61% wordfence

Code Review | Wordfence Security - Firewall, Malware Scan, and Login Security

WordPress plugin Wordfence Security - Firewall, Malware Scan, and Login Security scored 61% from 54 tests.

About plugin

  • Plugin page: wordfence
  • Plugin version: 7.11.0
  • PHP compatibility: 5.5+
  • PHP version: 7.4.16
  • WordPress compatibility: 3.9-6.4
  • WordPress version: 6.3.1
  • First release: Apr 21, 2012
  • Latest release: Nov 28, 2023
  • Number of updates: 454
  • Update frequency: every 9.8 days
  • Top authors: mmaunder (39.65%), wfryan (29.96%), wfmatt (19.82%), wfalexk (11.23%)

Code review

54 tests

User reviews

3973 reviews

Install metrics

4,000,000+ active / 323,951,173 total downloads

Benchmarks

Plugin footprint 63% from 16 tests

Installer Passed 1 test

🔺 Critical test (weight: 50) | Verifying that this plugin installs correctly without errors
The plugin installed gracefully, with no errors

Server metrics [RAM: ▲11.60MB] [CPU: ▲79.55ms] 25% from 4 tests

Analyzing server-side resources used by Wordfence Security - Firewall, Malware Scan, and Login Security
Please fix the following
  • RAM: The total memory usage must be kept under 10MB (currently 14.99MB on /wp-admin/admin.php?page=WordfenceSupport)
  • CPU: Total CPU usage must be kept under 500.00ms (currently 744.21ms on /wp-admin/admin.php?page=Wordfence)
  • Extra RAM: The extra memory usage must be under 5MB (currently 11.60MB on /wp-admin/admin.php?page=WordfenceSupport)
| Page | Memory (MB) | CPU Time (ms) |
|---|---|---|
| Home / | 14.90 ▲11.43 | 130.75 ▲89.63 |
| Dashboard /wp-admin | 15.08 ▲11.77 | 140.34 ▲84.11 |
| Posts /wp-admin/edit.php | 15.05 ▲11.68 | 119.81 ▲70.60 |
| Add New Post /wp-admin/post-new.php | 17.54 ▲11.65 | 168.47 ▲73.86 |
| Media Library /wp-admin/upload.php | 14.86 ▲11.63 | 133.57 ▲99.85 |
| Upgrade to Premium /wp-admin/admin.php?page=WordfenceUpgradeToPremium | 14.84 | 111.64 |
| Scan /wp-admin/admin.php?page=WordfenceScan | 16.10 | 1,397.90 |
| Firewall /wp-admin/admin.php?page=WordfenceWAF | 13.55 | 76.04 |
| Tools /wp-admin/admin.php?page=WordfenceTools | 14.56 | 100.15 |
| All Options /wp-admin/admin.php?page=WordfenceOptions | 16.36 | 794.33 |
| Login Security /wp-admin/admin.php?page=WFLS | 15.43 | 129.45 |
| Dashboard 0 /wp-admin/admin.php?page=Wordfence | 16.11 | 744.21 |
| Install /wp-admin/admin.php?page=WordfenceInstall | 14.92 | 112.31 |
| Help /wp-admin/admin.php?page=WordfenceSupport | 14.99 | 110.98 |

Server storage [IO: ▲15.05MB] [DB: ▲0.04MB] 67% from 3 tests

Filesystem and database footprint
It is recommended to fix the following issues
  • The plugin illegally modified 10 files (6,054.66KB) outside of "wp-content/plugins/wordfence/" and "wp-content/uploads/"
    • (new file) wp-content/wflogs/GeoLite2-Country.mmdb
    • (new file) wp-content/wflogs/config.php
    • (new file) wp-content/wflogs/config-transient.php
    • (new file) wp-content/wflogs/config-synced.php
    • (new file) wp-content/wflogs/attack-data.php
    • (new file) wp-content/wflogs/template.php
    • (new file) wp-content/wflogs/.htaccess
    • (new file) wp-content/wflogs/ips.php
    • (new file) wp-content/wflogs/rules.php
    • (new file) wp-content/wflogs/config-livewaf.php
Filesystem: 713 new files
Database: 24 new tables, 12 new options
New tables
wp_wfhoover
wp_wflocs
wp_wffilechanges
wp_wfls_settings
wp_wffilemods
wp_wfblockediplog
wp_wfnotifications
wp_wfwaffailures
wp_wfcrawlers
wp_wfsecurityevents
...
New WordPress options
wf_plugin_act_error
wordfenceActivated
widget_recent-comments
theysaidso_admin_options
widget_recent-posts
wordfence_case
widget_theysaidso_widget
wordfence_version
wordfence_ls_version
db_upgraded
...

Browser metrics Passed 4 tests

Wordfence Security - Firewall, Malware Scan, and Login Security: an overview of browser usage
Minimal impact on browser resources
| Page | Nodes | Memory (MB) | Script (ms) | Layout (ms) |
|---|---|---|---|---|
| Home / | 3,579 ▲817 | 13.92 ▼0.79 | 9.24 ▲7.59 | 30.34 ▼15.16 |
| Dashboard /wp-admin | 2,783 ▲603 | 5.07 ▼0.57 | 103.35 ▲10.93 | 70.02 ▲27.27 |
| Posts /wp-admin/edit.php | 2,411 ▲311 | 2.44 ▲0.46 | 37.48 ▼2.80 | 43.11 ▲4.30 |
| Add New Post /wp-admin/post-new.php | 1,877 ▲351 | 21.94 ▼1.16 | 696.65 ▲91.44 | 52.16 ▼5.91 |
| Media Library /wp-admin/upload.php | 1,714 ▲314 | 4.58 ▲0.42 | 101.85 ▲8.76 | 53.22 ▲12.08 |
| Upgrade to Premium /wp-admin/admin.php?page=WordfenceUpgradeToPremium | 1,083 | 2.40 | 47.58 | 38.88 |
| Scan /wp-admin/admin.php?page=WordfenceScan | 2,532 | 3.45 | 88.51 | 110.07 |
| Firewall /wp-admin/admin.php?page=WordfenceWAF | 2,741 | 5.32 | 229.54 | 115.67 |
| Tools /wp-admin/admin.php?page=WordfenceTools | 5,975 | 2.45 | 39.68 | 54.25 |
| All Options /wp-admin/admin.php?page=WordfenceOptions | 10,290 | 4.91 | 172.55 | 79.02 |
| Login Security /wp-admin/admin.php?page=WFLS | 2,586 | 3.78 | 98.40 | 90.13 |
| Dashboard 0 /wp-admin/admin.php?page=Wordfence | 1,722 | 5.84 | 193.36 | 82.80 |
| Install /wp-admin/admin.php?page=WordfenceInstall | 1,307 | 2.51 | 36.40 | 62.54 |
| Help /wp-admin/admin.php?page=WordfenceSupport | 2,063 | 2.84 | 62.72 | 61.66 |

Uninstaller [IO: ▲5.91MB] [DB: ▲0.04MB] 50% from 4 tests

🔸 Tests weight: 35 | All plugins must uninstall correctly, removing their source code and extra database tables they might have created
Please fix the following items
  • The uninstall procedure failed, leaving 24 tables in the database
    • wp_wfknownfilelist
    • wp_wfcrawlers
    • wp_wffilechanges
    • wp_wflivetraffichuman
    • wp_wflocs
    • wp_wfconfig
    • wp_wfls_2fa_secrets
    • wp_wflogins
    • wp_wfnotifications
    • wp_wfsecurityevents
    • ...
  • This plugin did not uninstall successfully, leaving 11 options in the database
    • db_upgraded
    • wordfence_case
    • wordfenceActivated
    • wf_plugin_act_error
    • widget_recent-comments
    • wordfence_version
    • can_compress_scripts
    • widget_theysaidso_widget
    • widget_recent-posts
    • wordfence_installed
    • ...

Smoke tests 25% from 4 tests

Server-side errors 0% from 1 test

🔹 Test weight: 20 | This is a shallow check for server-side errors
These errors were triggered by the plugin
    • > GET request to /wp-admin/admin.php?page=WordfenceWAF
    • > Warning in wp-content/plugins/wordfence/lib/wordfenceClass.php+2223
    unlink(wp-content/wflogs/template.0529828001701634713.tmp): No such file or directory
    • > GET request to /wp-admin/admin.php?page=WordfenceTools
    • > Notice in wp-content/plugins/wordfence/lib/wfDiagnostic.php+354
    Only variables should be passed by reference

SRP 50% from 2 tests

🔹 Tests weight: 20 | It is important to ensure that your PHP files perform no action when accessed directly, respecting the single-responsibility principle
Almost there! Just fix the following items
  • 174× PHP files trigger server-side errors or warnings when accessed directly (only 10 are shown):
    • > PHP Fatal error
      Uncaught Error: Class 'ParagonIE_Sodium_Core_Util' not found in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/src/Core/ChaCha20.php:11
    • > PHP Notice
      Constant SODIUM_CRYPTO_PWHASH_SCRYPTSALSA208SHA256_SALTBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 64
    • > PHP Fatal error
      Uncaught Error: Interface 'Wordfence\\MmdbReader\\IpAddressInterface' not found in wp-content/plugins/wordfence/vendor/wordfence/mmdb-reader/src/IpAddress.php:7
    • > PHP Notice
      Constant SODIUM_CRYPTO_KX_SECRETKEYBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 46
    • > PHP Fatal error
      Uncaught Error: Class 'ParagonIE_Sodium_Core32_ChaCha20_Ctx' not found in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/src/Core32/ChaCha20/IetfCtx.php:11
    • > PHP Notice
      Constant SODIUM_CRYPTO_BOX_SEALBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 30
    • > PHP Notice
      Constant SODIUM_LIBRARY_MAJOR_VERSION already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 4
    • > PHP Notice
      Constant SODIUM_CRYPTO_AUTH_KEYBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 29
    • > PHP Warning
      Use of undefined constant WORDFENCE_PATH - assumed 'WORDFENCE_PATH' (this will throw an Error in a future version of PHP) in wp-content/plugins/wordfence/lib/sodium_compat_fast.php on line 4
    • > PHP Notice
      Constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NSECBYTES already defined in wp-content/plugins/wordfence/crypto/vendor/paragonie/sodium_compat/lib/php72compat_const.php on line 25

User-side errors 0% from 1 test

🔹 Test weight: 20 | A shallow check that no browser errors were triggered
Please fix the following user-side errors
    • > GET request to /wp-admin/admin.php?page=WordfenceUpgradeToPremium
    • > Javascript (severe) in unknown
    /wp-admin/admin.php?page=WordfenceUpgradeToPremium 87:18 Uncaught DOMException: Failed to execute 'replaceState' on 'History': A h…-admin/admin.php?page=WordfenceUpgradeToPremium'.

Optimizations

Plugin configuration 97% from 29 tests

readme.txt 94% from 16 tests

It's important to format your readme.txt file correctly as it is parsed for the public listing of your plugin
These attributes need your attention:
  • Tags: Too many tags (16 tags instead of the maximum of 10); only the first 5 tags are used in your directory listing
You can look at the official readme.txt

wordfence/wordfence.php Passed 13 tests

Analyzing the main PHP file in "Wordfence Security - Firewall, Malware Scan, and Login Security" version 7.11.0
58 characters long description:
Wordfence Security - Anti-virus, Firewall and Malware Scan

Code Analysis 95% from 3 tests

File types Passed 1 test

🔸 Test weight: 35 | An overview of files in this plugin; executable files are not allowed
Good job! No executable or dangerous file extensions detected
113,208 lines of code in 617 files:

| Language | Files | Blank lines | Comment lines | Lines of code |
|---|---|---|---|---|
| PHP | 532 | 11,882 | 22,875 | 101,532 |
| JavaScript | 23 | 1,510 | 804 | 10,644 |
| CSS | 38 | 46 | 53 | 549 |
| JSON | 3 | 0 | 0 | 302 |
| SVG | 21 | 0 | 2 | 181 |

PHP code 0% from 2 tests

A short review of cyclomatic complexity and code structure
Please fix the following
  • Please reduce cyclomatic complexity of classes to less than 1000 (currently 1,996)
  • Please reduce cyclomatic complexity of methods to less than 100 (currently 168)
Cyclomatic complexity
Average complexity per logical line of code 0.42
Average class complexity 32.37
▷ Minimum class complexity 1.00
▷ Maximum class complexity 1,996.00
Average method complexity 4.11
▷ Minimum method complexity 1.00
▷ Maximum method complexity 168.00
Code structure
Namespaces 17
Interfaces 11
Traits 0
Classes 386
▷ Abstract classes 33 8.55%
▷ Concrete classes 353 91.45%
▷ Final classes 0 0.00%
Methods 4,063
▷ Static methods 1,593 39.21%
▷ Public methods 3,485 85.77%
▷ Protected methods 156 3.84%
▷ Private methods 422 10.39%
Functions 217
▷ Named functions 188 86.64%
▷ Anonymous functions 29 13.36%
Constants 1,152
▷ Global constants 130 11.28%
▷ Class constants 1,022 88.72%
▷ Public constants 1,022 100.00%

Plugin size Passed 2 tests

Image compression Passed 2 tests

Often overlooked, PNG files can occupy unnecessary space in your plugin
33 compressed PNG files occupy 0.23MB
Potential savings
Compression of 5 random PNG files using pngquant
| File | Size - original | Size - compressed | Savings |
|---|---|---|---|
| images/flags.png | 80.28KB | 26.56KB | ▼ 66.91% |
| images/loading_background.png | 0.15KB | 0.15KB | ▼ 0.64% |
| images/sort_asc.png | 0.16KB | 0.25KB | 0.00% |
| modules/login-security/img/ui-icons_777620_256x240.png | 4.44KB | 4.17KB | ▼ 6.02% |
| images/sort_asc_disabled.png | 0.14KB | 0.25KB | 0.00% |