Wordfence Security Fails to Provide the Protection Keeping WordPress Plugins Updated Would
One of the impediments to better security for WordPress websites (and security in general) is that people are not taking basic security measures and instead relying on security solutions that fail to provide the protection that those basic security measures would. Recently someone posted on the support forum for the plugin PDF.js Viewer, mentioning they were getting this message, which is from the Wordfence Security plugin, on their website:
Plugin Name: PDFjs Viewer
Current Plugin Version: 1.3
Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “PDFjs Viewer” until a patched version is available. Get more information.
The developer of the plugin asked what the vulnerability was supposed to be. The response pointed to an entry from the WPScan service, which stated the vulnerability had been fixed in version 2.0.2 of the plugin:
That version was released a year ago and is newer than the version the message from Wordfence Security indicates is currently being used on the website.
For whatever reason, Wordfence Security’s message doesn’t recommend updating the plugin, despite that addressing the issue.
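As an added illustration (not code from this post or from either plugin's developers), the following Python reads the version header WordPress keeps in a plugin's main file, compares it with an advisory's fixed-in version, and recommends updating rather than removal when a patched release exists; the header text and advisory record are constructed samples built around the versions cited above.

```python
import re
from typing import Tuple

# Constructed sample: the header comment WordPress reads from a plugin's main file.
# Name and version mirror the Wordfence message quoted above; the description is made up.
PLUGIN_HEADER = """<?php
/*
Plugin Name: PDFjs Viewer
Description: (constructed sample header)
Version: 1.3
*/
"""

# Constructed advisory record; the fixed-in version is the one the WPScan entry cited.
ADVISORY = {"plugin": "PDFjs Viewer", "fixed_in": "2.0.2"}

def parse_header(source: str) -> dict:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin header comment."""
    fields = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^\s*\*?\s*" + re.escape(key) + r":\s*(.+?)\s*$", source, re.M)
        if m:
            fields[key] = m.group(1)
    return fields

def version_tuple(v: str) -> Tuple[int, ...]:
    """'1.3' -> (1, 3); a non-numeric tail is dropped, so '2.0.2-beta' -> (2, 0, 2)."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; pads with zeros so '1.3' equals '1.3.0'."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))

def advise(header_source: str, advisory: dict) -> str:
    """Return the action a site owner should take for the plugin described by the header."""
    h = parse_header(header_source)
    if h.get("Plugin Name") != advisory["plugin"]:
        return "not affected: different plugin"
    installed = h.get("Version", "0")
    if version_lt(installed, advisory["fixed_in"]):
        return f"update {advisory['plugin']} from {installed} to {advisory['fixed_in']} or later"
    return f"{advisory['plugin']} {installed} already includes the fix"

if __name__ == "__main__":
    print(advise(PLUGIN_HEADER, ADVISORY))
```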
So the poster is using a rather out-of-date version of the plugin and using the Wordfence Security plugin. Wordfence Security should protect against the vulnerability mentioned, as Wordfence makes this unqualified claim about the protection offered by the plugin:
Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
It isn’t too hard to understand why someone relying on the Wordfence Security plugin wouldn’t be making sure to keep their plugins up to date, since Wordfence Security should be protecting them. But does it?
We tested both of the proofs of concept provided by WPScan and found that Wordfence Security didn’t stop either of them from working, so a hacker could exploit this vulnerability on websites using Wordfence Security.
By comparison, the two WordPress security plugins that in our testing provide the most protection against vulnerabilities in other plugins both protected against the proofs of concept.
So Wordfence Security could provide protection, but isn’t.
Improving Security Over Relying on Wordfence Security
As this situation shows, using Wordfence Security isn’t a good alternative to keeping other plugins up to date. It also failed to provide protection when it could have, and when other security plugins did.
For those managing WordPress websites, their security focus should start with doing the basics instead of looking for a security solution. If additional security is warranted, they should look for solutions where the developers are not making overstated claims about the protection they offer, as is on display with Wordfence Security. Instead, they should look for evidence, preferably from third-party independent testing, that shows those solutions provide effective protection against real threats.