When it comes to WordPress security plugins, one is by far the most popular. That plugin being Wordfence Security, which has over 2+ million active installs according to wordpress.org (the next most popular one has 800,00+ active installs). At least some of its popularity is based on people believing that the plugins is much more capable than it really is.
Some of that belief is based on the company behind the plugins simply lying about its capabilities. For example, here is the second sentence of their description of the plugin on wordpress.org:
Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked.
Would it be possible for the plugin to stop some hacks? Sure, but it can’t possibly stop all hacks. For example, if the website is hacked through a compromise of the FTP login details or a server level breach, that is occurring below the level the plugin is operating, so it can’t stop that. While a security plugin could try to detect a change made by that hack, the hacker would also likely have the ability to remove, disable, or modify the plugin with the access they have as well. It isn’t hard to understand why Wordfence would lie about this, since people will believe it and other false claims they make.
Even in situations where the plugin might be able to provide protection, unless you are paying for their premium service, they will leave you vulnerable for 30 days or more after they add protection (their ability to do that would require them knowing about the vulnerability, which isn’t a given), so Wordfence knows that a blanket claim that the plugin will stop you from being hacked isn’t true.
The claims being made don’t always come from the makers of Wordfence. For example, last year we noted an instance when someone posted on the wordpress.org support forum looking for help with hacked website they were told by two people that Wordfence Security would fix it, despite the person looking for help having already said that they had tried to use it to fix the website.
The latest incident of a belief that Wordfence Security is more capable than it really is, involved someone who came to us looking for advice on a claim from their web host that their website had been hacked. They believed that their web host’s claim was false in part because Wordfence Security couldn’t find any malicious files on the website.
Our experience from people presenting us results from numerous different automated tools for detecting malicious code over the years, is that they miss a lot of malicious code and can produce some bad false positives. So you can’t rely on them to determine that a website isn’t hacked. Due to the false positives you can’t totally trust them to determine that a website is hacked, though we would have more confidence of a claim that a website is hacked than it isn’t based on their results.
In this case what the website’s owner hadn’t done was to ask the web host for evidence to back up their claim that the website was hacked. Instead of looking to Wordfence Security or another plugin/service to try to determine if a website is hacked in this type of situation that should be the first thing done. Once you have that evidence, if you are unable to determine if the evidence backs up the claim we would recommend that you get a second opinion from a company that deals with hacked websites. We are always happy to do that for free and we would hope that other would as well.
When we were sent one of the files from the website, we not only immediately recognized it contained malicious code, but it was something that would have been picked by our partially automated scanning for malicious code (a human reviews all the results this scanning produces to determine if the code is actually malicious code). So the website was actually hacked and Wordfence Security had just missed malicious files, despite containing fairly common malicious code.
Since Wordfence Security couldn’t even detect the malicious code, it also wouldn’t have been able to clean it up, a further reminder that Wordfence Security’s ability to clean up hacked websites is also limited.