Introducing Wordfence CLI: A High Performance Malware Scanner Built for the Command Line
Today, we are incredibly excited to announce the launch of Wordfence CLI: an open source, high performance malware scanner built for the command-line. With Wordfence CLI you can detect malware and other indicators of compromise on a host system by running an extremely fast scanner that is at home in the Linux command line environment. This provides site owners, security administrators, operations teams, and security focused organizations more performance and flexibility in malware detection.
While the Wordfence plugin continues to provide industry leading security with its Web Application Firewall, 2-Factor Authentication, IP Blocklist, Malware Scanner, and other security features, Wordfence CLI can be used to provide a second layer of detection for malware or provide an option for those who choose not to utilize a security plugin.
Wordfence CLI does not provide the firewall, two-factor authentication, brute force protection and other security features that the Wordfence Free and Paid plugin provides. Wordfence CLI is purely focused on high performance, scalable and scriptable malware detection.
Wordfence CLI is for the following customers:
- Individual site owners comfortable on the Linux command line, who choose to run (or schedule) high performance malware scans on the command line instead of using the malware scanning built into the Wordfence plugin.
- Site cleaners who need a high performance malware scanner to scan a large number of files as part of remediation.
- Developers providing hosting to several customers and who want to configure high performance scans in the Linux environment.
- Hosting companies small and large that want to parallelize scanning across thousands or millions of hosts, fully utilizing all available CPU cores and IO throughput.
- Operations teams in any organization who are looking for a highly configurable command line scanner that can slot right in to a comprehensive, scheduled and scripted security policy.
Wordfence CLI aims to provide the fastest PHP malware scanner in the world with the highest detection rate, in a scriptable tool that can work in concert with other tools and utilities in the Linux command line environment.
What is Wordfence CLI?
Malware Detection Designed with Performance in Mind
Under the hood, Wordfence CLI is a multi-process malware scanner written in Python. It’s designed to have low memory overhead while being able to utilize multiple cores for scanning large filesystems for malware. We’ve opted to use libpcre over Python’s existing regex libraries for speed and compatibility with our signature set.
From some of our own benchmarks, we’ve seen ~324 files per second and approximately 13 Megabytes scanned per second using 16 workers on an AMD Ryzen 7 1700 with 8 Cores utilizing our full commercial signature set of over 5,000 malware signatures. That is approximately 46 Gigabytes per hour on modest hardware.
Here are some examples of Wordfence CLI in action.
Performing a basic scan of a single directory in a file system:
wordfence scan --output-path /home/wordfence/wordfence-cli.csv /var/www
This will recursively scan files in the /var/www directory and write the results of the scan in CSV format to /home/wordfence/wordfence-cli.csv. A scan like this could be scheduled using a cron job to be performed daily, which would be similar to how the Wordfence plugin performs scans. Additionally, we can use other utilities like find to select which files we want to scan using Wordfence CLI:
find /var/www/ -cmin -60 -type f -print0 | wordfence scan --output-path /home/wordfence/wordfence-cli.csv
In this example, we can find which files have been changed within the last hour and pipe those from the find command to Wordfence CLI for scanning. It is recommended that you use ctime over mtime and atime, as changing the ctime of a file requires root access to the file system. mtime and atime can be arbitrarily set by the file owner using the touch command.
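The ctime recommendation above can be checked directly. This added example (not from Wordfence's documentation or code) builds a throwaway directory, backdates one file's mtime and atime with touch as its owner, and compares what find selects with -mmin versus -cmin; the function names, file names and the 2020 timestamp are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added demo: owner-settable mtime/atime vs. kernel-maintained ctime.
# Every path and file name below is constructed for this example.

# Build a throwaway web root: one untouched file, and one file whose
# mtime/atime the owner has backdated with touch (no root needed).
make_demo_tree() {
    local dir
    dir=$(mktemp -d) || return 1
    printf '<?php echo "hello"; ?>\n' > "$dir/index.php"
    printf '<?php /* constructed sample, harmless */ ?>\n' > "$dir/dropped.php"
    touch -a -m -t 202001010000 "$dir/dropped.php"   # backdate atime + mtime
    printf '%s\n' "$dir"
}

# Count the files a time predicate would hand to the scanner.
# $1 = directory, $2 = find predicate (-mmin or -cmin); window is 60 minutes,
# matching the "find /var/www/ -cmin -60" selection shown on the page.
count_selected() {
    find "$1" -type f "$2" -60 | wc -l | tr -d ' '
}

# Succeeds (exit 0) when the named file is inside the selection.
# $1 = directory, $2 = predicate, $3 = file name
is_selected() {
    [ -n "$(find "$1" -type f "$2" -60 -name "$3")" ]
}

demo() {
    local dir
    dir=$(make_demo_tree) || return 1
    echo "selected by -mmin -60: $(count_selected "$dir" -mmin)"
    echo "selected by -cmin -60: $(count_selected "$dir" -cmin)"
    if is_selected "$dir" -mmin dropped.php; then
        echo "dropped.php: seen by -mmin"
    else
        echo "dropped.php: missed by -mmin (backdated mtime)"
    fi
    is_selected "$dir" -cmin dropped.php && echo "dropped.php: seen by -cmin"
    rm -rf "$dir"
}
demo
```

The touch call itself updates the file's ctime, which is why the backdated file still falls inside the -cmin window.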
We don’t recommend solely scanning recently changed files on your file system. We frequently add new malware signatures to Wordfence CLI, and we therefore recommend periodically performing a full scan of your filesystem.
Flexibility at Your Fingertips
One key benefit of Wordfence CLI is flexibility. The tool comes with many options that enable users to utilize the output of the scan in various ways.
Some of these options include the ability to:
- Format output in various ways like CSV, TSV, human readable, and more
- Choose the number of workers based on available CPUs, which can increase the speed and performance of a scan.
- Include or skip certain files and directories from a scan.
- Look for all malware signature matches in each file, or immediately stop scanning a file if we find malware (the default).
- Include or exclude specific signatures from a scan.
- And much more.
For more information on all of the options available, we recommend reviewing our help documentation at https://www.wordfence.com/help/wordfence-cli/, or downloading Wordfence CLI and running wordfence scan --help.
How Wordfence CLI Licensing Works
Wordfence CLI comes in two primary license types, Wordfence CLI Free and Wordfence CLI Commercial.
Wordfence CLI Free is free for individual use and cannot be used in a commercial setting. The free version uses our Free Signature Set, which is a smaller set of signatures appropriate for entry-level malware detection. Wordfence CLI Free is a great way to get familiar with the tool and to conduct quick scans.
Wordfence CLI Commercial includes our Commercial Signature Set of over 5,000 malware signatures, and can be used in any commercial setting. We release new malware signatures in real-time to our commercial customers. For a sense of scale, our team has released over 100 new malware signatures in the past four months.
Wordfence CLI Commercial includes product support from our world-class Customer Support Engineers.
Wordfence CLI Commercial is available in four pricing tiers:
- CLI-100 can be used to scan up to 100 unique sites, at just $299 per year.
- CLI-1,000 can be used to scan up to 1,000 different sites, at just $950 per year.
- CLI-10,000 can be used to scan up to 10,000 different sites, at just $2,950 per year.
- CLI-Enterprise which is tailored to any organization or enterprise use case, where the number of sites to be scanned exceeds 10,000. Please contact us at presales@wordfence.com if you are interested in this option.
We trust that users will self-select into the appropriate CLI tier based on the number of sites they need to scan within the license year. You can sign up for a Wordfence CLI free license, or purchase a Wordfence CLI Commercial license at: https://www.wordfence.com/products/wordfence-cli
Contributing to Open Source
Wordfence was founded on a commitment to building and maintaining open source software, and Wordfence CLI is no different. This is why we’ve decided to release the Wordfence CLI application under the GPLv3 license. You can clone the repository here:
https://github.com/wordfence/wordfence-cli/
We’ve also included documentation about how to install, configure, and run Wordfence CLI here:
https://www.wordfence.com/help/wordfence-cli/
Come see us at WordCamp US!
Wordfence is a proud Admin level sponsor at WordCamp US in Maryland this year. Join us in celebrating our launch of Wordfence CLI by stopping by our booth and saying hi! We’ll be there 8AM – 5PM tomorrow (Friday) and 8AM – 3:30PM on Saturday. We’ll have team members from Engineering, Threat Intelligence, Customer Service, Operations, and Security who will be happy to answer any questions you have about the launch of Wordfence CLI. We can also help with any questions about our current product lineup which includes Wordfence Premium, Wordfence Care, and Wordfence Response along with Wordfence Intelligence. If the rumors are true, we might even be teaching the public how to pick locks, and you might have the opportunity to win your own lock picking set if you can crack it.
Comments
2:55 pm
What benefits does it have over Linux Malware Detect, maldet?
5:11 pm
Wordfence CLI has the best PHP malware detection in the industry. Our commercial signature set includes approx 5400 malware signatures that collectively detect 14.5 million variants of spam, malware and other indicators of compromise that target WordPress and other PHP web applications.
4:19 pm
Can wf-cli detect vulnerable plugins, I mean those plugins for which WordFence (even Free version) issues a clear warning that they should be updated as soon as possible?
If this is not the case, please consider adding this functionality, because as a hosting provider we would definitely pay for this.
5:07 pm
CLI only detects malware currently. A huge number of variants and indicators of infection. We’ll consider adding this. Thanks for your comment. ~Mark
5:26 pm
Are there any linuxisms in here, as in, is there any reason this wouldn't run under BSD? If there are, are you welcome to patches?
5:30 pm
If LibPCRE is installed along with Python, it should run just fine!
7:56 am
The announcement doesn't make it clear if the CLI is for scanning WordPress sites, websites in general, or linux servers whether running a website or not. Can you clarify who is the target audience please?
12:58 pm
CLI is for scanning WordPress websites from the command line on a Linux server.
12:34 pm
Nice, the missing cli tool! Better performance and options to automate integrations for agencies and hosts. Looking forward to playing around with it.
6:13 am
I'm slightly confused about a few things.
The installation instructions say to download the binary and extract it, then there's a command to run in the same directory to test the version.
But where should it be extracted in the first place?
Should it be installed as root or the owner of the website to be scanned?
The cron instructions use /usr/local/bin/wordfence so should it be extracted there, or just modify the cron to wherever you extract it?
All examples show how to write a file, but is it possible to email the results (Or just if issues are found)?
It seems like this would be ideal to run daily and disable the plugin scan, but without email notifications the scan results could go unnoticed.
If the plugin could use the cli scanner and otherwise function as normal, that would be ideal.
8:26 am
Hi Rob,
The binary can be extracted and placed in any directory on your system. /usr/local/bin/wordfence would be a good place for it if you intend to install it as root, so it could be run as any user.
We don't currently have a built-in option to email the results. We may at a later date update the documentation to include an example of how to use sendmail to email the results if there are any malicious files found.