Wordfence Security Firewall Review: Missing a Lot of Protection that Better Options Offer
Like the developers of lots of WordPress security plugins, the developer of Wordfence Security makes a lot of impressive-sounding claims about their plugin and the protection it offers, but notably doesn’t present any evidence to back those claims up. The actual results, as is often the case, are less than impressive. Figuring that out, though, is difficult, as many others will tell you that these plugins provide much more protection than they actually do.
One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software lets us make sure that the default protection our plugin offers against zero-days (vulnerabilities being exploited before the developer or others know about them) isn’t broken as we make changes to the plugin. Once we started developing it, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In the latest run of that testing, Wordfence Security only provided protection against 22.8% of the tests. What makes the poor result stand out more is that there hasn’t been much improvement over time: the first time we did that testing, in May 2022, it provided protection against 20.3% of the tests. The best free alternative did significantly better, providing protection against 38.8% of the tests.
Part of what seems to explain the lack of zero-day protection, and the failure to address it, is that the provider of the plugin is trying to get users of the plugin to pay for a service, Wordfence Premium, to get prompt access to firewall rules written for specific vulnerabilities. If they added more zero-day protection, that would remove the need for many of those rules and reduce the need to buy that service. While the developer markets those rules as real-time protection, in reality they are delayed by however long it takes them to write a rule, assuming they even write one. In one recent instance, they added a rule over two months after a vulnerability had been publicly disclosed. Better developed firewall plugins, including ours, had already provided protection before the vulnerability was even disclosed.
Other testing we have done involving real-world vulnerabilities in WordPress plugins showed that the publicly available version of our own plugin provided protection in seven of nine tests. By comparison, Wordfence Security only provided protection in four of those tests. That comes despite the developer of Wordfence Security claiming it is the industry-leading firewall.