larrypress

Realizing I typed a massive wall of text, I’ll just say up front that Wordfence is a great script, and this is in no way trying to shame the developers. We always encourage users to go with Wordfence.

Wordfence does it’s job and it does it well. That being said, I have to weigh in my opinion. This is my first post, sorry if I’m stepping out of line.

@deanysus,
>> Since I see that tons of people are having issues with Wordfence,
>> with scans not working and all, and WF doesn’t really care,

The guys that make Wordfence obviously do care. I think it’s fair to mention that they’re (from what I know) the most used security plugin, and popularity is usually for very good reason.

@stratosphere,
>> That is simply not true, Wordfence works beautifully for me,
>> every time, every update for months now.

Everyone’s usercase will be different. Wordfence .htaccess rules do conflict with a lot of other plugins’ .htaccess rules. Your website wouldn’t be a standard to measure whether something’s wrong or right, just an example of a working state.

>> A lot of comments about usage depends ultimately on the server,
>> the hosting company and the settings. Most people unfortunately
>> use low end hosting companies. I did that once and lived to
>> regret it, since the hosting company got hacked and therefore
>> so did I.

I’ve browsed this forum enough to know that it’s mostly configuration issues due to user error, and not necessarily the host’s fault most of the time. A company I work for gets complaints all the time regarding plugin issues and Wordfence issues. We’re put in a position that forces us to fix their website at no cost just to keep their business. They say our servers can’t keep up with a simple plugin, yet after they leave they continue to experience the issue, and then we demonstrate that it’s their 200+ plugins causing the issues, we disable a plugin, and boom, the website’s back up again. Neither Wordfence, “NOR” the hosting companies should always be the target of blame, it’s the user’s responsibility to research what’s broken, and why.

I had to weigh in on this one especially because my income depends on the success of the company I work for. Too many customers go lost when there’s a plugin that breaks Wordfence, or vice versa. Some hosts are to blame, but then again it’s rather difficult sometimes to determine where to point the finger.

>> I have since used a better hosting company and they understand
>> security is my top priority.

I’m sure you’ve moved for good reason, my message above is not intended to debunk your statement.

>> As far as comparable plugins – I doubt you will find one that does
>> as much as Wordfence – but you are welcomed to go look for one.

Maybe not the entire suite of protection Wordfence provides, but nothing beats 5 .htaccess lines and a .htpasswd for wp-login.php. Wordfence adds a massive amount of overhead when a website is under brute force attack. Your .htaccess file is the best line of protection when it comes to wp-login.php brute attacks.

@deanysus
@bluebearmedia
I won’t quote in this one. Everyone here has a unique setup. You can have the “Perfect Setup” and the “Perfect Server” – That said, I’ll mention that I have seen performance issues with Wordfence across the board since recent updates. I think this has something to do with how Wordfence logs data. I’ve seen servers that fluctuate between 0.8~1.5 loads spike up to 4.0-8.0 since the past 4 weeks and latest Wordfence updates. When I grep for the wf folders with lsof and ps aux (simple Linux stuff), I see Wordfence the predominant scripts being executed and consuming large amounts of system resources across all servers. Maybe there’s a new attack out in the wild. I know Wordfence is protecting against this, but the resource usage seems more suitable for a dedicated server rather than shared hosting.

@deanysus
>> As for the server, we’re on a powerful dedicated server with a
>> reputable company, who – by the way – has been looking into this for
>> three days since I asked them. Unlike Wordfence, my hosting company
>> does care and are extremely professional. They didn’t find a single
>> thing that would prevent Wordfence from working smoothly.

The most common issue I’ve seen with Wordfence “Not working” is with incompatible plugins or bad .htaccess rules. If you’re running multiple plugins that interact with the .htaccess file, I’d consider disabling those and give it another go to see if it works after that. I don’t think it would be the host, nor Wordfence. Just plugins that don’t play right together. Web hosting companies have an unspoken standard on what goes into a server, and what’s deployed thanks to cPanel.

@stratosphere,
>> Your “powerful dedicated server” doesn’t mean it’s not hackable
>> and if you think otherwise, you are a novice.
>> If your hosting company were professional they’d fix their holes
>> as I requested of mine.

I don’t think this helps the discussion, sorry.

>> Wordfence is working perfectly for me and many others,
>> I guess that’s why it is so popular with over 1 million users,
>> the highest number I’ve seen in 8 years!

These numbers can’t be accurate because the error will not always be prevalent. Just because a plugin is installed doesn’t mean it’s working correctly.

>> What you say is so totally false, unproven and that’s the reason
>> I responded was because it is so incorrect, so there goes your
>> conspiracy theory.

Again, doesn’t help.

>> It’s best you unplug Wordfence and go find something better.
>> Some people have nothing better to do, than to complain, so use
>> your time more wisely.

I think it would be better to help. Most of us are so set with what we use that we’d endorse it without a second thought (not assuming anything here). I’d suggest going through a series of troubleshooting steps and see if there’s an issue with his install. In most cases, it’s a plugin issue as I said above a few times.

>> By the way, I use this forum everyday, to learn of new events,
>> as well as subscribe to the Newsletter. The man who developed
>> this plugin greatly cares about website owners and their security.

I agree, the developer(s) at Wordfence do care. There’s a lot of effort put into this plugin. I just don’t think this contributes to the discussion however.

@everyone else,
There is an issue currently, two in fact.

1. Wordfence overhead has increased substantially. I don’t think Wordfence addresses website performance when it’s under a brute force attack. WordPress still has to be fully loaded when logging in. This doesn’t help with loads, I think Wordfence can improve here.

2. Wordfence doesn’t seem to be working well with some plugins. Who’s at fault? That shouldn’t be any plugin developers’ job to figure out unless it’s a conflict with WordPress core. This part should be handled by the community, and reported to the respective developers to find out a work-around, or developers can possibly patch out something that makes the two compatible.

I’ve said my peace, I don’t use this community for much other than reading.

What prompted me to post here were performance issues across 100+ servers and seeing Wordfence as the primary process across the board. Servers running WordPress with Wordfence were the most impacted servers.