Wordfence Security Increases Protection in October Test of WordPress Security Plugins’ Zero-Day Protection
One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities being exploited before the developer or others know about them, that our plugin offers isn’t broken as we make changes to the plugin. Once we started developing that, we realized that could be repurposed to test to see if other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of that against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.
This month saw one change, the Wordfence Security plugin increased its protection from 20.90% of the tests to 23.16%. That is notable, as after a year of testing, we had barely seen improvements among the plugins tested.
The results, though, still remain well below the best options. The protection offered by NinjaFirewall remains well above it, at 38.98% in the latest test. Our own firewall plugin provided protection against 100% of the tests. So Wordfence Security, despite being very popular, continues to lag less popular firewall plugins by a large degree and hasn’t made large strides in closing the gap since we started doing the testing.
What seems like part of the explanation for the limited protection offered by Wordfence Security is that the developer tries to get people to sign up for their Wordfence Premium service based on writing rules for vulnerabilities. If they add more zero-day protection, it means there are fewer rules they can write, since protection is already available.
A further problem with that is that contrary to even how critics described things, Wordfence is not actually adding many rules for vulnerabilities. In the past month, the free rules, which mirror the Wordfence Premium rules with a 30 day delay, only added rules for six plugin vulnerabilities, as can be seen with our tracker of those rules. That is much less than would be needed to offer the level of protection Wordfence and others claim their firewall offers.