Wordfence Review: The Good, the Bad, and the Secure
Wordfence is a popular and well-regarded WordPress security plugin for keeping your website safe from malware and attacks. However, with so many choices available, it can be tough to determine which security plugin is the best fit for your needs.
That’s where I come in. I have put together a comprehensive Wordfence review to help you make an informed decision and feel confident that your website is secure. You can trust that I have thoroughly researched and tested Wordfence to provide you with the most accurate and up-to-date information.
This review evaluates Wordfence based on server impact and recovery speed. I acknowledge that MalCare is our product, but this comparison relies on technical benchmarks and actual testing.
TL;DR: Wordfence’s free version is a good security plugin for website owners with zero budget for security. However, there are a number of downsides, many of which lead users to look for alternatives to Wordfence. What stood out during testing were false positives and missed malware, along with the huge performance impact and drain on server resources.
Quick summary: Wordfence review
Wordfence free is a great option for brand new sites or those with a low budget. It’s one of the best free security plugins that I have tested, after MalCare Security of course. While Wordfence may not provide a 100% shield against malicious attacks, it does the best job among the others.
Misses malware in the database
However, there are a few things that I don’t like about Wordfence. For starters, the Wordfence scanner is only reliable when it comes to finding malware in certain sections of the website. It can scan for malware in the core files and non-premium plugins and themes, but it does not detect malware in the database, which is often a target for malware.
Pricey
Additionally, Wordfence’s cleanup services can be seriously expensive; insanely expensive, actually! Furthermore, the Wordfence firewall loads like any other plugin, so it is not 100% effective at blocking malicious traffic. Even worse, the free version’s firewall only receives rule updates after the premium version, which can take up to 30 days. This gives attackers ample time to exploit any weaknesses in the meantime.
Performance impact
Another issue with Wordfence is that it can have quite an impact on your server resources. Every time a scan runs, you will notice a significant reduction in your site’s performance. In fact, for this very reason, some web hosts ban it altogether. Wordfence also lacks any bot protection, which is a must-have for any website security solution.
Overall, in this review, I will provide a detailed analysis of Wordfence’s features, user interface, and overall effectiveness based on my own experience and research.
At a glance
WordPress firewall ✅
Malware scanner ⚠️
Integrated malware removal ⚠️
Automated vulnerability scans ✅
Robust login security ✅
Brute force defence ✅
Performance impact ❌
Two-factor authentication ✅
Activity log ❌
Alerts ❌
Malware scanner
The first feature I tested was the malware scanner. A lot hinges on the scanner, as it is the only way you can find out if your site has malware or not.
The first scan took about 20 minutes. Initially, it seemed like the scan had not finished, but it turned out that the 60% was not a progress bar but a depiction of what percentage of the site the free version will scan.
I conducted another scan and this time around, it finished much faster. The second scan found a big chunk of the malware present on the hacked test website. It detected the malware on the site files, but not the database malware. This is a problem since database-based malware is a very real and dangerous problem.
🤖 The rise of AI-driven vulnerability analysis and malware generation has changed WordPress security. Traditional scanners look for specific strings of code. AI can generate polymorphic malware to avoid detection. It is more important than ever that security plugins use behavioural analysis to spot suspicious activity. Matching signatures just doesn’t cut it any more.
The scanner also flagged some errors with the Solid Security plugin installed on the site. These were false positives.
The second line item in the scan results was a call-to-action to use the premium version to clear up the malware. If you are using the free version, there are some things you can do if your WordPress site is hacked but they are risky. I’ll talk about this in the next section.
💡 MalCare is a vastly better option to Wordfence, with an excellent malware scanner and advanced firewall available with the free plugin. Only if malware is detected on your site, do you need to upgrade to a premium subscription for a detailed report and one-click removal feature.
Malware removal
The free version of the plugin gave me two malware removal options: delete all deletable files and repair all repairable files.
I can assure you that deleting a file without care is guaranteed to crash your site. I’m going to assume that Wordfence knows which files are important for WordPress core, free themes and free plugins, but not for much else. I decided to go with the delete option first and it got rid of one file successfully, but with a warning about how deleting files can break your site. This is going to be a terrifying warning for anybody who’s trying to clean malware from a live site.
So, I moved on to the repair option and it was able to repair most of the files with malware. I checked the site again with MalCare’s scanner and it was free of malware. So it was pretty good at clearing the malware that it recognised. If the Wordfence developers know of malware, they’re able to repair the files and remove it. Unfortunately, this means that they can’t remove newly discovered malware.
It was also clear that the Wordfence plugin isn’t able to deal with malware that is in the database. Much like the scanner, it also does not remove malware from non-core WordPress files or from premium plugins and themes.
Time to clean and recovery speed
Security success is no longer just about blocking attacks. The most important metric for a hacked site is the time to clean. Wordfence offers a managed response plan to remove malware.
Within a managed response plan, a security analyst typically responds to your ticket within one hour. The actual cleaning can take up to twenty-four hours to finish. This delay happens because the process depends on a ticket-based queue. When time is of the essence, waiting for an analyst is not ideal.
In full transparency, I did not test out this service.
💡 Malware removal is a premium feature for Wordfence, as it is for MalCare. MalCare prioritises instant recovery through its auto-clean feature. The malware removal feature is designed to work in under 60 seconds. There is no queue and no need to wait for a support agent. If you do need help, each subscription entitles you to unlimited manual removal by security experts.
Firewall
Configuring the firewall was a bit of a daunting task. The firewall rules and scan rules can be overwhelming for someone who isn’t tech-savvy. A developer who knows which IPs to whitelist or blacklist may have more luck, but the average user may not.
There is also a separate section for the Wordfence firewall. It introduces the term Web Application Firewall and briefly describes what a firewall is and does.
I also discovered that it is recommended to keep the firewall in learning mode for a week before switching it to protecting mode. This is because the firewall needs live traffic to learn what normal requests to your site look like, which reduces the chance of it blocking legitimate traffic once enabled. It didn’t make sense to leave learning mode on for my test sites, as there was no traffic to them, so I went into the options and changed the status to ‘enabled and protecting’. The firewall protects your site effectively against most threats.
This page also explains the difference between the free and premium versions. For starters, the free version of the plugin loads as a regular plugin after WordPress has loaded, which is only somewhat effective. Ideally, a firewall should load before WordPress to block out all malicious traffic.
Here’s another good news and bad news situation. The good news is that Wordfence has the most frequently updated firewall rules. The bad news is that the free version receives those updates after the premium version. Any delay is a window in which your site can be attacked, so this isn’t ideal.
💡 Always choose a firewall that integrates seamlessly with your WordPress site. It should understand the nuances of WordPress and protect your site accordingly.
The role of virtual patching
It is important to note that Wordfence does not advocate for virtual patching as a primary defence. Like MalCare, it focuses on WordPress firewall protection that is proactive.
Virtual patching is often discussed in security reviews. It is important to clarify that virtual patching is a reactive defence. A security provider releases a virtual patch only after a specific vulnerability is identified. This means the flaw could have been exploited by hackers long before a fix was available. Reliance on this method means you are always waiting for a provider to catch up.
Proactive security works differently. It involves complete firewall integration with WordPress to identify and fortify potential weak points. This approach protects your site against entire classes of attacks rather than waiting for a specific exploit to be reported. By hardening the core architecture, proactive security blocks threats regardless of whether a vulnerability has been publicly disclosed.
💡 Using a firewall to block threats proactively is vastly superior to relying on virtual patches. It ensures your site is shielded even if a vulnerability remains unknown to the security community. This architectural distinction is vital for maintaining robust site security.
Login security
When it comes to login protection, Wordfence has got you covered. Brute force protection is in the firewall section and is enabled by default. You can go into the settings to customize the robust set of options. You can set lockouts for incorrect login attempts, and even how much time a user will experience lockout after a certain number of incorrect login attempts. They also provide great documentation on what each option does and how to use it most effectively to protect the site.
You can also set an allowlist for IPs that are not to be tested by the firewall. This is of limited value, because you’ll find that your device IPs will change.
Additionally, there are options that enforce strong passwords, prevent the use of passwords found in data breaches, and much more. Brute force protection works exactly as per your settings, so you can be sure that your site is secure.
Vulnerability scans
Scanning with Wordfence revealed some out-of-date plugins as a medium threat. It’s always good to keep everything updated, so this was a good reminder.
The plugins with discovered vulnerabilities were also flagged correctly as critical threats, even for obscure plugins with fewer than 200 users. It’s great to see that Wordfence can pick up on these vulnerabilities, as many of the other plugins I tested weren’t able to.
Unfortunately, there is no way to fix the vulnerabilities from the Wordfence dashboard. Most of the other plugins, like Jetpack and Sucuri, recommended updates and allowed you to carry those out from the same panel. On Wordfence, it will take you to the updates dashboard instead. It would have been a useful feature.
2FA
Securing accounts with two-factor authentication is a very popular security measure, but it can be a bit of a pain to set up. On Wordfence, enabling it on your WordPress site used to be a premium feature, but now it’s free. It’s also super easy to set up, you can customize several options, and you can enable reCAPTCHA to add an extra layer of protection.
You can also use two factor authentication on your Wordfence account. This can be helpful to protect your account, especially if you’re managing multiple sites.
Activity log
If you’re looking for an activity log on Wordfence, it’s not readily available, but you can enable debugging from the Diagnostics section under Tools. That will give you more verbose logs, though they won’t be the same as a full activity log.
There is a scan log, but it looks to be more for Wordfence developers. Just be aware that enabling the debug mode will take up more server resources, as stated in diagnostics.
Performance impact
Wordfence is a huge resource hog and adds so much bloat to your site. Every scan it runs totally slows down your site, and some web hosts even ban it for this reason.
On my sites of different sizes, the disk usage doubled when Wordfence started running its scans. This might not be a big deal for small sites, but for those that already use a lot of resources it’s a significant jump. Plus, if you make any changes to the default settings, Wordfence warns you that it’ll consume even more of your server resources.
Additionally, if you look in the activity log, you can even see how much memory was used for each scan. But that’s not the worst part: the firewall also runs on your site resources, so if your site gets hit with a sustained attack, you could be in trouble even if it’s protected against these exploits.
Many users report significant WordPress database bloat when using the live traffic feature in Wordfence. The plugin also increased total database size by 15% after two weeks of active use due to the wfLogs and wfHits tables. On high-traffic sites, these tables can grow to several gigabytes in size. This growth can slow down (and add considerable bloat to) database backups and site migrations.
Wordfence operates as an endpoint security solution. This means it runs directly on your server, performing malware scans and managing firewall rules within your WordPress environment. In our testing on a standard shared hosting configuration, we measured a 30% increase in CPU load during a full site scan.
On shared hosting plans or sites with large file counts, a full scan may consume all available server resources. This often causes site slowdowns or 503 service unavailable errors for your visitors.
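One way to check the database bloat described above on your own site is to ask MySQL/MariaDB how large the Wordfence tables actually are. This is an added example, not code from the review or from Wordfence; it assumes the default `wp_` table prefix (adjust the LIKE pattern if yours differs), and the table names follow the review’s mention of wfHits and wfLogs.

```sql
-- Per-table size of the Wordfence tables in the current WordPress database.
-- Run while connected to the WordPress database; DATABASE() picks it up.
-- Assumes the default wp_ prefix. table_rows is an estimate for InnoDB tables.
SELECT
  table_name,
  table_rows,
  ROUND((data_length + index_length) / 1024 / 1024, 2) AS size_mb
FROM information_schema.tables
WHERE table_schema = DATABASE()
  AND table_name LIKE 'wp\_wf%'      -- backslash keeps the underscore literal
ORDER BY (data_length + index_length) DESC;

-- Share of the whole database occupied by Wordfence tables, to compare with
-- the 15% growth figure quoted above.
SELECT
  ROUND(
    100 * SUM(CASE WHEN table_name LIKE 'wp\_wf%'
                   THEN data_length + index_length ELSE 0 END)
        / SUM(data_length + index_length), 1) AS wordfence_pct
FROM information_schema.tables
WHERE table_schema = DATABASE();
```

If the percentage keeps climbing week over week, the live traffic feature is the first setting to review, since that is where the review observed the wfHits growth coming from.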
Wordfence CLI and Intelligence v3
Wordfence has introduced Wordfence CLI for advanced users. This is a command line utility built for server administrators and operations teams. It is designed to scan several WordPress sites for vulnerabilities and malware directly from the server terminal.
The tool is highly efficient because it runs outside the WordPress environment. This bypasses the typical performance bottlenecks of a plugin-based scan.
The scanner is powered by the Wordfence Intelligence v3 API. This API provides a comprehensive and constantly updated database of WordPress vulnerabilities. It includes details on plugins, themes, and core software flaws. Developers can integrate this data feed into their own security workflows to receive real-time alerts.
🚨 While these tools offer immense power for technical users, they are not intended for the average site owner. They represent a significant shift toward enterprise-grade management for those who maintain large fleets of websites.
Wordfence CLI usage
- Install the tool: run `pip install wordfence` in your server terminal.
- Configure the license: execute `wordfence configure` to initialise the tool.
- Run a malware scan: use `wordfence malware-scan /path/to/your/site` to scan a specific directory.
- Scan the database: execute `wordfence db-scan -u dbuser -D database_name` to identify malicious database injections.
- Access help documentation: type `wordfence --help` to view all available commands and options.
Alerts
We avoid plugins that send us far too many emails and unfortunately, Wordfence is one of those.
Figuring out how many security alerts are too many and how many are just right can be tricky, but important. You want to be notified of any critical threats that need your attention, because the more you leave them unaddressed, the worse they become.
Wordfence sends a lot of alerts, but customising them can be hard. Plus, after your inbox has been flooded a few times because of a brute force attack, you might end up ignoring all the alerts. That’s basically like not having any at all, so this could be a bigger problem than it seems.
😵 When a security plugin sends too many low-priority emails, users may ignore critical warnings.
Wordfence central
If you have multiple WordPress sites on the same account, Wordfence Central makes it easy to manage them from the wp-admin of each site. However, if you’re an agency with hundreds of sites, the limited space in wp-admin won’t work. Thankfully, it also has an external dashboard.
I was able to add all our test sites and got a bird’s eye view of all our websites. Just create an account on Wordfence and you’ll be able to add all your sites. It can get a bit crowded with more than 20 sites, but it’s still a great way to have an overview.
Install and config
When it comes to managing your WordPress website’s security, usability is just as important as the security features themselves. The easier it is to install and set up a security plugin, the better. I wanted to make sure that the plugin is user-friendly and beginner-friendly, so that anyone can use it to protect their WordPress website.
Installation
Installing Wordfence is a breeze; it’s just like any other plugin. Plus, it uses a web application firewall that runs inside WordPress, so you don’t need to bother with DNS settings that you might not have access to. No API keys required and no need to mess around with your site’s code. Setting up Wordfence is just like any other web product, and you’ll be able to see your site on the external dashboard immediately.
Ease of use
Wordfence is easy to use, with clear tooltips and links to documentation whenever needed. The documentation is highly contextual and helpful, clearly explaining what each feature does, how to set it up, and why it’s necessary. You don’t need to worry about how to scan or set up a firewall, and Wordfence takes care of most of the security aspects for you.
However, if your site ever gets hacked, you’ll have to decide how to remove the malware. There are automated options, but the expert removal service that Wordfence provides isn’t included in the free version.
Configuration
Wordfence is a heavyweight security plugin with a vast array of configuration settings. This depth provides control for experienced administrators but can create significant complexity for most users. New users often find the sheer number of options overwhelming. A misconfigured setting can easily lead to site performance issues or unintended blocks for legitimate visitors.
In my opinion, leave the settings alone unless you know exactly what you want.
Pricing
The free version of Wordfence isn’t bad, but it’s not exactly the best security plugin you can have for your site. If you want to upgrade to the premium version, you are looking at $149 per site each year. It gets cheaper the more licenses you buy.
In the past, malware cleanup was a separate $490 service. It is now included in the Care and Response plans. The Care plan is priced at $590 per year. The Response plan costs $1,250 per year and includes a guaranteed one-hour response time. These tiers provide different levels of support access. The cost structure is a factor to consider for budget-conscious site owners.
Help and support
If you’re using the free version of Wordfence, prepare to be on your own; no support for you! You’ll be relying on the forum for help, which can be a bit of a pain. Now, if you’re using the premium version, you get access to support, but even then it can be a bit hit-and-miss. I’ve seen plenty of complaints on review sites, so just be aware.
Best alternatives
I mentioned that Wordfence has the best free security plugin I’ve tested. But, if you’re not sold on Wordfence, don’t worry, there are plenty of other security plugins out there that could provide the protection you’re looking for.
Selecting a security plugin depends on your specific technical requirements and hosting environment.
How to choose a security plugin for WordPress?
Choosing the right security plugin for your website can be a daunting task. With so many options available, it can be hard to know which one is best for your needs. In this section, I’ll discuss the features you should consider when selecting a security plugin, such as scanning capabilities, malware removal, firewalls, and more.
Final thoughts
Choosing the right WordPress security plugin depends on your specific hosting environment and technical requirements.
Wordfence is an option for administrators who prefer to manage security settings and traffic logs directly from within their own WordPress dashboard. This level of granular control is useful for those who want to investigate every connection in real-time. However, because the plugin processes all security data locally on your server, users should expect a measurable impact on CPU load and database size. This is a factor to consider on shared hosting plans where server resources are limited.
MalCare, on the other hand, moves the heavy security tasks, such as scanning and log storage, away from your website. This prevents security activity from slowing down your site or causing database bloat. It is a better fit for users who want consistent site performance and hands-free security.
FAQs
Is Wordfence any good?
Wordfence has an awesome free version that gives your website a good level of protection. The scanner is usually good at keeping threats away, although it doesn’t check the database. The firewall is always up-to-date and does a great job of protecting you from any malicious stuff. But the free firewall is updated after the premium. If you do find something malicious though, getting rid of it can be tricky and may require upgrading to a more expensive plan. You may also want to see our guide on Wordfence free vs premium.
Is Wordfence a good plugin?
We’d say Wordfence has some great features but comes with its flaws. The free version is the best I’ve seen. The scanner is pretty good but doesn’t take into account database-based malware. The firewall is well-updated, but the free version is updated later than the premium one, leaving a window of opportunity for the hackers. It also has a pretty good file repair feature, but the expert removal is expensive.
How secure is Wordfence?
Wordfence is a reliable security tool that provides a good level of security for websites. The scanner feature is mostly good and offers a good level of protection, although it doesn’t scan the database. The firewall is well-updated and provides good protection against malicious attacks. However, removal of malicious code or malware can be complicated or requires an expensive plan upgrade.
Which is better: Sucuri or Wordfence?
Sucuri offers advantages over Wordfence in some areas, such as being less resource-intensive on the website, and its malware removal service is more reasonably priced. However, its scanner is not as good as Wordfence’s, and its firewall protection isn’t as good as with Wordfence either.
Does WordFence effectively protect against most attacks/hacks?
It can help prevent the more common attacks, like brute-force logins, malicious file uploads, SQL injections, etc., but it cannot stop all bots completely, and the firewall is prone to blocking legitimate users as well.