Bulletproof Security or Wordfence: Which Security Plugin Is Better?
You’ve just launched your website and it’s starting to get some traction. You notice that you’re getting a lot of traffic, but it’s coming from a suspicious source. You don’t know what to do, so you decide to look into comparing security plugins for WordPress.
Wordfence is an incredibly popular security plugin for WordPress websites that is often mentioned in reviews and recommendations. This plugin offers a wide range of features, including a malware scanner, cleaner, and firewall—the three most important components of any website’s security. While it certainly has its benefits, there are also drawbacks which will be discussed in this article.
Bulletproof Security often appears in listicles too, but does it truly merit the attention it receives, and does it deliver on the hype surrounding it? Let’s take a closer look to find out!
TL;DR: There is absolutely no contest. Wordfence is the clear winner if you’re choosing between these two plugins, even though it has its own problems. Bulletproof Security is anything but the reliable security solution it claims to be. We are utterly mystified by its high ratings. If you’re looking for a security plugin that just works, skip both and install MalCare.
When it comes to protecting your website from cyber threats, there are a variety of security plugins to choose from. In this article, we’ll be comparing how both Bulletproof Security and Wordfence handle different aspects of security like scanning and removing malware. Read on to discover the differences between these two security plugins and find out which one is right for you.
Wordfence in a nutshell
Wordfence is the best free security plugin for WordPress. It has a plethora of features that make it a good choice for website security if you have no budget for security. Wordfence includes a firewall and comprehensive malware scanning. However, it should be noted that the scans can only detect 70 to 80% of malware, which is due to the signature-matching mechanism used for detection. This is one of the major drawbacks of Wordfence.
The firewall does a good job of keeping out threats, but the free version’s rules are updated 30 days later than the premium one. Since firewalls rely on rules to keep out threats, this is a significant disadvantage for site security. Plus, it occasionally blocks legitimate users.
Finally, you may also have to check with your web host to see if Wordfence is allowed on your site at all, as it is a resource hog and some hosts outright ban it from their servers. Overall, Wordfence is an excellent security plugin that offers great protection, but it still has some drawbacks that should be taken into consideration before using it.
Bulletproof Security in a nutshell
Bulletproof Security claims to provide reliable security solutions, but it is far from bulletproof. After testing the free version, we were disappointed to find that none of the features, including the malware scanner, cleaner, and login security, worked against real malware. We were not willing to upgrade to the pro version to find out if the firewall was any better, but the free version is definitely a bad security plugin.
Comparison of security features: Wordfence vs. Bulletproof Security
In this section, we’ll be comparing how both plugins stack up against each other when it comes to important security features.
Malware scanning
Wordfence’s free malware scanner is only 70-80% effective, but Bulletproof Security’s scan was abysmal.
Wordfence’s free scanner only runs at 60% efficiency as stated on their dashboard, which is not great. Although scans do complete quickly, this is of little use if they are not effective in detecting malware.
Wordfence also uses signature-matching to detect malware. This means they have a massive database of malware signatures, against which they compare code on your site. Credit where credit is due, Wordfence does a stellar job of keeping their database updated, however by its nature, it cannot detect newer malware. So it is not proof against zero-day attacks.
Additionally, this mechanism works only on file-based malware. Malware can also be in the database; in fact the redirect malware often infects the database more than the files on a site. Wordfence detected all our file-based malware, and by our estimation, it is able to detect 70 to 80% of malware. Unfortunately it is prone to false positives as well.
Lastly, the scanner can only really detect malware in open source or free plugins and themes. This is because they use the publicly available code to compare site code against, looking for additions that shouldn’t be there. This rules out premium plugins and themes, the latter of which make up the vast majority.
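As an added illustration (not Wordfence or Bulletproof Security code), the following Python sketch shows the two mechanisms described above and where each stops: a signature list only catches patterns it already knows, and a known-good manifest exists only for plugins whose code is public. All file names, file contents and the single signature are constructed for the demo.

```python
"""Added example: manifest-based integrity check plus signature scan.
Not Wordfence code; manifest, files and signature are constructed."""
import hashlib
import re


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed pristine copy of a free plugin as published in a public
# repository; the manifest is path -> SHA-256 of the pristine file.
PRISTINE_PLUGIN = {
    "example-free-plugin/example.php": b"<?php\n// original plugin code\n",
    "example-free-plugin/readme.txt": b"=== Example Free Plugin ===\n",
}
MANIFEST = {path: sha256(body) for path, body in PRISTINE_PLUGIN.items()}

# Constructed signature. A real database holds thousands; one is enough
# to show that only already-known patterns can ever match.
SIGNATURES = [re.compile(rb"eval\(base64_decode\(")]

# Constructed installed state: the free plugin with one altered file and
# one extra file, and a premium theme for which no public manifest exists.
INSTALLED_FREE = dict(PRISTINE_PLUGIN)
INSTALLED_FREE["example-free-plugin/example.php"] += b"eval(base64_decode('...'));\n"
INSTALLED_FREE["example-free-plugin/extra.php"] = b"<?php /* constructed: not in any signature list */\n"
INSTALLED_PREMIUM = {
    "example-premium-theme/functions.php": b"<?php /* constructed */\neval(base64_decode('...'));\n",
}


def integrity_check(installed, manifest):
    """Compare installed files to a known-good manifest.

    Returns (modified, added, missing). With no manifest (the premium
    case) returns None: there is nothing to compare against, so the
    files are unverifiable rather than clean.
    """
    if manifest is None:
        return None
    modified = sorted(p for p, body in installed.items()
                      if p in manifest and sha256(body) != manifest[p])
    added = sorted(p for p in installed if p not in manifest)
    missing = sorted(p for p in manifest if p not in installed)
    return modified, added, missing


def signature_scan(installed, signatures):
    """Return files whose content matches any known signature.
    Files are the only input: database-resident content is never seen."""
    return sorted(p for p, body in installed.items()
                  if any(sig.search(body) for sig in signatures))


if __name__ == "__main__":
    print("free plugin integrity:", integrity_check(INSTALLED_FREE, MANIFEST))
    print("free plugin signatures:", signature_scan(INSTALLED_FREE, SIGNATURES))
    print("premium theme integrity:", integrity_check(INSTALLED_PREMIUM, None))
    print("premium theme signatures:", signature_scan(INSTALLED_PREMIUM, SIGNATURES))
```

The manifest catches the added file that no signature knows, and the signature catches the known pattern even in the premium theme, but neither sees anything stored in the database.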
When we tested Bulletproof Security, we observed a few things. Firstly, when we ran a scan for the first time, we had to turn on the database option as well. We are not sure why this is an option and not automatically part of the scan, as database malware is a real thing.
Next, the scan opens up in another window, and is labeled: “file hash maker”. This is a preliminary scan of some sort, although this wasn’t clear from the dashboard.
Next, we ran a second scan (or rather, the first actual malware scan). It took about 5 minutes on our hacked site, and longer on a larger test site with more posts and images.
In spite of all that rigmarole, Bulletproof Security didn’t detect any malware on our very much hacked site. It also caused our wp-admin to become unresponsive, which is an unexpected bonus on top of all the non-scanning it did.
We are further unimpressed to note that it flagged our cron file as suspicious because it has custom code. This is a fairly typical thing for a lot of plugins to do, so it is very unhelpful to suggest we delete the cron file!
Malware cleaning
Wordfence can clear malware it flagged, although we were not reassured by the threats of the site breaking. Bulletproof Security’s malware removal puts all the onus on the site admin.
Wordfence has two automated options for malware removal via the plugin itself: delete all deletable files and repair all repairable files.
They also offer an expert cleaning service for those who wish to have their website cleaned thoroughly, but at a price. Both options removed the flagged malware off of our website although we were afraid of losing custom code as well. However, we had to be cautious when using them because the warnings of the site breaking due to changes were quite dire.
Wordfence was able to clean all the file-based malware from our website. So next, we decided to test the feature with malware we inserted into the database and files of premium themes. Unfortunately, the scanner was not able to detect any of it, so automatic repair was not even an option.
The scan provided by Bulletproof Security was dismal and it didn’t flag any actual malware. So there was nothing to test the cleaner on. However, just for fun, we clicked on the view/ignore/delete suspicious files option to see what would happen.
To be clear, none of the suspicious files that were flagged by the scanner were actually malware. The real malware was allowed to rest undisturbed on our site. How comforting for the hackers.
Each of the suspicious files has four options, and you need to have a good understanding of WordPress files to be able to use this feature. We would not recommend this option, especially for beginners.
Firewall
Wordfence’s firewall is only 35% effective. We didn’t test Bulletproof Security’s firewall as it is a premium feature.
The Wordfence firewall comes pre-installed and ready to use. It is reasonably successful at keeping out attacks.
To optimize its performance, Wordfence recommends keeping the firewall in learning mode for a week to allow it to learn from live traffic. However, for our test websites that don’t receive much traffic, this was not practical.
The free version of Wordfence’s firewall is only 35% effective, so we investigated the reasons behind this.
Firstly, the firewall loads like a plugin, which can limit its ability to block all malicious traffic if it loads after WordPress core. Secondly, while the firewall is updated regularly, the free version experiences a 30-day delay in receiving these updates, leaving a potential window for hackers to exploit.
The firewall in Bulletproof Security is a premium feature, so we were unable to test it. However, we can infer that a lot of heavy lifting is done via the .htaccess file, which is not the most secure method and is not recommended. The .htaccess file is a very powerful one, but it is not meant to be a firewall. In fact, it is on the site, so it loads after WordPress. Therefore, attacks can still get through to the site.
At setup, there is an autofix setting that scans all installed plugins and adds their IPs to a whitelist. On further digging, we saw that this adds lines to the .htaccess file. This can get very unwieldy very fast, so we are not best pleased with this mechanism of filtering traffic.
Vulnerability detection
Wordfence was mostly effective at detecting vulnerabilities but Bulletproof Security didn’t even have this basic feature.
Wordfence correctly identified the out-of-date plugins as medium threats and the vulnerabilities as critical threats. Unfortunately, Wordfence also gave false positive errors for iThemes and Backupbuddy, demonstrating its tendency to occasionally generate false alerts.
It is remarkable that Bulletproof Security does not have such a basic security feature, considering that even iThemes offers this capability.
Brute force login protection
Wordfence has effective and customizable login security. Bulletproof Security offers a useless one.
Wordfence’s brute force protection is enabled by default and functions effectively, locking out users after a certain number of incorrect login attempts as per the configuration set in the Firewall section. This section also offers many customization options, such as setting lockouts, time limits for lockouts, and password management options to enforce strong passwords and prevent data breaches. Although it is possible to whitelist IPs, we are uncertain of its effectiveness because dynamic device IPs could result in legitimate users being locked out.
Bulletproof Security’s login security feature adds a simplistic captcha field to the login screen which must be correctly entered to avoid an error. However, this is too basic and can easily be bypassed, creating an unnecessary point of friction for legitimate users.
To make matters worse, entering random details in the username and password fields with the correct captcha actually autofills the captcha field the second time around, thus practically eliminating the minor hurdle that was initially created. It is safe to say that this security feature is completely ineffective.
Activity log
Neither has a user-friendly activity log, but Bulletproof Security does have a security log for the firewall.
We were taken aback to find that Wordfence lacks an activity log, which is considered one of the most essential security components. There is an option to enable debugging in the Diagnostics section under the Tools menu, but this only makes the firewall logs more detailed, which is not the same as an activity log. After further research, we found that there is an activity log for Wordfence events in the Scan section; however, it is solely for development purposes and not user friendly.
Bulletproof Security does not offer an activity log, only a security log which records firewall activity.
Two-factor authentication
Wordfence offers the feature and Bulletproof Security doesn’t.
Wordfence’s two-factor authentication is simple to configure and customize, and was formerly a premium feature but is now accessible with the free plugin.
If you guessed that Bulletproof Security does not provide two-factor authentication, you’d be right.
Server resource usage
Both take up server resources but at least Wordfence provides results.
Wordfence’s resource-intensive nature was painfully obvious. Every action it performs on a website consumes server resources, resulting in a spike in disk usage during scans. On our relatively small websites, this caused the disk usage to double or even triple, which adversely affected load time, response time and the overall user experience.
Bulletproof Security’s scans consume resources, yet they do not flag any malware, making the situation even more frustrating. It was almost rubbing salt on a wound.
Alerts
Wordfence offers too many alerts. Bulletproof Security has no alerts.
With Wordfence, there were an overwhelming number of emails. We were inundated with alerts in a very short time, rendering them ultimately useless as too many alerts can lead to inaction when needed.
Given that Bulletproof Security’s scan was unable to detect any malware and its login security was a damp squib, it is not surprising that we did not receive any alerts. After all, what would there be to alert us to?
Installation, configuration, and usability
Wordfence is easier to set up and configure. Bulletproof Security is confusing.
The installation, configuration and general use of Wordfence are among the best we have encountered. Their documentation includes walkthroughs of each major section, providing comprehensive explanations of the most important settings and features in easy-to-understand language.
Furthermore, Wordfence provides great recommendations for configuration and their documentation is readily available via tooltips on the dashboard, thus making it highly user-friendly. Each feature is explained in detail and instructions on how to apply it to your website are accessible without delay.
The setup wizard of Bulletproof Security was somewhat confusing as it is not immediately evident what it does. We found that it creates folders and database tables, adds installed plugins to the .htaccess file to create a whitelist, backs up the site database, and enables the default settings. However, it does not back up any files which could be just as important.
Additionally, the setup only showed one blue or red line item informing us that our .htaccess file is not protected. The interface is extremely difficult to navigate and is loaded with obscure terms without explanation, making the setup process an absolute mess.
Extras
Wordfence includes a Notifications section which indicates which plugins and themes need to be updated due to being considered critical or medium threats.
There is also a Wordfence Central dashboard which allows one to manage multiple sites on the same account, and it has an accompanying section on the wp-admin of each connected site as well. In our opinion, this feature is of limited utility for agencies with hundreds of managed sites.
The Live Traffic section logs and classifies traffic, and there is a “Who is” lookup option to view the attacker without leaving wp-admin.
The Diagnostics section is particularly interesting as it offers comprehensive information about the website, giving developers a spec of the website in one place.
Bulletproof Security adds a large number of hardening options to the .htaccess file, some of which are very specific such as the Timthumb vulnerability code and the protection of root folder and files from access. We do not recommend tampering with access of core WordPress files and feel that using a good firewall is a better choice.
What’s missing?
Although Wordfence is an impressive security plugin, it lacks both bot protection and an activity log. The scanner is quite advanced and surpasses most other security plugins, bar MalCare. Despite these missing features, it is still an exceptional security plugin.
Bulletproof Security lacks a scanner, login security and presumably firewall capabilities, although this is uncharitable speculation on our part.
Pricing
The free version of Wordfence is quite robust, and the annual subscription fee of $99 is quite reasonable. Previously, an additional malware cleanup fee of $490 was charged in addition to the $99 subscription fee. However, with the introduction of the Care and Response plans, customers can opt for the Care plan from the beginning. The Response plan offers a guaranteed 1-hour response at a cost of $950 a year per site, which is extremely beneficial in the event of a hack as time is of the essence. This renders the Care plan somewhat inadequate.
For the one-time payment of only $69, you can get no security for your WordPress site – an absolute bargain!
How to choose a security plugin that is worth your money?
Drawing from our extensive knowledge of WordPress security, we have compiled a comprehensive list of essential features to look for in a security plugin. We have left out any features that are not directly related to security in order to provide you with a concise and informative guide.
Essential security features
Good-to-have security features
Potential problems
Best alternative to Wordfence and Bulletproof Security: MalCare
In all honesty, the best alternative to both Wordfence and Bulletproof Security is MalCare, which is a comprehensive security plugin with everything you need and more. It offers the bot protection and activity log that Wordfence is missing and is far more reliable. Also, we haven’t forgotten the database.
Recommended read: Wordfence alternatives
Final thoughts
So, to wrap it up, when selecting a WordPress security plugin for your website, it is essential to consider the scanner, cleaner and firewall capabilities as these three features are the foundation of a reliable plugin. Here at MalCare, our mission is to provide security that is stress-free and effortless, so you can concentrate on the essential elements of your website while we ensure its security.
FAQs
Is Wordfence worth it?
Wordfence free is excellent for its price, which is nothing. Wordfence premium versions are not much more effective than the free version.
Is Wordfence’s free version good enough?
Yes, the free version of Wordfence is good enough for basic security needs. It provides a scanner, firewall, and login security, all of which are necessary for a secure website.
Does Wordfence slow down your site?
Yes, Wordfence can slow down a website considerably. It is a resource-intensive plugin, consuming server resources when performing scans and other operations, thus leading to an increase in disk usage and potentially impacting load time and response time.
What is the best alternative to Wordfence?
MalCare is the best alternative to Wordfence as it offers a comprehensive range of features and is far more reliable. It provides bot protection, an activity log, and a database scan which Wordfence is missing, and is also much less resource-intensive.
Recommended read: Comparison between Sucuri and Wordfence