8 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against “Critical” Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

The paid Wordfence Premium service connected with the Wordfence Security plugin is promoted with the claim that it provides “real-time protection”:

If your website is mission-critical you can’t afford the downtime, reputation challenges or SEO impact of getting hacked. That’s why so many sites rely on the real-time protection provided by Wordfence Premium.

Yet the plugin and that service have again failed to provide protection that matches those claims and, more notably, failed to provide protection that they easily should have been able to provide.

On October 5, exploit code for an unfixed privilege escalation vulnerability in a WordPress plugin that would allow an attacker to create a new WordPress account with the Administrator role was disclosed. That type of vulnerability was described by Wordfence as being “critical” earlier this year.

In its current form, the NinjaFirewall plugin has contained general protection against this type of vulnerability since September 2016. That means Wordfence had 5 years in which it could easily have implemented real-time protection for this vulnerability by building on what NinjaFirewall had already created. We say it would have been easy because we implemented protection against this type of vulnerability in our new Plugin Vulnerabilities Firewall using NinjaFirewall's implementation as a template, making further changes to expand the level of protection while reducing the possibility of problems.

When that exploit code was released, we tested and confirmed that both of those plugins' protection worked properly and stopped the privilege escalation. No rule for the specific vulnerability was required.
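The generic protection being described is independent of any single plugin's bug: a request that is not entitled to promote users should never end up granting the Administrator role. The following must-use plugin is an added illustration of that idea, written for this page; it is not NinjaFirewall's, Wordfence's, or Plugin Vulnerabilities' code, and the plugin name, function name, and log format are assumptions. It relies only on the real WordPress hooks `set_user_role` and `add_user_role`, which fire both when a user is created with a role and when an existing user's role changes, so it covers the create-an-admin path that this kind of vulnerability exploits.

```php
<?php
/*
Plugin Name: Admin Role Guard (illustrative example, not a shipped product)
Description: Reverts grants of the administrator role made by a request whose
current user lacks the promote_users capability, and logs the attempt.
*/

// Hypothetical example. Place in wp-content/mu-plugins/ so it loads before
// regular plugins and cannot be deactivated from the dashboard.

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Runs on set_user_role and add_user_role. Both hooks fire after the role
 * has been written, so the mitigation is to revert rather than to block.
 *
 * @param int    $user_id ID of the user whose role was just changed.
 * @param string $role    Role that was granted.
 */
function arg_guard_admin_role_grant( $user_id, $role ) {
    if ( 'administrator' !== $role ) {
        return;
    }

    // Legitimate paths that have no logged-in user: installation, WP-CLI, cron.
    if ( defined( 'WP_INSTALLING' ) && WP_INSTALLING ) {
        return;
    }
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
        return;
    }

    // An authenticated user who may promote others (admins by default) is fine.
    if ( current_user_can( 'promote_users' ) ) {
        return;
    }

    // Anything else is an unauthorized privilege escalation: demote the account
    // to the site's default role. set_role() removes every existing role first,
    // so this also undoes an add_role('administrator') grant. The demotion fires
    // set_user_role again, but with a non-administrator role, so no recursion.
    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->set_role( get_option( 'default_role', 'subscriber' ) );
    }

    // Record enough to investigate: who was acting, from where, on which account.
    error_log( sprintf(
        '[arg-guard] reverted administrator grant: target_user=%d acting_user=%d ip=%s uri=%s',
        (int) $user_id,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( $_SERVER['REQUEST_URI'] ) : '-'
    ) );
}

add_action( 'set_user_role', 'arg_guard_admin_role_grant', 10, 2 );
add_action( 'add_user_role', 'arg_guard_admin_role_grant', 10, 2 );
```

Because the check keys on the requester's capability rather than on the exploited plugin's request path, it needs no per-vulnerability rule, which is the property the post credits NinjaFirewall with. The trade-off is that it demotes rather than prevents the write, so the log line matters: a reverted grant is a strong signal that a vulnerable plugin is being exploited and should be found and fixed.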

By comparison, Wordfence Security failed to provide protection at the time.

Wordfence provides new rules to its Wordfence Premium customers only during the first 30 days, after which they are added to the free rule data. So you can trace back when, and if, protection was added for Premium customers by seeing when, and if, it was added to the free data.

It has now been 34 days since that exploit code was released and no rule has been added to protect against the vulnerability. We retested exploitation on a website using Wordfence Security and found that it currently fails to provide protection.

Based on a previous test and more recent automated testing, it looks like other firewall and security plugins would also fail to provide protection against exploitation of this vulnerability.


Plugin Security Scorecard Grade for NinjaFirewall (checked on June 12, 2025): D

Plugin Security Scorecard Grade for Wordfence Security (checked on June 12, 2025): F
