20 Aug 2021

Wordfence Security Doesn’t Protect Against a “Vast Variety of Attacks”

As we noted in a post a week ago, the most popular security-only WordPress plugin, Wordfence Security, is being promoted with greatly overstated claims of what it delivers. That isn’t good for the state of WordPress security, because instead of security plugins competing on actually providing better results than others, they are competing on who is best at lying to people about what they are capable of. Already, in working on our upcoming WordPress firewall plugin, we have been able to easily surpass what Wordfence Security and other plugins provide, despite that plugin and others having been around for many years, because those plugins are not competing to provide better results. That isn’t a boast, but a lament, as that isn’t something we should already be able to say.

In trying to explain what our plugin is capable of, it seems helpful to understand how other plugins are being inaccurately promoted. One instance we recently ran across with Wordfence Security seems like a good example.

In response to someone who was using Wordfence Security on a website that was hacked, an employee of the company behind the plugin responded, in part:

Some causes of a hack are impossible for any WordPress security plugin to protect against

That is true, though, as we will come back to, the plugin isn’t providing protection against things other plugins are. But it also goes against how the plugin is marketed. On the plugin’s page on the WordPress Plugin Directory, part of the answer to the first FAQ question makes this claim:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

It can’t be both true that there are causes of a hack that are impossible for any WordPress security plugin to protect against and that the plugin “stops you from getting hacked”.

Later in the reply, the employee writes this:

Wordfence protects against a vast variety of attacks. Whether you were hacked because of an unknown attack method

In our recent testing of protection against three types of vulnerabilities that hackers have been known to attempt to exploit on a wide scale (PHP object injection, option update, and privilege escalation), Wordfence Security provided no protection when other plugins did. When it fails to protect even against types of vulnerabilities that hackers have been known to attempt to exploit on a wide scale, and that other plugins can protect against, it clearly isn’t protecting against a “vast variety of attacks”.

In another test, it provided protection, though the protection was incomplete, allowing it to be easily bypassed, while our plugin’s protection wasn’t. In another more limited test, we found that a bypass of another protection still existed five years after it was publicly disclosed. To be balanced, in one test, it was the only plugin to provide protection that wasn’t easily bypassed.


Plugin Security Scorecard Grade for Wordfence Security

Checked on June 12, 2025
F
