WordFence Under The Hood

Find out WordFence's greatest strengths and weaknesses, compared directly with the market.

WordFence Overview

Created in 2011 as the first security plugin for WordPress, WordFence has steadily grown in popularity over time. WordFence's core security approach is to discover newly published or actively exploited security vulnerabilities, investigate them, create custom "virtual patches" that block exploitation of those vulnerabilities, and push the patches to paying customers. Free customers then receive the same patches 30 days later.

The WordFence approach is a black-list (block-list) approach: WordFence blocks everything that looks like SQL injection or Cross Site Scripting (XSS), plus anything it has a specific signature for, and allows everything else. This creates a data problem for WordFence, since it can only block attacks it already knows about and has developed rules and patches for, leaving websites vulnerable while patches are developed.

BitFire Overview

Recently funded in January 2023, BitFire is a new startup in the security space and is the first Runtime Application Self Protection (RASP) solution for WordPress. The BitFire solution is to white-list (allow-list) good traffic and block everything else. This creates the inverse data problem to WordFence's: BitFire must know what all "good traffic" looks like in order to block everything else.

BitFire has 2 unique features, bot blocking and RASP, in addition to the standard WAF coverage (SQLi, XSS, XXE, CSRF, etc.) that most security solutions provide. Effective bot blocking is crucial since 99.9% of hacks are completely automated: web tools like ZMap can scan the entire Internet looking for vulnerable websites in under a day.

To stop automated tools like ZMap and ZGrab, BitFire maintains a list of over 600 known good bots, such as search engines and SEO tools, and can verify them with network authentication. This means that an attacker would have to both impersonate GoogleBot AND launch the attack from Google's campus in Silicon Valley to bypass the bot blocking. In addition to authenticating robots, BitFire authenticates humans as well, with a JavaScript challenge that verifies that a request claiming to come from a web browser really is from a web browser and not from an automated attack tool.
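The network authentication described above is commonly implemented as a reverse DNS lookup on the connecting IP followed by a forward lookup that must land back on the same IP, which is how Google and Bing document verifying their crawlers. The Python below is an added example, not BitFire's code: the bot list, the DNS suffixes and the injectable resolver functions are assumptions for illustration, and it covers only the bot half of the check (the JavaScript challenge for humans is not shown).

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional

# Constructed allow-list for this example: a User-Agent substring for each
# crawler, mapped to the DNS suffixes its operator publishes for verification.
KNOWN_BOTS = {
    "Googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
    "DuckDuckBot": ("duckduckgo.com",),
}

def _reverse(ip: str) -> Optional[str]:
    try:                                   # live PTR lookup
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def _forward(host: str) -> Iterable[str]:
    try:                                   # live A/AAAA lookup
        return [ai[4][0] for ai in socket.getaddrinfo(host, None)]
    except OSError:
        return []

def verify_bot(user_agent: str, ip: str,
               reverse: Callable[[str], Optional[str]] = _reverse,
               forward: Callable[[str], Iterable[str]] = _forward) -> str:
    """Return "verified", "impostor" or "unknown" for a request that claims
    to be a crawler. Resolvers are injectable so the check runs offline."""
    bot = next((name for name in KNOWN_BOTS if name in user_agent), None)
    if bot is None:
        return "unknown"               # not allow-listed; other layers decide
    try:
        target = ipaddress.ip_address(ip)
    except ValueError:
        return "impostor"
    host = (reverse(ip) or "").rstrip(".").lower()
    # Suffix match on a label boundary so "evilgooglebot.com" cannot pass.
    if not any(host == s or host.endswith("." + s) for s in KNOWN_BOTS[bot]):
        return "impostor"
    # Forward confirmation: anyone controls their own PTR record, so the
    # hostname must resolve back to the connecting IP before it is trusted.
    for addr in forward(host):
        try:
            if ipaddress.ip_address(addr) == target:
                return "verified"
        except ValueError:
            continue
    return "impostor"
```

A request classified as "unknown" is a plain client with no crawler claim and falls through to the browser challenge; only "verified" crawlers should be exempted from it.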

Finally, BitFire's RASP layer integrates directly with the PHP runtime, monitoring all database, network and filesystem access. This allows BitFire to prevent any security vulnerability from being used to upload malware, add backdoor accounts to the database, or use the network to attack other systems (SSRF).

| Feature | WordFence | BitFire 3.6.1 |
|---|---|---|
| Performance | Adds 44% to page creation time (685,416 of 2,197,485 microseconds load time for WordPress) | Adds 1% to page creation time (16,016 of 1,528,085 microseconds load time for WordPress) |
| Memory | Adds 125% to memory usage (4,884KB of 8,671KB required memory for WordPress; 128MB minimum) | Adds 0.01% to memory usage (58KB of 3,798KB required memory for WordPress; 1MB minimum) |
| Malware Scanning | Often misses custom malware; long, memory / CPU intensive process | Finds all redirects and dynamic code executions; 10,000 files per minute, low memory use, 2.5 million malware domains |
| Block Fake / Attack Bots | WordFence does not have bot controls | Identifies and validates 600+ good bots with network authentication, blocks everything else |
| Cross Site Scripting | Blocks all known forms of Reflected XSS | Blocks all known forms of Reflected XSS |
| SQL Injection | Blocks many injections (nested comment Regex bypass) | Blocks all injections (SQL query parsing catches more attacks) |
| PHP de-serialize object injection | Blocks previously known object injections | Blocks all PHP object injections |
| Login Security | 2 factor authentication, login auditing, brute force lockout | 2 factor authentication, login auditing |
| Centralized Management | Allows monitoring of multiple websites from wordfence.com | Each site can only be managed by authenticated local users |
| Specific Vulnerability Patching | WordFence blocks ~200 specific known security vulnerabilities | BitFire allows only known good traffic and does not use black lists |
| File: Runtime Application Self Protection | WordFence can not lock PHP file modification | Lock all of your PHP files from hackers and malware |
| Database: Runtime Application Self Protection | WordFence does not have database access control checks | Lock your database credentials from hackers and malware |
| Network: Runtime Application Self Protection | WordFence does not inspect network traffic | Prevent Server Side Request Forgery and TOCTOU (time-of-check to time-of-use) vulnerabilities |
| Browser Security Controls | WordFence does not support browser Content Security Policy | Build automated Content Security Policies to protect client browsers |

WordFence is the most popular security tool for WordPress. What does it actually do?

WordFence boasts over 4,000,000 installs as the most popular security plugin on the planet. This is largely because users have no real way to evaluate security quality, so they tend to go along with what's popular. And so WordFence, being the first security plugin available, became the dominant force in the industry.

WordFence has 4 versions it ships to customers. The commercial version, which retails for $120 USD / year, is their primary product. The firewall ships with about 200 unique rules and 40,000 IPs that block specific plugin exploits of known security vulnerabilities and known or suspected attack IPs.

If your website is being attacked from one of these IP addresses, or you are running a vulnerable version of a plugin they have a virtual patch for, WordFence can prevent your website from being hacked in those cases.

What about unknown vulnerabilities or other IP addresses?

There are over 6,500 known WordPress plugin and theme vulnerabilities. WordFence can protect you from the 200 most recent vulnerabilities, about 3.0% of known vulnerabilities, and from 40,000 or 0.00009% of the 4,228,250,625 IPv4 addresses.

To WordFence's credit, they do a lot of security research and often discover these vulnerabilities themselves. Also, the 200 or so vulnerabilities they block tend to be the most current, actively exploited ones. But they are playing a losing game: no matter how fast they research and develop custom rules for newly discovered vulnerabilities, they often only discover the issue after customer exploitation has occurred and malware is already infecting client systems.

Until a new custom rule is created and pushed to their customers, your site is vulnerable. This is why WordFence charges clients an additional $500 or $1,000 to clean malware that the WordFence software allowed to infect the site.

By contrast, BitFire guarantees the security of the RASP system and will not only clean any malware infecting a RASP-protected system free of charge, but also fully refund the purchase price of the 1 year license.

Is the $120 USD WordFence worth the cost?

If you plan to use WordFence for your website security, we HIGHLY recommend the paid version. The free version of WordFence only pushes new rules to free customers after 30 days, and free customers do not benefit from the IP block list, greatly reducing the benefit of the software.

By the time 30 days have passed, a vulnerable website has already been exploited. This is because web scanners like ZGrab and others can scan the entire Internet looking for vulnerable systems to exploit in under a day from a single machine. That's right: 4,228,250,625 web sites scanned per day from a single machine.

By the time the new rules are pushed to your website, you have already been hacked.

Is the $132 USD BitFire worth the cost?

Properly configured, BitFire Bot Control is enough to protect most WordPress websites. Customers looking for guaranteed protection and peace of mind, without worrying about possibly spending an additional $500 - $1,000 USD to clean up a malware infection should their security software fail, should consider purchasing a BitFire RASP license to protect their websites.

Want help securing a website?

The only thing we love more than security is helping people. Send a message to our chat room with the form below and someone will reach out shortly to help with any security challenge you may face.