On March 22, 2024, millions of WordPress site owners got a shock: WordFence disappeared from the WordPress.org plugin directory without warning. This guide explains what happened, why the plugin was removed, what it means for your site right now, and what steps to take depending on your situation.
WordFence was removed from the WordPress.org plugin directory following a public dispute between Defiant Inc. (the company behind WordFence) and Automattic. Defiant CEO Mark Maunder published statements critical of Automattic and Matt Mullenweg during the broader WordPress.org conflict of late 2024. WordPress.org moderators responded by pulling the WordFence plugin, citing a guideline violation related to those public statements.
Was This About a Security Flaw?
No. The removal had nothing to do with any security issue in the WordFence plugin. The plugin was not compromised, did not contain malware, and had no newly discovered vulnerabilities. The removal was purely the result of a business and policy dispute. A security plugin removed over a policy dispute is a very different situation from a plugin removed because it poses a danger to users.
WordFence was eventually reinstated in the WordPress.org plugin directory after the initial removal. However, the episode exposed a real risk that every site owner should understand: any plugin can be pulled from the directory at any time for reasons that have nothing to do with technical quality.
What the Removal Period Meant for Users
- No updates through WordPress dashboard – Free users could not receive firewall rule updates or malware signatures through WordPress.org during the removal period.
- No fresh installs from directory – New installations from WordPress.org were not possible while the listing was down.
- Paid users were largely unaffected – Premium WordFence licenses pull updates from Defiant servers directly, not from WordPress.org.
Check WordFence Status in Your Dashboard
Go to your WordPress admin and navigate to Plugins. If WordFence shows update errors or cannot check for updates, it may be having trouble connecting to the update source. If updates are flowing normally, the directory is currently available for your plan type.
Verify Your License Type
Go to WordFence > Dashboard in your WordPress admin. The license information appears at the top of the page. Paid customers will see their license tier and expiration date. Free users will see an option to upgrade. Paid plans receive updates from Defiant servers regardless of WordPress.org directory status.
Enable Auto-Updates if on a Paid Plan
Go to Plugins > Installed Plugins, find WordFence, and check whether auto-updates are enabled. Paid plans pull updates from Defiant servers, so enabling auto-updates ensures you stay current regardless of WordPress.org directory status.
Evaluate Your Risk Tolerance
The key question: how comfortable are you with a plugin that has had an adversarial relationship with WordPress.org? Paid users with Defiant-served updates are largely insulated from future removals. Free users face more exposure if the directory conflict resumes.
The WordFence situation revealed a dependency that most WordPress users never think about: the WordPress.org plugin directory is not just a discovery tool, it is the update infrastructure for most plugins. When a plugin is listed on WordPress.org, your site checks the directory for new versions and downloads updates through it. When a plugin is removed from the directory, free users lose the automatic update mechanism entirely.
This matters more for security plugins than for any other category. A contact form plugin that misses an update for two weeks is a minor inconvenience. A security plugin that misses firewall rule updates for two weeks leaves your site exposed to newly discovered vulnerabilities during that gap. Security plugins need frequent, reliable updates because the threat landscape changes daily: new malware signatures, new vulnerability exploits, and new attack patterns require constant rule updates to maintain effective protection.
Premium plugin licenses typically include direct update channels that bypass WordPress.org entirely. This is why paid WordFence users were largely unaffected by the removal: their updates come from Defiant’s servers, not from WordPress.org. This architectural difference between free and paid versions is worth understanding for any critical plugin, not just security tools. If a plugin is essential to your site’s operation, having a direct update channel (through a paid license or vendor-hosted distribution) provides resilience against directory disruptions regardless of the cause.
How Plugin Updates Actually Work
WordPress checks for plugin updates by sending a list of installed plugins to the WordPress.org API endpoint. The API responds with version information for each plugin that has an available update. Your WordPress dashboard then shows the update notification and handles downloading the new version from WordPress.org when you click “Update.” This entire pipeline depends on the plugin being listed and active in the directory.
Premium plugins use a custom update mechanism. They register their own update checker that contacts the vendor’s server instead of WordPress.org. This is why premium plugins can provide updates even when not listed on WordPress.org: they maintain their own distribution infrastructure. When evaluating any critical plugin, check whether the vendor provides independent update infrastructure or relies solely on WordPress.org. For security plugins specifically, independent update infrastructure should be considered a requirement for production sites.
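The difference between directory-served and vendor-served updates can be read from data WordPress already stores. The following is an added example (not code from WordFence, WordPress core, or this guide's author) that reads a JSON export of the `update_plugins` site transient and labels each plugin by the host of its update package; the plugin names, the vendor host `updates.vendor.example`, and the export step itself are assumptions.

```python
"""Label each installed plugin by where its updates come from (added example)."""
import json
from urllib.parse import urlparse

# Host that serves packages for plugins listed in the WordPress.org directory.
DIRECTORY_HOST = "downloads.wordpress.org"

# Constructed export of the `update_plugins` site transient; plugin names and
# the vendor host are made up. Only the top-level keys are WordPress core's.
SAMPLE = json.loads("""
{
  "last_checked": 1700000000,
  "checked": {
    "contact-form-x/contact-form-x.php": "2.1.0",
    "shield-pro/shield-pro.php": "5.4.1",
    "licensed-backup/licensed-backup.php": "1.9.0",
    "orphaned-firewall/orphaned-firewall.php": "7.0.3"
  },
  "response": {
    "shield-pro/shield-pro.php": {
      "new_version": "5.5.0",
      "package": "https://updates.vendor.example/shield-pro-5.5.0.zip"
    },
    "licensed-backup/licensed-backup.php": {"new_version": "2.0.0", "package": ""}
  },
  "no_update": {
    "contact-form-x/contact-form-x.php": {
      "new_version": "2.1.0",
      "package": "https://downloads.wordpress.org/plugin/contact-form-x.2.1.0.zip"
    }
  }
}
""")


def classify_update_sources(transient, now, max_age_hours=24):
    """Return ({plugin_file: label}, stale) for one exported transient."""
    # An empty PHP array exports to JSON as [], so fall back to {} for empty lists.
    checked = transient.get("checked") or {}
    response = transient.get("response") or {}
    no_update = transient.get("no_update") or {}
    report = {}
    for plugin_file in checked:
        entry = response.get(plugin_file) or no_update.get(plugin_file)
        if entry is None:
            report[plugin_file] = "untracked"      # no source answered for it
            continue
        host = urlparse(entry.get("package") or "").hostname
        if host is None:
            report[plugin_file] = "no-package"     # entry without a download URL
        elif host == DIRECTORY_HOST:
            report[plugin_file] = "wordpress.org"
        else:
            report[plugin_file] = "vendor:" + host
    age_hours = (now - transient.get("last_checked", 0)) / 3600
    return report, age_hours > max_age_hours


if __name__ == "__main__":
    sources, stale = classify_update_sources(SAMPLE, now=1700000000 + 3600)
    for plugin_file, label in sorted(sources.items()):
        print(f"{label:32} {plugin_file}")
    print("update check is stale" if stale else "update check is recent")
```

A critical plugin labelled `wordpress.org` depends on its directory listing for updates, and one labelled `untracked` had no update source report on it in the last check; both are candidates for the manual update process discussed in this guide.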
Beyond the directory dependency issue, understanding how different security plugins work architecturally helps you make a better choice for your site. Security plugins fall into two broad categories that determine where threat detection and blocking happens.
Server-side plugins (WordFence, Solid Security, WP Cerber) run entirely on your web server. They inspect incoming requests using PHP code, scan files on your server’s filesystem, and maintain firewall rules in your WordPress database or configuration files. The advantage is that they have full access to your server’s files and database for deep scanning. The disadvantage is that they consume your server’s CPU and memory to process every request, and malicious traffic still reaches your server before being blocked.
Cloud-based plugins (Sucuri Firewall, Cloudflare WAF, Patchstack) route your traffic through external servers that inspect and filter requests before they reach your web server. Malicious requests are blocked at the cloud layer and never touch your hosting. The advantage is zero server load from security processing, and the cloud provider can leverage data from millions of sites to detect emerging threats faster. The disadvantage is that your traffic passes through a third party, you depend on their uptime, and the cloud layer cannot scan your server’s files directly.
The most robust approach combines both: a cloud WAF (like Cloudflare’s free tier or Sucuri’s paid firewall) handling perimeter defense, and a server-side plugin handling file integrity monitoring, login protection, and database security. This layered approach means that if one layer fails or is disrupted, whether by a directory removal, a cloud provider outage, or a server-side plugin conflict, the other layer continues providing protection.
| Approach | Threat Blocking | File Scanning | Server Load | Directory Dependency |
|---|---|---|---|---|
| Server-side only (WordFence free) | At server level | Full filesystem access | High, processes every request | Full dependency |
| Server-side premium (WordFence Pro) | At server level | Full filesystem access | High | Independent updates |
| Cloud WAF only (Cloudflare) | Before reaching server | No file scanning | Zero | No dependency |
| Hybrid (Cloud WAF + server plugin) | Both layers | Full filesystem access | Moderate | Partial dependency |
The WordFence removal was not an isolated incident. It was part of a broader series of conflicts between WordPress.org leadership and various companies in the WordPress ecosystem during late 2024 and early 2025. These conflicts affected multiple companies and plugins, raising questions about the governance model of a platform that powers over 43% of the web.
For site owners, the practical takeaway is risk diversification. Do not build your entire security, backup, or e-commerce strategy around a single plugin that depends on a single distribution channel. If your security plugin is removed from the directory, you need a plan. If your backup plugin loses access to updates, you need an alternative. If your e-commerce plugin has a conflict with WordPress.org, your store needs to keep running.
This does not mean abandoning the WordPress.org ecosystem; it remains the most important distribution channel for WordPress plugins and the vast majority of plugins will never face removal. It means treating plugin dependencies the way any responsible technology decision-maker treats dependencies: with awareness of the risk and a plan for continuity if the dependency becomes unavailable. For most sites, this simply means choosing premium versions of critical plugins (which provide independent updates) and maintaining current backups that allow recovery regardless of any single plugin’s status.
If you decide to move to a different security plugin, several strong options cover everything WordFence does. For a complete feature breakdown, read the full WordPress security plugins comparison: WordFence vs Sucuri vs Solid Security before making a decision.
Solid Security (Formerly iThemes Security)
Solid Security is the most direct server-side alternative to WordFence. It includes brute force protection, two-factor authentication (including passkeys via WebAuthn), file change detection, and Patchstack-powered vulnerability scanning. The free version handles basic protection. Pro costs $99/year per site. Solid Security has no ongoing disputes with WordPress.org and a stable directory presence.
Sucuri Security
Sucuri takes a cloud-based approach. The free plugin handles file integrity monitoring and hardening. The paid Sucuri Platform ($199.99/year) adds a cloud Web Application Firewall that filters traffic before it reaches your server, plus unlimited manual malware cleanup by Sucuri security analysts. A strong choice for WooCommerce stores and high-traffic sites that need the cleanup guarantee.
Patchstack
Patchstack focuses on vulnerability intelligence. It monitors your installed plugins and themes against a live database of known vulnerabilities and applies virtual patches before an official fix is released. There is a free community plan for personal sites. Paid plans start from $14.99/month for agencies managing multiple sites.
WP Cerber Security
WP Cerber is a comprehensive self-hosted option covering login protection, anti-spam, traffic inspection, and malware scanning. It covers most of what WordFence free users rely on, with a clean interface and good documentation. Free version available, Pro from $99/year.
| Plugin | Best For | Free Version | Starting Price |
|---|---|---|---|
| Solid Security | All-in-one hardening and login security | Yes | $99/year |
| Sucuri | Cloud WAF and malware cleanup guarantee | Yes (limited) | $199.99/year |
| Patchstack | Vulnerability management | Yes (community) | From $14.99/month |
| WP Cerber | Traditional all-in-one security | Yes | $99/year |
WordFence collects and stores significant data about your site and its traffic. Before deciding to stay or switch, understand what data WordFence holds and where it lives. The local WordFence database tables on your server store scan results, firewall logs, blocked IP addresses, and login attempt records. These tables can grow large on busy sites, sometimes several hundred megabytes, and are deleted when you uninstall the plugin through the WordPress admin interface.
WordFence Central, the cloud dashboard at wordfence.com, stores site connection data, alert history, and scan summaries. If you switch away from WordFence, disconnect your site from WordFence Central to stop sending data. Log into wordfence.com, find your site in the Central dashboard, and remove the site connection. This prevents orphaned monitoring attempts and alert emails for a plugin you are no longer running.
For sites in regulated industries (healthcare, finance, e-commerce with PCI requirements), review your data processing agreements with Defiant before making changes. WordFence in its premium tiers may be processing or storing information about site visitors that falls under GDPR, HIPAA, or PCI DSS obligations. Switching security plugins means transferring these data handling responsibilities to a new vendor, which may require updating your privacy policy and data processing documentation.
Step 1: Install Your New Plugin First
Do not deactivate WordFence until your new plugin is installed and configured. Go to Plugins > Add New, search for your chosen replacement, install and activate it, and run through its setup wizard before touching WordFence. This ensures you are never without coverage.
Step 2: Configure Core Security Settings
In your new plugin, enable at minimum: brute force login protection, two-factor authentication for admin accounts, file change monitoring or integrity scanning, and email alerts for suspicious activity.
Step 3: Note Your WordFence Custom Settings
Before switching, review your WordFence configuration for any custom rules. Note custom IP allowlists (WordFence > Firewall > Allowlisted IPs), scan exclusions, and rate limiting rules. These will need to be recreated manually in your new plugin.
Step 4: Deactivate and Delete WordFence
Once your new plugin is running and configured, go to the Plugins screen, deactivate WordFence, and delete it. Also log into wordfence.com and disconnect your site from WordFence Central to avoid orphaned alerts.
Step 5: Run a Post-Migration Scan
After the switch, run a full scan with your new plugin to establish a clean baseline before moving forward.
The WordFence removal highlights a risk that applies to any plugin central to your site: dependency on the WordPress.org directory for updates. Plugins can be suspended for reasons unrelated to their technical quality or security record. This is especially relevant for security plugins, backup plugins, and e-commerce tools.
Practical precautions every site owner should take:
- Know whether your critical plugins offer direct updates outside WordPress.org (premium plugins typically do).
- Have a manual update process in mind for critical plugins during directory disruptions.
- Keep your site well-backed up so you can recover from any incident.
- Do not rely on a single plugin as your only line of defense. Combine good plugin choices with strong hosting, good passwords, and regular updates.
Is my site currently at risk if WordFence is installed?
No. If WordFence is active on your site, it continues to protect you regardless of its directory status. The long-term risk is in updates: if WordFence is removed again and updates stop flowing, your protection becomes gradually less effective as new threats emerge that outdated rules cannot catch.
Can I still download WordFence directly?
Yes. Even during a WordPress.org removal, WordFence makes the plugin available through wordfence.com. Paid customers can download the latest version from their WordFence account. Free users can visit the WordFence website and install the zip manually through Plugins > Add New > Upload Plugin.
Should I switch security plugins because of this?
Not necessarily, and not urgently. Paid WordFence customers are largely insulated from directory removals. Free users should evaluate alternatives, but a calm planned switch is always better than a crisis switch. Use this as an opportunity to review your security stack while there is no immediate urgency.
Does this affect WordFence Central?
No. WordFence Central (wordfence.com/central) operates independently of the WordPress.org directory. Remote management features and alerts continued working normally during the removal period.
What happens to my firewall rules if WordFence stops receiving updates?
WordFence firewall rules are stored locally in your WordPress database and continue enforcing existing rules even without updates. However, the rules become increasingly less effective over time because they cannot detect new attack patterns discovered after your last update. Think of it like an antivirus program with an outdated signature database: it catches known threats but misses anything new. For free users during a directory removal, this gap widens every day. Premium users receiving updates from Defiant servers are not affected by this issue since their rule updates flow through an independent channel.
Can I use multiple security plugins at the same time?
Running two full security plugins simultaneously (such as WordFence and Solid Security together) is strongly discouraged. They will conflict on firewall rules, login protection, and file scanning, causing performance issues, false positives, and potential lockouts. The correct layered approach is to pair one server-side security plugin with a cloud-based WAF like Cloudflare or Sucuri Firewall. These operate at different network layers and complement each other without conflict. A cloud WAF filters traffic before it reaches your server, while the server-side plugin handles file monitoring, login hardening, and database security.
How do I know if my security plugin updates are coming from WordPress.org or the vendor?
Check your plugin’s settings or license page. Premium plugins typically show a license key and update source in their dashboard. For WordFence specifically, go to WordFence > Dashboard and look at your license status. Free licenses pull updates through WordPress.org. Premium, Care, and Response licenses pull updates from Defiant’s servers directly. If you are unsure about any plugin, temporarily disconnect from the internet and check if the plugin still reports update availability; vendor-served updates will show even when WordPress.org is unreachable.
The WordFence directory removal was significant for the WordPress community, but it does not require immediate panic for most site owners. Paid users are largely protected – their updates flow from Defiant’s own servers. Free users on WordFence should understand the update dependency and make an informed decision about whether to stay or switch.
The best security strategy is a layered one: good hosting, strong passwords, regular software updates, reliable backups, and a well-configured security plugin. No single tool covers everything, and the WordPress.org directory situation is a reminder that plugin availability can change for reasons beyond technical merit. If you want to assess your current security posture before making any plugin changes, our guide on how to check if your WordPress site is secure provides a practical checklist you can run through in under 30 minutes.
What If This Happens Again?
The most important lesson from the WordFence removal is preparation. Create a documented security plan for your site that does not depend on any single plugin being available. Your plan should include: which security plugin you use and its update source (WordPress.org vs vendor-direct), a list of alternative plugins you have evaluated and could switch to within 24 hours, a backup strategy that runs independently of your security plugin, and server-level security measures (SSL, strong passwords, limited admin accounts, disabled XML-RPC) that protect your site regardless of which plugin you run.
For agencies managing multiple client sites, maintain a standard operating procedure for plugin disruptions. This should cover how to communicate the situation to clients, which alternative plugins are pre-approved for deployment, and how to batch-migrate multiple sites to a new security plugin efficiently using tools like MainWP or ManageWP. Having this procedure documented before a crisis means you can execute calmly and quickly rather than making rushed decisions under pressure.
The WordPress ecosystem is resilient, and the vast majority of plugins will never face directory removal. But for the small number of critical infrastructure plugins that your site depends on (security, backups, e-commerce), treating them as potential single points of failure and planning accordingly is simply good risk management practice.
Next step: Log into your WordPress admin now and check your WordFence license status and update settings. Paid users: confirm auto-updates are enabled and verify they pull from Defiant servers. Free users: decide whether to stay or start evaluating the alternatives listed in this guide. Regardless of your decision, take 10 minutes to verify your site backup is current and tested; that single step protects you against any plugin disruption, security incident, or server failure.
Last modified: March 11, 2026








