Kerry
Forum Replies Created
Hi Lea,
Wordfence provides a Data Processing Agreement found at the link below. This agreement relies on Standard Contractual Clauses to lawfully transfer EU PII between the EU and the United States. You can sign it per the instructions on the page. This agreement applies to both the free and Premium versions of Wordfence.
https://www.wordfence.com/help/general-data-protection-regulation/
-Kerry
Hi Emma,
Unfortunately, our lawyers do not allow us to provide advice that may be construed as legal advice. I can provide this link which may help you understand your legal responsibilities under GDPR: https://gdpr.eu/what-is-data-processing-agreement/
Kind regards, Kerry
Hello,
We provide a Data Processing Agreement which relies on Standard Contractual Clauses to transfer EU PII to Wordfence servers in the US. We no longer rely on the Privacy Shield framework. Standard Contractual Clauses are still recognized as a lawful means to transfer EU PII data, which, by signing, allows our customers to continue to be fully protected using the Wordfence plugin. You can find it on this page about halfway down: https://www.wordfence.com/help/general-data-protection-regulation/
-Kerry
Hi @tdgi
All cookies are persistent with lifetimes as follows:
wfwaf-authcookie-(hash) – 12 hours
wf_loginalerted_(hash) – 1 year
wfCBLBypass – 1 year
-Kerry
Hi @tdgi,
The storage period for those three cookies is between 12 hours and one year.
-Kerry
Hi @macnscr,
You can disable sending visitor data collected from the site to the Wordfence servers in the US by turning off “Participate in the Real-Time Wordfence Security Network” on the Options page.
If you turn this off, you will cripple the software to only provide protection that can be run entirely locally. Anything that protects based on IP reputation, which is the vast majority of the blocks we see, would no longer work and would open up your site to much more unnecessary risk.
We have provided a lawful, GDPR-compliant method to transfer data from the EU to our servers in the US via the Data Processing Agreement we have set up (https://www.wordfence.com/help/general-data-protection-regulation/#data-processing-agreement). This is the process you can use until we have completed getting set up with Privacy Shield. The intent of GDPR isn’t to put sites at greater risk for attack attempts, which is why many companies use a Data Processing Agreement and/or Privacy Shield to continue to allow security products to protect EU sites and transfer EU data lawfully.
-Kerry
Hi @levdesign,
Currently our process to provide data controls is to contact us at privacy at defiant.com. We have a process in place to manage the requests per GDPR requirements. We haven’t looked into offering tools such as the ones provided by WordPress for exporting and erasing personal data. Thank you for bringing this to our attention so we may consider it.
-Kerry
Hi @wpblogwriter,
Blocked IP stats shown on the dashboard are collected from Live Traffic. How long they are retained is determined by the Live Traffic setting in your Options (1+ days). You can have them automatically removed daily if you set it to one day.
IPs sent to Wordfence are kept for 90 days unless they are still behaving maliciously. They are removed once they stop being malicious or after 90 days, whichever is later. This data is not anonymized.
Kerry
Hi Richard,
Could you explain the inconsistency you see? Looking at Article 94 of the GDPR, this seems correct: https://gdpr-info.eu/art-94-gdpr/
-Kerry
Hi @michilinz,
Successful logins can be important forensic evidence in a situation where a site was compromised, since an attacker's login would then also be successful. Without this opportunity to audit the previous logins, you may not be able to figure out which one of your admin accounts is compromised.
If you still don’t want to log this data, unfortunately we don’t have the ability to automatically stop this logging, but you could write a script that truncates the wp_wfLogins table.
Hi @herby07,
If you have Live Traffic enabled in order to manually block suspicious or malicious IPs, and fall under the DSGVO regulations, your site will be collecting personal data from your customers and they should be informed of this collection. We have added an option to delete data in Live Traffic with a setting of 1 day or more so you can easily delete data you no longer need.
Hi Greg,
I heard back on this issue. The filenames for those fonts should be there. We noticed there’s also a jetpack.woff getting a 404 which is not one of our files. We think there might be something causing a problem with the full path to the files. You should be able to see what the full path is by hovering over the filename in the list that shows the 404s or by right-clicking and choosing “Copy URL”. In our css/ directory, the css files use a relative path like url(../fonts/filename.woff). Our best guess right now is that the browser version is somehow misinterpreting the full path or maybe another plugin is combining the css files without fixing relative paths.
Thanks Greg for all that info. The dev I need to talk to is out until Monday so it may take me a few days to get an answer for you but I’ll post here again when I get an update.
@dangillmor, The problem has been fixed. If you rescan, you shouldn’t see those issues reported anymore.
@oskosk, Thanks for the offer to help, much appreciated! The scan for file changes checks files against a copy of the www.remarpro.com repository. When it does this check, it checks against a specific version number. In this case, a mismatch happened there. We have fixed this by forcing a refresh on our data. We will also continue to work on this to prevent it from happening again but believe it’s an issue on our side that caused it.
We are aware they don’t work in Internet Explorer but should default to a font that works. Could you tell me which version of IE you are using or other browser where it’s not working so I can try to reproduce the problem? If you are able to respond with a screenshot (any sensitive data removed) that shows the problem, that would be very helpful too.
-Kerry