A couple of hacked websites we were contacted about recently are reminders that, contrary to the marketing of the most popular WordPress security plugin, Wordfence Security, that it “stops you from getting hacked”, it doesn’t accomplish that.
In one of those situations, we were provided a list of malicious files that had been supplied by the web host, and one of them was stored in the directory for the Wordfence plugin:
/home3/[redacted]/public_html/thefaraharchives/wp-content/plugins/wordfence/modules/login-security/classes/model/wp-pingg.php: SL-PHP-SHELL-yp.UNOFFICIAL FOUND
So it clearly didn’t stop the website from being hacked.
In the other, we were told that after the website was hacked the plugin “locked the site down”, which means it only came into play after the website was hacked.
That shouldn’t be surprising, since a) the developer of that plugin doesn’t provide evidence to support the claim (before using something like that, that type of evidence should be provided) and b) a plugin simply can’t do that, so the developer is lying (something we ran across an employee of theirs admitting several years ago).