1 Feb 2023

Wordfence Security Falls to Fifth Place in February Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated the plugin, we didn’t break existing protection, which is something at least one other developer hasn’t done. Once we started developing that software, we realized we could also use it for automated testing to get a sense of how much protection other WordPress security plugins provide against zero-days, which are vulnerabilities being exploited before the developer knows about them. In May, we started doing a monthly run of that testing against a wide range of plugins to track how their protection changed over time. So far there haven’t been many notable changes, but this month had a significant change that follows on a change from December.

In December, the Wordfence Security plugin fell to fourth place, with the Pareto Security plugin moving above it based on adding more protection. That month we had also tried to add the BitFire plugin to the testing, but the latest version of the plugin broke WordPress. By this month BitFire has gotten into better shape, so we could include it in the testing. The result is that Wordfence Security has fallen yet another spot, as BitFire provided protection against 25.8% of exploit attempts versus only 20.0% for Wordfence. That also put BitFire in third place, behind only our plugin and NinjaFirewall.

It’s good to see another plugin providing a higher level of protection than has been on offer from others, but the results from this testing continue to show that even the better plugins are failing to deliver a lot of the protection they could provide.

Repeating what we said in December, clearly, the money that Wordfence takes in isn’t being spent on providing the best firewall protection against zero-days (nor does it otherwise appear to be spent on providing strong security in some other form), as the plugin, which has 4+ million installs, is being beaten out by plugins with 500+ and fewer than 10 installs. What helps to explain that popularity is that even the developer of BitFire has fallen for Wordfence’s untruthful marketing.

Here are the top 10 plugins in the latest testing round and the percentage of the exploit tests they blocked:

1. Plugin Vulnerabilities Firewall – 100.0%

2. NinjaFirewall – 36.8%

3. BitFire – 25.8%

4. Pareto Security – 21.9%

5. Wordfence Security – 20.0%

6. All-In-One Security (AIOS) – 16.8%

7. Web Application Firewall – 11.6%

8. Hide My WP – 11.0%

9. (tie) Bulletproof Security – 9.7%

9. (tie) Hide My WP Ghost – 9.7%


Plugin Security Scorecard Grade for Wordfence Security

Checked on June 12, 2025
F
