Does DefendWP Firewall have any unpatched vulnerabilities?

No. All known vulnerabilities in DefendWP Firewall have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is DefendWP Firewall compatible with WordPress 6.8.5?

According to WordPress.org data, DefendWP Firewall 1.1.6 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is DefendWP Firewall compatible with PHP 8.1+?

DefendWP Firewall requires PHP 8.1 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is DefendWP Firewall updated?

DefendWP Firewall was last updated on Jun 16, 2025. Frequent updates are generally a positive security signal.

What is DefendWP Firewall's security score?

DefendWP Firewall has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

DefendWP Firewall Security & Risk Analysis

wordpress.org/plugins/defend-wp-firewall

Get instant protection against vulnerabilities disclosed by security companies.

3K active installs v1.1.6 PHP 8.1+ WP 6.2.0+ Updated Jun 16, 2025

malwareperformancesecurityvulnerability

A · Safe

CVEs total1

Unpatched0

Last CVEFeb 24, 2025

Plugin page Download

Safety Verdict

Is DefendWP Firewall Safe to Use in 2026?

Generally Safe

Score 99/100

DefendWP Firewall has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Feb 24, 2025Updated 9mo ago

Risk Assessment

The "defend-wp-firewall" plugin v1.1.6 exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and properly escaping all output. The absence of dangerous functions and external HTTP requests also contributes to its security. However, significant concerns arise from the extensive attack surface presented by its AJAX handlers. All 21 AJAX handlers lack authentication checks, making them potential entry points for unauthorized actions. Furthermore, the taint analysis reveals 14 flows with unsanitized paths, with 6 classified as high severity, indicating a substantial risk of data manipulation or unintended code execution if these flows are exploited. The vulnerability history shows one past medium-severity CVE attributed to missing authorization, reinforcing the concern around inadequate access controls. While the plugin has a clean recent vulnerability record and no currently unpatched CVEs, the identified issues in static analysis, particularly the unprotected AJAX endpoints and unsanitized taint flows, warrant significant attention.

Key Concerns

AJAX handlers without auth checks
High severity taint flows with unsanitized paths
Past medium CVE for missing authorization

Vulnerabilities

DefendWP Firewall Security Vulnerabilities

CVEs by Year

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-22280medium · 4.3Missing Authorization

DefendWP Firewall <= 1.1.0 - Missing Authorization

Feb 24, 2025 Patched in 1.1.1 (8d)

Code Analysis

Analyzed Mar 16, 2026

DefendWP Firewall Code Analysis

Dangerous Functions

Raw SQL Queries

69 prepared

Unescaped Output

168 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared69 total queries

Output Escaping

100% escaped168 total outputs

Data Flows

14 unsanitized

Data Flow Analysis

15 flows14 with unsanitized paths

save_settings_dwp (admin\class-defend-wp-firewall-settings.php:78)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

21 unprotected

DefendWP Firewall Attack Surface

Entry Points21

Unprotected21

AJAX Handlers 21

authwp_ajax_load_more_logs_dwpadmin\class-defend-wp-firewall-admin.php:77

authwp_ajax_clear_all_logs_dwpadmin\class-defend-wp-firewall-admin.php:78

authwp_ajax_dfwp_dismiss_cache_admin_noticeadmin\class-defend-wp-firewall-admin.php:82

authwp_ajax_dfwp_firewall_init_setupadmin\class-defend-wp-firewall-service.php:32

authwp_ajax_dfwp_firewall_join_emailadmin\class-defend-wp-firewall-service.php:33

authwp_ajax_dfwp_firewall_sync_firewalladmin\class-defend-wp-firewall-service.php:34

authwp_ajax_dfwp_firewall_revoke_connect_firewalladmin\class-defend-wp-firewall-service.php:35

noprivwp_ajax_firewall_sync_ptcadmin\class-defend-wp-firewall-service.php:40

authwp_ajax_firewall_sync_ptcadmin\class-defend-wp-firewall-service.php:41

authwp_ajax_save_settings_dwpadmin\class-defend-wp-firewall-settings.php:26

authwp_ajax_block_ip_from_settings_dfwphooks\blocklist-functions.php:14

authwp_ajax_remove_single_blocklist_dfwphooks\blocklist-functions.php:15

authwp_ajax_save_ipify_ip_dfwphooks\blocklist-functions.php:21

noprivwp_ajax_save_ipify_ip_dfwphooks\blocklist-functions.php:22

authwp_ajax_whitelist_ip_from_log_dfwphooks\whitelist-functions.php:11

authwp_ajax_whitelist_post_req_from_log_dfwphooks\whitelist-functions.php:12

authwp_ajax_whitelist_get_req_from_log_dfwphooks\whitelist-functions.php:13

authwp_ajax_whitelist_ip_from_settings_dfwphooks\whitelist-functions.php:15

authwp_ajax_whitelist_pr_from_settings_dfwphooks\whitelist-functions.php:16

authwp_ajax_whitelist_gr_from_settings_dfwphooks\whitelist-functions.php:17

authwp_ajax_remove_single_whitelist_dfwphooks\whitelist-functions.php:18

WordPress Hooks 79

actionadmin_enqueue_scriptsadmin\class-defend-wp-firewall-admin.php:69

actionnetwork_admin_menuadmin\class-defend-wp-firewall-admin.php:72

actionadmin_menuadmin\class-defend-wp-firewall-admin.php:74

actiondefend_wp_firewall_setttings_updated_before_send_responseadmin\class-defend-wp-firewall-admin.php:80

actionadmin_noticesadmin\class-defend-wp-firewall-admin.php:81

actiondefend_wp_firewall_before_setting_startadmin\class-defend-wp-firewall-admin.php:83

actiondefend_wp_before_login_page_startadmin\class-defend-wp-firewall-admin.php:84

actionadmin_initadmin\class-defend-wp-firewall-admin.php:85

filteriwp_mmb_stats_filteradmin\class-defend-wp-firewall-admin.php:86

actionadmin_noticesadmin\class-defend-wp-firewall-service.php:24

actionactivate_pluginadmin\class-defend-wp-firewall-service.php:25

actiondeactivate_pluginadmin\class-defend-wp-firewall-service.php:26

actionupgrader_process_completeadmin\class-defend-wp-firewall-service.php:27

actionpre_uninstall_pluginadmin\class-defend-wp-firewall-service.php:28

actiondelete_pluginadmin\class-defend-wp-firewall-service.php:29

actiondelete_themeadmin\class-defend-wp-firewall-service.php:30

actionafter_switch_themeadmin\class-defend-wp-firewall-service.php:31

actiondefend_wp_login_successadmin\class-defend-wp-firewall-service.php:36

actionsetup_themeadmin\class-defend-wp-firewall-service.php:37

actionadmin_enqueue_scriptsadmin\class-defend-wp-firewall-service.php:38

actionwp_enqueue_scriptsadmin\class-defend-wp-firewall-service.php:39

filterdfwp_settings_optionsadmin\class-defend-wp-firewall-settings.php:20

filterdfwp_settings_optionsadmin\class-defend-wp-firewall-settings.php:21

filterdfwp_settings_optionsadmin\class-defend-wp-firewall-settings.php:22

filterdfwp_settings_optionsadmin\class-defend-wp-firewall-settings.php:23

filterdfwp_settings_optionsadmin\class-defend-wp-firewall-settings.php:24

actiondefend_wp_firewall_daily_auto_updateadmin\class-defend-wp-firewall-update.php:16

actiondefend_wp_firewall_setttings_updatedadmin\class-defend-wp-firewall-update.php:17

actionwpfc_delete_cacheadmin\class-purge-plugins-cache.php:328

filtersafe_style_cssadmin\views\defend-wp-firewall-settings-display.php:19

actiondefend_wp_firewall_add_filterhooks\add-action-filters-functions.php:14

actiondefend_wp_firewall_add_actionhooks\add-action-filters-functions.php:15

actioninithooks\blocklist-functions.php:13

actionadmin_enqueue_scriptshooks\blocklist-functions.php:17

actionwp_enqueue_scriptshooks\blocklist-functions.php:18

actionlogin_enqueue_scriptshooks\blocklist-functions.php:19

filterxmlrpc_enabledhooks\firewall-functions.php:15

actioninithooks\firewall-functions.php:16

actionplugins_loadedhooks\firewall-functions.php:17

actiondefend_wp_firewall_request_after_run_all_ruleshooks\firewall-functions.php:18

filterdefend_wp_firewall_matched_rulehooks\firewall-functions.php:19

actiondefend_wp_firewall_setttings_updatedhooks\htaccess-functions.php:15

actiondefend_wp_firewall_set_ruleshooks\index-write-functions.php:15

actioninithooks\index-write-functions.php:16

actiondefend_wp_firewall_index_writehooks\index-write-functions.php:17

filtersecure_auth_cookiehooks\login-functions.php:14

actioninithooks\login-functions.php:15

actiondefend_wp_firewall_matched_rule_actionhooks\login-functions.php:16

actionwp_enqueue_scriptshooks\nonce-functions.php:15

actionadmin_enqueue_scriptshooks\nonce-functions.php:16

actionlogin_enqueue_scriptshooks\nonce-functions.php:17

actionelementor/common/after_register_scriptshooks\nonce-functions.php:18

actiondefend_wp_firewall_deactivate_pluginhooks\plugins-manager-functions.php:15

actiondefend_wp_firewall_after_firewall_runhooks\plugins-manager-functions.php:16

filterpre_delete_posthooks\post-manager-functions.php:15

actiondefend_wp_firewall_matched_rule_actionhooks\post-manager-functions.php:16

filterget_post_metadatahooks\post-manager-functions.php:17

actiondefend_wp_firewall_wp_post_restrictionshooks\post-manager-functions.php:18

actiondefend_wp_firewall_remove_actionhooks\remove-action-filter.php:15

actiondefend_wp_firewall_remove_filterhooks\remove-action-filter.php:16

actioninithooks\remove-action-filter.php:18

actiondefend_wp_firewall_runhooks\run-functions.php:15

actioninithooks\run-functions.php:17

actiondefend_wp_firewall_matched_rule_actionhooks\run-functions.php:19

actiondefend_wp_firewall_after_firewall_runhooks\run-functions.php:20

filterdefend_wp_firewall_matched_rulehooks\shortcode-functions.php:15

filterpre_do_shortcode_taghooks\shortcode-functions.php:16

actiondefend_wp_firewall_shortcode_ruleshooks\shortcode-functions.php:17

actiondefend_wp_firewall_matched_rule_actionhooks\user-manager-functions.php:15

actiondelete_userhooks\user-manager-functions.php:16

actioninitincludes\class-defend-wp-firewall-activation-controller.php:9

actionadmin_noticesincludes\class-defend-wp-firewall-activation-controller.php:10

filterdfwp_setting_redirect_on_activationincludes\class-defend-wp-firewall-activation-controller.php:11

actioninitincludes\class-defend-wp-firewall-anonymous.php:16

actiondefend_wp_firewall_after_saving_logincludes\class-defend-wp-firewall-anonymous.php:17

actiondefend_wp_firewall_cron_hookincludes\class-defend-wp-firewall-anonymous.php:19

actionplugins_loadedincludes\class-defend-wp-firewall.php:135

filterposts_orderbyincludes\defend-wp-firewall-custom-functions.php:71

actioninitincludes\defend-wp-firewall-generic-functions.php:338

Scheduled Events 3

defend_wp_firewall_daily_auto_update

defend_wp_firewall_index_write

defend_wp_firewall_cron_hook

Maintenance & Trust

DefendWP Firewall Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedJun 16, 2025

PHP min version8.1

Downloads10K

Community Trust

Rating0/100

Number of ratings0

Active installs3K

Alternatives

DefendWP Firewall Alternatives

Jetpack – WP Security, Backup, Speed, & Growth

jetpack

Improve your WP security with powerful one-click tools like backup, WAF, and malware scan. Includes free tools like stats, CDN and social sharing.

3.0M 24 CVEs

Malcure Malware Shield — Removal, Repair, Monitor

wp-malware-removal

Fast malware removal & security shield. Fix hacks, stop redirects, clean SEO spam. Real-time threat intelligence. No bloat.

10K 3 CVEs

Security Ninja – WordPress Security Plugin & Firewall

security-ninja

WordPress security plugin with free basic firewall/WAF, vulnerability scanning, and 50+ core integrity checks.

7K 1 CVE

SiteLock Security – WP Hardening, Login Security & Malware Scans

sitelock

Free, lightweight WordPress security. Harden your site with login protection & 2FA, see Site Health clearly and run on-demand checks—setup in minutes.

1K 2 CVEs

Security Ninja For MainWP

security-ninja-for-mainwp

100

See Security Ninja vulnerabilities and security test results in your MainWP dashboard.

500 No CVEs

Developer Profile

DefendWP Firewall Developer Profile

revmakx

6 plugins · 224K total installs

trust score

Avg Security Score

92/100

Avg Patch Time

704 days

View full developer profile

Detection Fingerprints

How We Detect DefendWP Firewall

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/defend-wp-firewall/admin/css/defend-wp-firewall-admin.css/wp-content/plugins/defend-wp-firewall/admin/js/defend-wp-firewall-admin.js

Script Paths

/wp-content/plugins/defend-wp-firewall/admin/js/defend-wp-firewall-admin.js

Version Parameters

defend-wp-firewall/admin/css/defend-wp-firewall-admin.css?ver=defend-wp-firewall/admin/js/defend-wp-firewall-admin.js?ver=

HTML / DOM Fingerprints

JS Globals

defend_wp_firewall_admin_obj

FAQ