TLDR: I tried the free version, I like it.
Amongst other things I do in my day job, I administer a WordPress site. We had a security audit and one of the findings was that our site was misconfigured to show a different failure message for a login when the username exists to when it doesn't. This allows for user enumeration which makes brute-forcing easier because you don't waste time trying to brute force accounts which don't exist.
My first thought was that the auditors had made a mistake, we were running very vanilla WordPress on the latest version and I thought surely that's something the WordPress team would have patched if it was an issue with the default install.
It turns out I was wrong, I couldn't find any definitive statement from the WordPress team but it seems they don't think user enumeration is an issue1. Along with different log in prompts, there are several other places in WordPress that leak usernames such as appending
?author=1 to the URL of the site.
So I went looking for a way looking for a way to patch that and found Wordfence.
After installing it I checked the password failure message and that was fixed. Then I started looking through some of the other features and was impressed with the brute force protection, they have sensible defaults and fairly good metrics.
I also saw they had a scanner which checks the integrity of the WordPress core files which is a good idea.
The plugin can also provide two-factor authentication which is a great idea but that's a paid feature.
Over all, I'd say it's a good plugin and I will be installing it on any WordPress sites I'm responsible for in the future.
To be clear, this is not an unreasonable view to hold. It's more of an information disclosure than a real security threat. It really depends on what type of site you are running as to how serious this is. ↩