16 Nov 2023

Combining WordPress Security Plugins Doesn’t Provide Better Protection Than One Better Plugin

It isn’t uncommon to see people asking the developers of WordPress security plugins whether their plugin can be used alongside another security plugin. That often seems like an odd question, as the two plugins being asked about are all-in-one security plugins that both claim to provide all the protection you need. If someone doesn’t trust the developer of either to deliver what they promise, why would they trust that combining two of them would deliver that? The results of testing we do provide evidence that this isn’t the approach to get the best security or even any security.

Across the testing we do of security plugins to see whether they provide protection against vulnerabilities in other plugins, many of the plugins provide no protection. Combining multiple plugins that provide no protection won’t produce a better result. But what if you combine plugins that do provide protection?

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing that, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. The results for other plugins aren’t very good. Here are the top three performing plugins in the latest run of that testing:

1. Plugin Vulnerabilities Firewall – 100.0%

2. NinjaFirewall – 39.0%

3. Wordfence Security – 23.2%

The best that another plugin does is to provide protection against 39.0% of the tests, and after that it drops to 23.2%. At best, combining those two plugins would get to protection against 62.2% of what is provided by our plugin in the test. But for that to be true, there would have to be no overlap in the protection, which seems unlikely. Testing shows that there is significant overlap. We set up both plugins on one website, ensuring that both were providing all the protection they could offer. We then ran the same test system against that website and found that, combined, they provide protection for 46.9% of the tests. In other words, combining them only added 7.9 percentage points to the protection over the better one alone. So combining the second and third best options still didn’t get to half the protection of the best option in the testing.

The plugin that only provided protection against 23.2% of the tests, Wordfence Security, is marketed with the unqualified claim that it “stops you from getting hacked”. The claim isn’t true for multiple reasons, one of them being that it doesn’t even stop a lot of attacks that other firewall plugins do.

What that testing shows is that there should be more focus on testing to see what protection plugins provide, so that users can move to better options and developers have an incentive to improve the security they offer instead of focusing on misleading marketing.


Plugin Security Scorecard Grade for NinjaFirewall (checked on June 12, 2025): D


Plugin Security Scorecard Grade for Wordfence Security (checked on June 12, 2025): F
