13 Aug 2021

Wordfence Security Isn’t Powerful Enough to “Prevent Any Form of Attack”

Wordfence Security is the most popular security-only WordPress plugin (Jetpack is more popular, though only partially promoted as a security plugin), with 4+ million installs. At least some of that popularity is likely explained by the plugin being marketed, by the company behind it and by others, as far more capable than it possibly could be. Testing shows that not only is it not as capable as claimed, it isn't delivering results anywhere near as good as it could or should be able to provide.

On the plugin’s page on the WordPress Plugin Directory, part of the answer for the first FAQ question makes this claim:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

No firewall can stop you from getting hacked outright, and the plugin doesn't even come close to stopping what it should be able to stop, but that type of promotion does help to explain comments about the plugin like the following one we ran across:

Also, the Wordfence Firewall is powerful enough to protect your site and prevent any form of attack. It makes use of the most updated firewall rules, prevents malicious IPs and offers reliable and sufficient protection to your WordPress site. Moreover, Wordfence takes up the crucial security-related responsibility of complete due diligence prior to allowing any traffic to your blog or website.

As part of developing our upcoming WordPress firewall plugin, we have been testing Wordfence Security and many other security plugins against real world vulnerabilities in other WordPress plugins. While Wordfence Security has provided better results than almost all the other plugins tested, it hasn't come close to matching the claims made there. It has failed to prevent attacks that other plugins did prevent, which means it doesn't actually prevent any form of attack and doesn't provide sufficient protection, and the due diligence it does is incomplete.

In testing of protection against two types of vulnerabilities that hackers have been known to attempt to exploit on a wide scale, PHP object injection and arbitrary option update, the plugin provided no protection when other plugins did. In another test, it provided protection, but the protection was incomplete and easily bypassed, while our plugin's protection wasn't. In another, more limited test, we found that a bypass of another of its protections still existed five years after it was publicly disclosed. To be balanced, in one test it was the only plugin to provide protection that wasn't easily bypassed.
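To make concrete what "incomplete protection that is easily bypassed" looks like for one of the vulnerability classes named above, here is an added example of a firewall-style check for PHP object injection payloads in request parameters. It is illustration code written for this post, not Wordfence's rules, not our plugin's code, and not the test we ran; the class name in the sample payload is made up and the two checks are hypothetical. It shows a naive rule that matches the serialized-object signature (`O:<len>:"<class>":<n>:{`) only against raw parameter values, beside a version that also inspects URL-decoded and base64-decoded views of each value, which is enough to catch the trivially encoded payloads the naive rule misses.

```python
import base64
import binascii
import re
import urllib.parse

# Signature of a serialized PHP object, e.g. O:8:"Evil_Obj":1:{ ... }.
# Searching (not matching) the whole value also catches objects nested
# inside serialized arrays such as a:1:{i:0;O:8:"Evil_Obj":0:{}}.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')

# Constructed sample payload with a hypothetical class name (not from any
# real plugin), plus two encoded variants of it.
SAMPLE_PAYLOAD = 'O:8:"Evil_Obj":1:{s:3:"cmd";s:2:"id";}'
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD.encode()).decode()
SAMPLE_URL = urllib.parse.quote(SAMPLE_PAYLOAD)
SAMPLE_B64_OF_URL = base64.b64encode(SAMPLE_URL.encode()).decode()


def naive_check(params):
    """Hypothetical rule that only inspects raw parameter values."""
    return any(PHP_OBJECT_RE.search(v) for v in params.values())


def _base64_view(s):
    """Return the base64-decoded text of s, or None if s is not base64."""
    s = s.strip().replace("-", "+").replace("_", "/")  # accept URL-safe alphabet
    if len(s) < 8:  # too short to carry a serialized object
        return None
    try:
        raw = base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("latin-1")  # never fails; we only need the bytes as text


def _views(value, depth):
    """Yield value and its URL-decoded / base64-decoded forms, recursively."""
    yield value
    if depth == 0:
        return
    for derived in (urllib.parse.unquote_plus(value), _base64_view(value)):
        if derived is not None and derived != value:
            yield from _views(derived, depth - 1)


def hardened_check(params, max_depth=3):
    """Hypothetical rule that also inspects common encodings of each value."""
    return any(
        PHP_OBJECT_RE.search(view)
        for v in params.values()
        for view in _views(v, max_depth)
    )


if __name__ == "__main__":
    for label, value in [("raw", SAMPLE_PAYLOAD), ("base64", SAMPLE_B64),
                         ("url-encoded", SAMPLE_URL),
                         ("base64 of url-encoded", SAMPLE_B64_OF_URL)]:
        print(f"{label:>22}: naive={naive_check({'data': value})} "
              f"hardened={hardened_check({'data': value})}")
```

Even the hardened version is still signature matching, and signature matching is inherently brittle: it only sees encodings it was written to undo, and it says nothing about whether the application actually passes the value to `unserialize()`. That is the underlying reason a rule can look like protection in one test and turn out to be bypassable in another, which is the pattern described above.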


Plugin Security Scorecard Grade for Wordfence Security: F (checked on March 19, 2025)
