26 Oct 2022

Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced in to a WordPress plugin that comes directly from WordPress. It turned out that vulnerability had been introduced in to it by an employee of the company closely associated with WordPress, Automattic. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files and then from there they could do whatever else they want, as that would give them the ability to run arbitrary code on the website. That is a type of scenario WordPress security plugins could and should have a capability to protect against.

Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of review of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario.

To see if things have gotten better, we tested to see if 31 WordPress security plugins would provide protection when this vulnerability is exploited. The results of the test were not good. Only four plugins provided protection against the attack. Three of the plugins that provided protection were also the ones that provided protection six years ago. The only additional plugin to provide protection, was one that didn’t exist when the previous test was done. So none of the other plugins tested previously have been improved to provide the protection that the others offered six years ago. And other new plugins didn’t incorporate that type of protection.

Testing Procedure

For each of the tested plugins, we set up an install of WordPress 6.0.3, installed version 1.1.3 of Create Block Theme, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping the exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.

We used the proof of concept we provided before and tried to upload a .php file containing PHP code.

The 31 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

Results

Only four plugins provided protection. Those are Anti-Malware Security and Brute-Force Firewall, NinjaFirewall, Plugin Vulnerabilities Firewall, and Wordfence Security

The full results are below:

All In One WP Security & Firewall

Result: Failed to prevent exploitation.

Anti-Malware Security and Brute-Force Firewall

Result: Prevented exploitation.

AntiHacker

Result: Failed to prevent exploitation.

BBQ Firewall

Result: Failed to prevent exploitation.

BulletProof Security

Result: Failed to prevent exploitation.

Clearfy

Result: Failed to prevent exploitation.

Defender

Result: Failed to prevent exploitation.

Hide My WP

Result: Failed to prevent exploitation.

Hide My WP Ghost Lite

Result: Failed to prevent exploitation.

iThemes Security

Result: Failed to prevent exploitation.

Jetpack

Result: Failed to prevent exploitation.

Jetpack Protect

Result: Failed to prevent exploitation.

MalCare Security

Result: Failed to prevent exploitation.

NinjaFirewall

Result: Prevented exploitation.

Pareto Security

Result: Failed to prevent exploitation.

Patchstack

Result: Failed to prevent exploitation.

Plugin Vulnerabilities Firewall

Result: Prevented exploitation.

RSFirewall!

Result: Failed to prevent exploitation.

SecuPress Free

Result: Failed to prevent exploitation.

Security by CleanTalk

Result: Failed to prevent exploitation.

Security Ninja

Result: Failed to prevent exploitation.

Shield Security

Result: Failed to prevent exploitation.

SiteGround Security

Result: Failed to prevent exploitation.

SiteGuard WP Plugin

Result: Failed to prevent exploitation.

Sucuri Security

Result: Failed to prevent exploitation.

Titan Anti-spam & Security

Result: Failed to prevent exploitation.

Web Application Firewall

Result: Failed to prevent exploitation.

Wordfence Security

Result: Prevented exploitation.

WP Cerber Security, Anti-spam & Malware Scan

Result: Failed to prevent exploitation.

WP Hardening

Result: Failed to prevent exploitation.

WP Hide & Security Enhancer

Result: Failed to prevent exploitation.


Plugin Security Scorecard Grade for All-In-One Security (AIOS)

Checked on November 19, 2024
F

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for BBQ Firewall

Checked on March 20, 2025
D+

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for BulletProof Security

Checked on November 19, 2024
F

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for Clearfy

Checked on August 20, 2024
F

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for Defender

Checked on November 20, 2024
F

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for Jetpack

Checked on November 24, 2024
F

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for MalCare Security

Checked on November 7, 2024
F

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for NinjaFirewall

Checked on April 1, 2025
D

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for Patchstack

Checked on March 5, 2025
D

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for Security Ninja

Checked on April 1, 2025
F

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for Shield Security

Checked on January 19, 2025
F

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for Sucuri Security

Checked on November 12, 2024
C

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for Titan Anti-spam & Security

Checked on August 1, 2024
D+

See issues causing the plugin to get less than A+ grade


Plugin Security Scorecard Grade for Wordfence Security

Checked on March 19, 2025
F

See issues causing the plugin to get less than A+ grade

2 thoughts on “Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

  1. I would love for you to test bitfire RASP against any plugin vulnerability you can create. BitFire RASP can prevent PHP file modification by anyone not a logged-in administrator from the following code:

    file_put_contents($_GET[‘x’], $_GET[‘x’]);

    Would love for you guys to test us out. Also, our bot protection will completely prevent any automated scanner from scanning your website.

    Kind Regards!

    • WordPress, and possibly plugins, on a website need to be able to modify PHP files, so restricting modifying files to only happening for a logged-in Administrator seems like a bad idea.

Leave a Reply

Your email address will not be published. Required fields are marked *