How I love, and hate Wordfence.

Oh, well, hello to whoever roams here. (wait…no one does.)

First, to whom ever comes to this desert, I’ve noticed this site gets pretty much zero hits from any humans. Sure, search engines and status monitoring roam the site every so often, but no humans. Whatever.

Anyways, I’ve always used Wordfence as a standard on every WordPress site for security. It’s a great plugin at it’s basics, but sometimes, I just get mad at Wordfence for being way too, “oh you want just a little more advanced features? Please pay $5/month!”. Here’s why.

First, the pricing. Seriously, $5 a month, at least what’s advertised. I took this into a bit more consideration. If I wanted to purchase 2 keys for my main site, and my Minecraft server’s site, over the span of a year, it’d cost $44.63. Not bad, but then again, they do the buy more it’s cheaper per key style of pricing. Great, I can get 1000 keys for $7.82/key/year, which is a huge discount, from $59/year for 1 key, but it’s really misleading how they said previously in advertising premium that they offered discounts of up to 90% (now they say less than $5/month, but still…), but only if you get a thousand keys, for 5 years. No one will ever need 1,000 keys as an average person hosting a blog on WordPress, and especially for 5 years just to get the average key cost down very, very low. Plus, WordFence at the lowest offers monthly plans, in which, yes, technically, the “Less than $5/month” explanation is correct at $59/year, but it’s still $4.92/month, in reality. It’s more then Malwarebytes Anti-Malware pro, and more than SiteLock from Hostgator 😉

And now, for the parts of Wordfence I hate too much.

Number 1, why have a delayed “Threat Defense Feed” version? First, let’s clear this up. “Threat Defense Feed” practically means malware definitions, in which it’s like a dictionary the program goes to when scanning files, to see if the file contains any malicious code. If malicious code is detected, the software will flag it along with what software it comes from.

If anti-malware software had delayed definitions by a month, they’d get killed! New malware for WordPress, comes out each and every day, like malware too. Not having your site updated for 1 month being able to define that software is complete bullshit, leaving your site unprotected for the month, and if someone really wants to hack your site with the latest and greatest exploit discovered just a day ago, your free definitions won’t protect you for 29 days, leaving your site vulnerable. It’s also to be noted most likely, that using a new exploit, any site hacking attempts will normally occur within the first few weeks of it being discovered. The entire point of anti-malware on sites and computers is to have it updated constantly, and not have your computer vulnerable for a month unless you pony up some cash. It’s the largest bullshit I’ve seen with this kind of stuff, and most likely, WORDPRESS UPDATES will patch a new security hole faster then Wordfence could block it with delayed definitions. Really?

Oh, it gets worse, too. Want to know if your site is being used for spam, too bad. Wordfence Regular doesn’t even protect against that. Fact is, your hosting provider probably will detect spamming being generated in about a day of an incident, so it’s better off you leave it to your provider to alert you when your site is getting spamvertised. Oh, and it’s a real thing, too. Site SEO can severely drop if a site is generating spam, leaving you pretty much dead.

More, more bullshit! You have to pay for “Cell Phone Sign In”, aka 2-factor authentication. In the modern world we live in today, this should absolutely be free! Give me a break here WordFence! You want us to pay for 2FA! You serious?

Hey, want some more bullshit, here’s more! Country Blocking is just for premium users. So, if you see thousands of attempted logins from one single country, or something suspicious about a hacking attempt, you can’t just click a button and the country is blocked from accessing your site. Nope, you have to use some sort of IP database, and input manually every IP range from that country, which, if there’s a hacking attempt from China, or Russia, can take hours upon hours to get the IP ranges and enter it in manually! It’s complete bullshit!

And look, more bullshit! “Advanced Comment Spam Protection”! Let’s get this straight. I’m pretty sure any smart site admin uses Akismet, provided by WordPress, which in it’s own, does a fantastic job of blocking spam comments, 100% of the time. Why should I pay to have “advanced heuristics” to identify spam commands, check “source IPs and any URLs” inbound, and other bullshit? Most sensible admins put comments to be approved, and huge sites that use WordPress just use a different commenting system all together, so can I say this is a scam? You don’t need this bullshit!

Oh, look, more bullshit! The last part, however. Why should we pay to have WordFence scan at scheduled times? In reality, most anti-malware software does this, which annoys the shit out of me, you shouldn’t have to pay for this! People NEED scheduled scans, especially if they’re on a tight shared server, limited on resources. If a Wordfence scan goes off right in the middle of peak traffic, and you don’t have a lot of overhead, your site slows down, your hosting provider gets pissed off at you, a lot, and it’s just terrible overall. Can’t we have the right to have our sites be scanned at 2am when no one’s online?

However, it’s nice that Wordfence does offer some good features.

While indeed you have delayed definitions, Wordfence does a fine and dandy job at blocking malware, and repairing malware-infected files back to normal. Live traffic is great to have, disk space monitoring is good to have, and it’s nice to view live traffic based on crawlers, human visitors, top consumers, and see login attempts.

But still, when I have 11 features in my WordFence features panel, and I can only use six of them, it’d be nice to at least have Country Blocking, and Scan Schedule available for free.

Hopefully someone at Wordfence reads this. It’s likely not, but whatever.