
Reviewing Wordfence: Positives, Negatives, and Security Features

by The Editorial Team

Wordfence stands as a widely acclaimed WordPress security plugin, designed to safeguard your website against malware and various cyber threats. Nevertheless, given the multitude of security plugins available, determining the most suitable option for your specific needs can be challenging.

Here’s where my expertise comes into play. I’ve compiled an in-depth Wordfence review to assist you in making an informed decision and instilling confidence in the security of your website. Rest assured, I’ve conducted thorough research and testing on Wordfence to provide you with the most precise and up-to-date information.

So, sit back and relax, knowing that I am here to steer you in the right direction for establishing a secure website.

Introduction

Wordfence proves to be an excellent choice for newly established websites or those operating on a limited budget. It stands out as one of the top-performing free security plugins in my testing, second only to MalCare. While it may not offer a foolproof defense against all malicious attacks, it outperforms its counterparts and provides commendable security measures.

Nevertheless, there are aspects of Wordfence that raise concerns. Firstly, the reliability of the Wordfence scanner is limited to specific sections of the website. While it effectively detects malware in core files and non-premium plugins and themes, it falls short in identifying malware within the database, a common target for malicious activities.

Moreover, Wordfence’s cleanup services come with a hefty price tag, bordering on exorbitant. Additionally, the effectiveness of the Wordfence firewall is compromised as it loads like any other plugin, rendering it less than 100% effective in blocking malicious traffic. What’s more, the free version’s firewall updates lag behind the premium version by up to 30 days, providing a window for potential exploitation by hackers.

Wordfence also poses a challenge to server resources, noticeably impacting site performance during scans, to the extent that some web hosts outright prohibit its use. Notably, Wordfence lacks essential bot protection, a crucial feature for any comprehensive website security solution.

In this review, I will delve into a detailed analysis of Wordfence’s features, user interface, and overall effectiveness, drawing from my personal experience and research.

Security Features and Wordfence

When evaluating any security plugin, I prioritize three indispensable features: a malware scanner, a malware cleaner, and a firewall. These elements are crucial considerations in determining the plugin’s suitability, and I offer comprehensive details about these key features and more in this section.

Malware scanner

The initial feature under scrutiny was the malware scanner, as its effectiveness is pivotal in determining the presence of malware on a site.

The initial scan took approximately 20 minutes. At first I thought the scan had not finished, because the screen showed 60%; it turned out that this figure was not a progress bar but the percentage of the site covered by the free version’s scan.

In a subsequent scan, the process concluded notably quicker. The second scan successfully identified a significant portion of the malware afflicting the compromised test website, detecting it within the site files. However, it did not pinpoint any malware within the database, presenting a concerning gap in addressing database-based malware, a legitimate and hazardous issue.

Furthermore, the scanner raised false positives by flagging errors associated with the iThemes and BackupBuddy plugins installed on the site.

A noteworthy element in the scan results was a prompt to consider using the premium version to effectively eliminate the detected malware. While the free version offers certain remedial actions for a hacked WordPress site, they come with associated risks, which I will discuss in the subsequent section.

Malware removal

The plugin’s free version provided me with two choices: to delete all deletable files and to repair all repairable files.

I can guarantee that deleting a file without caution is likely to result in a site crash. While I assume that Wordfence is aware of the crucial files for WordPress, free themes, and plugins, it may not cover all scenarios. Opting for the delete option initially successfully removed one file, accompanied by a warning highlighting the potential site-breaking consequences of file deletion. This warning can be particularly alarming for individuals attempting to clean malware from a live site.

Subsequently, I proceeded to use the repair option, and it effectively resolved issues with most of the files containing malware. Upon rechecking the site with MalCare’s scanner, it was confirmed to be free of malware. Wordfence proves efficient in eliminating recognized malware, as its developers can repair files and remove identified threats. However, it’s important to note that this capability is limited to known malware, and newly discovered threats may pose a challenge.

It became evident that the Wordfence plugin cannot address malware within the database. Like its scanner, it does not remove malware from non-core WordPress files, premium plugins, and themes.

A call to action prompts users to explore the Wordfence removal service, which is bundled with their Response and Care packages, details of which will be discussed later in this article. To maintain transparency, it’s crucial to mention that I did not personally test this service.

Firewall

Configuring the Wordfence firewall proved to be a somewhat challenging task. The multitude of firewall rules and scan rules might be overwhelming for individuals lacking technical expertise. While developers familiar with whitelisting or blacklisting IPs may find it more manageable, the average user could face difficulties.

The Wordfence firewall has a dedicated section that introduces the concept of a Web Application Firewall, providing a quick description of its functions.

Notably, it is recommended to activate the learning mode for a week before enabling the firewall. This is crucial because firewalls require live traffic to learn and reduce the risk of blocking legitimate traffic. However, for my test sites with no traffic, leaving the learning mode on made little sense. Consequently, I accessed the options and changed the status to ‘enabled and protecting.’ The firewall effectively safeguards your site against a majority of threats.

This section also delineates the distinctions between the free and premium versions. Firstly, the free version of the plugin loads as a standard plugin after WordPress has loaded, rendering it only partially effective. Ideally, a firewall should initiate prior to WordPress loading to preemptively block all malicious traffic.

Here the news is mixed. The positive aspect is that Wordfence boasts the most up-to-date firewall. The drawback is that the free version receives updates after the premium version. This delay leaves a window in which your site may be vulnerable to malware attacks, making it less than ideal.

Good-to-have security features

An effective security plugin goes beyond offering a robust firewall and malware scanning system for safeguarding your WordPress website. It should also incorporate various secondary security features to bolster your website’s protection. These include an activity log, vulnerability detection, two-factor authentication, and login protection. In the following section, I will delve into these supplementary security features of Wordfence, examining how they contribute to enhancing overall website security.

Login protection

For login protection, Wordfence offers comprehensive coverage. Brute force protection is included in the firewall section and is activated by default. Users have the flexibility to customize these settings by accessing the options. It allows for the configuration of lockouts for incorrect login attempts and specifies the duration of user lockouts after a predefined number of incorrect login attempts. Additionally, Wordfence provides thorough documentation explaining the functionality of each option and how to use them most effectively to enhance site protection.

Another feature allows you to establish an allowlist for IPs exempt from firewall testing. However, the utility of this feature is limited as device IPs may change over time.

Furthermore, there are options to enforce robust password policies, barring the use of passwords identified in data breaches, and more. Brute force protection operates precisely according to your configured settings, providing assurance that your site is effectively secured.
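To make the lockout behaviour described above concrete, here is an added illustration written for this review, not Wordfence’s own code: a minimal WordPress plugin that counts failed logins per IP and refuses further attempts once a threshold is reached. The threshold (5 failures), the lockout duration (15 minutes) and the allowlisted address are constructed assumptions, and the WordPress hooks and transient functions used are standard core APIs.

```php
<?php
/*
 * Plugin Name: Example Login Lockout (illustration, not Wordfence code)
 * Assumptions (constructed for this example): 5 failures trigger a
 * 15-minute lockout, and allowlisted IPs are exempt from lockouts.
 */
define('EXAMPLE_LOCKOUT_MAX_FAILURES', 5);
define('EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);
// Constructed allowlist; a real plugin would read this from its settings page.
const EXAMPLE_LOCKOUT_ALLOWLIST = ['203.0.113.10'];

function example_lockout_client_ip() {
    // REMOTE_ADDR is set by the web server itself; trusting X-Forwarded-For
    // blindly would let a client spoof its way onto the allowlist.
    return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_lockout_key($ip) {
    return 'example_lockout_' . md5($ip);
}

// Count failed logins per IP. The transient expires with the lockout window,
// so continued failed attempts during a lockout keep extending it.
add_action('wp_login_failed', function ($username) {
    $ip = example_lockout_client_ip();
    if (in_array($ip, EXAMPLE_LOCKOUT_ALLOWLIST, true)) {
        return;
    }
    $key      = example_lockout_key($ip);
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, EXAMPLE_LOCKOUT_SECONDS);
});

// Priority 30 runs after core's own username/password check (priority 20),
// so a locked-out IP is rejected even when it finally supplies the right password.
add_filter('authenticate', function ($user, $username, $password) {
    $ip = example_lockout_client_ip();
    if (in_array($ip, EXAMPLE_LOCKOUT_ALLOWLIST, true)) {
        return $user;
    }
    $failures = (int) get_transient(example_lockout_key($ip));
    if ($failures >= EXAMPLE_LOCKOUT_MAX_FAILURES) {
        return new WP_Error('example_locked_out',
            'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_lockout_key(example_lockout_client_ip()));
}, 10, 2);
```

Because transients live in the options table (or the object cache), the counter survives across requests without any extra storage, which is the same general shape a plugin-level brute force guard takes.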

Vulnerability detection

The Wordfence scan uncovered a few outdated plugins, categorized as a medium threat. This serves as a valuable reminder to maintain up-to-date plugins for optimal security.

Notably, plugins with identified vulnerabilities were accurately flagged as critical threats, even for less popular ones with fewer than 200 users. Wordfence’s ability to detect such vulnerabilities is commendable, distinguishing it from other plugins I tested that struggled with similar identification.

Regrettably, the Wordfence dashboard does not provide a direct method to address identified vulnerabilities. Unlike several other plugins such as Jetpack and Sucuri, which recommend and allow updates from the same panel, Wordfence redirects you to the updates dashboard for this task. Incorporating this functionality within the Wordfence dashboard would have been a valuable feature.

Two-factor authentication

Implementing two-factor authentication is a widely adopted security practice, although it can be somewhat cumbersome to configure. Initially a premium feature on Wordfence, enabling two-factor authentication for your WordPress site is now available for free. Additionally, the setup process is straightforward, allowing users to customize various options and add reCAPTCHA for an extra layer of protection. You can also use two-factor authentication on your Wordfence account itself, which helps protect the account, especially if you’re managing multiple sites.

Activity log

An activity log isn’t easy to find in Wordfence. However, you can activate debugging from the Diagnostics section under Tools. While this provides more detailed logs, it does not amount to a comprehensive activity log.

A scan log is present, but it seems tailored for Wordfence developers. It’s important to note that enabling debug mode can increase server resource usage, as indicated in the diagnostics section.

Other factors to consider

Before using Wordfence, there are a few other factors to consider. While Wordfence is a powerful security tool, is it the best security plugin?

Impact on server resources

Wordfence is excessively resource-intensive and introduces significant bloat to your website. Each scan it performs has a considerable impact on site speed, to the extent that certain web hosts prohibit its usage due to this reason.

Across sites of various sizes, I observed disk usage doubling when Wordfence started its scans. While this might not pose a significant issue for smaller sites, it represents a substantial increase for those with higher resource usage. Additionally, if you modify the default settings, Wordfence warns that such changes will further increase the consumption of your server resources.

Furthermore, by examining the activity log, you can track the amount of memory utilized for each scan. However, the more concerning aspect is that the firewall also operates on your site’s resources. Consequently, in the event of a sustained attack on your site, you may encounter issues even if the site is safeguarded against these exploits.

Help and support

For users utilizing the free version of Wordfence, be prepared to navigate without official support; it’s not available. Assistance will depend on forum interactions, which may prove somewhat challenging. With the premium version, you do gain access to support, but experiences can vary. Numerous complaints on review sites suggest that the support may be hit-or-miss, so it’s essential to be mindful of this aspect.

Pricing

The free edition of Wordfence is decent but falls short of being the optimal security solution for your site. Upgrading to the premium version comes at a maximum cost of $99 per site, with reduced rates for additional licenses.

Previously, malware cleanup incurred an additional charge of $490, but it is now encompassed within a care plan offered at the same yearly price. However, it’s essential to note that swift response times to issues are not guaranteed, and the 1-hour response time is exclusive to the $950 per year plan, which may be deemed somewhat costly.

Final thoughts

While Wordfence is a reasonable option, for robust and comprehensive protection, opting for MalCare premium is the recommended path. Despite a potentially higher cost, the investment is justified by the extensive protection it provides. Don’t leave your site vulnerable to potential threats; prioritize and invest in the most effective protection available.