
Code Review | Wordfence Security - Firewall, Malware Scan, and Login Security

WordPress plugin Wordfence Security - Firewall, Malware Scan, and Login Security scored 61% from 54 tests.

About plugin

  • Plugin page: wordfence
  • Plugin version: 7.11.0
  • PHP compatibility: 5.5+
  • PHP version: 7.4.16
  • WordPress compatibility: 3.9-6.4
  • WordPress version: 6.3.1
  • First release: Apr 21, 2012
  • Latest release: Nov 28, 2023
  • Number of updates: 454
  • Update frequency: every 9.8 days
  • Top authors: mmaunder (39.65%), wfryan (29.96%), wfmatt (19.82%), wfalexk (11.23%)

Code review

54 tests

User reviews

3973 reviews

Install metrics

4,000,000+ active / 323,951,173 total downloads

Benchmarks

Plugin footprint 63% from 16 tests

Installer Passed 1 test

🔺 Critical test (weight: 50) | Verifying that this plugin installs correctly without errors
The plugin installed gracefully, with no errors

Server metrics [RAM: ▲11.60MB] [CPU: ▲79.55ms] 25% from 4 tests

Analyzing server-side resources used by Wordfence Security - Firewall, Malware Scan, and Login Security
Please fix the following
  • RAM: The total memory usage must be kept under 10MB (currently 14.99MB on /wp-admin/admin.php?page=WordfenceSupport)
  • CPU: Total CPU usage must be kept under 500.00ms (currently 744.21ms on /wp-admin/admin.php?page=Wordfence)
  • Extra RAM: The extra memory usage must be under 5MB (currently 11.60MB on /wp-admin/admin.php?page=WordfenceSupport)
Page | Memory (MB) | CPU Time (ms)
Home / | 14.90 ▲11.43 | 130.75 ▲89.63
Dashboard /wp-admin | 15.08 ▲11.77 | 140.34 ▲84.11
Posts /wp-admin/edit.php | 15.05 ▲11.68 | 119.81 ▲70.60
Add New Post /wp-admin/post-new.php | 17.54 ▲11.65 | 168.47 ▲73.86
Media Library /wp-admin/upload.php | 14.86 ▲11.63 | 133.57 ▲99.85
Upgrade to Premium /wp-admin/admin.php?page=WordfenceUpgradeToPremium | 14.84 | 111.64
Scan /wp-admin/admin.php?page=WordfenceScan | 16.10 | 1,397.90
Firewall /wp-admin/admin.php?page=WordfenceWAF | 13.55 | 76.04
Tools /wp-admin/admin.php?page=WordfenceTools | 14.56 | 100.15
All Options /wp-admin/admin.php?page=WordfenceOptions | 16.36 | 794.33
Login Security /wp-admin/admin.php?page=WFLS | 15.43 | 129.45
Dashboard 0 /wp-admin/admin.php?page=Wordfence | 16.11 | 744.21
Install /wp-admin/admin.php?page=WordfenceInstall | 14.92 | 112.31
Help /wp-admin/admin.php?page=WordfenceSupport | 14.99 | 110.98

Server storage [IO: ▲15.05MB] [DB: ▲0.04MB] 67% from 3 tests

Filesystem and database footprint
It is recommended to fix the following issues
  • The plugin illegally modified 10 files (6,054.66KB) outside of "wp-content/plugins/wordfence/" and "wp-content/uploads/"
    • (new file) wp-content/wflogs/GeoLite2-Country.mmdb
    • (new file) wp-content/wflogs/config.php
    • (new file) wp-content/wflogs/config-transient.php
    • (new file) wp-content/wflogs/config-synced.php
    • (new file) wp-content/wflogs/attack-data.php
    • (new file) wp-content/wflogs/template.php
    • (new file) wp-content/wflogs/.htaccess
    • (new file) wp-content/wflogs/ips.php
    • (new file) wp-content/wflogs/rules.php
    • (new file) wp-content/wflogs/config-livewaf.php
Filesystem: 713 new files
Database: 24 new tables, 12 new options
New tables
wp_wfhoover
wp_wflocs
wp_wffilechanges
wp_wfls_settings
wp_wffilemods
wp_wfblockediplog
wp_wfnotifications
wp_wfwaffailures
wp_wfcrawlers
wp_wfsecurityevents
...
New WordPress options
wf_plugin_act_error
wordfenceActivated
widget_recent-comments
theysaidso_admin_options
widget_recent-posts
wordfence_case
widget_theysaidso_widget
wordfence_version
wordfence_ls_version
db_upgraded
...

Browser metrics Passed 4 tests

Wordfence Security - Firewall, Malware Scan, and Login Security: an overview of browser usage
Minimal impact on browser resources
Page | Nodes | Memory (MB) | Script (ms) | Layout (ms)
Home / | 3,579 ▲817 | 13.92 ▼0.79 | 9.24 ▲7.59 | 30.34 ▼15.16
Dashboard /wp-admin | 2,783 ▲603 | 5.07 ▼0.57 | 103.35 ▲10.93 | 70.02 ▲27.27
Posts /wp-admin/edit.php | 2,411 ▲311 | 2.44 ▲0.46 | 37.48 ▼2.80 | 43.11 ▲4.30
Add New Post /wp-admin/post-new.php | 1,877 ▲351 | 21.94 ▼1.16 | 696.65 ▲91.44 | 52.16 ▼5.91
Media Library /wp-admin/upload.php | 1,714 ▲314 | 4.58 ▲0.42 | 101.85 ▲8.76 | 53.22 ▲12.08
Upgrade to Premium /wp-admin/admin.php?page=WordfenceUpgradeToPremium | 1,083 | 2.40 | 47.58 | 38.88
Scan /wp-admin/admin.php?page=WordfenceScan | 2,532 | 3.45 | 88.51 | 110.07
Firewall /wp-admin/admin.php?page=WordfenceWAF | 2,741 | 5.32 | 229.54 | 115.67
Tools /wp-admin/admin.php?page=WordfenceTools | 5,975 | 2.45 | 39.68 | 54.25
All Options /wp-admin/admin.php?page=WordfenceOptions | 10,290 | 4.91 | 172.55 | 79.02
Login Security /wp-admin/admin.php?page=WFLS | 2,586 | 3.78 | 98.40 | 90.13
Dashboard 0 /wp-admin/admin.php?page=Wordfence | 1,722 | 5.84 | 193.36 | 82.80
Install /wp-admin/admin.php?page=WordfenceInstall | 1,307 | 2.51 | 36.40 | 62.54
Help /wp-admin/admin.php?page=WordfenceSupport | 2,063 | 2.84 | 62.72 | 61.66

Uninstaller [IO: ▲5.91MB] [DB: ▲0.04MB] 50% from 4 tests

🔸 Tests weight: 35 | All plugins must uninstall correctly, removing their source code and extra database tables they might have created
Please fix the following items
  • The uninstall procedure failed, leaving 24 tables in the database
    • wp_wfknownfilelist
    • wp_wfcrawlers
    • wp_wffilechanges
    • wp_wflivetraffichuman
    • wp_wflocs
    • wp_wfconfig
    • wp_wfls_2fa_secrets
    • wp_wflogins
    • wp_wfnotifications
    • wp_wfsecurityevents
    • ...
  • This plugin did not uninstall successfully, leaving 11 options in the database
    • db_upgraded
    • wordfence_case
    • wordfenceActivated
    • wf_plugin_act_error
    • widget_recent-comments
    • wordfence_version
    • can_compress_scripts
    • widget_theysaidso_widget
    • widget_recent-posts
    • wordfence_installed
    • ...

Smoke tests 25% from 4 tests

Server-side errors 0% from 1 test

🔹 Test weight: 20 | This is a shallow check for server-side errors
These errors were triggered by the plugin
    • > GET request to /wp-admin/admin.php?page=WordfenceWAF
    • > Warning in wp-content/plugins/wordfence/lib/wordfenceClass.php+2223
    unlink(wp-content/wflogs/template.0529828001701634713.tmp): No such file or directory
    • > GET request to /wp-admin/admin.php?page=WordfenceTools
    • > Notice in wp-content/plugins/wordfence/lib/wfDiagnostic.php+354
    Only variables should be passed by reference

SRP 50% from 2 tests

🔹 Tests weight: 20 | It is important to ensure that your PHP files perform no action when accessed directly, respecting the single-responsibility principle
Almost there! Just fix the following items
  • 174× PHP files trigger server-side errors or warnings when accessed directly (only 10 are shown):
    • > PHP Fatal error
      Uncaught Error: Class 'ParagonIE_Sodium_Core_Util' not found in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/src/Core/ChaCha20.php:11
    • > PHP Notice
      Constant SODIUM_CRYPTO_PWHASH_SCRYPTSALSA208SHA256_SALTBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 64
    • > PHP Fatal error
      Uncaught Error: Interface 'Wordfence\\MmdbReader\\IpAddressInterface' not found in wp-content/plugins/wordfence/vendor/wordfence/mmdb-reader/src/IpAddress.php:7
    • > PHP Notice
      Constant SODIUM_CRYPTO_KX_SECRETKEYBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 46
    • > PHP Fatal error
      Uncaught Error: Class 'ParagonIE_Sodium_Core32_ChaCha20_Ctx' not found in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/src/Core32/ChaCha20/IetfCtx.php:11
    • > PHP Notice
      Constant SODIUM_CRYPTO_BOX_SEALBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 30
    • > PHP Notice
      Constant SODIUM_LIBRARY_MAJOR_VERSION already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 4
    • > PHP Notice
      Constant SODIUM_CRYPTO_AUTH_KEYBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 29
    • > PHP Warning
      Use of undefined constant WORDFENCE_PATH - assumed 'WORDFENCE_PATH' (this will throw an Error in a future version of PHP) in wp-content/plugins/wordfence/lib/sodium_compat_fast.php on line 4
    • > PHP Notice
      Constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NSECBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 25

User-side errors 0% from 1 test

🔹 Test weight: 20 | A shallow check that no browser errors were triggered
Please fix the following user-side errors
    • > GET request to /wp-admin/admin.php?page=WordfenceUpgradeToPremium
    • > Javascript (severe) in unknown
    /wp-admin/admin.php?page=WordfenceUpgradeToPremium 87:18 Uncaught DOMException: Failed to execute 'replaceState' on 'History': A h…-admin/admin.php?page=WordfenceUpgradeToPremium'.

Optimizations

Plugin configuration 97% from 29 tests

readme.txt 94% from 16 tests

It's important to format your readme.txt file correctly as it is parsed for the public listing of your plugin
These attributes need your attention:
  • Tags: Too many tags (16 tags instead of the maximum 10); only the first 5 tags are used in your directory listing
You can look at the official readme.txt

wordfence/wordfence.php Passed 13 tests

Analyzing the main PHP file in "Wordfence Security - Firewall, Malware Scan, and Login Security" version 7.11.0
58 characters long description:
Wordfence Security - Anti-virus, Firewall and Malware Scan

Code Analysis 95% from 3 tests

File types Passed 1 test

🔸 Test weight: 35 | An overview of files in this plugin; executable files are not allowed
Good job! No executable or dangerous file extensions detected
113,208 lines of code in 617 files:
Language | Files | Blank lines | Comment lines | Lines of code
PHP | 532 | 11,882 | 22,875 | 101,532
JavaScript | 23 | 1,510 | 804 | 10,644
CSS | 38 | 46 | 53 | 549
JSON | 3 | 0 | 0 | 302
SVG | 21 | 0 | 2 | 181

PHP code 0% from 2 tests

A short review of cyclomatic complexity and code structure
Please fix the following
  • Please reduce cyclomatic complexity of classes to less than 1000 (currently 1,996)
  • Please reduce cyclomatic complexity of methods to less than 100 (currently 168)
Cyclomatic complexity
Average complexity per logical line of code: 0.42
Average class complexity: 32.37
▷ Minimum class complexity: 1.00
▷ Maximum class complexity: 1,996.00
Average method complexity: 4.11
▷ Minimum method complexity: 1.00
▷ Maximum method complexity: 168.00
Code structure
Namespaces: 17
Interfaces: 11
Traits: 0
Classes: 386
▷ Abstract classes: 33 (8.55%)
▷ Concrete classes: 353 (91.45%)
▷ Final classes: 0 (0.00%)
Methods: 4,063
▷ Static methods: 1,593 (39.21%)
▷ Public methods: 3,485 (85.77%)
▷ Protected methods: 156 (3.84%)
▷ Private methods: 422 (10.39%)
Functions: 217
▷ Named functions: 188 (86.64%)
▷ Anonymous functions: 29 (13.36%)
Constants: 1,152
▷ Global constants: 130 (11.28%)
▷ Class constants: 1,022 (88.72%)
▷ Public constants: 1,022 (100.00%)

Plugin size Passed 2 tests

Image compression Passed 2 tests

Often overlooked, PNG files can occupy unnecessary space in your plugin
33 compressed PNG files occupy 0.23MB
Potential savings
Compression of 5 random PNG files using pngquant
File | Size - original | Size - compressed | Savings
images/flags.png | 80.28KB | 26.56KB | ▼ 66.91%
images/loading_background.png | 0.15KB | 0.15KB | ▼ 0.64%
images/sort_asc.png | 0.16KB | 0.25KB | 0.00%
modules/login-security/img/ui-icons_777620_256x240.png | 4.44KB | 4.17KB | ▼ 6.02%
images/sort_asc_disabled.png | 0.14KB | 0.25KB | 0.00%