Wordfence Premium Alternative – Real Real-Time Protection

Looking at the marketing for the Wordfence Premium service, it sounds impressive. They claim to provide “real-time protection”:

If your website is mission-critical you can’t afford the downtime, reputation challenges or SEO impact of getting hacked. That’s why so many sites rely on the real-time protection provided by Wordfence Premium.

But things start looking iffy when you read things like this:

The Wordfence firewall leverages firewall rules to identify and block malicious traffic to your website, protecting you from the latest WordPress attacks and security vulnerabilities.

If a rule needs to be developed for the protection to work, the protection isn’t actually real-time; it only comes into play after a rule has been written. The marketing material doesn’t mention any of that, which is concerning. Not surprisingly, then, the marketing material doesn’t provide a claimed time frame for when the protection will really come into play. But elsewhere, Wordfence admits that they are writing rules after vulnerabilities have been exploited. So not only is it not real-time protection, but it comes into play after websites have already been hacked, at which point there are better options for dealing with the vulnerabilities.

As an example of that, look at a post on their blog titled “Critical Vulnerabilities Patched in Adning Advertising Plugin”. That involved two vulnerabilities. The first is described, in part, this way:

As such it was possible for an unauthenticated attacker to upload malicious code by sending a POST request to wp-admin/admin-ajax.php with the action parameter set to _ning_upload_image the allowed_file_types set to php, and a files parameter containing a malicious PHP file. Alternatively, an attacker could set the allowed_file_types to zip and upload a compressed archive containing a malicious PHP file, which would be unzipped after upload.

The second was described this way:

In order to delete any uploaded images, the plugin also registered another ajax action, _ning_remove_image, which also used a nopriv_ hook. As with the upload vulnerability, this function did not perform a capability check or a nonce check. As such it was possible for an unauthenticated attacker to delete arbitrary files using path traversal.

If an attacker were able to delete wp-config.php, the site would be reset, and an attacker could then set it up again and point it to a remote database under their control, effectively replacing the site’s content with their own content.
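The quoted descriptions name the checks the plugin’s two AJAX handlers lacked: no capability check, no nonce check, a client-controlled file type list, and no containment of the path being deleted. The following is an added illustration of what an upload/remove pair looks like with those checks in place. It is constructed for this post; it is not code from the Adning plugin, from Wordfence, or from the Plugin Vulnerabilities Firewall, and the action names, nonce name and request parameter names are assumptions.

```php
<?php
// Constructed example of a hardened image upload/remove AJAX pair for WordPress.
// Not code from the Adning plugin, Wordfence, or the Plugin Vulnerabilities
// Firewall; action, nonce and parameter names are assumed.

// Register only the authenticated wp_ajax_ hooks. There is deliberately no
// wp_ajax_nopriv_ registration, so anonymous requests never reach these functions.
add_action( 'wp_ajax_example_upload_image', 'example_upload_image' );
add_action( 'wp_ajax_example_remove_image', 'example_remove_image' );

// Allowed types are fixed on the server; nothing the client sends can widen them.
function example_allowed_image_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
}

function example_upload_image() {
    // Nonce check: the request must come from a form the user actually loaded (CSRF).
    check_ajax_referer( 'example_image_nonce', 'nonce' );
    // Capability check: the user must be permitted to upload files.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // wp_handle_upload() checks the extension against the file contents and
    // rejects anything outside the server-side list (no php, no zip).
    $overrides = array(
        'test_form' => false,
        'mimes'     => example_allowed_image_mimes(),
    );
    $result = wp_handle_upload( $_FILES['file'], $overrides );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

function example_remove_image() {
    check_ajax_referer( 'example_image_nonce', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $basedir = wp_upload_dir()['basedir'];
    // Accept a bare file name only: basename() discards any directory components
    // such as "../", so wp-config.php or anything outside uploads is unreachable.
    $name = basename( sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) ) );
    if ( '' === $name ) {
        wp_send_json_error( 'no file', 400 );
    }
    // Resolve symlinks and require the final path to stay inside the uploads directory.
    $real      = realpath( $basedir . '/' . $name );
    $real_base = realpath( $basedir );
    if ( false === $real || false === $real_base
        || 0 !== strpos( $real, $real_base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    // Only files the upload handler could have created are removable.
    $type = wp_check_filetype( $real, example_allowed_image_mimes() );
    if ( empty( $type['ext'] ) ) {
        wp_send_json_error( 'not an image', 400 );
    }
    wp_delete_file( $real );
    wp_send_json_success();
}
```

The two handlers share the same fixed type list so that the remove action cannot touch anything the upload action could not have written, and the path check works on the resolved path rather than on the raw parameter, which is what stops traversal even when the name survives sanitisation.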

Near the end of their post they admit they added protection at least a day after the vulnerability was already being exploited, which is not real-time protection:

June 24, 2020 – Wordfence Threat Intelligence receives a report of a compromised website running the Adning plugin. During our investigation, we discovered two vulnerabilities.
June 25, 2020 – Firewall rule released for Premium Wordfence users. We make initial contact with plugin’s author and send full disclosure after receiving a response.

They don’t provide any information as to when that website was compromised, so it could have been well before they wrote their rule.

If your website is mission-critical, where you can’t afford the downtime, reputation challenges or SEO impact of getting hacked, then Wordfence Premium doesn’t seem like it delivers what you need or what they are promising.

It doesn’t have to be that way. Our Plugin Vulnerabilities Firewall is designed to protect against zero-day vulnerabilities like that before security companies are aware of them, instead of providing protection after they are publicly known.

With the two vulnerabilities mentioned, our plugin provides multiple forms of protection against both of them without us needing to know about the vulnerabilities or to write a rule for each specific one, so it could have provided protection from the beginning instead of only after the vulnerabilities were already known to be exploited.

Wordfence could offer the same thing, but for some reason they would rather charge people for rules that only come into play after websites have been hacked (which they then offer a paid cleanup service to deal with).

During November, we are offering a lifetime subscription to the service for the normal price of a year of service.