PLUGIN SECURITY
Is Wordfence Security safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Wordfence Security WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
wordfence - Requires PHP: 7.0+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] <= 7.2.3 [CVE-2019-9669]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.1.5 [CVE-2014-4932, WordPress Wordfence Plugin <= 5.1.4 - Cross Site Scripting, Wordfence <= 5.1.4 - Reflected Cross-Site Scripting, Wordfence <= 5.1.4 - Cross-Site Scripting (XSS)]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.5 [CVE-2014-4664, WordPress Wordfence Security Plugin <= 5.1.3 - XSS, Wordfence Security – Firewall & Malware Scan <= 5.1.3 - Cross-Site Scripting, Wordfence <= 5.2.4 - Multiple Vulnerabilities (XSS & Bypasses)]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.4 [WordPress Wordfence Plugin <= 5.2.3 - Bypass]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.3.6 [WordPress Wordfence Security Plugin - Cross Site Scripting]
+ 29 more known vulnerabilities
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] <= 5.2.3 [WordPress Wordfence Security Plugin - Multiple Vulnerabilities]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.8.7 [WordPress Wordfence Plugin <= 3.8.6 - Stored XSS]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.4 [WordPress Wordfence Plugin <= 5.2.3 - Multiple Vulnerabilities]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.8.3 [WordPress Wordfence Plugin <= 3.8.1 - Bypass]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.5 [WordPress Wordfence Plugin <= 5.2.4 - Stored XSS]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.3 [WordPress Wordfence Plugin <= 5.2.2 - Cross Site Scripting]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.8.3 [WordPress Wordfence Plugin <= 3.8.1 - Stored XSS]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.3.7 [WordPress Wordfence Plugin <= 3.3.5 - Multiple Vulnerabilities]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.5 [WordPress Wordfence Plugin <= 5.2.4 - Unspecified Vulnerability]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 7.6.1 [CVE-2022-3144, WordPress Wordfence Security – Firewall & Malware Scan plugin <= 7.6.0 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability, Wordfence Security – Firewall & Malware Scan <= 7.6.0 - Authenticated (Admin+) Stored Cross-Site Scripting, Wordfence < 7.6.1 - Admin+ Stored Cross-Site Scripting]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 7.1.14 [Wordfence Security – Firewall & Malware Scan <= 7.1.13 - Reflected Cross-Site Scripting and Information Disclosure]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 6.1.7 [Wordfence Security – Firewall & Malware Scan 6.1.1 - 6.1.6 - Reflected Cross-Site Scripting]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.4 [Wordfence Security <= 5.2.3 - Stored Cross-Site Scripting via HTTP_HOST]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.4 [Wordfence <= 5.2.3 - Multiple Protection Mechanism Bypasses]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.4 [Wordfence <= 5.2.3 - Stored Cross-Site Scripting via REQUEST_URI]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.3 [Wordfence <= 5.2.2 - Stored Cross-Site Scripting]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.8.3 [Wordfence Security <= 3.8.1 - Stored Cross-Site Scripting]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.3.7 [Wordfence < 3.3.7 - Reflected Cross-Site Scripting]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.3.7 [Wordfence Security - Firewall & Malware Scan <= 3.3.6 - Stored Cross-Site Scripting]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 7.1.14 [Wordfence <= 7.1.12 - Username Enumeration Prevention Bypass]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.3 [Wordfence 5.2.2 - XSS in Referer Header]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.4 [Wordfence 5.2.3 - Multiple Vulnerabilities]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.4 [Wordfence 5.2.3 - Banned IP Functionality Bypass]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.5 [Wordfence 5.2.4 - IPTraf.php URI Request Stored XSS]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 5.2.5 [Wordfence 5.2.4 - Unspecified Issue]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.3.7 [Wordfence 3.3.5 - XSS & IAA]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.8.3 [Wordfence 3.8.1 - wp-admin/admin.php whois Parameter Stored XSS]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.8.3 [Wordfence 3.8.1 - Password Creation Restriction Bypass]
- Wordfence Security – Firewall, Malware Scan, and Login Security [wordfence] < 3.8.7 [Wordfence 3.8.6 - lib/IPTraf.php User-Agent Header Stored XSS]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Really Simple Security – Simple and Performant Security (formerly Really Simple SSL) — 3000000+ active installs — max PHP 8.4
- Limit Login Attempts Security – Login Security, 2FA, Firewall, Brute Force Prevention — 1000000+ active installs — max PHP 8.4
- Security Optimizer – The All-In-One Protection Plugin — 1000000+ active installs — max PHP <8.0
- All-In-One Security (AIOS) – Security and Firewall — 1000000+ active installs
- Sucuri Security – Auditing, Malware Scanner and Security Hardening — 600000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.