Introducing Wordfence CLI: A High Performance Malware Scanner Built for the Command Line
Today, we are incredibly excited to announce the launch of Wordfence CLI: an open source, high performance malware scanner built for the command-line. With Wordfence CLI you can detect malware and other indicators of compromise on a host system by running an extremely fast scanner that is at home in the Linux command line environment. This provides site owners, security administrators, operations teams, and security focused organizations more performance and flexibility in malware detection.
While the Wordfence plugin continues to provide industry leading security with its Web Application Firewall, 2-Factor Authentication, IP Blocklist, Malware Scanner, and other security features, Wordfence CLI can be used to provide a second layer of detection for malware or provide an option for those who choose not to utilize a security plugin.
Wordfence CLI does not provide the firewall, two-factor authentication, brute force protection and other security features that the Wordfence Free and Paid plugin provides. Wordfence CLI is purely focused on high performance, scalable and scriptable malware detection.
Wordfence CLI is for the following customers:
- Individual site owners comfortable on the Linux command line, who choose to run (or schedule) high performance malware scans on the command line instead of using the malware scanning built into the Wordfence plugin.
- Site cleaners who need a high performance malware scanner to scan a large number of files as part of remediation.
- Developers providing hosting to several customers and who want to configure high performance scans in the Linux environment.
- Hosting companies small and large that want to parallelize scanning across thousands or millions of hosts, fully utilizing all available CPU cores and IO throughput.
- Operations teams in any organization who are looking for a highly configurable command line scanner that can slot right in to a comprehensive, scheduled and scripted security policy.
Wordfence CLI aims to provide the fastest PHP malware scanner in the world with the highest detection rate, in an scriptable tool that can work in concert with other tools and utilities in the Linux command line environment.
What is Wordfence CLI?
Malware Detection Designed with Performance in Mind
Under the hood, Wordfence CLI is a multi-process malware scanner written in Python. It’s designed to have low memory overhead while being able to utilize multiple cores for scanning large filesystems for malware. We’ve opted to use libpcre over Python’s existing regex libraries for speed and compatibility with our signature set.
From some of our own benchmarks, we’ve seen ~324 files per second and approximately 13 Megabytes scanned per second using 16 workers on an AMD Ryzen 7 1700 with 8 Cores utilizing our full commercial signature set of over 5,000 malware signatures. That is approximately 46 Gigabytes per hour on modest hardware.
Here are some examples of Wordfence CLI in action.
Performing a basic scan of a single directory in a file system:
wordfence scan --output-path /home/wordfence/wordfence-cli.csv /var/www
This will recursively scan files in the
/var/www directory and write the results of the scan in CSV format to
/home/wordfence/wordfence-cli.csv. A scan like this could be scheduled using a cron job to be performed daily, which would be similar to how the Wordfence plugin performs scans. Additionally, we can use other utilities like find to select which files we want to scan using Wordfence CLI:
find /var/www/ -cmin -60 -type f -print0 | wordfence scan --output-path /home/wordfence/wordfence-cli.csv
In this example, we can find which files have been changed within the last hour and pipe those from the
find command to Wordfence CLI for scanning. It is recommended that you use
atime as changing the
ctime of a file requires root access to the file system.
atime can be arbitrarily set by the file owner using the
We don’t recommend solely scanning recently changed files on your file system. We frequently add new malware signatures to Wordfence CLI, and we therefore recommend periodically performing a full scan of your filesystem.
Flexibility at Your Fingertips
One key benefit of Wordfence CLI is flexibility. The tool comes with many options that enable users to utilize the output of the scan in various ways.
Some of these options include the ability to:
- Format output in various ways like CSV, TSV, human readable, and more
- Choose a number of workers based on available CPUs, that can increase speed and performance of a scan.
- Include or skip certain files and directories from a scan.
- Look for all malware signature matches in each file, or immediately stop scanning a file if we find malware (the default).
- Include or exclude specific signatures from a scan.
- And much more.
For more information on all of the options available, we recommend reviewing our help documentation at https://www.wordfence.com/help/wordfence-cli/, or downloading Wordfence CLI and running
wordfence scan --help
How Wordfence CLI Licensing Works
Wordfence CLI comes in two primary license types, Wordfence CLI Free and Wordfence CLI Commercial.
Wordfence CLI Free is free for individual use and can not be used in a commercial setting. The free version uses our Free Signature Set which is a smaller set of signatures appropriate for entry-level malware detection. Wordfence CLI Free is a great way to get familiar with the tool and to conduct quick scans.
Wordfence CLI Commercial includes our Commercial Signature Set of over 5,000 malware signatures, and can be used in any commercial setting. We release new malware signatures in real-time to our commercial customers. For a sense of scale, our team has released over 100 new malware signatures in the past four months.
Wordfence CLI Commercial includes product support from our world-class Customer Support Engineers.
Wordfence CLI Commercial is available in four pricing tiers:
- CLI-100 can be used to scan up to 100 unique sites, at just $299 per year.
- CLI-1,000 can be used to scan up to 1,000 different sites, at just $950 per year.
- CLI-10,000 can be used to scan up to 10,000 different sites, at just $2,950 per year.
- CLI-Enterprise which is tailored to any organization or enterprise use case, where the number of sites to be scanned exceeds 10,000. Please contact us at [email protected] if you are interested in this option.
We trust that users will self-select into the appropriate CLI tier based on the number of sites they need to scan within the license year. You can sign up for a Wordfence CLI free license, or purchase a Wordfence CLI Commercial license at: https://www.wordfence.com/products/wordfence-cli
Contributing to Open Source
Wordfence was founded on a commitment to building and maintaining open source software, and Wordfence CLI is no different. This is why we’ve decided to release the Wordfence CLI application under the GPLv3 license. You can clone the repository here:
We’ve also included documentation about how to install, configure, and run Wordfence CLI here:
Come see us at WordCamp US!
Wordfence is a proud Admin level sponsor at WordCamp US in Maryland this year. Join us in celebrating our launch of Wordfence CLI by stopping by our booth and saying hi! We’ll be there 8AM – 5PM tomorrow (Friday) and 8AM – 3:30PM on Saturday. We’ll have team members from Engineering, Threat Intelligence, Customer Service, Operations, and Security who will be happy to answer any questions you have about the launch of Wordfence CLI. We can also help with any questions about our current product lineup which includes Wordfence Premium, Wordfence Care, and Wordfence Response along with Wordfence Intelligence. If the rumors are true, we might even be teaching the public how to pick locks, and you might have the opportunity to win your own lock picking set if you can crack it.