Now does more harm than good

I’ve used this plugin for a few years but development seems to have ceased and sadly it’s now doing more harm than good for me, so I’m gradually uninstalling it everywhere. I’ve been on the free version so I’m grateful and I can’t complain, but the paid version was always too expensive.

The good: I originally installed it for the 2FA functionality and stayed for the alerts about obsolete and unpatched plugins, which are genuinely useful. It’s a “Swiss army knife” sort of plugin so there’s probably something useful there for everyone. If it blocks a genuine attack that would otherwise get through that’s obviously useful. And these things are free.

The bad: Dozens of false alerts about plugins that need updating but have already been updated (old and new version number the same) or will be automatically updated within a few hours. I have reported this and the problem was acknowledged but years have passed and nothing has been done and I just can’t afford to waste that much time any more.

The other bad is that 2FA has had its day and passkeys and WebAuthn are the state of the art now but WordFence has fallen behind. Similarly with the “Brute Force” feature blocking IP addresses – no-one uses the same IP address for more than half a dozen attempts these days, it has become pointless. I suspect the firewall sometimes uses more resources to block an attack than simply ignoring the attack.

Another problem is if you try to move a site or restore a backup that had the “Optimize the WordFence firewall” option enabled, all you get is a white screen that is quite hard to diagnose and fix (because the usual tricks like renaming .htaccess or /wp-content/plugins won’t help). I can’t remember the last time this option actually protected a site, but I can easily remember the last time it caused me problems, and that’s the problem.