behind.
- Malware signatures need regular refreshing. Outdated signatures mean new malware variants can slip through undetected.
- Many site owners rely on auto-updates. Those auto-updates were handled through WordPress.org’s infrastructure. With Wordfence removed, they won’t function the same way.
What Happens to Auto-Updates
| Your situation | What happens to updates | What to do |
|---|---|---|
| Wordfence Free with auto-updates via WordPress.org | Auto-updates will stop working | Manually update from wordfence.com or switch plugins |
| Wordfence Premium | Updates may continue through Defiant’s servers | Verify your license is active and updates work |
| Managed WordPress host | Host’s mechanism depends on WordPress.org | Contact your host and verify |
| Manual updates | Download from wordfence.com and upload | Bookmark wordfence.com/download |
If you’re on the free version of Wordfence, your update mechanism is broken right now. If you’re on Premium, verify that updates are still flowing rather than assuming they are.
Alternative Security Plugins: A Thorough Comparison
Sucuri Security
Sucuri is well-established in website security, now owned by GoDaddy. The free version provides file integrity monitoring, blacklist monitoring, and basic hardening. Premium includes a cloud-based WAF, CDN, and DDoS protection.
- Best for: Sites wanting cloud-based protection with CDN benefits
- Pricing: Free plugin + premium from ~$199/year
- Strengths: Cloud WAF, CDN integration, malware removal in premium
- Limitations: Free version lacks a firewall; premium pricing is higher
Solid Security (formerly iThemes Security)
Now part of StellarWP (Liquid Web brand), Solid Security offers brute force protection, 2FA, file change detection, database backups, and security reporting. Pro adds malware scanning via Patchstack, passwordless login, and user profiling.
- Best for: Sites wanting a user-friendly all-in-one security solution
- Pricing: Free available; Pro from ~$99/year
- Strengths: Clean interface, strong brute force protection
- Limitations: Malware scanning not as deep as dedicated scanners
MalCare
MalCare scans on its own servers rather than yours, so it doesn’t slow your site. It offers one-click malware removal, a built-in firewall, login protection, and site hardening, and it detects complex malware that signature-based scanners miss.
- Best for: Sites on shared hosting with limited resources
- Pricing: Free scanner (limited); premium from ~$99/year
- Strengths: Off-server scanning, one-click cleanup, minimal performance impact
- Limitations: Free version only detects; premium is needed to remove malware
Patchstack
Patchstack maintains the largest WordPress-specific vulnerability database. It focuses on virtual patching, blocking exploitation of known vulnerabilities before official fixes are released. This is fundamentally different from malware scanning.
- Best for: Developers and agencies managing multiple sites
- Pricing: Free alerts; premium from ~$99/year
- Strengths: Virtual patching, comprehensive vuln database, lightweight
- Limitations: No malware scanning or removal; prevention only
WP Cerber Security
WP Cerber was removed from WordPress.org in 2022 and has operated independently since. It offers anti-spam, malware scanning, a firewall, login security, and traffic monitoring with detailed logging.
- Best for: Technically-minded site owners wanting granular control
- Pricing: Free available; Pro from ~$99/year
- Strengths: Detailed logging, strong anti-spam, comprehensive rules
- Limitations: Not on WordPress.org, steeper learning curve
Side-by-Side Feature Comparison
| Feature | Sucuri Security | Solid Security | MalCare | Patchstack | WP Cerber |
|---|---|---|---|---|---|
| Firewall | Cloud (Premium) | Basic | Yes | Virtual Patching | Yes |
| Malware Scanning | Yes | Via Patchstack | Yes (off-server) | No | Yes |
| Malware Removal | Premium | No | One-click (Premium) | No | No |
| Brute Force Protection | Yes | Yes | Yes | No | Yes |
| Two-Factor Auth | No | Yes | No | No | Yes |
| Performance Impact | Low | Low-Medium | Very Low | Very Low | Medium |
| On WordPress.org | Yes | Yes | Yes | Yes | No |
How to Migrate Away from Wordfence
If you’ve decided to switch, follow this step-by-step process. Don’t rush: a botched security migration can leave your site vulnerable.
Pre-Migration
- Create a full site backup, both files and database.
- Document your Wordfence settings: screenshot custom firewall rules, IP lists, login settings, and scan schedules.
- Run a final Wordfence scan to make sure your site is clean before transitioning.
- Check .htaccess for Wordfence rules that need to be handled.
Migration Steps
- Install your replacement plugin while Wordfence is still active.
- Configure it completely (firewall, scanner, login protection) before deactivating Wordfence.
- Deactivate Wordfence from the Plugins page.
- Delete Wordfence. Check for leftover wp_wf* database tables if cleanup isn’t offered.
- Verify .htaccess: ensure Wordfence rules are removed and the new plugin’s rules are in place.
- Run a security scan with the new plugin.
- Test thoroughly: logins, forms, and any areas affected by firewall rules.
Tables to check: wp_wfblockediplog, wp_wfblocks7, wp_wfconfig, wp_wfcrawlers, wp_wffilechanges, wp_wfhits, wp_wfhoover, wp_wfissues, wp_wfknownfilelist, wp_wflivetraffichuman, wp_wflocs, wp_wflogins, wp_wfls_2fa_secrets, wp_wfls_settings, wp_wfnotifications, wp_wfpendingissues, wp_wfreversecache, wp_wfsnipcache, wp_wfstatus, wp_wftrafficrates. Always back up your database before removing tables.
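If Wordfence’s own cleanup didn’t remove these tables, the WP-CLI script below lists them and, only when you explicitly ask, drops them. It is an added example for this article, not code from the page, from Wordfence, or from WordPress. It assumes WP-CLI is installed and reads the table prefix from `$wpdb->prefix`, so it covers the `wp_wf*` and `wp_wfls_*` names listed above and also works on sites whose prefix is not `wp_`. Take a database backup (`wp db export`) before passing `drop`.

```php
<?php
// Usage (from the site root):
//   wp db export before-wf-cleanup.sql        # back up the database first
//   wp eval-file wf-table-cleanup.php          # dry run: list leftover tables only
//   wp eval-file wf-table-cleanup.php drop     # actually drop them
// Added example for this article; not part of Wordfence or WordPress. Assumes WP-CLI.

if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    exit( "Run this through WP-CLI: wp eval-file wf-table-cleanup.php [drop]\n" );
}

global $wpdb;

// Match "<real prefix>wf..." so the list covers wp_wfblocks7, wp_wfls_settings and the
// rest, and still works when the site uses a prefix other than wp_.
$pattern = $wpdb->esc_like( $wpdb->prefix . 'wf' ) . '%';
$tables  = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $pattern ) );

if ( empty( $tables ) ) {
    WP_CLI::success( 'No leftover Wordfence tables found under prefix ' . $wpdb->prefix );
    return;
}

// WP-CLI places positional arguments after the file name in $args.
$do_drop = isset( $args[0] ) && 'drop' === $args[0];

foreach ( $tables as $table ) {
    // SHOW TABLES returns real table names, but identifiers cannot be bound with
    // prepare(), so refuse anything unexpected before interpolating a name into SQL.
    if ( ! preg_match( '/^[A-Za-z0-9_]+$/', $table ) ) {
        WP_CLI::warning( "Skipping unexpected table name: $table" );
        continue;
    }

    $rows = (int) $wpdb->get_var( "SELECT COUNT(*) FROM `$table`" );

    if ( $do_drop ) {
        $wpdb->query( "DROP TABLE IF EXISTS `$table`" );
        WP_CLI::log( sprintf( 'Dropped %s (%d rows)', $table, $rows ) );
    } else {
        WP_CLI::log( sprintf( '%-40s %8d rows', $table, $rows ) );
    }
}

if ( ! $do_drop ) {
    WP_CLI::log( '' );
    WP_CLI::log( 'Dry run only. Review the list, back up the database, then re-run with "drop".' );
}
```

Review the dry-run output before dropping anything: the pattern is by prefix, so any unrelated table that happens to start with `wf` would appear in the same list.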
Security Audit Checklist
This is an excellent time for a comprehensive security audit regardless of your plugin decision.
Authentication and Access
- Strong, unique passwords (16+ characters) on all admin accounts
- Two-factor authentication for all admin and editor accounts
- Default “admin” username changed or removed
- User roles follow principle of least privilege
- Login attempt limiting active
- Application passwords disabled (if not actively used)
- XML-RPC disabled (unless required)
Software and Updates
- WordPress core, all plugins, and all themes on latest versions
- Auto-updates enabled for minor core releases
- Inactive plugins and themes deleted (not just deactivated)
- PHP version 8.1 or higher
Server and Hosting
- SSL installed and HTTPS enforced sitewide
- File permissions correct (dirs: 755, files: 644, wp-config: 600)
- Directory browsing disabled
- Dashboard file editing disabled (DISALLOW_FILE_EDIT)
- Security keys/salts set and rotated recently
- Security headers configured (X-Frame-Options, CSP)
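Several items from the Authentication and Access and Server and Hosting lists above can be enforced in a single must-use plugin. The file below is an added example for this article, not code from the page, from Wordfence, or from WordPress core: it sets DISALLOW_FILE_EDIT, turns off XML-RPC and application passwords, adds a transient-based login attempt limiter, and sends security headers including X-Frame-Options and a CSP. The lockout thresholds, the CSP value, and the assumption that REMOTE_ADDR holds the visitor’s real address (no reverse proxy or CDN in front of the site) are choices made for this example; adjust them before dropping the file into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Hardening Baseline (example)
 * Description: Added example for this article covering several checklist items.
 *              Not part of Wordfence or WordPress. Place in wp-content/mu-plugins/.
 */

// Dashboard file editing off. Conventionally set in wp-config.php; defining it here
// also works because WordPress checks the constant at runtime.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// XML-RPC off unless something (e.g. a mobile app or Jetpack) genuinely needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Application passwords off unless they are actively used for REST API access.
add_filter( 'wp_is_application_passwords_available', '__return_false' );

// ---- Login attempt limiting (per client address, stored in transients) ----
const HB_MAX_FAILURES    = 5;    // failures before lockout (example value)
const HB_LOCKOUT_SECONDS = 900;  // lockout window (example value)

function hb_client_ip() : string {
    // Assumption: no reverse proxy or CDN, so REMOTE_ADDR is the real client address.
    // Behind a proxy, read the proxy's client-address header here instead.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function hb_failure_key() : string {
    return 'hb_login_fail_' . md5( hb_client_ip() );
}

// Count each failed login; resetting the expiry means further attempts during a
// lockout extend it rather than shorten it.
add_action( 'wp_login_failed', function () {
    $key   = hb_failure_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, HB_LOCKOUT_SECONDS );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a locked-out address is refused even when the credentials are correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( hb_failure_key() );
    if ( $count >= HB_MAX_FAILURES ) {
        return new WP_Error( 'hb_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( hb_failure_key() );
} );

// ---- Security headers on front end, admin and login pages ----
function hb_send_security_headers() : void {
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
    // Deliberately minimal CSP (example value): it only restricts framing, plugins and
    // base URIs. Extend it with the script/style sources your theme actually loads.
    header( "Content-Security-Policy: frame-ancestors 'self'; object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'hb_send_security_headers' );
add_action( 'admin_init', 'hb_send_security_headers' );
add_action( 'login_init', 'hb_send_security_headers' );
```

Must-use plugins load before ordinary plugins and cannot be deactivated from the dashboard, which is why hardening like this belongs there rather than in a theme’s functions.php. If your replacement security plugin already provides login limiting, keep only one limiter active so lockout behaviour stays predictable.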
Backups and Monitoring
- Automated backups running and stored off-server
- Backup restoration tested recently
- Security plugin with malware scanning active
- Uptime monitoring active
- Google Search Console connected
What This Means for the Plugin Ecosystem
The Wordfence removal raises fundamental questions about WordPress plugin ecosystem governance. WordPress.org’s plugin directory is the primary distribution channel: being listed means access to millions of users, automatic updates, and credibility. Being removed is a significant blow.
If this can happen to Wordfence, one of the largest plugins, it can happen to others. It has before (WP Cerber, ACF/SCF). What this means for you:
- Avoid over-dependence on any single plugin. Have contingency plans for critical plugins.
- Know your update sources. Understand whether each plugin updates through WordPress.org, developer servers, or a license system.
- Stay informed about governance. Follow plugin directory policy developments.
- Support plugin developers. Premium purchases, donations, and honest reviews sustain the ecosystem.
The WordPress community has been increasingly debating governance structures and how decisions affecting millions should be made. The Wordfence removal underscores the need for clearer, more transparent governance.
Should You Stay or Switch?
Consider Staying If:
- You’re on Premium and updates flow normally through Defiant’s servers
- You’re comfortable with manual updates from wordfence.com
- You’ve invested significant time in custom configuration
- Your team knows Wordfence’s interface
Consider Switching If:
- You’re on free and relied on WordPress.org auto-updates
- You manage multiple sites and can’t manually track updates
- You’re concerned about long-term stability outside WordPress.org
- You were already considering a change
- Your host or agency recommends an alternative
The worst thing you can do right now is nothing. Whether you stay or switch, take action to ensure your security plugin is receiving updates and actively protecting your site.
Immediate Action Steps
- Check your Wordfence version against what’s available at wordfence.com. A mismatch means auto-updates aren’t working.
- Create a full backup right now, before making changes. Store it off-server.
- Run a security scan to confirm your site is clean today.
- Review the alternatives above; even if you stay, understanding your options is valuable.
- Make a decision within 7 days. A security plugin in limbo is a vulnerability.
The Bottom Line
The Wordfence removal from WordPress.org is a significant disruption, but not a crisis if you respond appropriately. Your site’s security doesn’t depend on any single plugin; it depends on having a functioning, updated security tool as part of a broader strategy that includes strong hosting, good practices, and regular monitoring.
Take this as a prompt to evaluate and strengthen your security posture. Audit your current setup, understand your options, and make an intentional decision rather than defaulting to inaction. The WordPress ecosystem offers plenty of excellent security solutions; the important thing is that you actively choose and maintain one.
Need help securing your WordPress site or migrating from Wordfence? A solid security foundation is especially critical for community and membership sites where user data is involved. If you’re running a BuddyPress community, a WooCommerce store, or any site handling sensitive user information, reach out to our team for security guidance tailored to your setup.