Created in 2011 as the first security plugin for WordPress, WordFence has steadily grown in popularity with time. WordFence's core security solution is to discover newly published, or actively exploited security vulnerabilities, investigate them, create custom "virtual patches" to block exploitation of the vulnerabilities and push them to paying customers. Their free customers then receive the patches 30 days later.
The WordFence approach is a black-list (block-list) approach: WordFence blocks everything that looks like SQL injection or Cross Site Scripting (XSS), plus anything it has a specific signature for, and allows everything else. This creates a data problem for WordFence, since it can only block attacks it already knows about and has written rules and patches for, leaving websites exposed while those patches are being developed.
Recently funded in January 2023, BitFire is a new startup in the security space and is the first Runtime Application Self Protection (RASP) solution for WordPress. The BitFire solution is to white-list (allow-list) good traffic and block everything else. This creates the inverse data problem of WordFence: BitFire must know what all "good traffic" looks like in order to block everything else.
BitFire has 2 unique features, bot blocking and RASP, in addition to the standard WAF coverage (SQLi, XSS, XXE, CSRF, etc.) that most security solutions provide. Effective bot blocking is crucial since 99.9% of hacks are completely automated. This is because Internet-wide scanners like ZMap can sweep the entire IPv4 address space looking for vulnerable websites in under a day.
To stop automated tools like ZMap and ZGrab, BitFire maintains a list of over 600 known good bots, such as search engines and SEO tools, and can verify them at the network level: a request claiming to be a given crawler must actually originate from that operator's network. This means that an attacker would have to both impersonate GoogleBot AND launch the attack from Google's own crawler IP ranges to bypass the bot blocking. In addition to authenticating robots, BitFire authenticates humans as well with a JavaScript challenge that verifies that a request claiming to be a web browser really is a web browser and not an automated attack tool.
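The standard way to verify a crawler's claim at the network level is forward-confirmed reverse DNS: look up the PTR record of the source IP, check that the resulting hostname falls under a domain the crawler operator publishes (Google documents googlebot.com and google.com; Bing documents search.msn.com), then resolve that hostname forward and confirm it maps back to the same IP. The example below is added here to illustrate that check; it is not BitFire's code, and the resolver is injectable so the constructed sample data runs offline. The IP addresses, PTR names and the `verify_bot`, `fake_reverse` and `fake_forward` helpers are all assumptions made for the illustration.

```python
import socket
from typing import Callable, List, Optional, Tuple

# Hostname suffixes the crawler operators publish for their verified crawlers.
KNOWN_BOTS = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

ReverseFn = Callable[[str], Optional[str]]
ForwardFn = Callable[[str], List[str]]


def claimed_bot(user_agent: str) -> Optional[str]:
    """Return which known crawler the User-Agent claims to be, if any."""
    ua = user_agent.lower()
    for name in KNOWN_BOTS:
        if name in ua:
            return name
    return None


def live_reverse(ip: str) -> Optional[str]:
    """PTR lookup against real DNS (used when no fake resolver is injected)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(host: str) -> List[str]:
    """A/AAAA lookup against real DNS."""
    try:
        return [r[4][0] for r in socket.getaddrinfo(host, None)]
    except OSError:
        return []


def verify_bot(ip: str, user_agent: str,
               reverse: ReverseFn = live_reverse,
               forward: ForwardFn = live_forward) -> Tuple[str, str]:
    """Forward-confirmed reverse DNS check. Returns (verdict, reason).

    verdict is "no_claim" (UA is not a known crawler, so other controls decide),
    "allow" (claim verified) or "reject" (claim could not be verified).
    """
    name = claimed_bot(user_agent)
    if name is None:
        return ("no_claim", "user agent does not claim to be a known crawler")

    host = reverse(ip)
    if not host:
        return ("reject", f"{ip} has no PTR record")
    host = host.rstrip(".").lower()

    # Suffix must match as a whole label, so googlebot.com.attacker.example fails.
    if not any(host == s or host.endswith("." + s) for s in KNOWN_BOTS[name]):
        return ("reject", f"PTR {host} is outside {name}'s published domains")

    # The PTR is under the attacker's control; the forward record is not.
    if ip not in forward(host):
        return ("reject", f"forward lookup of {host} does not return {ip}")
    return ("allow", f"verified {name} via {host}")


# Constructed sample DNS data (TEST-NET addresses, invented PTR names).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",    # genuine-looking crawler
    "203.0.113.7": "crawl-192-0-2-10.googlebot.com",   # attacker points own PTR at Google's name
    "203.0.113.8": "googlebot.com.attacker.example",   # attacker tries a suffix trick
    "198.51.100.9": None,                              # no PTR at all
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "googlebot.com.attacker.example": ["203.0.113.8"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(host: str) -> List[str]:
    return FAKE_A.get(host, [])


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

if __name__ == "__main__":
    for ip, ua in [("192.0.2.10", GOOGLEBOT_UA), ("203.0.113.7", GOOGLEBOT_UA),
                   ("203.0.113.8", GOOGLEBOT_UA), ("198.51.100.9", GOOGLEBOT_UA),
                   ("203.0.113.7", "curl/8.0")]:
        print(ip, verify_bot(ip, ua, fake_reverse, fake_forward))
```

The second sample shows why the forward step matters: anyone who controls the reverse zone for their own address space can publish a PTR that reads like a Google hostname, but only Google can make that hostname resolve forward to the attacker's address. A "no_claim" verdict is not an allow; it simply hands the request on to the next control (such as the JavaScript challenge described above).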
Finally BitFire's RASP layer integrates directly with the PHP runtime monitoring all database, network and filesystem access. This allows BitFire to prevent any security vulnerability from uploading malware, adding backdoor accounts to the database or using the network to attack other systems (SSRF).
WordFence boasts over 4,000,000 installs as the most popular security plugin on the planet. This is largely because users have no real way to evaluate security quality, so they tend to go along with what is popular. And so WordFence, being the first security plugin available, became the dominant force in the industry.
WordFence has 4 versions it ships to customers. The commercial version, which retails for $120 USD per year, is their primary product. Its firewall ships with about 200 unique rules that block specific plugin exploits of known security vulnerabilities, and a list of about 40,000 known or suspected attacker IPs.
If your website is being attacked from one of those IP addresses, or you are running a vulnerable version of a plugin that they have a virtual patch for, WordFence can prevent your website from being hacked.
There are over 6,500 known WordPress plugin and theme vulnerabilities. WordFence's roughly 200 rules cover the most recent of them, about 3% of known vulnerabilities, and its 40,000 blocked addresses are about 0.001% of the 4,294,967,296 (2^32) possible IPv4 addresses.
To WordFence's credit, they do a lot of security research and often discover these vulnerabilities themselves. Also, the 200 or so vulnerabilities that they block tend to be the most current, actively exploited ones. But they are playing a losing game: no matter how fast they research and develop custom rules for newly discovered vulnerabilities, they often only discover an issue after customers have already been exploited and malware is infecting client systems.
Until a new custom rule is created and pushed to their customers, your site is vulnerable. This is why WordFence upcharges clients $500 or $1,000 to clean malware that the WordFence software allowed to infect the site.
By contrast, BitFire guarantees the security of the RASP system and will not only clean any malware infecting a RASP protected system free of charge, but fully refund the purchase price of the 1 year license.
If you plan to use WordFence for your website security, we HIGHLY recommend you use the paid version. The free version of WordFence only pushes new rules to free customers after 30 days, and free customers do not benefit from their IP block list, greatly reducing the benefit of the software.
By the time 30 days have passed, a vulnerable website has already been exploited. Internet-wide scanners like ZGrab and ZMap can sweep the entire IPv4 address space looking for vulnerable systems in under a day from a single machine. That's right: all 4,294,967,296 possible IPv4 addresses probed in a day from a single machine.
By the time the new rules are pushed to your website, you have already been hacked.
Properly configured BitFire Bot Control is enough to protect most WordPress websites. Customers looking for guaranteed protection and peace of mind, without worrying about possibly spending an additional $500 to $1,000 USD to clean up a malware infection if their security software fails, should consider purchasing a BitFire RASP license to protect their websites.
The only thing we love more than security is helping people. Send a message to our chat room with the form below and someone will reach out shortly to help with any security challenge you may face.