Further articles of the series
Security Plugins for WordPress: #1 Security is important
Security Plugins for WordPress: #2 Wordfence Security
Security Plugins for WordPress: #3 iThemes Security
Security Plugins for WordPress: #4 NinjaFirewall
Security Plugins for WordPress: #5 Sucuri Security
Security Plugins for WordPress: #6 All In One WP Security
Security Plugins for WordPress: #7 VaultPress
The most popular security plugin
My test run of the different security plugins for WordPress started with Wordfence, by far the most popular security extension. The plugin is quite extensive, but its free version is also limited. Some features are reserved for premium customers. But that doesn't matter, because even in the basic version Wordfence already covers the most important areas concerning security. Apart from the plugin, the company has made a name for itself by announcing security holes, active work, constant updates and, most recently, by its Top 100 list of WordPress bugs. All in all the company seems to be quite active and therefore leaves a good impression. But enough of the bullshit, what can Wordfence do in detail and is the whole thing really worth a recommendation?
Scanning for malicious code
After installation, Wordfence offers a preview of a lot of functions and possibilities. Almost too many, if you ask me, because especially beginners might be overwhelmed. The integrated tour explains the most important things in text form and finally the first scan is due. It will definitely find something, because Wordfence Security is known for false positives. So you have to check the results yourself and decide in each individual case if it is really a security hole or changed code, or if it is just a normal change of your own or trusted plugins. In the test, Wordfence reported among other things a quite harmless log file, as well as WordPress files that were simply in German instead of English. Both 100 percent no security hole, but Wordfence just wanted to report them to me. In the long run, such false reports of the scan can get on your nerves a bit, especially as a beginner, if you never really know if this is a legitimate report or not. The scan itself checks WordPress, theme and plugin files, checks everything for known security holes or questionable URLs, and does everything necessary to expose and delete any changed code. Like a normal virus scan, but within WordPress.
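The two false positives described above (translated core files and a stray log file) can be separated from real modifications by checking findings against a locale-specific reference as well as the English one. The following is an added example, not Wordfence code: it assumes a scanner that flags files by comparing hashes with a reference manifest (the page does not say how Wordfence does this), and all file contents, manifests and the `triage` function are constructed for illustration.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample contents; these are not real WordPress files.
EN_FILE = b"<?php $msg = 'Howdy'; // constructed en_US variant\n"
DE_FILE = b"<?php $msg = 'Willkommen'; // constructed de_DE variant\n"
CORE = b"<?php // constructed core file, identical in every locale\n"

# Reference manifests (path -> hash), constructed for this example.
MANIFEST_EN = {"wp-config-sample.php": sha256(EN_FILE), "wp-load.php": sha256(CORE)}
MANIFEST_DE = {"wp-config-sample.php": sha256(DE_FILE), "wp-load.php": sha256(CORE)}

# Constructed installation: one translated file, one changed file, one log.
INSTALLED = {
    "wp-config-sample.php": DE_FILE,
    "wp-load.php": CORE + b"// line appended after install\n",
    "debug.log": b"[constructed] PHP Notice: sample entry\n",
}

def triage(installed, reference, locale_reference=None):
    """Classify each installed file against the reference manifest(s)."""
    findings = {}
    for path, data in installed.items():
        digest = sha256(data)
        if reference.get(path) == digest:
            findings[path] = "ok"             # matches the default build
        elif locale_reference and locale_reference.get(path) == digest:
            findings[path] = "ok-localized"   # matches the translated build
        elif path in reference:
            findings[path] = "modified"       # known file, unexpected content
        else:
            findings[path] = "unknown"        # not part of core: review by hand
    return findings

if __name__ == "__main__":
    print("en_US only :", triage(INSTALLED, MANIFEST_EN))
    print("with de_DE :", triage(INSTALLED, MANIFEST_EN, MANIFEST_DE))
```

With only the English manifest the translated file is reported as modified; adding the German manifest clears it while the genuinely changed file and the unknown log file stay on the list for manual review.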
Comparatively weak firewall
I personally don't like the Wordfence firewall much. Instead of querying GET and POST variables etc. in detail and defining individual rules, Wordfence only allows you to make a few settings for access. They are described in a nice way, so that even beginners know what is meant, but that's why they are kept too simple and superficial. Thus, frequent accesses can be regulated or blocked, even fake crawlers pretending to be Google crawlers can be blocked. But I would be very careful here, because in the test Wordfence Security blocked official and important crawlers very quickly, and Google itself also reported back with errors via the Webmaster Tools a short time later. In general, the firewall therefore mainly serves as access control, so that nobody, no matter if user or bot, accesses the website too fast and too often. In comparison, there is a little bit more that I expect from a firewall. Unfortunately Wordfence can't really score in this area.
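Telling a fake Google crawler from a real one before blocking it is usually done with a forward-confirmed reverse DNS lookup, the method Google documents for verifying Googlebot. The following is an added example, not Wordfence code: the function names, the injected resolver callables and the DNS records (documentation address ranges) are constructed for illustration.

```python
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def verify_googlebot(ip, user_agent, reverse_lookup, forward_lookup):
    """Return 'not-claimed', 'verified', 'fake' or 'unresolved'."""
    if "googlebot" not in user_agent.lower():
        return "not-claimed"
    try:
        host = reverse_lookup(ip)                # PTR record for the client IP
    except OSError:
        host = None
    if not host:
        return "unresolved"                      # DNS failure: do not block on this
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return "fake"                            # claims Googlebot, foreign host name
    try:
        addresses = forward_lookup(host)         # A/AAAA records for that name
    except OSError:
        return "unresolved"
    # The PTR record is controlled by the IP owner, so it must be confirmed
    # by resolving the name back to the same address.
    return "verified" if ip in addresses else "fake"

# Constructed DNS data (documentation address ranges, not real crawler IPs).
PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "203.0.113.5": "host.example.net.",
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com.",  # spoofed PTR
}
A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
     "crawl-198-51-100-7.googlebot.com": ["192.0.2.10"]}

def classify(ip, user_agent):
    """Run the check against the constructed records above."""
    return verify_googlebot(ip, user_agent, PTR.get, lambda h: A.get(h, []))

# On a live system the resolvers would be, for example:
#   reverse_lookup = lambda ip: socket.gethostbyaddr(ip)[0]
#   forward_lookup = lambda host: socket.gethostbyname_ex(host)[2]

if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1)"
    for ip in ("192.0.2.10", "203.0.113.5", "198.51.100.7", "192.0.2.99"):
        print(ip, classify(ip, ua))
```

Treating `unresolved` as "do not block" avoids locking out a legitimate crawler because of a transient DNS failure.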
Falcon Cache Engine
As a small highlight Wordfence Security presents the in-house Falcon Cache Engine. The Falcon Cache (by the way, a cool name, I think) is supposed to score with short folder names to speed up the cache significantly and to make the directories as flat as possible, which should result in faster access times. In practice, the Falcon Cache actually does a good job, but is still not necessarily outstanding in comparison. On the one hand there are too few options for special cases and professionals, on the other hand it is not faster than for example Cachify in HDD mode or WP-Rocket, correctly adjusted. Also, despite all the explanations of Wordfence, I don't understand why a cache engine belongs in a security plugin. To me, these are two pairs of shoes that should be clearly separated, even if they work perfectly together. As a simple cache, the Falcon engine does work and is actually quite fast, just not earth-shattering or impressive enough to be a real argument for the WordPress plugin. It's just a working cache, which, as I said before, doesn't belong in a security plugin for me and which is available elsewhere just as well.
Apart from all the obvious, there are several other smaller features within Wordfence. For example, brute force protection at login, an automatic malware URL scan for comments, the WordPress version can be hidden in the code, and much more. Also interesting is the use of the Wordfence network, because Wordfence Security can send and receive data. So if another website in the network is aggressively attacked, the same attack on your own homepage will be blocked from the outset if possible. There's also the premium version, which features two-factor authentication, allows blocking of entire countries, and activates automatic scans. However, the premium version of Wordfence requires an API key and currently costs $39 per website, although it is cheaper if you order several keys at once and for several years in advance. It's not expensive, but is Wordfence really worth the money? I'm not so sure myself.
Conclusion on Wordfence Security
Now Wordfence is one of the most popular extensions on WordPress.org, thus registers millions of downloads and gets almost only 4 or 5 stars as a rating, so what else can I say about it? For me Wordfence does its job, but the price is too high for me. I don't mean the API key, of course, because it is not needed; even the free version is good for something. I am more interested in the performance and the demands Wordfence puts on WordPress itself. The plugin nests itself extremely deep in the system, the scans eat a lot of memory, the operation itself of course also. The database is written to and fed with new tables, the plugin needs full access to the folder "wp-admin" and the firewall ended up being way too shallow. Same goes for Falcon Cache. Basically it doesn't do anything wrong, but it doesn't really make anything better either and in my opinion it has no place in a security plugin. But that is telling at the same time, because Wordfence wants everything and seems to have integrated everything somehow, but is also overloaded and slow, just not performant anymore. For me it's an all-rounder plugin, but it doesn't really go into details or deliver outstanding results. On the contrary: in terms of performance Wordfence will have a negative impact on you, even if it advertises to make websites up to 50 times faster. The latter probably only applies to those who have never heard of caching, because the rest is rather ballast. So in the end Wordfence could be a great all-in-one solution, but it has become too bloated and opaque to make the installation of the plugin worthwhile. A pity.