28 Aug 2024

WordPress Plugins Failing to Properly Uninstall Leads to Sensitive Information Being Left Behind

We recently completed a security review of a WordPress plugin we were planning to use on our website. We ended up not using the plugin because of an issue unrelated to the security review. While working on the security review, we ran into an issue that hasn’t been checked for as a part of our security reviews, but in hindsight, is something that should be checked on. It turns out that it is an issue that impacts many WordPress plugins, including a couple of plugins with 10+ million installs.

We will be releasing the results of the review once the developer has had a chance to respond to the issues we found. So without getting into the specifics of the issue in the plugin, what we found was that the plugin stores sensitive information as WordPress options (settings) and doesn’t remove it when the plugin is uninstalled. The sensitive information is credentials for an API. Not only is that a security issue, it goes against the “basics” of how WordPress plugins are supposed to operate. The Uninstall Methods section of the Plugin Handbook states that “When your plugin is uninstalled, you’ll want to clear out any plugin options and/or settings specific to the plugin, and/or other database entities such as tables.” It also defines when a plugin is uninstalled: “A plugin is considered uninstalled if a user has deactivated the plugin, and then clicks the delete link within the WordPress Admin.” [Read more]

27 Aug 2024

Wordfence Security and Solid Security Developers Not Supporting Standard to Avoid Security Problem They Confronted

In a recent post on the WordPress security provider Wordfence’s blog, they claimed their “mission is to Secure the Web.” If you understand their business model, this rings hollow, as what they offer is built around trying to address the aftereffects of not securing the web. That very blog post also disputes the claim, as in it they confronted a well-known problem with better securing plugins and simply ignored the problem. They are not alone, as the situation detailed in the blog post also directly involves another security provider, StellarWP. StellarWP is the developer of Solid Security.

The blog post discusses a situation where Wordfence bought a vulnerability in GiveWP, another plugin from StellarWP. Twice in the post, they note that they failed to successfully communicate with StellarWP about that. First, they wrote this: [Read more]

13 Aug 2024

WordPress Coding Standards is Failing to Warn About Missing Sanitization and Requiring Unnecessary Sanitization

One of the things that our new Plugin Security Scorecard uses to grade the security of WordPress plugins is a subset of the checks from our Plugin Security Checker. The subset is intended to cover things that are always a security issue and should be addressed, whereas the full set of checks also flags things that could be secure, but often are not secure and need to be checked. The subset checks for things you would expect to be issues only with certain types of plugins and from certain developers. But the actual results of the plugins checked so far tell a different story.

The 5+ million install plugin Wordfence Security was flagged with “[t]he function filter_input() is used without a filter, so it doesn’t do any filtering.” Similarly, the 100,000+ install Jetpack Protect plugin was flagged with “[t]he function filter_var() is used without a filter, so it doesn’t do any filtering.” That plugin is from Automattic, the company so closely associated with WordPress that it is now not uncommon for WordPress to be seen as an arm of the company. That isn’t the only plugin from Automattic with issues. The 4+ million install Jetpack and the 7+ million install WooCommerce have each been found to have both of the previously mentioned issues. The threat posed by that would depend on what is done after the filter-less filtering, but the filter-less filtering shouldn’t be happening even if there isn’t a larger issue. [Read more]

22 Jul 2024

WordPress Plugin Directory is Allowing Completely Unsupported Extraordinary Claims of Security Plugin Efficacy

For those looking to improve the security of WordPress websites, security plugins are often thought of as an important part of the solution. Just look at the install count of security plugins. What our testing over the years has found is that very popular plugins often fail to provide much protection, if any. That is corroborated by the many complaints by those using those plugins that they failed to provide the promoted protection and websites got hacked. At the same time, there are much less popular plugins that are offering significantly more protection. What seems to be an obvious part of the explanation for this mismatch is that in the WordPress plugin directory, WordPress is allowing developers to make extraordinary claims of efficacy without even putting forward any supporting evidence for the claims. In other fields, this type of thing wouldn’t be allowed, because of the negative impact it has.

Take a plugin named Bad Bot Blocker. Here is the first paragraph of the description on the plugin directory (with our own emphasis): [Read more]

6 Jun 2024

Another Fake Vulnerability in Wordfence Security Is Still Being Targeted 4 Years On

Yesterday, we looked at a hacker’s attempt to target an apparent vulnerability in the WordPress security plugin Wordfence Security that turned out to have never existed. We looked at that because our own firewall plugin had blocked attempts to exploit that. It isn’t the only fake vulnerability that hackers are trying to exploit in Wordfence Security years after the false claim was made.

On our own website, the firewall plugin blocked this request recently: [Read more]

5 Jun 2024

Hackers Still Targeting Fake Vulnerability in WordPress Plugin Wordfence Security 4 Years On

One way that WordPress security plugins and other security solutions make it appear that they are delivering more protection than they really are is by emphasizing how many attacks they have stopped, without delineating between attacks that would have succeeded otherwise and those that wouldn’t have. That is a key detail, as almost all attacks will fail on their own. One of the reasons for that is that hackers keep trying to exploit vulnerabilities years after it would make any sense to do so. Another is that hackers try to exploit vulnerabilities that never really existed. An example of those two coming together that we spotted recently involved a WordPress security plugin known for unnecessarily scaring its users by emphasizing attacks that would have been unsuccessful anyway, Wordfence Security.

One of the users of our own firewall plugin reported that it had blocked what appeared to be an attempt to exploit a vulnerability in Wordfence Security. The request blocked was this: [Read more]

23 Jan 2024

Security Optimizer vs Wordfence Security

We recently noted that the developer of the 1+ million install WordPress security plugin Security Optimizer, SiteGround, was saying that you shouldn’t use the Wordfence Security plugin and instead use their plugin. They didn’t cite any evidence that their plugin is more effective. What would be most important to know is if it did a better job of protecting websites from vulnerabilities in other plugins. We have done just such testing.

Since 2021, we have done 16 tests of a large group of WordPress security plugins to see if they would protect against real vulnerabilities that had existed in other plugins. In those tests, Security Optimizer provided no protection in any of the tests. Wordfence Security did somewhat better, providing protection in six. The reason why Security Optimizer didn’t provide any protection is that the plugin doesn’t contain a firewall. The developer in some places makes it seem like it does and falsely claims to offer protection that would come from a firewall. [Read more]

18 Jan 2024

Malcare’s Review of Wordfence Recommends Malcare Instead Without Disclosing They Make It

Those looking for useful security advice for WordPress websites often run across biased information, where the bias isn’t disclosed. While looking for some information for a post we were writing, we ran across what was claimed to be a review of the Wordfence Security plugin. It was from a competitor, Malcare. That was never disclosed in the review. By the fourth paragraph, they are already recommending Malcare instead:

WordFence’s free version is a really good security plugin for website owners with zero budget for security. However, there are a bunch of downsides, including some security lacuna. I strongly recommend MalCare, which is far more reliable and effective at blocking threats and protecting your site against malware. [Read more]

18 Jan 2024

Sucuri Security vs Wordfence Security

In looking at lists of the best WordPress security plugins recently, the Sucuri Security plugin has been repeatedly listed first. That is not because it is the best security plugin and doesn’t even have anything to do with the plugin. Instead, it is listed as the best because the company behind it offers affiliate revenue for those who get people to sign up for an unrelated service they offer. If you look at reviews of Sucuri’s service, there are a lot of people warning about how bad the service is. That isn’t surprising when the developer keeps admitting that they are failing to protect their customers. But what about the protection their plugin offers versus the most popular security-only plugin for WordPress, Wordfence Security?

Since 2021, we have done 16 tests of a large group of WordPress security plugins to see if they would protect against real vulnerabilities that had existed in other plugins. In those tests, Sucuri Security provided no protection in any of the tests. Wordfence Security did somewhat better, providing protection in six. The reason why Sucuri Security doesn’t provide any protection is that the plugin doesn’t contain a firewall. Recommendations of it would make you think otherwise. [Read more]

17 Jan 2024

Wordfence Is Warning That Vulnerabilities Are Critical When They Are Not

Whether intentionally or not, part of the business model of the developer of the Wordfence Security plugin involves scaring people into buying their services by overstating the risk posed by security issues. The overstated risk was on display in the last week with a false claim of a “critical” vulnerability in the current version of WooCommerce.

As we noted yesterday, Wordfence had claimed that there was a vulnerability in a version of WooCommerce, which they later admitted didn’t contain the vulnerability. This was caused in part by them not actually checking on a patch they claimed had been released in a certain version. There wasn’t a patch. Even after admitting that mistake, they still didn’t check to see if there really was a vulnerability. Instead, they, for some reason, took WooCommerce’s developer stating that they had addressed the “potential for” a vulnerability to mean there was a vulnerability. There wasn’t a vulnerability, only the potential for one, as WooCommerce’s developer had clearly stated. [Read more]