Forum Replies Created

Viewing 15 replies - 16 through 30 (of 1,317 total)
    Plugin Author Wordfence Security

    (@mmaunder)

    What we do is end to end encryption and then encryption at rest, but we have the keys so that the data is, for example, indexable for performance reasons. This is standard in SaaS systems that comply with applicable EU and US privacy laws.

    If you’re interested in researching the feasibility of a system like you’re describing I’d suggest researching homomorphic encryption and the challenge of indexing and performing computation on encrypted data.

    Again there is no legal or privacy constraint preventing you from using Wordfence Central and the Audit Log from the EU, beyond your own preferences.

    Just a side note: it occurred to me that you may be looking at the recent press around Telegram. We’re not a messaging service and what we’re storing isn’t blobs of data. Instead it needs to be searchable and indexable. I’d also draw a distinction between what we’re doing and a backup service which can also have a single key holder and doesn’t need to be indexed beyond the metadata.

    As a simple practical example: The Wordfence Care and Response team would have no idea they need to respond to an incident on your site, or the ability to view forensic data, if you were the only key holder. Same with alerting you. How would we parse the data if we can’t see it?

    Hope that helps.

    Regards,

    Mark

    Plugin Author Wordfence Security

    (@mmaunder)

    Hi Karl, (Edited for formatting)

    You posted on our blog and I replied there but I’ll share the reply here too for any others coming across this question.

    OK here’s the EU update. Yes you can use Wordfence Central and the Audit Log if you’re based in the EU. I’ve included a short summary of why and how this works, and a longer explanation below that for the legal nerds in the audience. So to fully answer your original post, with the Wordfence Audit log, the data is end-to-end encrypted, the data is encrypted at rest on our servers, and you are legally allowed to log data to our servers if you’re in the EU and the text below explains why.

    Here’s the short version:

    Chapter 5 of the General Data Protection Regulation (GDPR) provides multiple mechanisms for organizations to transfer personal data lawfully between the EU and US. Two of these mechanisms are the EU-US Data Privacy Framework (an adequacy decision under Article 45) and the EU Standard Contractual Clauses (an appropriate safeguard under Article 46). The validity of the Data Privacy Framework (DPF) is currently being challenged in the EU Court of Justice (the predecessor framework to the DPF, the Privacy Shield, was invalidated under a similar challenge). In the interest of maintaining a valid lawful method of transferring data from the EU to the US, Defiant has opted to use the EU Standard Contractual Clauses.

    Here’s the long version:

    Chapter 5 of the EU General Data Protection Regulation (GDPR) addresses the lawful transfer of personal data from the EU to other countries. Among the Articles that address lawful data transfer are: Article 45 – (Transfers on the basis of an adequacy decision) and Article 46 – (Transfer subject to appropriate safeguards). The EU-US Data Privacy Framework is authorized under Article 45 which states:

    “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.” (GDPR Ch. 5, Art. 45(1))

    Countries that have “an adequate level of protection” are known to have been issued an “adequacy decision” by the EU Commission. (A list of countries with adequacy decisions is available here: Adequacy decisions). The United States has received an adequacy decision, but only for “commercial organisations participating in the EU-US Data Privacy Framework.” The EU-U.S. Data Privacy Framework (DPF) is an agreement between the EU and US designed to facilitate the transfer of personal data while ensuring compliance with EU data protection standards. Companies participating in the DPF must adhere to a set of privacy standards administered by the US Department of Commerce (DoC), file an annual registration with the DoC, submit to arbitration regarding EU privacy complaints, among other requirements. The DPF replaces the previous Privacy Shield arrangement, which was invalidated by the European Court of Justice under a ruling commonly known as Schrems 2.

    Alternatively, companies that do not seek to comply with the DPF may rely on Article 46 for lawful transfers of personal data from the EU to the US. Article 46 allows for the lawful transfer of personal data where:

    “the controller or processor has provided appropriate safeguards” which “may be provided for, without requiring any specific authorisation from a supervisory authority, by … (c) standard data protection clauses adopted by the Commission.” (GDPR Ch. 5, Art. 46(1 – 2))

    These “standard data protection clauses” are commonly known as the “Standard Contractual Clauses” or “SCCs.” (The Standard Contractual Clauses are available here: Standard Contractual Clauses). Controllers and processors of EU personal data can comply with their legal obligations for lawful data transfer under Chapter 5 of the GDPR by entering into the Standard Contractual Clauses.

    While both the DPF and Standard Contractual Clauses are currently valid lawful data transfer mechanisms under EU law – Defiant has chosen to use the Standard Contractual Clauses under Article 46. Given that the predecessor of the DPF, the Privacy Shield, was invalidated in July of 2020 and the DPF is currently being contested on similar grounds to the Privacy Shield, Defiant has selected the Standard Contractual Clauses as a lawful method of data transfer more likely to remain valid in the future.

    Regards,

    Mark Maunder – Wordfence Chief Technology Officer

    Plugin Author Wordfence Security

    (@mmaunder)

    Thanks very much. Founder here. Just want you to know we very much appreciate the 5 star review for Wordfence. Reviews really motivate the team to keep doing the great job they’re doing securing the WP community.

    Thanks again,

    Mark Maunder.

    Plugin Author Wordfence Security

    (@mmaunder)

    About 1 hour ago WPEngine initiated a deploy to revert the changes that caused this. The deploy will take 3 to 6 hours to run. So should be finished around 2pm US Eastern time at the latest. This according to an email update they sent us an hour ago.

    Regards

    Mark

    Plugin Author Wordfence Security

    (@mmaunder)

    If you need a quick fix you might try this. As Scott said, WPEngine appear to be working on the issue.

    https://x.com/wordfence/status/1807936913447301193

    Regards,

    Mark.

    Plugin Author Wordfence Security

    (@mmaunder)

    Thanks for the feature suggestion.

    Regards,

    Mark

    Will have something on the Wordfence blog and via the WordPress security email list shortly.

    Hi all. We’re looking at this now as a matter of urgency. Ram Gall, one of our senior threat analysts, is on the case and will have an update shortly. Within 60 mins. We’ll include an advisory on what to do given the current state of play. Thanks for your patience.

    Mark Maunder

    Plugin Author Wordfence Security

    (@mmaunder)

    Thanks for the great review. Phil is one of our rock stars! Glad we fit your security needs.

    Kind regards,

    Mark Maunder – Founder/CEO

    Plugin Author Wordfence Security

    (@mmaunder)

    Thanks. I’m so glad we could help.

    Kind regards,

    Mark Maunder – Founder/CEO

    Plugin Author Wordfence Security

    (@mmaunder)

    Thanks!

    Regards,

    Mark Maunder – Founder/CEO

    Plugin Author Wordfence Security

    (@mmaunder)

    Hi Patrick. Let me know what we missed. We’d love to get that star back.

    Kind regards,

    Mark Maunder – Founder/CEO

    Plugin Author Wordfence Security

    (@mmaunder)

    Hi I’m the Founder and CEO of Wordfence. We care deeply about all of our customers, both free and paid, which is why Mia sent you such a detailed response above with additional information about things like nulled plugins and links to our documentation. It sounds like you’re ready to move on. Sorry it didn’t work out. We have over 4 million customers who absolutely love Wordfence, and if you do decide to try Wordfence again we’d love to help you.

    Kind regards,

    Mark Maunder.

    Plugin Author Wordfence Security

    (@mmaunder)

    Hi guys. Our support team does a great job and will weigh in here in the next few hours once they surface on the east coast. But it’s late, so I thought I’d reply to give you a quick response.

    The email address your alerts are sent to is configured in the Wordfence plugin on the site. So you can separate where alerts are sent, vs where the API key is sent. You are most welcome to enter your own email (instead of your client’s email) when setting up the free version of Wordfence. You can get as many keys sent to your email as you’d like – there’s no limit and no plan to add any kind of limit to the number of free sites a single email address can configure.

    Go ahead and install the key we email you, and then configure your client’s email address to receive the alerts, if that is what your client wants. I’d encourage you to consider setting up Wordfence Central so you can configure security across all your client sites in one place, and see security alerts across all sites on a single dashboard. That gives you a way to provide outsourced security management for your clients. Or if your client wants to manage their own security either via Wordfence Central or directly on their WP site, that’s cool too.

    We are absolutely not getting rid of Wordfence Free and have no plan to. We have over 4 million websites using the free version of Wordfence and value every single one of our free customers. My intention as founder and creator of the product was to solve security for the entire WP ecosystem, not just a select few who could afford to pay. So we’re committed to providing passionate support for the free version for the long haul.

    Regards,

    Mark Maunder – Wordfence Founder & CEO.

    Plugin Author Wordfence Security

    (@mmaunder)

    I think the author thinks that we created the vulnerability or are somehow responsible for the code that was vulnerable – and that somehow our intent was malicious.

    Wordfence works with vendors to help them secure their code. We do this confidentially. That helps keep the entire community safe.

    We also happen to have a firewall product. To provide protection to users of our firewall product, we create firewall rules and release them. When and how we release these rules is up to us. So we release them to our paid customers first, and then to our free customers 30 days later. We’ve been doing this for years, and this is a common practice in the cybersecurity industry.

    Saying that “It’s YOUR plugin that has put everyone’s data at risk and has opened the door to serious consequence for all site owners” is of course false. Our team regularly FINDS vulnerabilities that help keep site owners safe. We also frequently find vulnerabilities that hackers are actively exploiting and make the community aware of these.

    Having said all that, I’d hate to see this author target the vendor for writing a bug that led to a vulnerability. Vulnerabilities are simply celebrity bugs. If you write enough code, you write bugs, and you’ll eventually write a bug that a hacker can exploit to gain access to a system. It’s a normal day-to-day occurrence in software development, and researchers finding those bugs and helping fix them is a normal day-to-day occurrence in the cybersecurity industry.

    Regards,

    Mark Maunder – Founder & CEO.
