Wordfence Premium Adding Firewall Rules for Vulnerabilities in Under 10 Plugins a Month
It’s common for critics of the Wordfence Security plugin to claim it isn’t useful unless you are also using the companion Wordfence Premium service, because new rules for the firewall are provided only to paying customers for the first 30 days after they are created, so free users won’t be protected against getting hacked. Like so much security advice, that claim isn’t backed by evidence. There turn out to be multiple serious problems with it.
One problem is that the plugin provides a fair amount of protection through what we refer to as general protection, which doesn’t require a rule written for a specific vulnerability. It doesn’t provide as much of that as the best WordPress firewall plugins do, though.
Another problem is that the claimed real-time nature of the rules isn’t true. Twice with rules added to the free data in December, the rule was added over two months after the vulnerability had been disclosed. In both cases, other firewall plugins provided general protection against the vulnerabilities before they were even disclosed.
Notably, Wordfence doesn’t provide a measure of how fast they are adding rules, instead claiming they are real-time when they know there is a delay. (Wordfence has a long track record of saying things that are not true.)
What Wordfence also notably doesn’t provide is a page listing all the rules they are adding. That seems unsurprising based on data we have now collected. Last year we started keeping track of all the rules they were adding to their free data for vulnerable plugins and publicly listing them. Since the free data lags the paid data by 30 days, this tracks the paid data with a month’s delay. For the whole year, there were rules written for 101 vulnerable plugins, an average of 8.4 rules per month. That is far below the number that would be needed to cover all the vulnerabilities that reasonably should be covered if you are going the route of writing rules for individual vulnerabilities.
It is also far below what you would expect given how much they are charging for access to these rules and how much money they are likely taking in to produce them, as you are talking about maybe a few hours a week of work being done.