2 Dec 2022

Wordfence Security Falls to Fourth Place in December Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated the plugin, we didn’t break existing protection, which is something at least one other developer hasn’t done. Once we started developing that software, we realized we could also use it for automated testing to get a sense of how much protection other WordPress security plugins provide against zero-days, which are vulnerabilities being exploited before the developer knows about them. In May, we started doing a monthly run of that testing against a wide range of plugins to track how their protection changes over time. So far there haven’t been many notable changes, but this month had a significant change.

Up until this month, the results have been that our plugin provided the most protection, followed by NinjaFirewall, which provided protection in about a third of the exploit tests, and Wordfence Security in third, with protection in a fifth of the exploit tests. That seems like a good indication of the poor state of WordPress security plugins and a lack of understanding of how much protection they provide, as NinjaFirewall only has 80,000+ installs, while Wordfence Security has 4,000,000+ installs.

This month Wordfence Security fell to fourth place, as the protection in the plugin Pareto Security increased by about 6.5 percentage points since last month, from 15.5% to 21.9%. Wordfence Security stayed at 20%. Pareto Security only has 500+ installs. Clearly, the money that Wordfence takes in isn’t being spent on providing the best firewall protection against zero-days (nor does it otherwise appear to be spent on providing strong security in some other form).

We tried to add an additional plugin, BitFire, to our testing this month, but the latest version of the plugin broke WordPress. An earlier version caused more limited breakage that we had been able to work around.

Here are the top 10 plugins in the latest testing round and the percentage of the exploit tests they blocked:

1. Plugin Vulnerabilities Firewall – 100.0%

2. NinjaFirewall – 36.8%

3. Pareto Security – 21.9%

4. Wordfence Security – 20.0%

5. All In One WP Security & Firewall – 16.8%

6. Web Application Firewall – 11.6%

7. Hide My WP – 11.0%

8. (tie) Bulletproof Security – 9.7%

8. (tie) Hide My WP Ghost – 9.7%

10. Anti-Malware Security and Brute-Force Firewall – 4.5%


Plugin Security Scorecard Grade for NinjaFirewall

Checked on June 12, 2025
D



Plugin Security Scorecard Grade for Wordfence Security

Checked on June 12, 2025
F
