30 Nov 2023

Solid Security vs Wordfence Security

The most important thing to know about WordPress firewall plugins is the amount of protection they offer against real threats, but we are somehow the only ones doing testing that would measure that. A lot of the threats that WordPress security plugins claim to protect against are not really threats. What is a real threat is vulnerabilities in other plugins being exploited, and that is something firewall plugins can provide protection against. The developers of Solid Security and Wordfence Security make it sound like they provide strong protection against those vulnerabilities, but in reality, they either don’t do a very good job or provide no protection whatsoever.

Recently, the iThemes Security plugin was rebranded as Solid Security. Alongside that came new misleading marketing about what protection it offers. Among those is the claim that “Solid Security shields your site from cyberattacks and prevents security vulnerabilities.” They also have a bolded claim that the plugin will “Reduce your WordPress website’s risk to nearly zero”. [Read more]

20 Nov 2023

WordPress Firewall Plugins Protect Against Vulnerability Without Rule Needed for Wordfence Security To Do That

Last week, we noted that the marketing for the Wordfence Security plugin was promoting its firewall as being the industry leader, despite that claim not being supported by them with anything whatsoever and objective testing showing it to be far from the case. In doing that, we included a screengrab of them making that claim:

[Read more]

16 Nov 2023

Combining WordPress Security Plugins Doesn’t Provide Better Protection Than One Better Plugin

It isn’t uncommon to see people asking the developers of WordPress security plugins if they can be used alongside another security plugin. That often seems like an odd question, as the two plugins being asked about are all-in-one security plugins that both claim to provide all the protection you need. If someone doesn’t trust the developer of either to deliver what they promise, why would they trust that combining two of them would deliver that? The results of the testing we do provide evidence that this isn’t the approach to get the best security, or even any security.

Across the testing we do of security plugins to see if they can provide protection against vulnerabilities in other plugins, many of the plugins provide no protection. Combining multiple plugins that provide no protection won’t produce a better result. But what if you combine plugins that do provide protection? [Read more]

13 Nov 2023

Wordfence Security’s Country Blocking Isn’t an Effective Measure Against Hackers

Last week, we wrote about one feature of the Wordfence Security plugin that doesn’t actually provide the protection Wordfence has convinced people it does. Another feature that was brought up to us by the same person asking about the other feature was country blocking. That blocks requests based on the IP address of the request appearing to come from a certain country. Interestingly, Wordfence’s own documentation for that feature can’t even muster an explanation for how that is supposed to protect websites. That isn’t surprising if you look at real world attacker activity.

What looked to be one recent attack on our own website involved a hacker trying to log in to our website seven times. They used a different IP address each time. Here are the locations of the IP addresses: [Read more]

8 Nov 2023

The Wordfence Security Plugin Isn’t Actually Protecting Against Brute Force Attacks

We recently had a potential customer ask if our firewall plugin protected against brute force attacks, as they believed the Wordfence Security plugin was doing. They also noted that using something different than what Wordfence Security provides would seem like less protection, even if it was better protection. When it comes to brute force attacks, they have hit the nail on the head, as those are not even happening. Wordfence is pretending that something WordPress already provides effective protection against isn’t happening and that instead brute force attacks are happening, which would require protection that WordPress doesn’t have built in.

Here is how Wordfence describes brute force attacks: [Read more]

7 Nov 2023

How a WordPress Firewall Plugin Stops Exploitation of Zero-Day That Automattic’s Jetpack Didn’t

When it comes to protecting WordPress websites from being hacked through vulnerabilities in plugins, the solution is often simply keeping plugins up to date. But that doesn’t work when a hacker finds a vulnerability and starts exploiting it, otherwise known as a zero-day, as there is no update available. That is where an additional security plugin or service can possibly provide protection. But do they? The answer is often that they won’t. Making that more problematic is that often the marketing of the solutions would tell you otherwise.

Recently, we looked at one example of how firewall plugins could easily detect and stop exploit attempts for a widely exploited vulnerability, but most didn’t. Let’s look at another example of how a firewall plugin can provide protection, this time with a zero-day. We will also touch on a couple of examples of why web application firewalls (WAFs) such as cloud-based security services are unable to handle things as well. [Read more]

6 Nov 2023

Latest WordPress Plugin to Include Firewall Provides Almost No Protection Against Zero-Days

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing that, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of that against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

This month we added a new plugin to our test set. The name of the plugin is Advanced Google reCAPTCHA, which doesn’t sound like it should be a relevant plugin to such testing. But as is often the case with WordPress plugins, developers add features that seem unrelated to the main purpose of the plugin. In this case, firewall functionality was added to the plugin, despite the developer already providing another plugin, Security Ninja, which is supposed to have a firewall (but doesn’t have one). [Read more]

16 Oct 2023

3 WordPress Firewall Plugins Stop Recently Widely Exploited Vulnerability in tagDiv Composer Plugin

Last week there was a spate of largely unhelpful news stories run about websites getting hacked through an already fixed vulnerability in a WordPress plugin not available through the WordPress Plugin Directory, tagDiv Composer. There is a lot that could be discussed with that, but one element stands out to us. It looked like exploitation of the vulnerability should be easily stopped by WordPress security plugins with a firewall. We say that based on our own experience developing such a firewall plugin. That runs counter to something said by Dan Goodin, who inexplicably continues to be employed by Ars Technica, despite repeatedly getting things wrong in his stories. He wrote this:

The malicious injection uses obfuscated code to make it hard to detect. It can be found in the database used by WordPress sites, specifically in the “td_live_css_local_storage” option of the wp_options table. [Read more]

10 Oct 2023

Wordfence Security Increases Protection in October Test of WordPress Security Plugins’ Zero-Day Protection

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing that, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of that against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

This month saw one change: the Wordfence Security plugin increased its protection from 20.90% of the tests to 23.16%. That is notable, as after a year of testing, we had barely seen improvements among the plugins tested. [Read more]