Wordfence Security Doesn’t Offer The Industry Leading Firewall
While looking into something for another post, we noticed that the developer of the Wordfence Security plugin is marketing their solution as having the “Industry Leading Firewall”:
That’s a strong claim to make, so surely when clicking on that text it takes you to information to back it up, right? No. There isn’t anything backing it up.
We have done lots of testing of WordPress firewall plugins and security plugins more generally. The result of that testing is that Wordfence Security provides more protection than most options, but that isn’t really saying much, considering that most provide little to no protection.
You can see that in tests against real world vulnerabilities in other plugins, where it hasn’t provided protection in plenty of instances that other plugins have. That includes one test where four plugins provided protection against a vulnerability that was discovered by Wordfence Security’s developer, but Wordfence Security didn’t protect against it.
Another method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities being exploited before the developer or others know about them, that our plugin offers isn’t broken as we make changes to the plugin. Once we started developing that, we realized that could be repurposed to test to see if other firewall plugins provide protection in the same situations. Here are the top 10 plugins in the latest testing round and the percentage of the exploit tests they blocked:
1. Plugin Vulnerabilities Firewall – 100.0%
2. NinjaFirewall – 39.0%
3. Wordfence Security – 23.2%
4. Pareto Security – 19.8%
5. All-In-One Security (AIOS) – 13.6%
6. Web Application Firewall – 9.6%
7. Hide My WP – 6.2%
8. Hide My WP Ghost – 8.5%
9. Bulletproof Security – 7.9%
10. Anti-Malware Security and Brute-Force Firewall – 4.0%
While Wordfence Security provides significantly more protection than some options, it in turn provides significantly less protection than another free option, NinjaFirewall and even less protection versus our firewall plugin.
The takeaway from this isn’t just that Wordfence Security’s developer makes overstated claims, but that when looking for security solutions, you should look for something that is promoted with evidence of effective protection. It is easy to make impressive sounding claims, as that developer often does and so do plenty of other developers, but most developers don’t even appear to be trying to deliver on them as can be seen by the poor results in our testing.