Jetpack vs Wordfence: Which is Better?
Jetpack is a multipurpose administrative plugin, and packages backups, security, growth and speed in one handy-dandy plugin. Plus, it has the cachet of being from the Automattic stable, so it obviously carries weight in the WordPress domain.
Our other contender is Wordfence, arguably the most popular WordPress security plugin today. They are known for their take-no-prisoners approach to security, and the terrific security resources they develop consistently.
We put 5 WordPress security plugins through their paces in a testing series that lasted 1.5 months. We wanted to find out how each plugin copes against malware, attacks, vulnerabilities, and more.
VERDICT Perhaps it is better to do one thing really well, than do many things but be average. Between Jetpack vs Wordfence, Because regardless of its WordPress pedigree, Jetpack lost out in this pitched battle. Wordfence is a great free security plugin, with some downsides, but still a better option to Jetpack.
The central idea behind this testing series was to find the best WordPress security plugin for your website. To that end, we took the top 5 plugins, 3 test sites, and set aside 45 days to figure out all the pros and cons of each plugin.
Our 3 test sites were set up as follows: a simple blog with around 500 posts, images and comments as a control; a site with vulnerable plugins and themes; and lastly a site full of different types of malware. We subjected the plugins to SQL injection attacks, RCE attacks, and brute force attacks, while also pitting them against the redirect malware, pharma hack, Japanese keyword malware, and much more.
Each plugin boasts a different set of features, but for WordPress security, the most important ones are the scanner, cleaner and firewall. There are other good-to-haves too, but these are critical.
At the end of 45 days, one clear winner emerged: MalCare. With a sophisticated scanner, automatic malware cleaner and an advanced firewall, it was impossible to beat. Looking for the best security plugin for your WordPress website? Choose MalCare.
Summary of Jetpack vs Wordfence comparison
If you were wondering, Jetpack vs Wordfence—which to pick? Choose Wordfence. It is orders of magnitude better as a security plugin.
We like Jetpack’s all-in-one approach to WordPress administration, but it really takes a beating on the security front, especially when compared to Wordfence. That doesn’t mean that Wordfence doesn’t have its own problems; just that it is contextually better than Jetpack.
Ultimately, neither Jetpack nor Wordfence are the best option for your website’s security. We will go into more detail later in the article, but if you want to cut to the chase, download the best-in-class security plugin: MalCare.
Jetpack in a nutshell
Jetpack’s malware scanner is mediocre at best. It will be able to detect some of the malware on your site. However, there is no cleaning option nor a firewall. While there are some decent security features, they have less impact on website security. Overall, Jetpack isn’t a good option.
With any security plugin, we look for 3 important factors upfront: malware scanner, malware cleaner, and firewall. Jetpack has already flunked 2 out of 3 from that list, so we started by checking out the malware scanner.
Jetpack was the second plugin we tested, after iThemes, and frankly we were happy to see something work like it was supposed to. Obviously, this is not a good approach when trying to be objective, so we threw a lot of malware at Jetpack to see how it would react. Disappointingly, the malware scanner caught about 30% of the infected files and folders on our hacked WordPress website.
When we tried out the other features, like brute force protection, it worked inconsistently. Sometimes the attacks were stopped, and at other times we weren’t able to elicit any response. The plugin didn’t detect all the vulnerabilities on the website either. The more obscure ones remained undetected, even though they contained serious security flaws. Our test site only had a few vulnerable themes and plugins, so the outcome of 2 out 3 wasn’t bad. However, with a larger site with more software, that ratio is sure to be much worse.
It wasn’t all bad though. Jetpack’s activity log is really great and user-friendly. No obscure tech jargon that people cannot understand easily. We also liked the integrated backups feature, because backups can be the last saving grace with an infected site. We weren’t able to test the backups though, because it was out of the scope of this experiment.
On the whole, Jetpack is a below-average security plugin. We would have expected a lot more, considering the huge price tag, but it still isn’t the bottom of the barrel for us. That dubious honour goes to iThemes.
Wordfence in a nutshell
After MalCare, Wordfence is the best free security plugin we have tested. If you have zero budget for website security, Wordfence will give you the best website security. The scanner detects most file-based malware, and the automatic repair will get rid of most of it. The firewall is one of the most updated ones available, but if you opt for the free version, you should be aware that it doesn’t receive real-time updates. Wordfence has a malware removal service too, but it is expensive.
We left Wordfence for the last in our testing series, because we were super excited to try out the acknowledged heavyweight of WordPress security plugins. Except for MalCare, the other plugins were disappointing at best, horrifying at worst.
Wordfence’s scanner detected all the file-based malware in the WordPress core files, the website root, and in the plugin and theme files and folders. On the surface, this may look like a great scanner, and in many ways, it is definitely above-average. However, Wordfence failed to detect malware that was squirreled away in premium plugins and themes, and in some cases, in the database as well.
The major downside of the scanner, apart from the fact that it can’t check every nook and cranny of your website, is that our websites took a performance hit. Wordfence uses server resources to do anything on the website. That’s not good.
At this point, Wordfence is still better than all the other security plugins we tested. Our opinion went up several notches when we tried the automatic repair feature, and it removed all the malware that it detected. Of course, it wasn’t able to remove the malware it didn’t detect, but the automatic malware removal is much quicker than waiting for a security expert to clean the website. Again, this is way better than the other plugins we tested, except for MalCare.
Lastly, we tried out the firewall, which was effective at blocking several exploits, like SQL injection, XSS attacks, and remote code injections.
Wordfence is a great free security plugin, but it is prone to false positives and sending alerts for every tiny thing the firewall blocks. After a few days, we couldn’t find the signal because of all the noise. Frankly, too many alerts are just as bad as no alerts, because they lead to the same outcome: no action.
Once we checked the 3 major security features, we tried out the two-factor authentication and brute force protection. Both work really well. Wordfence also detected all the vulnerabilities on our websites, even one in an obscure plugin that most of the other plugins failed to detect.
What we absolutely loved about Wordfence was the great user experience. No unnecessary, terrifying jargon and complex security terms on the dashboard. Simple language, with clear recommendations for newbie admins.
We were surprised that Wordfence doesn’t have an activity log, except for a raw log evidently intended for Wordfence developers. It also doesn’t protect websites from bad bots, which is strange.
In summary, Wordfence is highly recommended for websites that don’t have a budget for security. It is the best free option, but even so, doesn’t provide complete security. For that peace of mind, you should opt for MalCare instead.
How to pick the best security plugin
With all the misguided expert advice available online, WordPress security can be a black box at the best of times. Many admin want to be certain that their sites are protected, but don’t understand the details, and therefore don’t know how to pick the best option for their websites.
As a part of this testing series, we wanted to make sure that we presented all our data in an unbiased and approachable way. That meant we needed to explain how and why we arrived at our conclusions.
Security plugins can have a ton of features, and sometimes those features serve to obscure the ineffectiveness that lies beneath all that hype. If a huge feature list is not a good metric to choose a plugin, what is? Well, these factors:
- Essential security features
- Malware scanning
- Malware cleaning
- Good-to-have security features
- Vulnerability detection
- Brute force login protection
- Activity log
- Two-factor authentication
- Potential problems
- Impact on server resources
As you can see, this is a very short list. But these are the factors that will prevent hackers from exploiting your website, and malware from upending your website and peace of mind. Of all the plugins we tested, none hit the spot for us.
In fact, the only plugin that aces this list is MalCare. With MalCare, your website is assured of an excellent malware scanner, a cleaner that automatically removes malware without breaking your site, and a firewall that prevents hackers from exploiting vulnerabilities. You absolutely cannot go wrong with MalCare.
Worfence vs Jetpack Security: Head-to-head comparison of features
To present the results of our testing process fairly and concisely, we organised the data by feature. Each plugin has its pros and cons, and depending on what you are looking for, this section will help you gauge both Wordfence and Jetpack on the merits of that particular feature.
We’ve organised the list from most important to least, and encapsulated our experiences with settings, installation, and other aspects of the plugins.
However, if you prefer to skip to the conclusion, we recommend installing MalCare on your WordPress website and calling it a day.
The Wordfence scanner found all the file-based malware in core WordPress files and folders, and free plugins and themes. But it couldn’t detect malware in our website database, and stuff in some premium plugins and themes. Jetpack found approximately 30% of the malware on our website.
Once you activate Wordfence, two things happen right away: the first site scan starts, and the firewall goes into learning mode. We’ll cover the firewall in more detail later. We saw the scanner was running, and it soon reached 60%. And then it stayed there for a while. Ok, we figured that it needs more time to run, so left it alone for a few hours, and came back to find it was still at 60%.
As it happens, the 60% isn’t a progress bar for the scanner, but an indicator for the efficiency of the free scanner. To get to 100%, you need to upgrade to the pro version. This was the first and last instance of cognitive dissonance with Wordfence, so we let it go.
We set Wordfence to scan the website again, and were pleasantly surprised to see it finished really quickly. 37 seconds, to be precise, for our tiny malware-ridden website. The scanner detected all the malware in the core WordPress files and in free plugins and themes, but nothing from the premium ones nor from the database. So, in spite of Wordfence being a terrific alternative to almost all our plugins out there (except MalCare of course), the scanner is strictly above-average only.
Our takeaway is that Wordfence’s malware database is extensive, and relatively up to date. However, if the Wordfence team has not come across malware, it will not be in the database. Therefore, it cannot protect websites against newer threats.
Another downside to the scanner is that it generates a lot of false positives. False positives are as good as no alerts, because they lead to mistrust of alerts and complacency.
Jetpack includes a malware scanner as part of its paid plans. Although it is not a patch on Wordfence, we noted that Jetpack detected some malware. The percentage is considerably less than that of Wordfence though, clocking in at about 30-50% efficacy, compared to Wordfence’s 70-80% efficacy.
Jetpack doesn’t have malware cleaning, automatic or otherwise. Wordfence does have an option to repair infected files, but only the malware it actually detects in the first place. On the other hand, Wordfence has a premium malware removal service, which costs an eye-watering $490 per site.
After the scan, Wordfence lists out the hacked files with a recommendation to get the files cleaned by their professional WordPress experts. Alternatively, you can try using the two automated cleanup options on the dashboard: delete all deletable files and repair all repairable files.
In our tests, the delete option got rid of 1 file successfully without errors, leaving lots of other files still hacked. Then tried the repair option, which fixed all the files shown in the list. That’s great, because that meant we didn’t need to spring for malware removal separately.
Our only gripe with this entire episode was that there were terrifying warnings that our site may break if we use the delete or the repair option. We made sure that we had backups though, and powered through. The malware we found still needed to be removed, so the warnings made us briefly debate whether living with malware was better than breaking the site. No, that’s not the case at all.
Because the other security plugins we tested didn’t even reach this point in the festivities successfully, we didn’t bother checking them against any other types of malware. However, since Wordfence made short work of the file-based malware, we added some curveballs to our testing repertoire.
First, some hacked redirect malware went into our website database. Then, we added several Japanese keyword hack spam pages as well. Also, we inserted malicious scripts into premium plugins, and installed a nulled plugin on the test websites. We assumed that these would trip the scanner up, and they absolutely did. The scanner didn’t register any of the malware in non-core, premium folders.
Wordfence’s malware database is comprehensive, but appears to rely heavily on what their team has seen before. That’s when the automatic repair works. Wordfence is incapable of detecting obscure malware, or malware in premium plugins and themes. The net result is that the cleaner is really only as effective as the scanner, which is about 70-80% effective in its own right.
The next step up is opting for Wordfence’s malware removal service, which claims to remove all instances of malware, backdoors, and furthermore assesses the site for vulnerabilities and security lapses. As part of the package, Wordfence will assist you in getting your website delisted from any blacklists, like Google’s for instance. There is a 1-year guarantee for the cleanup, providing you follow the post-hack checklist assiduously to the letter.
Please note that we are not able to comment on the efficacy of the malware removal service, as we didn’t try it out.
Jetpack hedges a little on the subject of malware cleaning on their website. That, in itself, is a dead giveaway that they can’t do it. Malware cleaning is arguably the most critical and the hardest part of WordPress security, seeing as clumsy removal can damage a website beyond repair. If a plugin can clean malware confidently, they will talk about it for sure.
Our expectations of Jetpack were not high, especially after we saw that the scanner cannot flag all the malware. We were justified because even with the malware it did flag, Jetpack was unable to do anything with it. The scan results show the actual code that has been tagged as malware, and the suggestion on each tag is to get an expert to remove it. So it is not comprehensive nor helpful.
Jetpack doesn’t have a firewall. Wordfence’s web application firewall will protect websites effectively from most major and common attacks. One point of concern is that the free version gets updates after the premium one.
A firewall is an integral part of your WordPress security, because it stops WordPress attacks and malicious traffic from reaching your website. If bad actors can’t reach your website, they can’t exploit vulnerabilities, and therefore cannot install malware. Think about a firewall as the security perimeter around your website. Jetpack doesn’t have a firewall, so this section is really only about Wordfence.
The Wordfence firewall goes directly into learning mode when you first install the plugin. It is recommended that you leave it learning mode for at least a week for best results. This is correct, because firewalls require live traffic to block effectively in the future. In our case, our test sites don’t get any traffic, so we switched off the learning mode immediately, and got down to testing.
Both the free and premium versions of the Wordfence firewall successfully kept out attacks. We tried SQL injections, cross-site scripting attacks, cross-site request forgeries, and remote code injections. We could not exploit any of the vulnerabilities on the site.
There was one question though. The Wordfence dashboard shows the efficacy of the free firewall at 35%, as opposed to the proposed 100% of the premium firewall. So what then is the difference between the free and premium versions?
The difference is two-fold: the first is when the firewall loads on your website; and the second is when your firewall receives updates.
Both of these factors are non-trivial differences, and are crucial to how the same plugin can have a 65% efficacy difference between their free and premium versions. We will break both differences down to explain what is going on here.
Firstly, your website loads in a sequential order. WordPress is generally first, with the core files and folders, then the plugins and themes, and the database. This is known as the load order, and the most important files always load first because they are instrumental to the rest of the site. For instance, without wp-config, you can’t connect to the database. This is a small example, but is indicative of how important load order is when dealing with security.
The free Wordfence firewall loads like an ordinary plugin, which means it loads after WordPress, all the core files, and maybe alongside the other plugins. That means, the firewall cannot keep all malicious traffic away from the site, but only some of it.
Secondly, firewalls are effective because of the rules they contain to filter out bad traffic. These rules need to be updated on a regular basis to account for the changing threats.
MalCare’s firewall for instance learns from all the websites it protects. So if the firewall blocks out a threat on a few websites, it learns that there should be a rule for that threat, and updates the firewall rules on all the other 100,000+ websites it is installed on—even before the threat ever hits those websites. That is the power of preemptive protection.
So, while Wordfence has the most updated firewall, free firewall users get updates later than their premium counterparts. If there was some indication of the length of the delay, we would be able to say how much of a calculated risk it is, because even a small window is problematic. However, there isn’t, so we can only speculate it is considerable. Who knows.
Wordfence zeroed in on all the vulnerabilities on our test websites, whereas Jetpack missed some of the lesser known ones entirely.
During the initial scan, Wordfence alerted us of all the vulnerabilities, flagging them as critical threats. We included a lot of obscure plugins and themes, because those tripped up the other security plugins during their scans. Some of them have less than 200 users and are highly niche. So full points to Wordfence on that front.
An extra point that we really liked is that WordFence flagged out-of-date plugins and themes as medium threats. This is really important, because vulnerabilities in outdated software are a major cause of successful hacks on WordPress websites.
Interestingly, you cannot fix vulnerabilities from the WordFence dashboard. Several lesser security plugins add this as a bonus feature, however at its core, the “feature” merely updates the outdated software—a functionality that already exists on the wp-admin dashboard. There is no real reason to replicate that, unless the plugin has managed updates like MalCare does.
Jetpack flaked out on us and missed the obscure outdated software altogether. Not all that surprising, but disappointing nevertheless.
Brute force login protection
Wordfence does a great job of protecting the login page from brute force attacks. Jetpack adds a captcha to wp-login, when there are several login failures, but it doesn’t block the IP even temporarily.
Just for the record, IP blocking is an imprecise feature to begin. So why are we pointing out Jetpack’s inadequacy in that respect? Mainly because they have so many settings dedicated to whitelisting IPs, to the extent that we figured we were in imminent danger of blocking ourselves. But nothing. If you are going to talk up any feature that much, you need to have good follow-through. That’s all.
We brute-forced the login page many times over, and well over our set limit. The only difference we saw was a numeric captcha that wasn’t there before. It was minus any branding, so we will go out on a limb and assume it was Jetpack.
Overall, the captcha is an elegant but inadequate solution to brute force attacks on the login page. Brute force attacks can overwhelm a website by using up server resources, so they need to be kept out with more than just a captcha.
Wordfence, on the other hand, worked like a champ. We are somewhat spooked by a huge number of settings for every plugin, and it can sometimes mean that the plugin doesn’t work, so it was refreshing to see just a few options.
Although brute force protection is enabled by default, you can customise settings from the firewall section. There are options to set the number of failed login attempts that lead to a temporary lockout, and even how long that lockout should last. Inevitably, we see the allowlist option, even though we know that device IPs are dynamic, so this is indicative at best, pointless at worst.
You will also find the strong password options here. While those are great to have, in the firewall section, under brute force protection is not the logical place to have those settings. Yes, they are both related to login security, but that still requires a leap to connect. We’re doubtful about people finding these very useful settings in this remote spot.
We really liked Jetpack’s activity log, as it is one of the best versions we have seen. Surprisingly, Wordfence doesn’t have an activity log.
We are really surprised that Wordfence doesn’t have an activity log because it is a really important part of website security. Hackers take advantage of insufficient logging to attack sites. You definitely want to have a reliable activity log that has the correct information about the goings-on of your website.
On Wordfence, there is an option to enable debugging, in case something goes wrong. The option is buried deep inside the Diagnostics section under Tools. It is intended to make firewall logs more verbose. We also found a full activity log specifically for Wordfence events in the Scan section, but that’s not what we mean by activity log. It also looks like a raw log meant for Wordfence developers.
Jetpack’s activity log feature is excellent and makes it super easy to understand what has occurred on the website. It is available for preview on the free plans, but needs a premium subscription to really be of any use. The logs have all user, plugin, and theme activity information, with the additional feature of alerts for things that require attention, like malware or vulnerabilities.
Our caveat here is that the activity log data is only available for 30 days. We would have preferred to see a much longer time frame for it to be really useful.
Wordfence has great two-factor authentication, which works out of the box. Jetpack doesn’t have this feature.
Two-factor authentication is not a deal breaker for a security plugin, because there are dedicated plugins available for the functionality. So we aren’t coming down too hard on Jetpack for not including it.
On Wordfence, the two-factor authentication works perfectly. Best of all, it is straightforward to use, without a whole bunch of confusing options. In fact, it used to be a premium feature, which is now available for free users as well.
Server resource usage
Jetpack will use some server resources for its scans, but not perceptibly affect performance. Wordfence, on the other hand, is banned by certain web hosts because of how much strain it puts on server resources.
We realised that Jetpack is something of a lightweight in terms of security, and has a similar impact on server resources. There is a noticeable blip in disk usage, but we didn’t see too much impact on website performance.
Wordfence was a server resource vampire. Granted, we scanned the website many times and threw a bunch of tests at the malware, but we were not expecting disk usage to skyrocket 2-3x. Frankly, our test sites are small, so the penalty wasn’t serious. But we shudder to think what would happen on an ecommerce site or one with a lot of content. Yikes.
After seeing a bunch of messages on its dashboard, it is fair to conclude that Wordfence uses the site resources to do everything: right from scanning to cleaning, and everything in between. The trouble with this is that performance and security shouldn’t be pitted against each other in some sort of tradeoff. You shouldn’t have to compromise on either.
Jetpack sends you the odd alert once in a while, whereas Wordfence can drown your inbox in an hour.
In our opinion, alerts need to be balanced. You want to know if something has gone pear-shaped with your website as soon as possible. But you don’t need an alert if someone sneezes in the general vicinity of your website. Balance is key.
Wordfence fails miserably in this department. The alerts from scan results, false positives, firewall lockouts, and much more are too numerous to count. Frankly, a good firewall should block attacks directly, without creating an alert every time.
In this instance, Jetpack does really well. You only get alerts for things that matter, like discovered vulnerabilities or detected malware; that is, things that need your immediate attention.
Installation, configuration, and usability
Wordfence was the easiest installation ever. Can’t say the same about Jetpack.
Wordfence was so great in this respect. Start using the plugin, and it shows you the way forward. No complicated configurations at all. The language used is simple and approachable.
We especially liked how there are short walkthroughs as you visit each section on the dashboard for the first time. The clear explanations are easy to understand, and there is none of that tech gobbledegook that usually accompanies these things.
The overall design is very intuitive, and designed to give you a bird’s eye view of your website’s security. If anything feels confusing, click on a tooltip and get taken to their excellent documentation.
If Wordfence was easy, Jetpack was surprisingly tricky. The installation leans heavily on the need to upgrade. You even have to choose a plan, free or otherwise, to proceed at all. It could have been much better than it is.
The good thing about Jetpack is that it combines multiple WordPress admin tasks into one plugin. It has backups, which we know are super important for any website. The external dashboard is on WordPress.com, so it is very familiar to use.
Having said all that, we would have given Jetpack an unequivocal thumbs up as a security plugin without the frills and furbelows, if it had done a good job of protecting our websites. It didn’t so ultimately none of these good-to-haves are of any value.
Wordfence is all about the security. There is nothing in the plugin that is even security-adjacent, like the possibility of updating plugins as we mentioned before. But there are still a ton of extras.
Starting from install, the first thing we noticed is a notifications section for site updates. For instance, it showed us that 5 of our test site’s plugins needed to be updated.
Moving forward, there is a panel called Wordfence Central status. This is to allow you to connect your account to multiple websites, and see the status of all your websites in the wp-admin of this website. If that sounds confusing, it is because it is confusing and not at all intuitive. You really don’t want to manage multiple websites from the dashboard of one website. You need an external dashboard for that, which Wordfence Central actually is. But it does a poor job of bringing that across.
Wordfence Central is alright, nowhere close to full-featured though. Perhaps we are spoilt because of MalCare’s dashboard, which feels like an airplane control panel for websites. Wordfence Central looks unwieldy for anything more than 10 or 20 sites, and could be much better.
In the Tools section, there is a panel for live traffic. It initially looks like it is a skin for Google Analytics, but it turned out to be more than that. It records traffic logs to your website, and you can see exactly what kind of traffic your website gets: human, bot, warning, blocked.
We thought Diagnostics was quite interesting, as it had a lot of information about the website; things like process owners and database tables, for instance. It is like a blueprint of the website, which the status of each of the specifications alongside. It doesn’t look like something a normal user would need, but definitely could help out a developer.
What’s missing from Jetpack and Wordfence
Ultimately, there is a lot missing from Jetpack: the scanner is below-average, there is no cleaner or firewall. The rest of the stuff is alright, but these three factors are non-negotiable for security.
Wordfence doesn’t have bot protection, and surprisingly no activity log. Although it is a comprehensive security plugin, the drain on server resources and the tendency to cry wolf at the drop of a hat is off-putting.
Jetpack vs Wordfence: Pricing
Jetpack is exorbitant at $300 per year for the security suite. Wordfence premium is far more reasonable at $99 for the year, but the premium version isn’t a significant upgrade on the free version.
Wordfence has a really great free version, and in our opinion the upgrade to premium doesn’t add much more. The site license is still competitive at $99 a pop, and gets better with more websites.
The knockout punch from the Wordfence corner is their malware removal service. That will set you back a cool $490 per site cleanup. The 1-year guarantee is also subject to terms and conditions, so you shouldn’t consider that a one-time expense.
Jetpack is really not worthy of that fancy price tag. There is little to say beyond that.
Better alternative to Jetpack and Wordfence: MalCare
The best investment you can make in your website is to invest in a good security plugin. By this point, you know what to look for in a security plugin. And you will find all those things and more in MalCare. MalCare scans, cleans and protects your website from exploits in a major way. It far outperforms all other plugins.
Plans for MalCare start at $99 for the Basic plan, which includes unlimited cleanups. Contrast that to Wordfence’s $99 plan and $490 per cleanup needed thereafter and the choice becomes clear. MalCare all the way.
We really hope this article helps to clear any confusion with respect to WordPress security. It is admittedly hard to wade through all the misinformation available online to arrive at a good decision.
If you have any questions, please write to us. We would be happy to help, and thrilled to hear from you!
Karishma was an engineer in a former life, and so she specialises in making tech more accessible through communication. When she isn't writing, Karishma spends her time tinkering in the innards of WordPress websites