Code Review | Wordfence Security - Firewall & Malware Scan

WordPress plugin Wordfence Security - Firewall & Malware Scan scored 66% from 54 tests.

About plugin

  • Plugin page: wordfence
  • Plugin version: 7.5.9
  • PHP compatiblity: 5.3+
  • PHP version: 7.4.16
  • WordPress compatibility: 3.9-5.9
  • WordPress version: 5.9.2
  • First release: Apr 21, 2012
  • Latest release: Mar 22, 2022
  • Number of updates: 404
  • Update frequency: every 9.5 days
  • Top authors: mmaunder (44.55%), wfryan (30.2%), wfmatt (21.78%), wfalexk (4.21%)

Code review

54 tests

User reviews

3775 reviews

Install metrics

4,000,000+ active / 232,843,213 total downloads

Benchmarks

Plugin footprint 63% from 16 tests

Installer Passed 1 test

🔺 Critical test (weight: 50) | The install procedure must perform silently
Install script ran successfully

Server metrics [RAM: ▲14.70MB] [CPU: ▼188.85ms] 25% from 4 tests

Analyzing server-side resources used by Wordfence Security - Firewall & Malware Scan
The following require your attention
  • RAM: Total memory usage must be kept under 10MB (currently 20.07MB on /wp-admin/admin.php?page=WordfenceOptions)
  • CPU: Total CPU usage should be kept under 500.00ms (currently 948.45ms on /wp-admin/admin.php?page=Wordfence)
  • Extra RAM: Extra memory usage should be kept under 5MB (currently 14.70MB on /wp-admin/admin.php?page=WordfenceOptions)
Page | Memory (MB) | CPU Time (ms)
Home / | 16.86 ▲13.35 | 79.15 ▲31.80
Dashboard /wp-admin | 18.65 ▲15.24 | 113.01 ▲77.83
Posts /wp-admin/edit.php | 18.82 ▲15.17 | 106.36 ▲68.57
Add New Post /wp-admin/post-new.php | 22.07 ▲15.09 | 332.91 ▼933.59
Media Library /wp-admin/upload.php | 18.48 ▲15.18 | 121.37 ▲97.63
Wordfence Central /wp-admin/admin.php?page=WordfenceCentral | 18.50 | 95.16
Login Security /wp-admin/admin.php?page=WFLS | 19.01 | 123.89
Help /wp-admin/admin.php?page=WordfenceSupport | 18.57 | 97.95
Dashboard 1 /wp-admin/admin.php?page=Wordfence | 19.72 | 948.45
Scan /wp-admin/admin.php?page=WordfenceScan | 19.63 | 123.67
Firewall /wp-admin/admin.php?page=WordfenceWAF | 20.01 | 148.42
Upgrade to Premium /wp-admin/admin.php?page=WordfenceUpgradeToPremium | 18.46 | 103.20
Tools /wp-admin/admin.php?page=WordfenceTools | 18.65 | 92.83
All Options /wp-admin/admin.php?page=WordfenceOptions | 20.07 | 163.48

Server storage [IO: ▲14.61MB] [DB: ▲0.07MB] 67% from 3 tests

How much does this plugin use your filesystem and database?
Just a few items left to fix
  • The plugin illegally modified 10 files (7,502.04KB) outside of "wp-content/plugins/wordfence/" and "wp-content/uploads/"
    • (new file) wp-content/wflogs/GeoLite2-Country.mmdb
    • (new file) wp-content/wflogs/config.php
    • (new file) wp-content/wflogs/rules.php
    • (new file) wp-content/wflogs/config-livewaf.php
    • (new file) wp-content/wflogs/attack-data.php
    • (new file) wp-content/wflogs/ips.php
    • (new file) wp-content/wflogs/.htaccess
    • (new file) wp-content/wflogs/template.php
    • (new file) wp-content/wflogs/config-transient.php
    • (new file) wp-content/wflogs/config-synced.php
Filesystem: 714 new files
Database: 21 new tables, 6 new options
New tables
wp_wfblocks7
wp_wfcrawlers
wp_wflocs
wp_wfsnipcache
wp_wfknownfilelist
wp_wflivetraffichuman
wp_wfissues
wp_wfls_settings
wp_wflogins
wp_wftrafficrates
...
New WordPress options
wf_plugin_act_error
wordfenceActivated
wordfence_ls_version
wordfence_version
wordfence_installed
wordfence_case

Browser metrics Passed 4 tests

An overview of browser requirements for Wordfence Security - Firewall & Malware Scan
There were no issues detected in relation to browser resource usage
Page | Nodes | Memory (MB) | Script (ms) | Layout (ms)
Home / | 4,619 ▲875 | 16.98 ▲1.37 | 12.09 ▲5.29 | 2.12 ▼0.07
Dashboard /wp-admin | 3,489 ▲635 | 6.70 ▲0.53 | 122.01 ▼12.98 | 181.89 ▲24.93
Posts /wp-admin/edit.php | 2,915 ▲224 | 3.21 ▼0.02 | 69.94 ▲7.84 | 139.16 ▲0.26
Add New Post /wp-admin/post-new.php | 1,783 ▲115 | 19.86 ▲1.78 | 456.58 ▲72.52 | 172.72 ▲15.50
Media Library /wp-admin/upload.php | 1,953 ▲255 | 6.00 ▲0.52 | 128.45 ▼13.38 | 181.91 ▼6.58
Wordfence Central /wp-admin/admin.php?page=WordfenceCentral | 1,460 | 3.65 | 84.49 | 155.12
Login Security /wp-admin/admin.php?page=WFLS | 3,314 | 5.00 | 161.39 | 173.41
Help /wp-admin/admin.php?page=WordfenceSupport | 3,072 | 4.36 | 102.35 | 239.32
Dashboard 1 /wp-admin/admin.php?page=Wordfence | 2,370 | 7.11 | 223.07 | 236.36
Scan /wp-admin/admin.php?page=WordfenceScan | 3,324 | 4.23 | 109.17 | 233.27
Firewall /wp-admin/admin.php?page=WordfenceWAF | 3,677 | 6.49 | 254.43 | 199.81
Upgrade to Premium /wp-admin/admin.php?page=WordfenceUpgradeToPremium | 1,313 | 3.50 | 70.06 | 101.22
Tools /wp-admin/admin.php?page=WordfenceTools | 4,797 | 6.25 | 157.34 | 261.18
All Options /wp-admin/admin.php?page=WordfenceOptions | 18,492 | 6.55 | 226.82 | 154.05

Uninstaller [IO: ▲7.33MB] [DB: ▲0.07MB] 50% from 4 tests

🔸 Tests weight: 35 | The uninstall procedure must remove all plugin files and extra database tables
It is recommended to fix the following
  • Zombie tables detected upon uninstall: 21 tables
    • wp_wfhoover
    • wp_wfstatus
    • wp_wfhits
    • wp_wfreversecache
    • wp_wfconfig
    • wp_wfblocks7
    • wp_wflivetraffichuman
    • wp_wffilemods
    • wp_wfcrawlers
    • wp_wfpendingissues
    • ...
  • The uninstall procedure has failed, leaving 5 options in the database
    • wf_plugin_act_error
    • wordfence_installed
    • wordfenceActivated
    • wordfence_case
    • wordfence_version

Smoke tests 50% from 4 tests

Server-side errors Passed 1 test

🔹 Test weight: 20 | A shallow check that no server-side errors were triggered
Even though everything seems fine, this is not an exhaustive test

SRP 50% from 2 tests

🔹 Tests weight: 20 | SRP (Single-Responsibility Principle) - PHP files must act as libraries and never output text or perform any action when accessed directly in a browser
Almost there! Just fix the following items
  • 192× GET requests to PHP files have triggered server-side errors or warnings (only 10 are shown):
    • > PHP Notice
      Constant SODIUM_CRYPTO_AEAD_CHACHA20POLY1305_IETF_NPUBBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 22
    • > PHP Fatal error
      Uncaught Error: Interface 'GeoIp2\\ProviderInterface' not found in wp-content/plugins/wordfence/vendor/geoip2/geoip2/src/Database/Reader.php:34
    • > PHP Fatal error
      Uncaught Error: Class 'ParagonIE_Sodium_Core_Util' not found in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/src/Core/Poly1305/State.php:11
    • > PHP Fatal error
      Uncaught Error: Class 'ParagonIE_Sodium_Core_Ed25519' not found in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/namespaced/Core/Ed25519.php:5
    • > PHP Notice
      Constant SODIUM_CRYPTO_PWHASH_SCRYPTSALSA208SHA256_OPSLIMIT_SENSITIVE already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 68
    • > PHP Fatal error
      Uncaught Error: Class 'ParagonIE_Sodium_Core_XChaCha20' not found in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/namespaced/Core/XChaCha20.php:5
    • > PHP Fatal error
      require_once(): Failed opening required 'other/ide_stubs/libsodium.php' (include_path='.:/usr/share/php') in wp-content/plugins/wordfence/crypto/vendor/paragonie/random_compat/psalm-autoload.php on line 7
    • > PHP Fatal error
      Uncaught Error: Class 'GeoIp2\\Record\\AbstractPlaceRecord' not found in wp-content/plugins/wordfence/vendor/geoip2/geoip2/src/Record/Country.php:29
    • > PHP Notice
      Constant SODIUM_CRYPTO_KDF_BYTES_MAX already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 38
    • > PHP Notice
      Constant SODIUM_CRYPTO_PWHASH_OPSLIMIT_MODERATE already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 61

User-side errors 0% from 1 test

🔹 Test weight: 20 | This is a smoke test targeting browser errors/issues
There are user-side issues you should fix
    • > GET request to /wp-admin/admin.php?page=WordfenceUpgradeToPremium
    • > Javascript (severe) in unknown
    /wp-admin/admin.php?page=WordfenceUpgradeToPremium 87:18 Uncaught DOMException: Failed to execute 'replaceState' on 'History': A h…-admin/admin.php?page=WordfenceUpgradeToPremium'.

Optimizations

Plugin configuration 97% from 29 tests

readme.txt 94% from 16 tests

You should put a lot of thought into formatting readme.txt as it is used by WordPress.org to prepare the public listing of your plugin
Attributes that need to be fixed:
  • Tags: Too many tags (11 tags instead of the maximum 10); only the first 5 tags are used in your directory listing
Please take inspiration from this readme.txt

wordfence/wordfence.php Passed 13 tests

The main file in "Wordfence Security - Firewall & Malware Scan" v. 7.5.9 serves as a complement to information provided in readme.txt and as the entry point to the plugin
58 characters long description:
Wordfence Security - Anti-virus, Firewall and Malware Scan

Code Analysis 95% from 3 tests

File types Passed 1 test

🔸 Test weight: 35 | There should be no dangerous file extensions present in any WordPress plugin
Success! There were no dangerous files found in this plugin
114,377 lines of code in 614 files:
Language | Files | Blank lines | Comment lines | Lines of code
PHP | 526 | 11,465 | 23,616 | 97,507
JavaScript | 24 | 1,466 | 800 | 10,257
PO File | 1 | 2,616 | 4,744 | 5,331
CSS | 37 | 46 | 53 | 600
JSON | 3 | 0 | 0 | 461
SVG | 21 | 0 | 2 | 181
XML | 2 | 13 | 42 | 40

PHP code 0% from 2 tests

Analyzing cyclomatic complexity and code structure
The following items need your attention
  • Cyclomatic complexity of classes should be reduced to less than 1000 (currently 1,895)
  • Cyclomatic complexity of methods should be reduced to less than 100 (currently 159)
Cyclomatic complexity
Average complexity per logical line of code: 0.43
Average class complexity: 32.18
▷ Minimum class complexity: 1.00
▷ Maximum class complexity: 1,895.00
Average method complexity: 4.30
▷ Minimum method complexity: 1.00
▷ Maximum method complexity: 159.00
Code structure
Namespaces: 26
Interfaces: 10
Traits: 0
Classes: 369
▷ Abstract classes: 36 (9.76%)
▷ Concrete classes: 333 (90.24%)
▷ Final classes: 0 (0.00%)
Methods: 3,646
▷ Static methods: 1,381 (37.88%)
▷ Public methods: 3,139 (86.09%)
▷ Protected methods: 154 (4.22%)
▷ Private methods: 353 (9.68%)
Functions: 191
▷ Named functions: 170 (89.01%)
▷ Anonymous functions: 21 (10.99%)
Constants: 1,037
▷ Global constants: 120 (11.57%)
▷ Class constants: 917 (88.43%)
▷ Public constants: 917 (100.00%)

Plugin size Passed 2 tests

Image compression Passed 2 tests

Oftentimes overlooked, PNG files can occupy unnecessary space in your plugin
33 PNG files occupy 0.23MB with 0.07MB in potential savings
Potential savings
Compression of 5 random PNG files using pngquant
File | Size - original | Size - compressed | Savings
css/images/ui-icons_555555_256x240.png | 6.82KB | 4.17KB | ▼ 38.82%
css/images/ui-icons_ffffff_256x240.png | 6.15KB | 4.17KB | ▼ 32.13%
css/images/ui-icons_777777_256x240.png | 6.83KB | 4.17KB | ▼ 38.92%
modules/login-security/img/ui-icons_ffffff_256x240.png | 6.15KB | 4.17KB | ▼ 32.13%
css/images/ui-icons_777620_256x240.png | 4.44KB | 4.17KB | ▼ 6.02%