Wordfence Review: The Good, the Bad, and the Secure


Wordfence is a popular and well-regarded WordPress security plugin for keeping your website safe from malware and attacks. However, with so many choices available, it can be tough to determine which security plugin is the best fit for your needs.

That’s where I come in. I have put together a comprehensive Wordfence review to help you make an informed decision and feel confident that your website is secure. You can trust that I have thoroughly researched and tested Wordfence to provide you with the most accurate and up-to-date information.

So, sit back and relax, knowing that I am here to guide you in the right direction towards a secure website.

TL;DR: WordFence’s free version is a really good security plugin for website owners with zero budget for security. However, there are a bunch of downsides, including some security lacuna: like false positives and missed malware with their malware scanner. I strongly recommend MalCare instead, which is far more reliable and effective at blocking threats.


Wordfence is a great option for brand new sites or those with a low budget. It’s one of the best free security plugins that I have tested, after MalCare of course. While it may not provide a 100% shield against malicious attacks, it does the best job amidst the others.

However, there are a few things that I don’t like about Wordfence. For starters, the Wordfence scanner is only reliable when it comes to finding malware in certain sections of the website. It can scan for malware in the core files and non-premium plugins and themes, but it does not detect malware in the database, which is often a target for malware.

Additionally, Wordfence’s cleanup services can be seriously expensive—insanely expensive, actually! Furthermore, the Wordfence firewall loads like any other plugin, therefore it is not 100% effective at blocking malicious traffic. Even worse, the free version firewall only receives updates after the premium version, which can take up to 30 days. This provides ample time for hackers to exploit any weaknesses.

Another issue with Wordfence is that it can have quite an impact on your server resources. Every time a scan runs, you will notice a significant reduction in your site’s performance. In fact, for this very reason, some web hosts ban it altogether. Wordfence also lacks any bot protection, which is a must-have for any website security solution.

Overall, in this review, I will provide a detailed analysis of Wordfence’s features, user interface, and overall effectiveness based on my own experience and research.

💡 MalCare is a vastly better option to Wordfence, with an excellent malware scanner and advanced firewall available with the free plugin. Only if malware is detected on your site, do you need to upgrade to a premium subscription for a detailed report and one-click removal feature.

Critical security features and Wordfence 

When I consider any security plugin, there are 3 non-negotiable features that I always look for: a malware scanner, a malware cleaner, and a firewall. These features are at the top of my list when determining if the plugin is a viable choice. I have provided extensive information about these three features and more in this section.

Malware scanner

The first feature I tested was the malware scanner. A lot hinges on the scanner, as it is the only way you can find out if your site has malware or not. 

The first scan took about 20 minutes. Initially, it seemed like the scan had not finished, but it turned out that the 60% was not a progress bar but a depiction of what percentage of the site the free version will scan.

I conducted another scan and this time around, it finished much faster. The second scan found a big chunk of the malware present on the hacked test website. It detected the malware on the site files, but not the database malware. This is a problem since database-based malware is a very real and dangerous problem. 

The scanner also flagged some errors with the iThemes and BackupBuddy plugins installed on the site. These were false positives.

The second line item in the scan results was a call-to-action to use the premium version to clear up the malware. If you are using the free version, there are some things you can do if your WordPress site is hacked but they are risky. I’ll talk about this in the next section.

Malware removal

The free version of the plugin gave me two malware removal options: delete all deletable files and repair all repairable files. 

I can assure you that deleting a file without care is guaranteed to crash your site. I’m going to assume that Wordfence knows which files are important for WordPress, free themes and plugins, but not for much else. I decided to go with the delete option first and it got rid of one file successfully, but with a warning about how deleting files can break your site. This is going to be a terrifying warning for anybody that’s trying to clean malware from a live site

So, I moved on to the repair option and it was able to repair most of the files with malware. I checked the site again with MalCare’s scanner and it was free of malware. So it was pretty good at clearing the malware that it recognised. If the Wordfence developers know of malware, they’re able to repair the files and remove it. Unfortunately, this means that they can’t remove newly discovered malware. 

It was also clear that the Wordfence plugin isn’t able to deal with malware that is in the database. Much like the scanner, it also does not remove malware from non-core WordPress files or premium plugins, and themes. 

There is also a call to action to reach out to the Wordfence removal service. This is bundled with their Response and Care packages that I will talk about later in this article. In full transparency, I did not test out this service.

💡 Malware removal is a premium feature for Wordfence, as it is for MalCare. The difference lies in the pricing. MalCare has a one-click malware removal feature that takes care of most malware in minutes. For more complex hacks, each subscription entitles you to unlimited manual removal by security experts.


Configuring the firewall was a bit of a daunting task. The firewall rules and scan rules can be overwhelming for someone who isn’t tech-savvy. A developer who knows which IPs to whitelist or blacklist may have more luck, but the average user may not. 

There is also a separate section for the Wordfence firewall. It also introduces the term, Web Application Firewall. Here, they quickly describe what a firewall is and does. 

I also discovered that it is recommended to keep the learning mode active for a week before turning it on. This is because firewalls require live traffic to learn, so that it can reduce the chance of the firewall blocking out legitimate traffic. It didn’t make sense to leave the learning mode on my test sites, as there was no traffic to them, so I went into the options and changed the status to ‘enabled and protecting’. The firewall protects your site effectively against most threats.

This page also explains the difference between the free and premium versions. For starters, the free version of the plugin loads as a regular plugin after WordPress has loaded, which is only somewhat effective. Ideally, a firewall should load before WordPress to block out all malicious traffic

Here’s another good news and bad news situation. Good news is that Wordfence has the most updated firewall. The bad news is that the free version is updated after the premium version. Any amount of delay can risk your site being attacked by malware. So, this isn’t ideal.

💡 Always choose a firewall that integrates seamlessly with your WordPress site. It should understand the nuances of WordPress and protect your site accordingly.

Good-to-have security features 

A good security plugin will not only provide an effective firewall and malware scanning system to protect your WordPress website, but also several secondary security features to enhance your website’s protection. This includes an activity log, vulnerability detection, two-factor authentication, and login protection. In this section, I’ll take a closer look at these secondary security features of Wordfence and explore how they work.

Login protection

When it comes to login protection, Wordfence has got you covered. Brute force protection is in the firewall section and is enabled by default. You can go into the settings to customize the robust set of options. You can set lockouts for incorrect login attempts, and even how much time a user will experience lockout after a certain number of incorrect login attempts. They also provide great documentation on what each option does and how to use it most effectively to protect the site.

You can also set an allowlist for IPs that are not to be tested by the firewall. This is of limited value, because you’ll find that your device IPs will change.

Additionally, there are options that can enforce strong passwords, preventing the use of passwords found in data breaches, and much more. Brute force protection works exactly as per your settings, so you can be sure that your site is secure.

Vulnerability detection

Scanning with Wordfence revealed some out-of-date plugins as a medium threat. It’s always good to keep everything updated, so this was a good reminder. 

The plugins with discovered vulnerabilities were also flagged correctly as critical threats, even for obscure plugins with less than 200 users. It’s great to see that Wordfence can pick up on these vulnerabilities, as many of the other plugins I tested weren’t able to. 

Unfortunately, there is no way to fix the vulnerabilities from the Wordfence dashboard. Most of the other plugins, like Jetpack and Sucuri, recommended updates and allowed you to carry those out from the same panel. On Wordfence, it will take you to the updates dashboard instead. It would have been a useful feature.

Two-factor authentication

Securing accounts with two factor authentication is a very popular security measure, however it can be a bit of a pain to set up. On Wordfence, it used to be a premium feature to enable this feature on your WordPress site, but now it’s free. Plus, it’s super easy to set up, plus you can customize several options and enable recaptcha to add an extra layer of protection.

You can also use two factor authentication on your Wordfence account. This can be helpful to protect your account, especially if you’re managing multiple sites.

Activity log

If you’re looking for an activity log on Wordfence, it’s not readily available, but you can enable debugging from the Diagnostics section under Tools. That will give you more verbose logs, though they won’t be the same as a full activity log. 

There is a scan log, but it looks to be more for Wordfence developers. Just be aware that enabling the debug mode will take up more server resources, as stated in diagnostics.

Installing and configuring Wordfence

When it comes to managing your WordPress website’s security, usability is just as important as the security features themselves. The easier it is to install and set up a security plugin, the better. I wanted to make sure that the plugin is user-friendly and beginner-friendly, so that anyone can use it to protect their WordPress website. 


Installing Wordfence is a breeze; it’s just like any other plugin. Plus, it uses a website application firewall, so you don’t need to bother with DNS settings that you might not have access to. No API keys required and no need to mess around with your site’s code. Setting up Wordfence is just like any other web product, and you’ll be able to see your site on the external dashboard immediately.

Ease of use

Wordfence is easy to use, with clear tooltips and links to documentation whenever needed. The documentation is highly contextual and helpful, clearly explaining what each feature does, how to set it up, and why it’s necessary. You don’t need to worry about how to scan or set up a firewall, and Wordfence takes care of most of the security aspects for you. 

However, if your site ever gets hacked, you’ll have to decide how to remove the malware. There are automated options, but the expert removal service that Wordfence provides isn’t included in the free version.

Notifications and alerts

We avoid plugins that send us far too many emails and unfortunately, Wordfence is one of those. 

Figuring out how many security alerts are too many and how many are just right can be tricky, but important. You want to be notified of any critical threats that need your attention, because the more you leave them unaddressed, the worse they become. 

Wordfence sends a lot of alerts, but customizing them can be hard. Plus, after your inbox has been flooded a few times because of a brute force attack, you might end up ignoring all the alerts. That’s basically like not having any at all, so this could be a bigger problem than it seems.

Wordfence central

If you have multiple WordPress sites on the same account, WordFence Central makes it easy to manage them from the wp-admin of each site. But if you’re an agency with hundreds of sites, the limited space won’t work. But, thankfully, it has an external dashboard. 

I was able to add all our test sites and got a bird’s eye view of all our websites. Just create an account on WordFence and you’ll be able to add all your sites. It can get a bit crowded with more than 20 sites, but it’s still a great way to have an overview. 

Other factors to consider

Before using Wordfence, there are a few other factors to consider. While Wordfence is a powerful security tool, is it the best security plugin? 

Impact on server resources

Wordfence is a huge resource hog and adds so much bloat to your site. Every scan it runs totally slows down your site, and some web hosts even ban it for this reason. 

On my sites of different sizes, the disk usage doubled when Wordfence started running its scans. This might not be a big deal for small sites, but for those that use a lot of resources, but it’s a significant jump. Plus, if you make any changes to the default settings, Wordfence warns you that it’ll consume even more of your server resources. 

Additionally, if you look in the activity log, you can even see how much memory was used for each scan. But that’s not the worst part: the firewall also runs on your site resources, so if your site gets hit with a sustained attack, you could be in trouble even if it’s protected against these exploits.

Help and support

If you’re using the free version of Wordfence, prepare to be on your own; no support for you! You’ll be relying on the forum for help, which can be a bit of a pain. Now, if you’re using the premium version, you get access to support, but even then it can be a bit hit-and-miss. I’ve seen plenty of complaints on review sites, so just be aware.


The free version of Wordfence isn’t bad, but it’s not exactly the best security you can have for your site. If you want to upgrade to the premium version, you’re looking at a max of $99 per site, and it gets cheaper the more licenses you buy. 

In the past, malware cleanup would cost you an extra $490, but now it’s included in a care plan for the same price per year. That said, you still shouldn’t expect a quick response time to any issues you have, and the 1-hour response time only comes with the $950 a year plan; which is a bit pricey, if you ask me.

What are the best alternatives to Wordfence?

I mentioned that Wordfence has the best free version I’ve tested. But, if you’re not sold on Wordfence, don’t worry, there are plenty of other security plugins out there that could provide the protection you’re looking for. 

  • MalCare: MalCare is the best alternative to Wordfence, especially in terms of offering superior protection for your site. The MalCare scanner is more accurate than Wordfence, and the auto-cleanup is much easier to use. The firewall is also more reliable.

    If your site is hacked, a MalCare plan includes unlimited malware removal by security experts. MalCare detects more vulnerabilities than Wordfence, and only notifies you in emergencies. It does all of this with no impact on your server resources. 
  • Sucuri: Sucuri is a heavyweight in the WordPress security space. If you’re looking for unlimited malware removal, Sucuri has got you covered; all of their paid plans come with it. The thing is the scanner isn’t that great, so you’ll need to know there’s malware on your site before you can make use of the removal feature. On the plus side, the pricing is way better than Wordfence, so that’s definitely a bonus.

How to choose a security plugin for WordPress?

Choosing the right security plugin for your website can be a daunting task. With so many options available, it can be hard to know which one is best for your needs. In this section, I’ll discuss the features you should consider when selecting a security plugin, such as scanning capabilities, malware removal, firewalls, and more.

Crucial security features 

  • Malware scanning: Malware comes in many forms, and there are different ways to scan for it. One way is signature-matching, which compares the code of the malware against a database of known malware signatures. This is only as reliable as the database of signatures, which needs to be regularly updated to make sure it’s accurate. Even then, it’s never a 100% guarantee that all malware will be detected, since the developers may not even know about the latest threats yet.
  • Malware removal: Removing malware from your website can be a complicated process. In some cases, you can delete the files that were added by the malware, or repair site files that have been affected. For more complicated cases, you may need to talk to a security expert to get the malware completely removed. Many security plugins offer malware removal as a premium feature, so it’s worth looking into if you need help.
  • Firewall: A firewall is a tool that helps protect your website from malicious software and hackers. A good firewall will filter out traffic that is not wanted or needed, while allowing legitimate traffic to pass through. A firewall should be regularly updated to ensure the latest security measures are in place. 

Other features 

  • Vulnerability detection: Most hacking attempts occur because of vulnerabilities in your system. A vulnerability scanner can help you identify and patch any security holes in your website quickly, so you can have a robust security setup. This makes it a pretty important security feature. 
  • Two factor authentication: Two factor authentication (2FA) is an additional layer of security used to protect user accounts from unauthorized access. It works by requiring two different methods of authentication before allowing a user to log in. With 2FA, users have to provide something they know (like a username and password) as well as something they have (like a phone or security token). This helps to keep your accounts safe from hackers and other malicious actors. This is a good security feature to have. 
  • Login protection: Hackers often try to break into the WordPress admin area by randomly guessing your username and password. To do this, they’ve created automated programs that keep trying out different combinations until they get it right. This is called a brute force attack. To protect yourself from this, you should install a plugin that has login protection features.
  • Activity log: If you want to make sure your website is safe and secure, it’s important to keep an eye on all the changes happening to it. That way, you can spot any suspicious behavior or malicious attacks and nip it in the bud. This is why an activity log is so important. It’ll help you monitor everything and identify any security event quickly.

Potential problems 

  • Impact to server: Every action on your server uses up its resources, which can slow down your site if there’s too much going on. Security plugins that conduct scans, for example, will take up tons of server resources, like Wordfence. On the other hand, MalCare does its scans on its own server, so it won’t use up yours. That’s definitely a plus. Look for plugins that don’t use your server resources. 

Final thoughts

Wordfence is a decent choice, but if you’re looking for heavy-duty protection, MalCare premium is the way to go. It may cost a bit more, but it’s worth it for the comprehensive protection it offers. Don’t leave your site open to potential threats; invest in the best protection you can get.


Is Wordfence any good?

Wordfence has an awesome free version that gives your website a good level of protection. The scanner is usually good at keeping threats away, although it doesn’t check the database. The firewall is always up-to-date and does a great job of protecting you from any malicious stuff. But the free firewall is updated after the premium. If you do find something malicious though, getting rid of it can be tricky and may require upgrading to a more expensive plan. You may also want to see our guide on Wordfence free vs premium.

Is Wordfence a good plugin?

We’d say Wordfence has some great features but comes with its flaws. The free version is the best I’ve seen. Scanner is pretty good but doesn’t take into account database-based malware. Firewall is well-updated but the free version is updated later than the premium, leaving a window of opportunity for the hackers. It also has a pretty good file repair feature but the expert removal is expensive. 

How secure is Wordfence?

Wordfence is a reliable security tool that provides a good level of security for websites. The scanner feature is mostly good and offers a good level of protection, although it doesn’t scan the database. The firewall is well-updated and provides good protection against malicious attacks. However, removal of malicious code or malware can be complicated or requires an expensive plan upgrade. 

Which is better: Sucuri or Wordfence?

Sucuri offers advantages over Wordfence in some areas, such as being less resource-intensive on the website. However, its scanner feature is not as good as Wordfence, and the malware removal service is more reasonably priced. On the other hand, the firewall protection isn’t as good as with Wordfence.

Does WordFence effectively protect against most attacks/hacks?

It can help prevent the more common attacks, like brute-force logins, blocking malicious file uploads, SQL injections, etc. but cannot prevent all bots completely and the firewall is prone to blocking legit users also.



You may also like

Spam link injection WordPress
Prevent WordPress SQL Injection Attacks

SQL injections are some of the most devastating attacks on WordPress sites. In fact, they are rated second on the list of most critical WordPress vulnerabilities, second only to cross-site…

What is WordPress Privilege Escalation?
What is WordPress Privilege Escalation?

Imagine logging into your WordPress site and finding unexpected changes, unfamiliar user accounts with admin privileges, or even spam content and pages.  This isn’t just a nightmare scenario—it’s a real…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.