The popular WordPress security plugin Wordfence Security is marketed with the claim that it will protect websites from being hacked:
Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.
Despite that, the developer sells two very expensive services for dealing with websites that have been hacked while using that plugin. That seems like it should be a big red flag to avoid both the plugin and those services, but isn’t for many, which can have significant consequences. A recent review tells that story.
The review involves a website that was presumably hacked while using Wordfence’s plugin, after which Wordfence was hired to deal with that:
Horrific (and non-existent) “emergency response”. We had two sites protected with the WordFence premium plugin. Both came up with white screens of death this morning, so we went to WordFence as a ‘trusted’ provider to hopefully help us get back online.
It isn’t actually clear based on the review that the website was hacked, as opposed to some other issue causing the website to be broken and have the “white screen of death” shown. Wordfence should have made sure that there really was a hack before taking any money to do a hack cleanup. We always do, and we would recommend avoiding any provider that doesn’t.
Instead, they got this person to pay way too much for a hack cleanup through their Wordfence Response service:
We fell for their $950 (NINE HUNDRED AND FIFTY) dollar “emergency” response plan where they are supposed to dedicate some urgent resources for “mission critical” websites to get you back online fast.
That is significantly more than we charge for a WordPress hack cleanup and we are not the cheapest option.
For all that money, you are not getting a response in line with what is supposed to be provided. Instead, they only promise to get back to you within an hour and address the hack within 24 hours:
Wordfence Response is for mission-critical WordPress websites that require 24/7/365 security monitoring with a 1-hour response time and 24-hour remediation.
It usually only takes a few hours to handle a cleanup, so them getting it done within 24 hours isn’t a great result. Perhaps that is why they emphasize responding within an hour, since that makes it sound like a better service. The reviewer’s result, though, was worse than that:
It took over an hour for the representative to come back and tell us that because we had 4 other subdomains completely outside of public_html on the server, that we would have to pay FOUR MORE TIMES (yes, $4000 more) to get them to even start looking at it.
So it took over an hour to respond that the overpriced service was going to be even more expensive.
After agreeing to pay the outrageous sum, things didn’t even move forward:
SEVERAL HOURS LATER (now NINE HOURS) after the emergency ticket was created, a new “Director of Information Technology” sends us an email that they can’t help us at all because there are plugins that have “obfuscated code” in them and so they can’t help us. They don’t bother to even tell us what plugins (we suspect Membermouse, some plugins do this), or even offer to simply remove that plugin and continue their search and help.
Instead, they send that email and then ignore us. So now $5000 and 9 hours later we still have a broken site and no emergency response from Wordfence.
It isn’t uncommon to deal with legitimate obfuscated code on a hacked website. It makes things slightly more difficult, but when you are overcharging for hack cleanup to the degree Wordfence is, it shouldn’t be a real issue.
The description of their service has some other significant red flags. For example, here is how they describe the cleanup process:
When a security incident impacts your site, our team works directly with you and securely clones your site onto a forensic server. Safely away from your production website, our team analyzes the incident using tools, processes, and data that have taken years to develop. We find the attack vector, track down indicators of compromise, and remediate your site.
Beyond a slew of buzzwords, what they are describing is either not accurate or is going to produce bad results. Usually a key part of cleaning up the hack and trying to figure out how the website was hacked involves reviewing log files, so copying the website to another server isn’t going to do anything for that. Also, they are not being honest about an important reality, which is that often you can’t actually determine how the website was hacked or, to use their parlance, find the attack vector. Surely they must know that, but somehow, as a security company, they don’t feel that being honest with prospective customers is important. It really isn’t surprising, then, to hear the result once they have gotten people’s money.