9 Jan 2024

Five Years In, Wordfence Security Still Doesn’t Provide Protection When Using WordPress Block Editor

In December 2018, WordPress 5.0 was released, which introduced a new default editor, the block editor (also known as Gutenberg). You would think that the developer of the most popular security-only plugin, Wordfence Security, would have quickly made sure that they offered protection when using that editor, but that turned out not to be the case, as a test we did in September 2021 showed. It was also an issue at the time with the best free option for protection, NinjaFirewall, and with our then in-development Plugin Vulnerabilities Firewall. A recently fixed vulnerability in a popular plugin, Spectra, led to us revisiting this and finding that things haven’t changed for Wordfence Security, but have for the other two plugins.

On Sunday, a new firewall rule was added to the free data for the Wordfence Security plugin. Here is that rule:

5 Jan 2024

All-In-One Security (AIOS) vs Wordfence Security

When it comes to the developers of WordPress security plugins, they shouldn’t be creating the insecurity they are supposed to be protecting against. That unfortunately is true of the current and former developers of the very popular All-In-One Security (AIOS) plugin. It has been such an issue with the new developer that we released an advisory warning against using their plugins until and unless they could show they have gotten a handle on security. So when it comes to the question of using All-In-One Security (AIOS) or Wordfence Security, our advice would be to not use All-In-One Security (AIOS). But let’s say you still want to consider it. Then the most important thing to know about WordPress firewall plugins is the amount of protection they offer against real threats, and we are somehow the only ones doing testing that would measure that.

Since 2021, we have done 16 tests of a large group of WordPress security plugins to see if they would protect against real vulnerabilities that had existed in other plugins. In those tests, All-In-One Security (AIOS) provided protection in only two of the tests. Wordfence Security did somewhat better, providing protection in six.

4 Jan 2024

Wordfence Security Firewall Review: Missing a Lot of Protection that Better Options Offer

Like the developers of lots of WordPress security plugins, the developer of Wordfence Security makes a lot of impressive-sounding claims about their plugin and the protection it offers, but notably doesn’t present any evidence to back the claims up. The actual results, as is often the case, are less than impressive. Figuring that out, though, is difficult, as many others will tell you that these plugins provide much more protection than they do.

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software lets us make sure that the default protection our plugin offers against zero-days (vulnerabilities being exploited before the developer or others know about them) isn’t broken as we make changes to the plugin. Once we started developing that, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In the latest run of that, Wordfence Security only provided protection against 22.8% of the tests. What makes the poor result stand out more is that there hasn’t been much improvement over time. The first time we did that testing, in May 2022, it provided protection against 20.3% of the tests. The best free alternative did significantly better, as it provided protection against 38.8% of the tests.

3 Jan 2024

Wordfence Premium Adding Firewall Rules for Vulnerabilities in Under 10 Plugins a Month

It’s common for critics of the Wordfence Security plugin to claim it isn’t useful unless you are using the companion Wordfence Premium service, because new rules for the firewall are only provided to paying customers for the first 30 days after they are created, so free users won’t be protected against getting hacked. Like so much security advice, that isn’t backed by evidence. There turn out to be multiple serious problems with that claim.

One problem is that the plugin provides a fair amount of protection through what we refer to as general protection, which doesn’t require a rule written for a specific vulnerability. It doesn’t provide as much as the best WordPress firewall plugins do, though.

3 Jan 2024

WP Cerber Security vs Wordfence Security

The most important thing to know about WordPress firewall plugins is the amount of protection they offer against real threats, but we are somehow the only ones doing testing that would measure that. Many of the threats that WordPress security plugins claim to protect against are not really threats. What is a real threat is vulnerabilities in other plugins being exploited, and that is something that firewall plugins can provide protection against. The developers of WP Cerber Security and Wordfence Security make it sound like they provide strong protection against those vulnerabilities, but in reality, they either don’t do a very good job or provide no protection whatsoever.

The marketing of WP Cerber Security prominently claims it “[exceeds] customers’ expectations” by “vigorously [defending] WordPress against hacker attacks.” It also is claimed that it “screens all suspicious requests and blocks them before they can harm a website.”

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a persistent cross-site scripting (XSS) vulnerability, a type of vulnerability hackers are known to widely exploit, that was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one.

22 Dec 2023

SiteGround Recommends Against Using WordPress Security Plugins That Actually Protect Against Vulnerabilities

A short time ago, we looked at how a feature of SiteGround’s recently rebranded WordPress plugin, Security Optimizer, didn’t really provide the advanced protection against cross-site scripting (XSS) promised, or any protection for that matter. While looking into their response to our findings, we ran across troubling advice that SiteGround is giving. In response to the question of whether the plugin is compatible with Wordfence Security, they responded this way:

The Security Optimizer was created both with securing and performance in mind from the start. Running two security plugins will simply slow down your website.

12 Dec 2023

Wordfence Security Still More Than Doubles Peak Memory Usage Over WordPress By Itself

In October 2021, we found that the Wordfence Security plugin for WordPress more than doubled the peak memory usage over WordPress by itself. That compared to a minimal memory increase by the two WordPress firewall plugins that provided more protection than it. Those two plugins also had a significantly smaller performance penalty than Wordfence Security. It obviously is a bad tradeoff to get less protection for more memory usage and a higher performance penalty.

In discussing that memory usage, we quoted a Wordfence employee who had claimed that they are “constantly working on making the plugin” “use less resources”. That certainly sounds impressive, but Wordfence has a long track record of impressive claims that turn out to not be true. It also doesn’t make sense. You can’t constantly do that. You should hit a point where you can’t do any more. The changelog for the plugin doesn’t have entries that suggest that is true either.

5 Dec 2023

Wordfence Premium Added “Real-Time Firewall Protection” for Plugin Vulnerability Over Two Months After It Was Disclosed

In the middle of August, we publicly warned that the WordPress plugin WooODT Lite contained an authenticated option update vulnerability, which would allow logged-in attackers to change arbitrary WordPress options (settings). The possibility of the vulnerability was flagged by proactive monitoring we have to try to catch serious vulnerabilities as they are introduced into plugins. It wasn’t a new issue, though. It had been in the plugin’s code for 13 months.

Based on earlier testing, two WordPress security plugins could have protected against common exploitation of that type of vulnerability even before we had warned about it. Those were our own Plugin Vulnerabilities Firewall and NinjaFirewall.

30 Nov 2023

Solid Security vs Wordfence Security

The most important thing to know about WordPress firewall plugins is the amount of protection they offer against real threats, but we are somehow the only ones doing testing that would measure that. Many of the threats that WordPress security plugins claim to protect against are not really threats. What is a real threat is vulnerabilities in other plugins being exploited, and that is something that firewall plugins can provide protection against. The developers of Solid Security and Wordfence Security make it sound like they provide strong protection against those vulnerabilities, but in reality, they either don’t do a very good job or provide no protection whatsoever.

Recently, the iThemes Security plugin was rebranded as Solid Security. Alongside that came new misleading marketing about what protection it offers. Among those is the claim that “Solid Security shields your site from cyberattacks and prevents security vulnerabilities.” They also have a bolded claim that the plugin will “Reduce your WordPress website’s risk to nearly zero”.