WP-Safety

Wordfence Login Security Security & Risk Analysis

wordpress.org/plugins/wordfence-login-security

Secure your website with Wordfence Login Security, providing two-factor authentication, login and registration CAPTCHA, and XML-RPC protection.

70K active installs v1.1.15 PHP 7.0+ WP 4.7+ Updated Jan 15, 2025
2facaptchalogin-securitysecuritytwo-factor-authentication
92
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Wordfence Login Security Safe to Use in 2026?

Generally Safe

Score 92/100

Wordfence Login Security has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago
Risk Assessment

The plugin "wordfence-login-security" v1.1.15 exhibits a generally good security posture with no recorded vulnerabilities and robust code practices in many areas. The static analysis shows a lack of exposed entry points like AJAX handlers, REST API routes, and shortcodes, which is excellent. The extensive use of prepared statements for SQL queries and proper output escaping further contributes to its security. The presence of nonce and capability checks, though limited, indicates an awareness of WordPress security best practices. However, the analysis does highlight two critical concerns: the use of the `unserialize()` function, which is inherently risky if not handled with extreme caution, and four taint flows identified as high severity, even though they did not reach a critical level. The absence of known CVEs and a clean vulnerability history are strong positive indicators, suggesting consistent security attention from the developers. Despite these strengths, the identified `unserialize()` usage and high-severity taint flows present potential attack vectors that require careful review and mitigation. Overall, while the plugin appears to be secure in many respects, these specific areas of concern warrant attention.

Key Concerns

  • High severity taint flows found
  • Dangerous function: unserialize used
Vulnerabilities
None known

Wordfence Login Security Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Wordfence Login Security Code Analysis

Dangerous Functions
2
Raw SQL Queries
16
53 prepared
Unescaped Output
145
484 escaped
Nonce Checks
2
Capability Checks
3
File Operations
2
External Requests
2
Bundled Libraries
1

Dangerous Functions Found

unserialize$unserialized = @unserialize($data);classes\utility\serialization.php:18
unserialize$unserialized = @unserialize($data, $options);classes\utility\serialization.php:21

Bundled Libraries

Select2

SQL Query Safety

77% prepared69 total queries

Output Escaping

77% escaped629 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

4 flows4 with unsanitized paths
_ajax_authenticate_callback (classes\controller\ajax.php:171)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Wordfence Login Security Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 47
actionnetwork_admin_noticesclasses\controller\notices.php:127
actionadmin_noticesclasses\controller\notices.php:130
actionwordfence_ls_role_sync_cronclasses\controller\permissions.php:56
actionwp_initialize_siteclasses\controller\permissions.php:63
actionwpmu_new_blogclasses\controller\permissions.php:66
actioninitclasses\controller\permissions.php:69
actionwordfence_ls_ntp_cronclasses\controller\time.php:41
actiondeleted_userclasses\controller\users.php:502
filtermanage_users_columnsclasses\controller\users.php:503
filtermanage_users_custom_columnclasses\controller\users.php:504
filtermanage_users_sortable_columnsclasses\controller\users.php:505
filterusers_list_table_query_argsclasses\controller\users.php:506
filteruser_row_actionsclasses\controller\users.php:507
filterviews_usersclasses\controller\users.php:508
filtermanage_users-network_columnsclasses\controller\users.php:511
filtermanage_users-network_custom_columnclasses\controller\users.php:512
filtermanage_users-network_sortable_columnsclasses\controller\users.php:513
filterms_user_row_actionsclasses\controller\users.php:514
filterviews_users-networkclasses\controller\users.php:515
filterxmlrpc_enabledclasses\controller\wordfencels.php:52
actionadmin_initclasses\controller\wordfencels.php:55
actionlogin_enqueue_scriptsclasses\controller\wordfencels.php:56
filterauthenticateclasses\controller\wordfencels.php:57
actionset_logged_in_cookieclasses\controller\wordfencels.php:58
actionwp_loginclasses\controller\wordfencels.php:59
actionregister_postclasses\controller\wordfencels.php:60
filterwp_login_errorsclasses\controller\wordfencels.php:61
actionuser_new_formclasses\controller\wordfencels.php:65
actionuser_registerclasses\controller\wordfencels.php:66
actionadmin_menuclasses\controller\wordfencels.php:73
actionnetwork_admin_menuclasses\controller\wordfencels.php:75
actionadmin_enqueue_scriptsclasses\controller\wordfencels.php:77
actionshow_user_profileclasses\controller\wordfencels.php:79
actionedit_user_profileclasses\controller\wordfencels.php:80
actioninitclasses\controller\wordfencels.php:82
actionwp_enqueue_scriptsclasses\controller\wordfencels.php:84
actionwoocommerce_before_customer_login_formclasses\controller\wordfencels.php:97
actionwoocommerce_before_checkout_formclasses\controller\wordfencels.php:98
actionwp_loadedclasses\controller\wordfencels.php:99
filterwoocommerce_account_menu_itemsclasses\controller\wordfencels.php:102
filterwoocommerce_account_wordfence-2fa_endpointclasses\controller\wordfencels.php:103
filterwoocommerce_get_query_varsclasses\controller\wordfencels.php:104
actionwp_enqueue_scriptsclasses\controller\wordfencels.php:105
actionnetwork_admin_noticesclasses\controller\wordfencels.php:161
actionadmin_noticesclasses\controller\wordfencels.php:164
actionnetwork_admin_noticesclasses\controller\wordfencels.php:170
actionadmin_noticesclasses\controller\wordfencels.php:173

Scheduled Events 3

wordfence_ls_role_sync_cron
wordfence_ls_role_sync_cron
wordfence_ls_ntp_cron
Maintenance & Trust

Wordfence Login Security Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5
Last updatedJan 15, 2025
PHP min version7.0
Downloads1.2M

Community Trust

Rating80/100
Number of ratings25
Active installs70K
Alternatives

Wordfence Login Security Alternatives

DoLogin Security

DoLogin Security

dologin

A
98

Easy Login. 2FA login. Passwordless login. Cloudflare Turnstile reCAPTCHA. GeoLocation (Continent/Country/City)/IP range to limit login attempts.

7K 4 CVEs
SecureAuth Authenticator 2FA

SecureAuth Authenticator 2FA

secureauth-authenticator-2fa

A
100

Adds TOTP-based two-factor authentication (2FA) via SecureAuth Authenticator to your WordPress login page.

0 No CVEs
Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

Limit Login Attempts Reloaded – Login Security, Brute Force Protection, Firewall

limit-login-attempts-reloaded

A
98

Block excessive login attempts and protect your site against brute force attacks. Simple, yet powerful tools to improve site performance.

2.0M 4 CVEs
All-In-One Security (AIOS) – Security and Firewall

All-In-One Security (AIOS) – Security and Firewall

all-in-one-wp-security-and-firewall

A
93

Protect your website investment with All-In-One Security (AIOS) – a comprehensive and easy to use security plugin designed especially for WordPress.

1.0M 26 CVEs
Cartpauj Register Captcha

Cartpauj Register Captcha

cartpauj-register-captcha

A
100

Cartpauj Register Captcha does one simple task. It prevents SPAM signups through WordPress' default registration form.

1K 1 CVE
Developer Profile

Wordfence Login Security Developer Profile

wfryan

1 plugin · 70K total installs

88
trust score
Avg Security Score
92/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Wordfence Login Security

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wordfence-login-security/assets/css/admin.css/wp-content/plugins/wordfence-login-security/assets/css/common.css/wp-content/plugins/wordfence-login-security/assets/css/login.css/wp-content/plugins/wordfence-login-security/assets/css/user.css/wp-content/plugins/wordfence-login-security/assets/js/admin.js/wp-content/plugins/wordfence-login-security/assets/js/common.js/wp-content/plugins/wordfence-login-security/assets/js/login.js/wp-content/plugins/wordfence-login-security/assets/js/user.js
Script Paths
/wp-content/plugins/wordfence-login-security/assets/js/admin.js/wp-content/plugins/wordfence-login-security/assets/js/common.js/wp-content/plugins/wordfence-login-security/assets/js/login.js/wp-content/plugins/wordfence-login-security/assets/js/user.js
Version Parameters
wordfence-login-security/assets/css/admin.css?ver=wordfence-login-security/assets/css/common.css?ver=wordfence-login-security/assets/css/login.css?ver=wordfence-login-security/assets/css/user.css?ver=wordfence-login-security/assets/js/admin.js?ver=wordfence-login-security/assets/js/common.js?ver=wordfence-login-security/assets/js/login.js?ver=wordfence-login-security/assets/js/user.js?ver=

HTML / DOM Fingerprints

CSS Classes
wordfence-ls-2fa-management-formwordfence-ls-admin-noticewordfence-ls-admin-pagewordfence-ls-admin-sectionwordfence-ls-buttonwordfence-ls-button-dangerwordfence-ls-button-primarywordfence-ls-button-secondary+103 more
Data Attributes
data-wordfence-ls-actiondata-wordfence-ls-noncedata-wordfence-ls-uid
JS Globals
WordfenceLS
REST Endpoints
/wp-json/wordfence-ls/v1/admin
Shortcode Output
[wordfence_2fa_management]
FAQ

Frequently Asked Questions about Wordfence Login Security