14 Mar 2023

Wordfence’s Solution to Their Firewall Incorrectly Blocking Legitimate Requests is to Disable Needed Protection

In our testing, Wordfence Security, the most popular security-only WordPress plugin, provides less protection than several much less popular security plugins. Making the situation worse, it introduces a significant performance penalty compared to security plugins that provide better protection. There is another problem with the plugin that we have been running across instances of for years: its firewall incorrectly blocks legitimate requests in situations where there doesn’t appear to be any reason it should have blocked them.

Recently someone posted on the plugin’s support forum complaining that the firewall was blocking contact form submissions from Contact Form 7, a plugin with over 5 million installs. They stated that the cause was the input containing the word “Data”, which seems odd. A Wordfence employee asked for a screenshot of the log information for the block, and the poster replied with a screenshot showing a request being blocked.

Wordfence’s response to seeing the block information was to note that the request was blocked by the firewall’s protection against cross-site scripting (XSS) and to suggest resolving the problem by disabling that protection. The poster accurately raised the concern that this would remove protection against that type of attack. That is a very reasonable concern: with a recently widely exploited vulnerability, which existed in the latest version of a WordPress plugin despite Wordfence’s claim to the contrary, their firewall protected against the vulnerability through that very protection.

Whenever we run across an instance of a false positive from a WordPress firewall plugin, we test it ourselves, as we want to make sure it isn’t an issue with our own firewall plugin. In this case, what we found while testing is that usage of “Data” doesn’t appear to be what causes the block. Instead, it looks like the encoding of Polish characters in the input is causing it. That shouldn’t be the case, so there still appears to be a problem with Wordfence’s firewall. Our own firewall plugin doesn’t have the same issue.
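To show what that finding amounts to in practice, here is an added Python example (not code from this post or from either firewall plugin): it encodes a constructed Contact Form 7 style submission containing Polish text the way a browser posts it, then runs it through a hypothetical over-broad rule that keys on raw percent-encoded bytes and through a decode-then-inspect check. The over-broad rule reproduces the symptom on the Polish submission while missing a plain script tag; the field names, both rules and all sample data are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed Contact Form 7 style submissions (sample data, not a real capture).
POLISH_FORM = {
    "_wpcf7": "123",
    "your-name": "Małgorzata Łukasiewicz",
    "your-email": "malgorzata@example.com",
    "your-subject": "Data dostawy",  # "Data" is Polish for "date"
    "your-message": "Proszę o informację o dacie dostawy. Dziękuję!",
}
# Same form with ASCII-only values, still containing the word "Data".
ASCII_FORM = dict(POLISH_FORM, **{"your-name": "Jan Kowalski", "your-message": "Data dostawy?"})
# ASCII form carrying an actual script tag in the message field.
XSS_FORM = dict(ASCII_FORM, **{"your-message": "<script>alert(1)</script>"})

def encode_like_browser(fields):
    """Body as the browser posts it: application/x-www-form-urlencoded, UTF-8 percent-encoded."""
    return urlencode(fields)

# Hypothetical over-broad rule that treats any percent-encoded high byte (%80-%FF) in the raw
# body as an evasion attempt. It reproduces the symptom in the post; it is NOT Wordfence's rule.
RAW_HIGH_BYTE = re.compile(r"%[89a-f][0-9a-f]", re.I)

def naive_blocks(body):
    return bool(RAW_HIGH_BYTE.search(body))

# Decode first (what PHP does when filling $_POST), then look for actual markup or script hooks.
MARKUP = re.compile(r"<\s*/?[a-z][^>]*>|javascript\s*:|\bon[a-z]+\s*=", re.I)

def decoded_blocks(body):
    fields = parse_qs(body, keep_blank_values=True)
    return any(MARKUP.search(v) for values in fields.values() for v in values)

def classify(fields):
    """Return which of the two rules would block this submission."""
    body = encode_like_browser(fields)
    return {"naive": naive_blocks(body), "decoded": decoded_blocks(body)}

if __name__ == "__main__":
    for name, form in ("polish", POLISH_FORM), ("ascii", ASCII_FORM), ("xss", XSS_FORM):
        print(name, classify(form))
```

The ASCII form shows that the word “Data” on its own trips neither rule, which matches what we saw in testing.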

Lack of Block Message for Contact Form 7

Another problem we noticed while looking into this is that it isn’t clear to the form submitter that something has gone wrong, as there is no message warning that the submission was blocked; only a spinning loader is shown:

After seeing that, we updated our own firewall plugin so that it displays a message noting that it has blocked the request:

We are going to test with other popular plugins to improve how often it displays a block message.
