Checked on March 19, 2025

Grade:

Issues the Plugin's Developer Should Address:

• The PHP function filter_input() is used without a filter, so it doesn't do any filtering.


• The plugin is using the WordPress function maybe_unserialize(), which is missing PHP's feature to protect against PHP object injection. A Core Committer of WordPress indicated that the it would not be a good idea for plugins to be using the function.


• The plugin doesn't contain a security.txt file (or alternatively a SECURITY.md or SECURITY-INSIGHTS.yml), which would provide information on how to report security issues to the developer.


• The plugin isn't listing in a security.txt file where the results of a security review that has been done of the plugin can be found. A well done security review would provide a good measure of the security of the plugin at the time it was done.


• The plugin isn't listing in a security.txt file where a software bill of materials (SBOM), which provides information on what third-party software is included in the plugin, can be found. That limits the ability to access the security of that third-party software.


• The plugin blocked less than half of the exploit attempts from the Plugin Vulnerabilities Firewall regression testing suite the last time the plugin was tested, so it missing a lot of the protection it could, and another plugin is, offering.


• The plugin is being marketed with a strong claim (or claims) of efficacy without citing evidence that backs up the claim.


• The plugin isn't providing a warning that its information on vulnerabilities in WordPress plugins is unreliable because it comes from a source known not to properly vet the information. That lack of vetting can lead to situations where a "fixed" vulnerabilty is subsequently widely exploited because there wasn't really a fix.


• The plugin is spreading misleading information about brute force attacks against WordPress websites, which are not actually happening, and causing the WordPress community to not focus on real security threats.

Resolving those issues would bring the plugin's grade up to an A+. You can notify the developer of the issues here. If the developer is interested in resolving those issues, we would be happy to help them to get started doing that.

You can also can consider using a similar plugin that is already more secure or one where the developer is interested in making their plugin more secure.

Additional Security Information

• Price for security review of version 8.0.4 of the plugin by Plugin Vulnerabilities: $1100 USD
  (Paying customers of the Plugin Vulnerabilities service select plugins to receive free reviews.)
• Plugin Vulnerabilities Firewall Regression Testing Rank: 3rd

Libraries Detected in Plugin

• random_compat
  • Version in Plugin: 2.0.21
  • Latest Version of Library: 2.0.21
  • OpenSSF Scorecard results (?)
• Sodium Compat
  • Version in Plugin: 1.20.0
  • Latest Version of Library: 2.1.0
  • This library's repository on GitHub doesn't have a security policy.
  • OpenSSF Scorecard results (?)
jQuery Templates
• Version in Plugin: 1.0.0pre
• This library's repository on GitHub doesn't have a security policy.
Colorbox
• Version in Plugin: 1.6.4
• Latest Version of Library: 1.6.4
• This library's repository on GitHub doesn't have a security policy.
• OpenSSF Scorecard results (?)
Chart.js
• Version in Plugin: 4.2.1
• Latest Version of Library: 4.4.8
• This library's repository on GitHub doesn't have a security policy.
• OpenSSF Scorecard results (?)
Bootstrap dropdown.js
• Version in Plugin: 3.4.1
• Latest Version of Library: 5.3.3
• OpenSSF Scorecard results (?)
Select2
• Version in Plugin: 4.0.13
• Latest Version of Library: 4.0.13
• This library's repository on GitHub doesn't have a security policy.
• OpenSSF Scorecard results (?)
jQuery Timepicker Addon
• Version in Plugin: 1.6.3
• Latest Version of Library: 1.6.3
• This library's repository on GitHub doesn't have a security policy.
• OpenSSF Scorecard results (?)
Knockout
• Version in Plugin: 3.5.1
• Latest Version of Library: 3.5.1
• This library's repository on GitHub doesn't have a security policy.
• OpenSSF Scorecard results (?)
Bootstrap tooltip.js
• Version in Plugin: 3.4.1
• Latest Version of Library: 5.3.3
• OpenSSF Scorecard results (?)
• [+] Show The Rest of The Libraries Detected

Plugin Information

• Slug: wordfence
• Version: 8.0.4
• WordPress Plugin Directory listing

Previous Grades

• February 28, 2025:    F
• February 25, 2025:    F
• January 22, 2025:    F
• January 11, 2025:    F
• January 3, 2025:    F
• November 20, 2024:    F
• November 6, 2024:    F
• November 1, 2024:    F
• October 23, 2024:    F
• October 21, 2024:    F
• October 12, 2024:    F
• September 19, 2024:    F
• September 12, 2024:    F
• August 26, 2024:    F
• August 9, 2024:    D
• August 1, 2024:    D
• July 7, 2024:    C+

Grades for Other Firewall Plugins

1. BBQ Firewall     D+
2. Anti-Malware Security and Brute-Force Firewall     D
3. WP Ghost (Hide My WP Ghost)     D
4. NinjaFirewall (WP Edition)     D
5. All-In-One Security (AIOS)     F
6. BitFire Security     F
7. BulletProof Security     F
8. SecuPress Free     F
9. Shield Security     F

Highest Graded WordPress Plugin Vulnerability Data Plugins

1. WPVulnerability     D+
2. Jetpack Protect     D
3. NinjaFirewall (WP Edition)     D
4. Patchstack     D
5. Really Simple Security     D
6. Solid Security     F
7. Jetpack     F
8. MalCare WordPress Security Plugin     F
9. Security & Malware scan by CleanTalk     F
10. Security Ninja     F

View More WordPress Plugin Vulnerability Data Plugin Grades

Highest Graded Two Factor (2FA) Authentication Plugins

1. Two Factor (2FA) Authentication via Email     B
2. WP 2FA     C
3. Two Factor Authentication     D+
4. Two-Factor     D+
5. Really Simple Security     D
6. All-In-One Security (AIOS)     F
7. Solid Security     F
8. Defender Security     F
9. SecuPress Free     F
10. Security Optimizer     F

View More Two Factor (2FA) Authentication Plugin Grades

Highest Graded Brute Force Protection Plugins

Imporant Note: Brute force attacks are not happening, so you don't need a plugin that provides this type of protection.

1. Admin and Site Enhancements (ASE)     C+
2. Mythic Cerberus     C+
3. Headers Security Advanced & HSTS WP     C
4. Limit Login Attempts     C
5. Limit Login Attempts Reloaded     C
6. Titan Anti-spam & Security     D+
7. Login Lockdown     D+
8. WP Hide & Security Enhancer     D+
9. Anti-Malware Security and Brute-Force Firewall     D
10. WP Ghost (Hide My WP Ghost)     D

View More Brute Force Protection Plugin Grades

Grades for Other Malware Scanner Plugins

1. Malcure Malware Scanner     B
2. miniOrange Malware Protection     C
3. Titan Anti-spam & Security     D+
4. Anti-Malware Security and Brute-Force Firewall     D
5. BulletProof Security     F
6. Defender Security     F
7. MalCare WordPress Security Plugin     F

Highest Graded All-In-One Security Plugins

1. Titan Anti-spam & Security     D+
2. WP Ghost (Hide My WP Ghost)     D
3. Jetpack Protect     D
4. Really Simple Security     D
5. All-In-One Security (AIOS)     F
6. Solid Security     F
7. BulletProof Security     F
8. Defender Security     F
9. Jetpack     F
10. MalCare WordPress Security Plugin     F

View More All-In-One Security Plugin Grades

Highest Graded Million+ Install Plugins

1. Hostinger Tools     A
2. Loco Translate     B+
3. Redirection     B+
4. CookieYes     B
5. Cookie Notice & Compliance for GDPR / CCPA     B
6. Disable Comments     B
7. MC4WP: Mailchimp for WordPress     B
8. Maintenance     B
9. Safe SVG     B
10. WP Fastest Cache     B

View More Million+ Install Plugin Grades

Share Scored Results for Wordfence Security

• Share on Bluesky
• Share on LinkedIn
• ✉Email Results

Check Another Plugin

Choose WordPress plugin available in the Plugin Directory to check by searching on its name or slug:

Choose a category to see a comparison of all the WordPress plugins already graded from that category:

Choose ClassicPress plugin to check by searching on its name or slug:

Check Plugin Not in WordPress Plugin Directory

Subscribers of our service can submit ZIP files of plugins that are not in the WordPress Plugin Directory to have them checked. (Not all issues can be checked for with uploaded plugins, as they require data not available with just the plugin's files.) You can sign up for the service for free here. For existing subscribers, once you are logged in to your account, return to this page to access that functionality.

The results of these gradings will not be stored.

About the Scorecard

The Plugin Security Scorecard grades plugins' handling of security based on data coming from the Plugin Vulnerabilities service, checking over the contents of the plugin, the WordPress.org API, and data generated specifically for the tool. It provides a useful, but incomplete, understanding of the security posture of the plugin and its developer. All the issues identified are ones that the developer of the plugin has the ability to address to get the grade of the plugin up to an A+.

Grades are calculated based on issues with any of the following:

• Plugins known to be vulnerable
• Plugin developers with track records of improperly handling security problems
• Security issues in the plugin that can be detected in an automated fashion
• Issues with the developer's developerment processes that suggest that their could be problems with security
• Plugins making unsupported, misleading, and false claims about their handling of security and the handling of security with WordPress

We are working to expand and refine the tools' ability to provide a good measure of plugins' security status. If you are aware of an additional security concern with this plugin that isn't represented here, please contact us. Other feedback on the tool is also welcome.

If you want a comprehensive understanding of the security of the plugin, a well-done security review is really needed to provide that.