How to Avoid Wordfence Premium Price Increase While Getting Better Real-Time Protection for Free
Last week, the WordPress security provider Wordfence announced a significant price increase for their Wordfence Premium service. What they didn’t provide was any explanation of what was causing their cost for the service to increase, which they needed to pass on to customers. Instead, they said this:
It has been over 6 years since we last raised our prices. Since then our team has more than doubled in size and we have introduced significant improvements to the core Wordfence product, launched a range of free and paid products, and introduced new services that include 24 hour incident response.
None of that would explain an increase in the cost of providing the service they are increasing the price of. Certainly offering other paid services wouldn’t increase the cost of that service.
Elsewhere, the head of the company cited inflation:
Founder here. It’s below inflation if you calculate it for the past 6 years. We’ve done our best to avoid this for as long as we can.
Again, there was no explanation for what is supposed to be costing them more to provide the service, which would be impacted by inflation. Price increases are the cause of inflation, so citing that as the need to increase prices on its own doesn’t make a lot of sense. Corporate profits have increased despite inflation, which has been explained as being caused by companies using inflation as a cover to increase profits:
What we’re seeing in this moment is really when that profit maximization and opportunity collides. And the opportunity is the cover of inflation.
Real-Time Protection?
The main promoted feature of that service, as this message shown when you first set up the Wordfence Security plugin, is “real-time protection for your website”:
The cost of doing that shouldn’t scale as the number of customers increases, so they should have been able to lower the price over time, if they gained more customers, instead of increasing the price. That is assuming they are actually doing the work needed to provide that, but are they? Their customers don’t actually test out how well (or poorly) it delivers on its promises, as one customer hinted at:
I agree with other redditors, you do have a very good product although to be fair I have not tested other similar products.
You can test things out, which we have done, and the results have been so bad it is hard to believe that they really are providing so little while charging so much.
Wordfence Premium Fails to Provide Real-Time Protection or Any Protection
We have done repeated tests to see if Wordfence Premium and the Wordfence Security plugin would provide protection in situations you would reasonably expect them to and they have repeatedly failed to provide protection. Some of examples of that are:
In May, testing showed they didn’t protect against a known vulnerability in a plugin that was being targeted by a hacker.
In April, testing showed they didn’t protect against a known backdoor that had been introduced in to a plugin.
In December, testing showed they didn’t protect against a possibly exploited vulnerability in a plugin.
That isn’t a new issue. Three years ago we found that Wordfence Security had failed to protect against an exploited vulnerability in a plugin and a customer of Wordfence Premium had mentioned they had gotten hacked while using the vulnerable plugin.
Almost No Firewall Rules Being Added
Another way to understand what protection they are or are not providing with that service would be to see what rules are being added to their firewall. We touched on that last month in a post about one of their new services, Wordfence Intelligence. Here is what we wrote then:
Looking at the free version of that data, which is the same data as available with their paid offering, just delayed by a month, we found that they only changed the rules on two days in August. In September, there were only two days with changes made as well.
In August, they only added a firewall rule for one vulnerability in a WordPress plugin.
In September, they only added a firewall rule for two vulnerabilities in WordPress plugins.
That isn’t in line with how many newly disclosed vulnerabilities in WordPress plugins would have needed firewall rules to provide protection, or even close to what would have been needed.
So they don’t appear to even be trying to deliver on the promised protection or doing almost any work.
Wordfence Could Do Much Better Without Spending Much
It is hard to understand how they think it would be acceptable to charge as much money as they were before, for so little protection in return. It isn’t as if it would cost them much to provide much more protection, as even one employee only working on this a few hours a day could greatly improve on what they are delivering now. So charging even more therefore wouldn’t be justified.
As long as Wordfence’s customers don’t know better, then they can charge them for something they fail to even attempt to deliver on. Security and WordPress journalists have been failing the public with this, as they have failed for years to cover what is going on with Wordfence Premium, while frequently promoting Wordfence.
Better Real-Time Protection For Free
So Wordfence Premium isn’t delivering the promised real-time protection, but is the Wordfence Security plugin the best free option for a WordPress firewall? No. We have done tests going back years and have found that it provides much less protection than another free option, NinjaFirewall.
One way to measure how much real-time protection they offer is through automated testing we do using software mainly designed to test to make sure that the protection of our own firewall plugin isn’t broken as we make changes to it. That protection doesn’t require knowing about a vulnerability, so it is all real-time protection. In the latest run of that testing yesterday, Wordfence Security only protected against 20.0% of the tested attacks, while NinjaFirewall protected against an additional 16.8% of them:
NinjaFirewall also has done better in testing we have done of large group of WordPress security plugins to see if they would protect against real-world vulnerabilities in other WordPress plugins.
You can get even better paid protection than that, but for those currently relying on Wordfence Premium switching to NinjaFirewall would offer them protection then they have now without having to pay anything.