You’ve been running your website and are looking to get a security plugin that works for your needs. You know how important security is, so you decide to do some research. After a few hours of reading and reviewing, you realize that Wordfence and WP Cerber keep coming up in listicles. You’re looking for an article that compares the two, so you can make an informed decision. Well, you’re at the right place. We’ve tested both plugins, as much as we could, and are ready to lay it all out.
Wordfence boasts a wide range of features, such as a scanner, cleaner, and firewall—all of which are essential for website security. However, is it really as good as people say it is? Are there any downsides to using Wordfence?
Our testing with WPCerber security started with a hiccup. We were shocked to discover that it had been removed from the WordPress repository due to a ‘security issue’. Nonetheless, we proceeded to download the plugin from their website and tested it objectively.
In this article, we’ll talk about the good, the bad, and the ugly of both plugins.
Wordfence is the clear winner. We would give Wordfence a score of 12/15 as a security plugin, while WP Cerber would receive a score of 0. If you’re looking for an even better security plugin than Wordfence, we highly recommend MalCare.
Security is a top priority for website owners and there are so many features that are important to consider when choosing the right security plugin:
How well does it scan for malware?
How effective is the firewall?
Does it have an option to clear out detected malware?
We took all these factors into account when testing out WP Cerber and Wordfence, so you can make an informed decision.
Overview: WP Cerber or Wordfence
Wordfence and WP Cerber are both security plugins designed to protect WordPress websites from various threats such as malware, brute force attacks, and hacking attempts. However, when it comes to features and effectiveness, there is a night-and-day difference between the two.
Wordfence is a popular and well-regarded security plugin that offers a wide range of features, including a powerful scanner, firewall, and two-factor authentication. The scanner is capable of detecting many types of malware and vulnerabilities, but it does have some limitations.
The firewall is another critical feature of Wordfence, which helps prevent unauthorized access to your website. While the firewall is good, the free version of the plugin gets regular updates late, which could leave your site vulnerable to known attacks.
When it comes to WP Cerber, the security plugin has been deemed ineffective by many security experts. The scanner, firewall, and cleaner all lack functionality, and the two-factor authentication and brute force protection features don’t work. Moreover, WP Cerber was removed from the WordPress repository due to a security issue that the developers did not appear to address. This lack of attention to security concerns is a significant red flag for website owners who rely on security plugins to protect their sites.
Overall, Wordfence is a better choice for WordPress security than WP Cerber. While Wordfence may have some limitations, it offers a more comprehensive set of features and has a better track record when it comes to detecting and preventing security threats.
Wordfence in a nutshell
Wordfence offers many features, but it does come with some big drawbacks. To begin with, it can only detect 70-80% of malware, missing out on database-based malware altogether. Additionally, Wordfence’s scanner will not detect malware in premium plugins and themes due to its signature-matching mechanism.
Moving on to the firewall feature, and there are a few things to point out right away. The free firewall gets regular updates on a 30-day lag after the premium one. So, while the firewall is good, if you’re using the free version of the plugin, your site is susceptible to known attacks just because it is on the free version. The firewall does keep out threats, but it has also been known to keep out site visitors and admin. Finally, the firewall generates a ton of alerts. Expect your inbox to be overwhelmed.
And worst of all, Wordfence is a terrible resource hog. So much so, that you’ll need to check with your hosting provider if they allow Wordfence at all. Many web hosts ban Wordfence altogether because of the toll it takes on their servers.
WP Cerber Security in a nutshell
WP Cerber is by far the worst security plugin we have ever tested.
The scanner was lacking, the firewall was ineffective, and the cleaner relied on the unreliable scanner to remove malware. Furthermore, we found that the two-factor authentication and brute force protection didn’t work either.
We remained objective when evaluating the plugin’s effectiveness, but we cannot not acknowledge that WP Cerber was removed from the WordPress repository for having a security issue in September 2022.
As of writing this article, that was over 6 months ago. It has become clear in the interim that WP Cerber has no intention of resolving the issue, and has chosen to bash WordPress in some of its content. It is all quite distasteful.
WP Cerber security vs Wordfence: Head-to-head feature comparison
Let’s talk about how WP Cerber and Wordfence stack up with their features in mind.
Wordfence was slightly better than WP Cerber at detecting malware, although both suffered from issues. Neither detected malware in the database or in premium themes. WP Cerber threw up more false positives than Wordfence though.
We noticed a few issues with Wordfence’s free scanner. The dashboard, for example, indicates that it only runs at 60% efficiency, which is far from ideal. While the scans are quick, this is of little use if they are not accurate in detecting malware.
Another flaw is that Wordfence utilizes signature-matching to detect malware, meaning they have a large database of malware signatures to compare the code on your website to. Despite their impressive efforts to keep the database updated, this method cannot detect newer malware and therefore is not a surefire defense against zero-day attacks.
Moreover, this system only works to detect file-based malware. Malware can also be present in the database, and in fact, redirect malware is often found in databases more than in files on websites. We found that Wordfence was able to detect all of our file-based malware, with an estimated detection rate of 70-80%. Unfortunately, it is also susceptible to false positives.
Lastly, the scanner is limited in terms of its capability of detecting malware in open-source or free plugins and themes. This is because it uses publicly available code to compare against the code on the website in order to identify any unauthorized additions. As such, premium plugins and themes—which make up the majority of themes—are not included in the scan.
For WP Cerber, the scanner can be found in the site integrity section, which we discovered after a bit of searching.
Upon starting a full scan, we were pleased to find that it flagged most of the malware. However, it also labeled a number of legitimate files from other security plugins, such as Sucuri and MalCare, as malicious.
The main consequence is that it relies on the files in the WordPress repository to detect added or modified code, resulting in the ‘checksum mismatch’ message. This is an ineffective way to detect malware since premium plugins and themes are not available in the repository.
We’d score the scanner at 50% for its ability to detect the malware present. But it also flagged a significant portion of our site as malicious.
If you suspect that your site is hacked, WP Cerber is likely to give you a positive result. Use MalCare’s free scanner to get a definite yes or no instead.
Wordfence removed all file-based malware. WP Cerber’s method of malware removal is destructive to say the least.
Wordfence offers two automated options on the dashboard for dealing with hacked files: delete all deletable files and repair all repairable files. There is also the option of choosing their expert cleaning service. All of these approaches were successful in removing the malware from our website. However, the automated removal process comes with a warning that the site may be disrupted as a result of the changes.
Wordfence successfully removed all of the file-based malware from our website, so we also tested it against database malware and premium plugins. Unfortunately, the scanner was unable to identify this type of malware, so the automatic repair option was not available.
The other alternative was to request malware removal. This service is meant to eliminate malware, backdoors, and includes a security audit of the website to identify potential vulnerabilities. Additionally, if the website has been placed on a blacklist, Wordfence can help get it taken down. The service comes with a one-year guarantee, provided that the site administrator follows the post-hack recommendations exactly.
Please note: We cannot speak to the efficacy of Wordfence’s malware removal service, as we didn’t try it out.
On WP Cerber, cleaning is a premium feature, which is reasonable. However, it does provide a list of what the automatic cleaning process entails. Essentially, it will reset files to their original settings, so any custom code will be lost unless precautions are taken. It is possible to designate some files as off limits, but this is a very destructive cleaning method and we would be hesitant to test it out on an active website.
Wordfence is definitely better, despite only a 35% efficacy. At least it doesn’t affect organic traffic, unlike WP Cerber which tends to block search engine bots.
Wordfence’s firewall operates out of the box, and is successful in blocking attacks. Immediately after installation, the firewall entered a learning mode. Wordfence suggested leaving learning mode on for a week, which is understandable considering that firewalls learn from live traffic. However, since there was no live traffic to our test websites, we saw no need to wait a week and enabled the active mode right away.
The free firewall is advertised to be only 35% effective, which is displayed on the dashboard. To understand why this might be the case, we looked further into it. Firstly, the free firewall operates as a plugin and is loaded after WordPress core. This can be an issue since the firewall won’t be able to block all malicious traffic, if it loads after WordPress.
Secondly, the premium version of Wordfence receives updates in real-time, whereas the free version receives updates after 30 days. This delay could be potentially dangerous since hackers could exploit the window between updates. The biggest indication, however, is that Wordfence gives it a rating of only 35% compared to the premium version. This is not an impressive figure.
WP Cerber’s firewall is called the Traffic Inspector. While it does a reasonable job of keeping out some attacks, its bot protection mechanism is a serious cause of concern.
Bot protection is essential for websites, but it is critical to differentiate between good and bad bots. WP Cerber blocks most bots without discrimination, including search engine bots. There are numerous frustrated WP Cerber users who have witnessed their search engine rankings fall due to this plugin. They are correct; blocking search engine bots is disastrous for organic traffic. There is some spambot prevention, which is a positive feature. However, spambots are not the only type of malicious bots. Thus, this provides only limited protection and can be a problem. So, while WP Cerber does deflect some threats, it doesn’t deflect them all nor does it deflect the right ones.
On the positive side, it does provide the ability to log firewall activity. There are several filtering options so you can gain insights about the type of traffic your site receives.
There is also geoblocking, which they refer to as Security Rules. It is a premium feature, however, so we were unable to test it.
Wordfence identified all the outdated plugins perfectly. WP Cerber failed at identifying any vulnerabilities in themes or plugins.
Wordfence identified all of the outdated plugins as medium threats. Furthermore, it correctly flagged the ones with vulnerabilities as critical threats. Less optimistically, it did flag iThemes and Backupbuddy as dangerous, even though they weren’t.
We already addressed WP Cerber’s lackluster scanner above, so we were unsurprised to note that it is unable to identify vulnerabilities that have to be addressed in plugins and themes. It’s all smoke and mirrors with this plugin.
Brute force login protection
Wordfence is flawless and easy. WP Cerber was utterly pointless.
Brute force protection is enabled by default on Wordfence. It works flawlessly each time, blocking users who make too many incorrect attempts based on the configuration set in the dashboard.
The settings can be found in the firewall section. There are many choices in the menu, including the ability to set lockout periods for failed logins, the length of the lockout, and more. The options are not overwhelming and Wordfence provides clear explanations and documentation for each one.
Additionally, it is possible to configure password management, ensuring that strong passwords are required and preventing the use of passwords discovered in data breaches.
It is possible to add IP addresses to a whitelist in this section, however, there is some uncertainty about its effectiveness. Device IPs can change, so having an allowlist does not guarantee that an authentic user is not blocked.
On the WP Cerber dashboard, there are login security options to limit login attempts. However, these do not work. It is possible to modify the default message to avoid stating that the username entered does not exist. We are sure that the brute force attack bot will appreciate this courtesy in limiting its workload.
Altering the login page url is a futile endeavor. We would not suggest doing it, and especially not with WP Cerber. We would not want to risk losing our login page entirely.
Citadel mode is a whitelist feature which is triggered after 200 failed attempts in 15 minutes. Very generous, we must say.
Neither have a good activity log.
We were surprised to observe that Wordfence lacks an activity log. Especially since it is an important part of website security. There is an option to activate debugging in the Diagnostics section of the Tools menu, which causes the firewall logs to be more detailed, however, this is not the same as an activity log.
After extensive research, we located an activity log in the Scan section that is specifically for Wordfence events. It is unrefined, evidently intended for Wordfence developers only.
We noticed an activity report on the WP Cerber, which we assumed to be an activity log. We enabled it and attempted to generate a report (which was supposed to be sent to us via email). Unfortunately, this failed to generate a report after multiple attempts.
There is a user log though. It is by no means a replacement for an activity log, but it can be practical if you have reason to believe there is suspicious activity from a user account.
Wordfence has great two factor authentication. WP Cerber claims to have it too but we couldn’t set it up.
Wordfence two-factor authentication is functional from the start, with simple settings to customize the experience. It was previously a premium feature, but has since been included in the free plugin.
In the user policies section of the WP Cerber dashboard, there is a 2FA feature. It can be enabled by user role, although oddly enough, it cannot be enabled for admin accounts. Typically, they are the ones that need it the most. We activated the option for editor accounts, but nothing occurred. There does not appear to be any way to set it up. This is very strange.
Server resource usage
They both use server resources and slow down your page load speed.
Wordfence is a resource-intensive plugin. Every action this plugin does on the website uses significant server resources.
Our test websites are very small, and we noticed the disk usage increase by two or even three times when we ran scans. This affected loading time, response time, and the overall user experience on the website.
We did not have any server load when using WP Cerber. However, from what we have read in other customer reviews, it appears to be a major issue.
Both give way too many alerts though WP Cerber lets you modify the type of alerts you can get.
The alerts are overly numerous. Our inboxes were filled up quickly. Too many alerts is as problematic as not having any alerts, as both can result in inaction when necessary.
It is possible to modify the type and quantity of the alerts you receive from WP Cerber. This is beneficial, although we are not impressed with what triggers an alert: someone is locked out, a new version of WP Cerber is available, or an upgrade is available for another plugin. This could become chaotic quickly if you have more than 30 plugins on your site, which is a typical number for a WordPress site.
Installation, configuration and usability
Wordfence is an easy plugin to install and configure. WP Cerber comes across as shady and isn’t transparent in what it does behind the scenes.
Wordfence’s installation, configuration, and general user experience is one of the best we have experienced. Walkthroughs are available in each main section, which explain the most important settings and features in straightforward, non-intimidating language.
The configuration recommendations of this tool are top-notch. It’s highly contextual documentation and can be accessed from the tooltips on the dashboard. Each feature is easily explained, with instant access to instructions on how to implement it on your website.
Although installing WP Cerber was not very difficult, it was quite mysterious.
Firstly, we were taken aback to find that WP Cerber was not visible when we looked for it in the WordPress plugin repository. It had been present earlier as we had tested it for a previous article. So we did some research. It turns out the plugin had been removed from the repository in September 2022 due to a security issue. Let us take a moment to reflect on the fact that a security plugin had a security issue that still hasn’t been fixed, more than 6 months later, at the time of writing this article.
A quick look at WP Scan showed 3 big vulnerabilities in 2022. This explains a lot.
WP Cerber took an interesting stance in its response. From the 9.4 version release notes:
Additionally, it might be unrelated, but they also created a bug bounty program recently. All signs point to security being shady with this plugin.
Despite this, we decided to give the plugin a fair chance, so we downloaded it from their site. There doesn’t seem to be any setup as such here. So, we went through the settings screen by screen. One setting, “Initialization Mode” under Main Settings in the Dashboard menu caught our attention. It states that it toggles “How WP Cerber loads its core and security mechanisms”.
By default, ‘legacy mode’ had been selected, so we changed it to ‘standard mode’ as this seemed like the better option. However, we have no idea what is actually happening in the background.
The notifications section alerted us about which plugins and themes required immediate attention due to their critical or medium threat levels. This is definitely helpful.
Wordfence Central, a dashboard for managing multiple sites on the same account, has a section in the wp-admin of each connected site. Although this may be useful for some, it does not offer the necessary functionality for larger agencies with hundreds of managed sites.
We then examined the Tools section, which includes the Live Traffic logs, which give more information than Google Analytics. These logs classify website traffic into categories such as Human, Bot, Warning, and Blocked, granting a better understanding of the types of visitors to the site.
The Whois lookup option in the Tools section provides the ability to view an attacker’s information without leaving wp-admin.
We also found the Diagnostics section to be particularly interesting and useful. It contains extensive information about the website, from process owners to database tables, which developers can use like a specification sheet for the website.
WP Cerber has a few useful hardening options. We recommend disabling XML-RPC access and directory listing, as well as blocking PHP in the uploads folder since there should be no executable scripts there.
There are user account policies offered by WP Cerber, such as prohibiting admin as a username. Though, they are of limited utility in our opinion.
It also has a comprehensive anti-spam feature, including a reCAPTCHA setup and a variety of spambot blockers.
WP Cerber can be used to create a dashboard for all sites on the same license. While this is a watered-down version of an external dashboard. An external dashboard provides great value if something were to go wrong and wp-admin cannot be accessed. WP Cerber’s version is of significantly less value.
Wordfence is definitely more worth your money than WP Cerber.
The free version of Wordfence is fairly robust and the annual subscription fee of $99 is quite reasonable.
Previously, a one-time malware clean-up fee of $490 was required in addition to the subscription fee. However, with the introduction of Care and Response plans, customers can opt-in to a $99 plan that includes a $490 fee if the site is hacked. The Response plan guarantees a 1-hour response to hacked sites for $950 a year per site; while this is great, it puts the Care plan in a less favorable light.
The free version of WP Cerber is inadequate already. We can’t imagine that the paid version is much better, so paying $99 a year per site is not of good value.
Wordfence is an exceptional free security plugin, with an above-average scanner that surpasses most other available options except for MalCare. The only downsides are the lack of bot protection and an activity log.
Is it fair to say that it is missing everything? The scanner in WP Cerber relies on open source code to detect any changes and marks them as malware. This is even worse than signature-matching as plugins and themes can contain customisations, and entire themes can be custom-developed. This means that even if there is genuine malware, it won’t be flagged separately, making the scanner almost useless. Additionally, all the other necessary security features are either missing or poorly implemented.
How to choose a security plugin that is worth your money?
Our concise and informative guide on essential security plugin features draws from our extensive WordPress security knowledge. We have excluded any non-security related features to ensure that our guide is focused and relevant.
Essential security features:
Scanning for malware: This means to identify any malicious code, files, or scripts that have been added to the website, alerting the user of potential threats.
Cleaning malware: It is the removal of any malicious code that has been detected. This is an essential step in keeping your website secure.
Firewall: This refers to the ability to block malicious traffic or requests from reaching the website, as well as preventing potential threats from entering the website. It will also alert the user of any suspicious activity, such as attempted brute-force attacks.
Good-to-have security features:
Vulnerability detection: Can the plugin identify any potential vulnerabilities in the website which could be exploited by hackers. It is essential to locate and patch these vulnerabilities as soon as possible.
Brute-force login protection: A good security plugin blocks any attempts at brute-force attacks on the website, which are often used by hackers to gain access to the website.
Activity log: This feature tracks any suspicious activity on the website, such as malicious requests or failed login attempts, so that they can be blocked before they cause any damage.
Two-factor authentication: You’ve probably heard this term before. This feature adds an extra layer of security to the website by requiring the user to enter an additional code before they can access the website. This makes it harder for hackers to gain access to the website.
Impact on server resources: Resource usage is an important aspect to consider when selecting a security plugin. Security plugins can often be resource-intensive, resulting in slow loading times and other performance problems.
Better alternative to Wordfence and WP Cerber Security: MalCare
In our opinion, the best alternative to both Wordfence and WP Cerber is MalCare. It is a comprehensive security plugin that has everything you need, and more. It provides the bot protection and activity log that Wordfence is lacking, and is far more dependable.
When selecting a WordPress security plugin for your website, it is important to consider the scanner, cleaner, and firewall features. Although the other features can be implemented with other plugins, these three features form the core of a good security plugin. Unfortunately, neither Wordfence or WPCerber are the best at all of these. MalCare is much more reliable.
At MalCare, our goal is to make website security stress-free and painless, so that you can focus on the more important aspects of your business. Leave the security to us, while you grow your business.
The post WP Cerber Security vs Wordfence: Which Security Plugin is Right for You? appeared first on MalCare.