WP-Safety

Wordfence Security – Firewall, Malware Scan, and Login Security Security & Risk Analysis

wordpress.org/plugins/wordfence

Firewall, Malware Scanner, Two Factor Auth, and Comprehensive Security Features, powered by our 24-hour team. Make security a priority with Wordfence.

5.0M active installs v8.1.4 PHP 7.0+ WP 4.7+ Updated Dec 20, 2025
2fafirewallmalwarescannersecurity
96
A · Safe
CVEs total12
Unpatched0
Last CVESep 6, 2022
Plugin page Download
Safety Verdict

Is Wordfence Security – Firewall, Malware Scan, and Login Security Safe to Use in 2026?

Generally Safe

Score 96/100

Wordfence Security – Firewall, Malware Scan, and Login Security has a strong security track record. Known vulnerabilities have been patched promptly.

12 known CVEsLast CVE: Sep 6, 2022Updated 3mo ago
Risk Assessment

Wordfence v8.1.4 exhibits a generally strong security posture with a significant number of code checks in place, including capability checks and nonce checks. The plugin also demonstrates good practices in its use of prepared statements for SQL queries and output escaping, with high percentages in both areas. However, the presence of two instances of the 'unserialize' function, a known risk for deserialization vulnerabilities, is a notable concern. This is further emphasized by the taint analysis, which identified 4 flows with unsanitized paths, all classified as high severity. While there are no currently unpatched CVEs, the history of 12 known CVEs, with a majority being high and medium severity and including cross-site scripting and protection mechanism failures, suggests a past trend of exploitable vulnerabilities. This indicates that while the plugin has made strides in security, ongoing vigilance and thorough code review are essential to mitigate potential risks arising from deserialization and unsanitized input.

Key Concerns

  • High severity taint flows with unsanitized paths
  • Use of dangerous function: unserialize
  • History of high severity vulnerabilities
  • Output escaping not fully implemented (74%)
  • Bundled library: Select2 (potential for outdated version)
Vulnerabilities
12

Wordfence Security – Firewall, Malware Scan, and Login Security Security Vulnerabilities

CVEs by Year

2 CVEs in 2012
2012
7 CVEs in 2014
2014
1 CVE in 2016
2016
1 CVE in 2018
2018
1 CVE in 2022
2022
Patched Has unpatched

Severity Breakdown

High
5
Medium
7

12 total CVEs

CVE-2022-3144medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence Security – Firewall & Malware Scan <= 7.6.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Sep 6, 2022 Patched in 7.6.1 (504d)
WF-e7819dbf-fbcc-4dca-8300-b75ec096c541-wordfencemedium · 4.7Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence Security – Firewall & Malware Scan <= 7.1.13 - Reflected Cross-Site Scripting and Information Disclosure

Oct 2, 2018 Patched in 7.1.14 (1939d)
WF-809d0632-39a7-44a7-b368-9dc58270c666-wordfencemedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence Security – Firewall & Malware Scan 6.1.1 - 6.1.6 - Reflected Cross-Site Scripting

May 10, 2016 Patched in 6.1.7 (2814d)
CVE-2014-4932medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence <= 5.1.4 - Reflected Cross-Site Scripting

Dec 8, 2014 Patched in 5.1.5 (3333d)
WF-47938357-7d51-4d62-a08c-4b2bf3f3a062-wordfencehigh · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence Security <= 5.2.3 - Stored Cross-Site Scripting via HTTP_HOST

Sep 27, 2014 Patched in 5.2.4 (3405d)
WF-be700f83-248f-4d22-b53d-7cc61e1f7d7d-wordfencemedium · 6.5Protection Mechanism Failure

Wordfence <= 5.2.3 - Multiple Protection Mechanism Bypasses

Sep 14, 2014 Patched in 5.2.4 (3418d)
WF-fdfa2336-dda2-4945-9278-1a85f8b5f88b-wordfencehigh · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence <= 5.2.3 - Stored Cross-Site Scripting via REQUEST_URI

Sep 14, 2014 Patched in 5.2.4 (3418d)
WF-f315fff8-d616-4a5c-91bc-d8b0ec0f028f-wordfencehigh · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence <= 5.2.2 - Stored Cross-Site Scripting

Sep 8, 2014 Patched in 5.2.3 (3424d)
WF-63a2d09d-9cb8-47ba-8e40-5b43894552e3-wordfencehigh · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence Security <= 3.8.1 - Stored Cross-Site Scripting

Aug 1, 2014 Patched in 3.8.3 (3462d)
CVE-2014-4664high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence Security – Firewall & Malware Scan <= 5.1.3 - Cross-Site Scripting

Jul 30, 2014 Patched in 5.1.4 (3464d)
WF-93f9862f-745f-44d5-ac49-f8d2d19b35ed-wordfencemedium · 6.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence Security - Firewall & Malware Scan <= 3.3.6 - Stored Cross-Site Scripting

Oct 19, 2012 Patched in 3.3.7 (4113d)
WF-bdc39e21-f39c-4581-895a-04e352e9b383-wordfencemedium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Wordfence < 3.3.7 - Reflected Cross-Site Scripting

Oct 19, 2012 Patched in 3.3.7 (4113d)
Code Analysis
Analyzed Mar 16, 2026

Wordfence Security – Firewall, Malware Scan, and Login Security Code Analysis

Dangerous Functions
2
Raw SQL Queries
22
105 prepared
Unescaped Output
528
1494 escaped
Nonce Checks
2
Capability Checks
3
File Operations
28
External Requests
2
Bundled Libraries
1

Dangerous Functions Found

unserialize$unserialized = @unserialize($data);modules\login-security\classes\utility\serialization.php:18
unserialize$unserialized = @unserialize($data, $options);modules\login-security\classes\utility\serialization.php:21

Bundled Libraries

Select2

SQL Query Safety

83% prepared127 total queries

Output Escaping

74% escaped2022 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

4 flows4 with unsanitized paths
_ajax_authenticate_callback (modules\login-security\classes\controller\ajax.php:171)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Wordfence Security – Firewall, Malware Scan, and Login Security Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 51
filterauthenticatemodels\block\wfBlock.php:1491
actionnetwork_admin_noticesmodules\login-security\classes\controller\notices.php:127
actionadmin_noticesmodules\login-security\classes\controller\notices.php:130
actionwordfence_ls_role_sync_cronmodules\login-security\classes\controller\permissions.php:56
actionwp_initialize_sitemodules\login-security\classes\controller\permissions.php:63
actionwpmu_new_blogmodules\login-security\classes\controller\permissions.php:66
actioninitmodules\login-security\classes\controller\permissions.php:69
actionwordfence_ls_ntp_cronmodules\login-security\classes\controller\time.php:41
actiondeleted_usermodules\login-security\classes\controller\users.php:502
filtermanage_users_columnsmodules\login-security\classes\controller\users.php:503
filtermanage_users_custom_columnmodules\login-security\classes\controller\users.php:504
filtermanage_users_sortable_columnsmodules\login-security\classes\controller\users.php:505
filterusers_list_table_query_argsmodules\login-security\classes\controller\users.php:506
filteruser_row_actionsmodules\login-security\classes\controller\users.php:507
filterviews_usersmodules\login-security\classes\controller\users.php:508
filtermanage_users-network_columnsmodules\login-security\classes\controller\users.php:511
filtermanage_users-network_custom_columnmodules\login-security\classes\controller\users.php:512
filtermanage_users-network_sortable_columnsmodules\login-security\classes\controller\users.php:513
filterms_user_row_actionsmodules\login-security\classes\controller\users.php:514
filterviews_users-networkmodules\login-security\classes\controller\users.php:515
filterxmlrpc_enabledmodules\login-security\classes\controller\wordfencels.php:52
actionadmin_initmodules\login-security\classes\controller\wordfencels.php:55
actionlogin_enqueue_scriptsmodules\login-security\classes\controller\wordfencels.php:56
filterauthenticatemodules\login-security\classes\controller\wordfencels.php:57
actionset_logged_in_cookiemodules\login-security\classes\controller\wordfencels.php:58
actionwp_loginmodules\login-security\classes\controller\wordfencels.php:59
actionregister_postmodules\login-security\classes\controller\wordfencels.php:60
filterwp_login_errorsmodules\login-security\classes\controller\wordfencels.php:61
actionuser_new_formmodules\login-security\classes\controller\wordfencels.php:65
actionuser_registermodules\login-security\classes\controller\wordfencels.php:66
actionadmin_menumodules\login-security\classes\controller\wordfencels.php:73
actionnetwork_admin_menumodules\login-security\classes\controller\wordfencels.php:75
actionadmin_enqueue_scriptsmodules\login-security\classes\controller\wordfencels.php:77
actionshow_user_profilemodules\login-security\classes\controller\wordfencels.php:79
actionedit_user_profilemodules\login-security\classes\controller\wordfencels.php:80
actioninitmodules\login-security\classes\controller\wordfencels.php:82
actionwp_enqueue_scriptsmodules\login-security\classes\controller\wordfencels.php:84
actionwoocommerce_before_customer_login_formmodules\login-security\classes\controller\wordfencels.php:97
actionwoocommerce_before_checkout_formmodules\login-security\classes\controller\wordfencels.php:98
actionwp_loadedmodules\login-security\classes\controller\wordfencels.php:99
filterwoocommerce_account_menu_itemsmodules\login-security\classes\controller\wordfencels.php:102
filterwoocommerce_account_wordfence-2fa_endpointmodules\login-security\classes\controller\wordfencels.php:103
filterwoocommerce_get_query_varsmodules\login-security\classes\controller\wordfencels.php:104
actionwp_enqueue_scriptsmodules\login-security\classes\controller\wordfencels.php:105
actionnetwork_admin_noticesmodules\login-security\classes\controller\wordfencels.php:161
actionadmin_noticesmodules\login-security\classes\controller\wordfencels.php:164
actionnetwork_admin_noticesmodules\login-security\classes\controller\wordfencels.php:170
actionadmin_noticesmodules\login-security\classes\controller\wordfencels.php:173
actionall_admin_noticeswordfence.php:83
actionall_admin_noticeswordfence.php:97
actionactivated_pluginwordfence.php:106

Scheduled Events 4

wordfence_start_scheduled_scan
wordfence_ls_role_sync_cron
wordfence_ls_role_sync_cron
wordfence_ls_ntp_cron
Maintenance & Trust

Wordfence Security – Firewall, Malware Scan, and Login Security Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 20, 2025
PHP min version7.0
Downloads406.6M

Community Trust

Rating94/100
Number of ratings4,829
Active installs5.0M
Alternatives

Wordfence Security – Firewall, Malware Scan, and Login Security Alternatives

Atomic Edge Security

Atomic Edge Security

atomic-edge-security

A
100

Connect your WordPress site to Atomic Edge for enterprise-grade WAF protection, real-time analytics, and advanced security tools.

0 No CVEs
VMP Security – Firewall, Malware Scan, and Login Security

VMP Security – Firewall, Malware Scan, and Login Security

vmpfence-security

A
100

Your all-in-one WordPress security solution. Stop hackers with our firewall, detect malware before it spreads, and protect your site.

0 No CVEs
Security Optimizer – The All-In-One Protection Plugin

Security Optimizer – The All-In-One Protection Plugin

sg-security

A
86

Secure your WordPress site from brute-force attacks, threats, malware, and bots. Free to use and easy to set up.

1.0M 5 CVEs
MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall

MalCare WordPress Security Plugin – Malware Scanner, Cleaner, Security Firewall

malcare-security

A
100

Get Bulletproof Security for your WordPress site. WordPress security plugin packed with comprehensive Firewall, malware scanner, cleaner & more.

200K No CVEs
Anti-Malware Security and Brute-Force Firewall

Anti-Malware Security and Brute-Force Firewall

gotmls

B
83

This Anti-Malware scanner searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them.

100K 9 CVEs
Developer Profile

Wordfence Security – Firewall, Malware Scan, and Login Security Developer Profile

Mark Maunder

2 plugins · 5.0M total installs

73
trust score
Avg Security Score
91/100
Avg Patch Time
3117 days
View full developer profile
Detection Fingerprints

How We Detect Wordfence Security – Firewall, Malware Scan, and Login Security

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wordfence/css/dist/editor/login-security-editor.css/wp-content/plugins/wordfence/css/dist/login-security.css/wp-content/plugins/wordfence/css/dist/login-security-admin.css/wp-content/plugins/wordfence/js/dist/login-security-editor.js/wp-content/plugins/wordfence/js/dist/login-security.js/wp-content/plugins/wordfence/js/dist/login-security-admin.js/wp-content/plugins/wordfence/waf/js/src/build/login-security.js/wp-content/plugins/wordfence/waf/js/src/build/login-security-admin.js+11 more
Script Paths
/wp-content/plugins/wordfence/waf/js/src/build/login-security.js/wp-content/plugins/wordfence/waf/js/src/build/login-security-admin.js/wp-content/plugins/wordfence/waf/js/src/build/login-security-editor.js/wp-content/plugins/wordfence/core/assets/js/wordfence-frontend.js/wp-content/plugins/wordfence/core/assets/js/wordfence-admin.js/wp-content/plugins/wordfence/core/assets/js/wordfence-editor.js+2 more
Version Parameters
wordfence/css/dist/editor/login-security-editor.css?ver=wordfence/css/dist/login-security.css?ver=wordfence/css/dist/login-security-admin.css?ver=wordfence/js/dist/login-security-editor.js?ver=wordfence/js/dist/login-security.js?ver=wordfence/js/dist/login-security-admin.js?ver=wordfence/waf/js/src/build/login-security.js?ver=wordfence/waf/js/src/build/login-security-admin.js?ver=wordfence/waf/js/src/build/login-security-editor.js?ver=wordfence/core/assets/css/wordfence-frontend.css?ver=wordfence/core/assets/js/wordfence-frontend.js?ver=wordfence/core/assets/css/wordfence-admin.css?ver=wordfence/core/assets/js/wordfence-admin.js?ver=wordfence/core/assets/css/wordfence-editor.css?ver=wordfence/core/assets/js/wordfence-editor.js?ver=wordfence/core/assets/css/wordfence-react-component-library.css?ver=wordfence/core/assets/js/wordfence-react-component-library.js?ver=wordfence/core/assets/css/wordfence-react-component-library-editor.css?ver=wordfence/core/assets/js/wordfence-react-component-library-editor.js?ver=

HTML / DOM Fingerprints

CSS Classes
wordfence-login-securitywf-ls-login-page-wrapperwf-ls-headerwf-ls-footerwf-ls-admin-form-sectionwf-ls-user-management-tablewf-ls-two-factor-settingswf-ls-two-factor-authentication-enrollment-form+5 more
HTML Comments
<!-- Wordfence Login Security --><!-- wordfence-ls-admin-page --><!-- wordfence-ls-login-page --><!-- Generated by Wordfence -->
Data Attributes
data-wordfence-ls-user-iddata-wordfence-ls-noncedata-wordfence-ls-target-urldata-wordfence-ls-i18n-tokendata-wordfence-ls-action
JS Globals
WordfenceLSwordfence_ls_ajax_objectWordfenceLS_Admin
REST Endpoints
/wp-json/wordfence-ls/v1//wp-json/wordfence-ls/v1/admin//wp-json/wordfence-ls/v1/users//wp-json/wordfence-ls/v1/settings//wp-json/wordfence-ls/v1/login//wp-json/wordfence-ls/v1/logout//wp-json/wordfence-ls/v1/register//wp-json/wordfence-ls/v1/password-reset/
Shortcode Output
[wordfence_2fa_management]
FAQ

Frequently Asked Questions about Wordfence Security – Firewall, Malware Scan, and Login Security