Comment by SunshineTheCat
18 hours ago
I've long since stopped building WordPress sites for clients, but you would be blown away by the number of people who have installed the free version of Securi or Wordfence, zero configuration, and then assume their site is completely safe from attacks.
You absolutely can't rely on the free version of WordFence. It should also be the last line of defense to handle anything that can't get caught by the server WAF.
I recently cleaned a WordPress site (that I now get to manage) of some malware that had multiple redundant persistence layers and the attacker had whitelisted the folders in the WordFence scan. Was actually kind of handy as a checklist to see if I'd missed anything.
What WordFence did manage to do was email an alert that there had been an unauthorised admin login as their admin password had been compromised.