1 Nov 2021

Wordfence Premium’s Protection Far From Real-Time With Exploited Vulnerability in Closed Plugin

The paid Wordfence Premium service connected with the Wordfence Security plugin is promoted with the claim that it provides “real-time protection”:

If your website is mission-critical you can’t afford the downtime, reputation challenges or SEO impact of getting hacked. That’s why so many sites rely on the real-time protection provided by Wordfence Premium.

That “real-time protection” is claimed to involve “Real-time Firewall Rule Updates”, which doesn’t make sense. If the protection requires updates, then there clearly is a delay, and it isn’t real-time protection. Because Wordfence claims this is real-time when it isn’t, it provides no information on how long it actually takes for protection to be added. As a recently exploited vulnerability in a closed WordPress plugin shows, not only is it not real-time, but it can be way too late when it wouldn’t have to be.

Wordfence releases the rules it provides to Wordfence Premium customers to those relying only on the free plugin 30 days later, so you can trace back when protection was added by checking when the rule appeared in that free data.

Far Behind Real-Time

On September 20, the plugin WP DSGVO Tools (GDPR) was closed on the WordPress Plugin Directory.

Because the plugin is one of the most popular WordPress plugins, our systems alerted us to its closure. As we had seen indications in the past that hackers monitor for closures of popular plugins and look to exploit vulnerabilities found in them, we review those plugins to see if they contain vulnerabilities that we should warn customers of our service about, in case they use them. You might think that, given how Wordfence promotes itself, it would also do that, but what happened in this situation strongly suggests it doesn’t.

On September 22, we publicly warned that the plugin “contains type of vulnerability hackers target”.

If Wordfence was trying to provide something as close to “real-time protection” as possible, you would assume that it would have at least promptly added a rule to protect against that vulnerability after that. It didn’t, as its rule for this vulnerability wasn’t in the free data as of October 22, which would be 30 days later.

As we noted in our post, we had tested exploitation of the vulnerability against our then upcoming Plugin Vulnerabilities Firewall plugin, and it already provided protection without requiring a rule to be written for the specific vulnerability, so genuinely real-time protection is actually possible.

On September 24, it was being publicly discussed that the vulnerability was being exploited. It turns out Wordfence hadn’t added protection before that happened, or even on the day it was being publicly discussed.

On September 27, Wordfence must have added their rule, as the rule was added to free data on October 27.

So their “real-time protection” came 5 days after it could have if they had just followed in our footsteps here, and 3 days after it was publicly known that this was being exploited. We would ask how they think that type of response is acceptable, but we know that they have delivered results like that for years without any consequence for them. It does have a serious consequence for those relying on the service to provide the protection it is claimed to provide.
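The timeline above can be turned into a small, reusable calculation. The following is an added example, not code from this post or from either vendor: it takes the dates stated in the post, applies the 30-day Premium-to-free lag the post describes to infer when a rule reached Premium customers, and computes the exposure window between each event (closure, public warning, reported exploitation) and the date protection existed. It assumes the lag is exactly 30 days and that the dates in the post are exact; the function and variable names are this example's own.

```python
from datetime import date, timedelta

# From the post: rules reach the free plugin's data 30 days after Premium (assumed exact).
FREE_RULE_LAG = timedelta(days=30)

# Event dates as stated in the post (2021).
EVENTS = {
    "plugin_closed": date(2021, 9, 20),
    "public_warning": date(2021, 9, 22),
    "exploitation_reported": date(2021, 9, 24),
}
# Date the rule was observed in the free data, per the post.
FREE_DATA_DATE = date(2021, 10, 27)
# Date the rule was observed to be absent from the free data, per the post.
FREE_DATA_ABSENT_DATE = date(2021, 10, 22)


def infer_premium_date(free_data_date: date, lag: timedelta = FREE_RULE_LAG) -> date:
    """Date a rule reached Premium, inferred from when it appeared in the free data."""
    return free_data_date - lag


def earliest_premium_date_if_absent(absent_date: date, lag: timedelta = FREE_RULE_LAG) -> date:
    """If the rule was absent from free data on absent_date, it cannot have reached
    Premium on or before absent_date - lag; return the earliest possible Premium date."""
    return absent_date - lag + timedelta(days=1)


def protection_gaps(events: dict, rule_date: date) -> dict:
    """Days from each event until protection existed. Negative means protection
    predated the event; zero means same-day; positive is the exposure window."""
    return {name: (rule_date - when).days for name, when in events.items()}


def report(events: dict = EVENTS, free_data_date: date = FREE_DATA_DATE) -> list:
    """Human-readable summary lines for the exposure windows."""
    rule_date = infer_premium_date(free_data_date)
    lines = [f"rule inferred to have reached Premium on {rule_date.isoformat()}"]
    for name, gap in protection_gaps(events, rule_date).items():
        status = "protected beforehand" if gap < 0 else f"{gap} day(s) unprotected"
        lines.append(f"{name} ({events[name].isoformat()}): {status}")
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

Changing `FREE_RULE_LAG` or the event dates lets the same calculation be applied to any vendor that publishes a delayed feed, which is the general point: a published lag turns the feed itself into evidence of how quickly protection actually arrived.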
