Issues not picked up by Wordfence

Hi @lordsnake,

Our diagnostics do check for PHP version to flag older/unsupported versions. Almost all of the items on the screenshot are informational issues, where few of them are likely to lead directly to a compromise on most configurations. I say this because a huge amount of attacks we see are performed in a hit-and-hope manner, rarely stopping to check specifics before trying. If they did check specifics, some information that other plugins hide merely slows down a would-be attacker rather than stopping them completely.

As Wordfence can have some sections selected/deselected in a modular fashion, you can ensure running two security solutions together don’t cover the same ground by mixing and matching features you feel are most useful to you from both.

Provided you have 2FA and reCAPTCHA enabled for your administrative accounts – as also recommended by WordPress themselves – and complex passwords set for your cPanel/FTP/database/host etc. then Wordfence will look after your WordPress installation using its extensive database of vulnerabilities, IPs and signatures to detect exploitable plugins, known current “bad” IPs, and malicious files.

Thanks again,

Peter.

it’s not just about protecting the site from things that are at high risk of getting compromised, it’s also about preventing it from breaking as well as stopping it from being a target to begin with.

while most attacks are a “hit and hope” as you say, I do also see a lot of scans looking for vulnerabilities.

I cannot say that I have ever seen a warning from WF about a site running old unsupported PHP versions. Where is this meant to appear?

Hi @lordsnake,

Wordfence > Tools > Diagnostics > PHP Environment checks the version of PHP. Here you can also check other things such as file permissions, communication in/out of the site etc. are all working correctly.

It can be frustrating to see so many requests in your Live Traffic, especially if there seems to be no logical reason due to hidden pages or other security measures, but this is actually quite a normal occurrence. You might find the following blog post interesting: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/

Wordfence is an endpoint firewall, so can catch/restrict/block users using Brute Force or Rate Limiting settings, but at the point your site tries to host content to them using PHP. Restrictions therefore are possible, but it can’t stop the requests from initially hitting your site, even if it ends up blocking them.

Thanks again,

Peter.

how can I get alerts about outdated/insecure php versions?

Hi @lordsnake,

Your latest full Wordfence scan will flag outdated versions of PHP as a Medium severity alert, which will be emailed to you if you have set them in Wordfence > All Options > Email Alert Preferences

You can read more about what severity each type of alert is here: https://www.wordfence.com/help/dashboard/alerts/

Thanks again,

Peter.

where would I set this on wordfence central rather than individual sites.

If I make changes on the dashboard, WF support have told me this is changing the settings actual site, but then have also given me the complete opposite advice, so am still not sure where I am supposed to make changes in WF central.