This plugin adds loads of dodgy-looking code to your WordPress install; I just saw it and thought I had been hacked. It does turn out that this is WordPress code and there is nothing malicious about it, but nonetheless it is not a great look for your HTML. Is there not another way?
If you have installed this plugin then I suggest you look at your source code and make your own opinions. To me this could potentially harm your site's SEO but I may be wrong.
The other issue I found is that it adds a blank index.php file to wp-includes which Wordfence then flags as a high severity problem. The file remains if you deactivate the plugin but it can be removed by changing a setting in the plugin, obviously though this also removes the protection. Anyway I understand there is a solution coming for this.
My last issue with it is that on some sites I noticed I was unable to do a Wordfence manual scan with the plugin activated. This makes me wonder if it also causes problems with the automatic Wordfence scan.
This plugin is a great idea and does offer your site protection but at the cost of what I have written above.
It would be a great feature if you could install the plugin, apply the changes and then remove it. The reason I say this is that one of the features disables the WordPress file editor to admins, which means a hacker cannot inject code into your plugins/themes, which is great! But if the hacker has gained access to your install then they can simply toggle this setting off and access the files. If the plugin put define('DISALLOW_FILE_EDIT', true); in the wp-config.php file then the changes would stay, just a thought.
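One way to verify that the wp-config.php setting suggested in the review is really in effect, as an added example (not part of the review or the plugin's code): the Python check below reads the text of a wp-config.php and reports whether DISALLOW_FILE_EDIT is defined as true. The function names, status strings and sample fragments are constructed for illustration.

```python
import re

# define('NAME', value); written with straight single or double quotes.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(\w+)\1\s*,\s*([^)]+?)\s*\)\s*;""", re.I)
# The same call pasted with typographic quotes, which PHP does not treat
# as string delimiters, so the constant is never defined as intended.
CURLY_RE = re.compile(
    r"define\s*\(\s*[\u2018\u2019\u201c\u201d]DISALLOW_FILE_EDIT", re.I)


def strip_php_comments(src):
    """Drop /* */, // and # comments so a commented-out define is not counted.
    Simplification: a '#' or '//' after whitespace inside a string is also cut."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(^|\s)(//|#).*$", "", src)


def audit_file_edit_lock(src):
    """Return 'enforced', 'not_true', 'curly_quotes' or 'missing'."""
    code = strip_php_comments(src)
    if CURLY_RE.search(code):
        return "curly_quotes"
    for _quote, name, value in DEFINE_RE.findall(code):
        if name == "DISALLOW_FILE_EDIT":
            # PHP keeps the first definition of a constant; a later
            # define() of the same name is ignored with a warning.
            return "enforced" if value.lower() in ("true", "1") else "not_true"
    return "missing"


# Constructed wp-config.php fragments (not taken from any real site).
SAMPLES = {
    "hardened": "<?php\ndefine( 'DB_NAME', 'wp' );\n"
                "define( 'DISALLOW_FILE_EDIT', true );\n",
    "commented": "<?php\n// define('DISALLOW_FILE_EDIT', true);\n",
    "overridden": "<?php\ndefine('DISALLOW_FILE_EDIT', false);\n"
                  "define('DISALLOW_FILE_EDIT', true);\n",
    "pasted": "<?php\ndefine(\u2018DISALLOW_FILE_EDIT\u2019, true);\n",
}

if __name__ == "__main__":
    for label, src in SAMPLES.items():
        print(f"{label:10} -> {audit_file_edit_lock(src)}")
```

To audit a live site, pass the contents of its wp-config.php to audit_file_edit_lock() and treat any result other than "enforced" as a finding.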