WordFence Under The Hood

Find out WordFence's biggest strengths and weaknesses in a direct comparison with the market

WordFence Overview

Created in 2011 as the first security plugin for WordPress, WordFence has grown steadily in popularity since. WordFence's core security approach is to discover newly published or actively exploited vulnerabilities, investigate them, write custom "virtual patches" (firewall rules) that block exploitation of those vulnerabilities, and push them to paying customers. Free customers receive the same patches 30 days later.

The WordFence approach is a blocklist (black-list) approach: it blocks everything that looks like SQL injection or cross-site scripting (XSS), plus anything it has a specific signature for, and allows everything else. This creates a data problem for WordFence, because it can only block what it already knows about and has written rules or patches for, leaving websites exposed while those patches are being developed.

BitFire Overview

Funded in January 2023, BitFire is a new startup in the security space and the first Runtime Application Self-Protection (RASP) solution for WordPress. BitFire's approach is to allowlist (white-list) known good traffic and block everything else. This creates the inverse of WordFence's data problem: BitFire must know what all "good traffic" looks like in order to block the rest.

BitFire has two features most security products lack, bot blocking and RASP, in addition to the standard WAF protections (SQLi, XSS, XXE, CSRF, etc.) that most security solutions provide. Effective bot blocking is crucial because 99.9% of hacks are completely automated: tools like ZMap can scan the entire IPv4 Internet looking for vulnerable websites in under a day.

To stop automated tools like ZMap and ZGrab, BitFire maintains a list of over 600 known good bots (search engines, SEO tools and the like) and verifies them with network authentication: the identity a request claims is checked against the network the request actually comes from. An attacker would therefore have to impersonate Googlebot AND launch the attack from Google's own network to get past bot blocking. In addition to authenticating robots, BitFire authenticates humans with a JavaScript challenge that verifies a request claiming to come from a web browser really does come from a browser and not from an automated attack tool.
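The network authentication described above is, for the major search engines, a published procedure: reverse-resolve the requesting IP, check the PTR hostname lies in the engine's own zone, then forward-resolve that hostname and require the original IP to come back. The following is an added example of that check, written for this page and not BitFire's code. The bot list, hostnames and IP addresses (TEST-NET ranges) are constructed so the demonstration runs offline; the real resolver functions are included but only used if you call `verify_bot` without the fake lookups.

```python
"""Verify a self-identified search-engine crawler by reverse DNS plus forward
confirmation.

Added example, not BitFire's code.  KNOWN_BOTS lists the zones the engines
document for their crawlers; everything under "Constructed DNS data" is
hypothetical and uses TEST-NET addresses so the demo runs without network access.
"""
import socket
from typing import Callable, Dict, Iterable, Optional, Tuple

# Hostname zones the engines document for their crawlers.
KNOWN_BOTS: Dict[str, Tuple[str, ...]] = {
    "googlebot": ("googlebot.com", "google.com"),
    "bingbot": ("search.msn.com",),
}

ReverseLookup = Callable[[str], Optional[str]]   # ip -> PTR hostname or None
ForwardLookup = Callable[[str], Iterable[str]]   # hostname -> addresses


def reverse_dns(ip: str) -> Optional[str]:
    """Real PTR lookup through the system resolver (network access required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def forward_dns(hostname: str) -> Iterable[str]:
    """Real forward lookup through the system resolver (network access required)."""
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:
        return []


def host_in_zone(hostname: str, zones: Iterable[str]) -> bool:
    """True if hostname is a zone or a subdomain of it.  The suffix match is on
    a label boundary, so 'crawl.googlebot.com.attacker.example' does not pass."""
    h = hostname.lower().rstrip(".")
    return any(h == z or h.endswith("." + z) for z in zones)


def verify_bot(user_agent: str, ip: str,
               reverse: ReverseLookup = reverse_dns,
               forward: ForwardLookup = forward_dns) -> Tuple[bool, str]:
    """Return (verified, reason) for a request whose User-Agent claims a known bot."""
    ua = user_agent.lower()
    bot = next((name for name in KNOWN_BOTS if name in ua), None)
    if bot is None:
        return False, "user agent does not claim to be a known bot"
    hostname = reverse(ip)
    if hostname is None:
        return False, f"{ip} has no PTR record"
    if not host_in_zone(hostname, KNOWN_BOTS[bot]):
        return False, f"PTR {hostname} is outside the {bot} zone"
    # The reverse zone belongs to whoever owns the IP block, so an attacker can
    # point a PTR at any name.  The forward lookup is answered by the engine's
    # own DNS and must agree before the identity is trusted.
    if ip not in set(forward(hostname)):
        return False, f"forward lookup of {hostname} does not return {ip}"
    return True, f"verified {bot} via {hostname}"


# Constructed DNS data (hypothetical names, TEST-NET addresses).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",        # genuine crawler
    "192.0.2.11": "scanner.attacker.example",               # honest PTR, wrong zone
    "192.0.2.12": "crawl.googlebot.com.attacker.example",   # look-alike suffix
    "192.0.2.13": "crawl-192-0-2-10.googlebot.com",         # spoofed PTR, no forward match
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "scanner.attacker.example": ["192.0.2.11"],
    "crawl.googlebot.com.attacker.example": ["192.0.2.12"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(hostname: str) -> Iterable[str]:
    return FAKE_A.get(hostname, [])


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def demo() -> Dict[str, bool]:
    """Run the four constructed cases offline; only the genuine crawler passes."""
    return {ip: verify_bot(GOOGLEBOT_UA, ip, fake_reverse, fake_forward)[0]
            for ip in FAKE_PTR}


if __name__ == "__main__":
    for ip in FAKE_PTR:
        ok, why = verify_bot(GOOGLEBOT_UA, ip, fake_reverse, fake_forward)
        print(ip, "verified" if ok else "rejected", "-", why)
```

The fourth case is the one that matters for the claim above: an attacker who controls the reverse zone for their own address can return a perfectly good `googlebot.com` name, and a check that stops at the PTR would accept it. Only the forward confirmation forces the request to originate from an address Google itself publishes for that hostname.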

Finally, BitFire's RASP layer integrates directly with the PHP runtime and monitors all database, network and filesystem access. This lets BitFire stop an exploited vulnerability, whatever it is, from uploading malware, adding backdoor accounts to the database, or using the server's network access to attack other systems (SSRF).
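The two data problems described in the overviews (a blocklist only stops what it has a signature for; an allowlist only passes what it has already seen) can be shown side by side on the database layer the RASP paragraph mentions, and the SQL injection rows of the comparison below make the same point. The following added example, written for this page and not WordFence or BitFire code, runs a handful of constructed queries through both a regex signature list and a "learned shapes" allowlist: each query is reduced to a skeleton with literals replaced by `?` and comments dropped, and only skeletons recorded from known-good traffic are permitted. The signatures, learned queries and samples are all constructed, and the comment-as-whitespace trick is a generic signature-evasion technique, not the specific bypass the table refers to.

```python
"""Blocklist signatures versus an allowlist of query shapes.

Added example, not WordFence or BitFire code.  SIGNATURES, GOOD_QUERIES and
SAMPLES are constructed for illustration.
"""
import re
from typing import Dict, Set

# ---- Blocklist: regex signatures for things that "look like" SQL injection. ----
SIGNATURES = [
    re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    re.compile(r"\bor\s+1\s*=\s*1\b", re.I),
    re.compile(r"\bsleep\s*\(", re.I),
]


def signature_blocks(query: str) -> bool:
    """True if any blocklist signature matches the raw query text."""
    return any(sig.search(query) for sig in SIGNATURES)


# ---- Allowlist: reduce a query to its shape, compare with shapes seen in learning mode. ----
_TOKEN = re.compile(r"""
      (?P<string>'(?:[^'\\]|\\.|'')*')             # single-quoted literal with '' or backslash escapes
    | (?P<comment>/\*.*?\*/|--\s[^\n]*|\#[^\n]*)    # block, double-dash and hash comments
    | (?P<number>\d+(?:\.\d+)?)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)              # keyword or identifier
    | (?P<space>\s+)
    | (?P<punct>.)
""", re.S | re.X)


def skeleton(query: str) -> str:
    """Normalise a query to its structure: literals become '?', comments and
    whitespace are dropped, words are lower-cased.  Because comments are removed
    at token level, a comment placed between two keywords cannot hide the
    keyword boundary the way it hides it from a whitespace-based regex."""
    out = []
    for m in _TOKEN.finditer(query):
        kind = m.lastgroup
        if kind in ("comment", "space"):
            continue
        if kind in ("string", "number"):
            out.append("?")
        elif kind == "word":
            out.append(m.group().lower())
        else:
            out.append(m.group())
    return " ".join(out)


# "Learning mode": shapes recorded from legitimate traffic (constructed).
GOOD_QUERIES = [
    "SELECT * FROM wp_users WHERE ID = 7",
    "SELECT * FROM wp_users WHERE user_login = 'alice'",
    "SELECT option_value FROM wp_options WHERE option_name = 'siteurl' LIMIT 1",
]
ALLOWED_SHAPES: Set[str] = {skeleton(q) for q in GOOD_QUERIES}


def allowlist_permits(query: str) -> bool:
    """True if the query's shape was seen in learning mode."""
    return skeleton(query) in ALLOWED_SHAPES


def classify(query: str) -> Dict[str, bool]:
    """Verdict of both approaches for one query."""
    return {"signature_blocks": signature_blocks(query),
            "allowlist_permits": allowlist_permits(query)}


# Constructed samples covering each approach's failure mode.
SAMPLES = {
    "benign":        "SELECT * FROM wp_users WHERE ID = 42",
    "apostrophe":    "SELECT * FROM wp_users WHERE user_login = 'O''Brien'",
    "union":         "SELECT * FROM wp_users WHERE ID = 7 UNION SELECT user_login, user_pass FROM wp_users",
    "union_comment": "SELECT * FROM wp_users WHERE ID = 7 UNION/**/SELECT user_login, user_pass FROM wp_users",
    "tautology":     "SELECT * FROM wp_users WHERE ID = 7 OR 2=2",
    "new_shape":     "SELECT * FROM wp_users WHERE ID = 7 LIMIT 1",  # legitimate, never learned
}


if __name__ == "__main__":
    for name, q in SAMPLES.items():
        print(f"{name:14} {classify(q)}")
```

Read the verdicts together: `union_comment` and `tautology` get past the signature list because no rule describes them, which is the blocklist data problem, while `new_shape` is a legitimate query the allowlist rejects simply because it was never observed during learning, which is the inverse data problem the BitFire overview describes. The `apostrophe` case shows why the allowlist works on token structure rather than on raw characters: an embedded quote in a literal is not a change of shape.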

| Feature | WordFence | BitFire 3.6.1 |
|---|---|---|
| Performance | Adds about 44% to page generation time: 685,416 µs of a 2,197,485 µs WordPress page load | Adds about 1% to page generation time: 16,016 µs of a 1,528,085 µs WordPress page load |
| Memory | Adds about 125% to memory usage: 4,884 KB on top of the 8,671 KB WordPress needs; 128 MB minimum | Adds about 1.5% to memory usage: 58 KB of the 3,798 KB WordPress needs; 1 MB minimum |
| Malware scanning | Often misses custom malware; a long-running, memory- and CPU-intensive process | Finds all redirects and dynamic code execution; 10,000 files per minute with low memory use, checked against 2.5 million malware domains |
| Blocking fake and attack bots | No bot control feature | Identifies and verifies more than 600 known good bots via network authentication and blocks all other bots |
| Cross-site scripting | Blocks all known forms of reflected XSS | Blocks all known forms of reflected XSS |
| SQL injection | Blocks many injections (regex rules can be bypassed with nested comments) | Blocks all injections (SQL query parsing catches more attacks) |
| PHP deserialization / object injection | Blocks previously known object injections | Blocks all PHP object injection |
| Login security | Two-factor authentication, login auditing, brute-force lockout | Two-factor authentication, login auditing |
| Centralized management | Multiple sites can be monitored from wordfence.com | Each site is managed only by an authenticated local user |
| Specific vulnerability patching | Blocks roughly 200 known specific vulnerabilities | Allows only known good traffic; no blocklist |
| File RASP (Runtime Application Self-Protection) | Cannot lock PHP files against modification | Locks all PHP files against hackers and malware |
| Database RASP | No database access control checks | Locks database credentials against hackers and malware |
| Network RASP | Does not inspect outbound network traffic | Prevents server-side request forgery (SSRF) and TOCTOU (time-of-check to time-of-use) vulnerabilities |
| Browser security controls | No support for a browser Content Security Policy | Builds an automatic Content Security Policy to protect client browsers |

WordFence is the most popular security tool for WordPress. What does it actually do?

WordFence boasts over 4,000,000 installs as the most popular security plugin on the planet. This is largely because users have no real way to evaluate security quality, so they go along with what is popular; WordFence, being the first security plugin available, became the dominant force in the industry.

WordFence ships 4 versions to customers. The commercial version, which retails for $120 USD per year, is their primary product. Its firewall ships with about 200 unique rules that block specific exploits of known plugin vulnerabilities and a list of about 40,000 known or suspected attack IPs.

If your website is being attacked by one of these IP addresses or you are running a vulnerable version of a plugin they have a virtual patch for, WordFence can prevent your website from being hacked in those cases.

What about unknown vulnerabilities or other IP addresses?

There are over 6,500 known WordPress plugin and theme vulnerabilities. WordFence can protect you from the 200 most recent of them, about 3% of known vulnerabilities, and from 40,000 of the 4,294,967,296 IPv4 addresses, about 0.0009% of the address space.

To WordFence's credit, they do a lot of security research and often discover these vulnerabilities themselves, and the 200 or so vulnerabilities they block tend to be the most recent, actively exploited ones. But it is a losing game: no matter how quickly they research and write custom rules for newly discovered vulnerabilities, they often learn of the issue only after customers have already been exploited and malware is infecting client systems.

Until a new custom rule is created and pushed to their customers, your site is vulnerable. This is why WordFence charges clients an additional $500 or $1,000 to clean up malware that the WordFence software allowed to infect the site.

By contrast, BitFire guarantees the security of the RASP system: it will not only clean any malware infecting a RASP-protected system free of charge, but also fully refund the purchase price of the one-year license.

Is WordFence worth $120?

If you plan to use WordFence for your website security, we HIGHLY recommend the paid version. The free version of WordFence only receives new rules 30 days after paying customers do, and free customers do not get the IP block list at all, which greatly reduces the benefit of the software.

By the time 30 days have passed, a vulnerable website has already been exploited. Web scanners like ZGrab and others can probe the entire IPv4 Internet for vulnerable systems in under a day from a single machine. That's right: every one of the roughly 4.3 billion IPv4 addresses checked in a day, from one host.

By the time the new rule is pushed to your website, you have already been hacked.

Is BitFire worth $132?

Properly configured BitFire Bot Control is enough to protect most WordPress websites. Customers who want guaranteed protection and peace of mind, without worrying about possibly spending an additional $500 to $1,000 USD to clean up a malware infection if their security software fails, should consider purchasing a BitFire RASP license to protect their websites.

Need help securing your website?

The only thing we love more than security is helping people. Send a message to our chat room with the form below and someone will reach out shortly to help with any security challenge you may face.