WordFence Security’s Firewall Won’t Actually Address Any Known Vulnerability
The most popular WordPress security-only plugin, Wordfence Security, appears to be as popular as it is in part because a lot of people believe it provides a level of protection it doesn’t come close to providing (and in some cases, believe it provides protection that isn’t even possible). Not only do they believe that, but they will tell others that this is the case and criticize anyone trying to correct the misconception.
Take one recent example, where someone claimed that Wordfence Security’s firewall “will address anything that’s known”:
I imagine the firewall will address anything that’s known like that vulnerable bootstrap version’s exploit.
It is hard to fathom that someone could believe that to be true, considering how many known vulnerabilities there are, so it probably shouldn’t be surprising that this person turned out to be very confused. When it was mentioned to them that the firewall doesn’t provide protection that broad, they responded this way:
Wordfence has posted the bootstrap vulnerability at the link below. Known vulnerabilities are blocked by their firewall. I grant security is an evolving game of cat and mouse, so it can not be said that wordfence can protect against “everything” in the broadest of terms. However the specific bootstrap flaw that I mentioned is indeed known to wordfence, and I only mention it bc you made the assertion that it wasn’t. Anyway …
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/bootstrap-shortcodes/bootstrap-shortcode-340-authenticated-contributor-stored-cross-site-scripting-10
What they are linking to is an entry from an inaccurate database of vulnerabilities that Wordfence maintains. That database is unconnected to their firewall rules, so a vulnerability can have an entry in the database without there being a rule that protects against it. We are not aware of Wordfence ever claiming what this person has come to believe, that their firewall protects against every vulnerability in that database.
More problematic for the specific situation they were responding to is that they were conflating a vulnerability in a WordPress plugin named Bootstrap Shortcode with an unrelated claim that a specific version of a library named Bootstrap had a vulnerability. The only connection was the name Bootstrap.
One way to check whether that claim is true is to count how many rules Wordfence Security’s firewall has. There are currently 446 rules provided for it. There are far more known vulnerabilities than that.
Another way to check is to test whether Wordfence Security’s firewall actually protects against known vulnerabilities, especially ones that are being exploited. We ran just such a test against an exploited vulnerability in February and found that it failed to provide protection.
In reality, most of the protection the Wordfence Security firewall can provide doesn’t come from rules written for a specific vulnerability. It comes from general rules. An upside of that type of protection is that a vulnerability doesn’t even have to be known for a site to be protected against it. When it comes to that type of protection, Wordfence Security provides significantly less than it could, and less than other security plugins do.
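To make the distinction between the two kinds of rules concrete, here is a small added example (our own illustration, not Wordfence’s code or any real firewall rule set). It models a request filter with one vulnerability-specific rule, keyed to a hypothetical plugin’s AJAX action and parameter, and one generic rule that looks for HTML tags in any parameter. The plugin action names and sample requests are constructed for the example; the point it shows is that the specific rule only covers the one vulnerability it was written for, while the generic rule also catches the same class of problem in a plugin nobody has written a rule for.

```python
"""Toy WAF rule engine contrasting vulnerability-specific and generic rules.

Added example for illustration only. The plugin action names, paths and
request parameters below are constructed and hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request."""
    path: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    kind: str                           # "specific" or "generic"
    matches: Callable[[Request], bool]  # returns True when the rule fires


# --- A vulnerability-specific rule -------------------------------------
# Fires only for one hypothetical plugin's save action when its "title"
# parameter contains markup. It says nothing about any other plugin.
def _example_plugin_stored_xss(req: Request) -> bool:
    return (
        req.path.endswith("/wp-admin/admin-ajax.php")
        and req.params.get("action") == "example_plugin_save"
        and "<" in req.params.get("title", "")
    )


# --- A generic rule ------------------------------------------------------
# Fires when any parameter carries something that looks like an HTML tag,
# regardless of which plugin or endpoint is being hit. Broader coverage,
# at the cost of possible false positives on legitimate markup.
_HTML_TAG = re.compile(r"<\s*/?\s*[a-z][^>]*>", re.IGNORECASE)


def _generic_html_tag_in_parameter(req: Request) -> bool:
    return any(_HTML_TAG.search(value) for value in req.params.values())


SPECIFIC_RULES: List[Rule] = [
    Rule("example-plugin-stored-xss", "specific", _example_plugin_stored_xss),
]
GENERIC_RULES: List[Rule] = [
    Rule("generic-html-tag-in-parameter", "generic", _generic_html_tag_in_parameter),
]
ALL_RULES: List[Rule] = SPECIFIC_RULES + GENERIC_RULES


def evaluate(req: Request, rules: List[Rule]) -> Optional[str]:
    """Return the name of the first rule that fires, or None if the request passes."""
    for rule in rules:
        if rule.matches(req):
            return rule.name
    return None


# Constructed sample traffic: the same markup sent to the plugin that has a
# rule, to a different plugin that has no rule, and a benign search query.
MARKUP = "<script>alert(1)</script>"
KNOWN_PLUGIN = Request("/wp-admin/admin-ajax.php",
                       {"action": "example_plugin_save", "title": MARKUP})
UNKNOWN_PLUGIN = Request("/wp-admin/admin-ajax.php",
                         {"action": "other_plugin_save", "title": MARKUP})
BENIGN = Request("/", {"s": "1 < 2"})


def coverage_report() -> Dict[str, Dict[str, Optional[str]]]:
    """Which rule (if any) fires for each sample under each rule set."""
    samples = {"known_plugin": KNOWN_PLUGIN,
               "unknown_plugin": UNKNOWN_PLUGIN,
               "benign": BENIGN}
    return {
        "specific_only": {k: evaluate(r, SPECIFIC_RULES) for k, r in samples.items()},
        "specific_and_generic": {k: evaluate(r, ALL_RULES) for k, r in samples.items()},
    }


if __name__ == "__main__":
    for rule_set, results in coverage_report().items():
        print(rule_set)
        for sample, hit in results.items():
            print(f"  {sample:15s} -> {hit or 'allowed'}")
```

Running it shows the specific-only rule set blocking the known plugin’s request and letting the identical request to the unknown plugin through, while the combined set blocks both and still allows the benign query. That gap between the two rule sets is exactly why a firewall with a few hundred vulnerability-specific rules cannot be said to “address anything that’s known”, and why the quality of its general rules matters more.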