Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress
Earlier this month we spotted a serious vulnerability being introduced into a WordPress plugin that comes directly from WordPress. It turned out that the vulnerability had been introduced into it by an employee of the company closely associated with WordPress, Automattic. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files, which would give them the ability to run arbitrary code on the website, and from there they could do whatever else they want. That is a type of scenario WordPress security plugins could and should have the capability to protect against.
Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of reviews of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have an incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario.
To see if things have gotten better, we tested whether 31 WordPress security plugins would provide protection when this vulnerability is exploited. The results of the test were not good. Only four plugins provided protection against the attack. Three of the plugins that provided protection were also the ones that provided protection six years ago. The only additional plugin to provide protection was one that didn’t exist when the previous test was done. So none of the other plugins tested previously have been improved to provide the protection that the others offered six years ago, and other new plugins didn’t incorporate that type of protection either.
Testing Procedure
For each of the tested plugins, we set up an install of WordPress 6.0.3, installed version 1.1.3 of Create Block Theme, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping the exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.
We used the proof of concept we provided before and tried to upload a .php file containing PHP code.
The 31 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.
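The pass/fail judgement in the procedure above comes down to one question: after the upload attempt, did a new PHP file land on disk? The script below is an added example of that verification step and is not the test tooling used for this post. It snapshots the PHP files under a WordPress install before the attempt and diffs afterwards, flagging files by executable extension and, for files with other extensions, by PHP content, so a PHP payload saved under an unexpected name is still caught. The directory layout, file names and contents in `demo()` are constructed for the example; the script sends no requests and exploits nothing.

```python
"""Harness step for a security-plugin test: snapshot the PHP files under a
WordPress install before an upload attempt, then report what appeared or
changed afterwards. A non-empty result means the plugin did not prevent
exploitation. Added example; not the post's own tooling."""
import hashlib
import os
import tempfile

# Extensions commonly handed to the PHP interpreter by web server configs
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
# Content markers that identify PHP code regardless of the file's extension
PHP_MARKERS = (b"<?php", b"<?=")


def _is_php(path):
    """True if the file has a PHP extension or starts with PHP code."""
    if os.path.splitext(path)[1].lower() in PHP_EXTENSIONS:
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False
    return any(marker in head for marker in PHP_MARKERS)


def snapshot_php_files(root):
    """Map relative POSIX path -> sha256 for every PHP file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not _is_php(full):
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = digest
    return result


def new_or_changed_php(before, after):
    """Sorted relative paths of PHP files added or modified between snapshots."""
    return sorted(p for p, h in after.items() if before.get(p) != h)


def exploitation_prevented(before, after):
    """The plugin passed only if no PHP file appeared or changed."""
    return not new_or_changed_php(before, after)


def demo():
    """Constructed scenario: a fake install where the upload attempt succeeds."""
    with tempfile.TemporaryDirectory() as root:
        plugin_dir = os.path.join(root, "wp-content", "plugins", "example")
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, "example.php"), "wb") as fh:
            fh.write(b"<?php\n// legitimate plugin file (constructed)\n")
        before = snapshot_php_files(root)

        # Simulate a failed defence: two files land under uploads, one with a
        # .php extension and one PHP payload hidden behind a .txt extension.
        uploads = os.path.join(root, "wp-content", "uploads")
        os.makedirs(uploads)
        with open(os.path.join(uploads, "uploaded.php"), "wb") as fh:
            fh.write(b"<?php echo 'constructed marker';\n")
        with open(os.path.join(uploads, "notes.txt"), "wb") as fh:
            fh.write(b"<?php echo 'constructed marker, wrong extension';\n")

        after = snapshot_php_files(root)
        return new_or_changed_php(before, after)


if __name__ == "__main__":
    landed = demo()
    print("Prevented" if not landed else "Failed; new PHP files: %s" % landed)
```

In a real run, take `snapshot_php_files()` over the WordPress root before the proof of concept is sent and again afterwards; the content check matters because a web server may still execute a file whose extension the plugin's filter did not consider.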
Results
Only four plugins provided protection. Those are Anti-Malware Security and Brute-Force Firewall, NinjaFirewall, Plugin Vulnerabilities Firewall, and Wordfence Security.
The full results are below:
All In One WP Security & Firewall
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 5.1.0
Result: Failed to prevent exploitation.
Anti-Malware Security and Brute-Force Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 4.21.84
Result: Prevented exploitation.
AntiHacker
- WordPress.org Plugin Directory page
- Active Installs: 1,000+
- Version Tested: 4.19
Result: Failed to prevent exploitation.
BBQ Firewall
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 20221002
Result: Failed to prevent exploitation.
BulletProof Security
- WordPress.org Plugin Directory page
- Active Installs: 40,000+
- Version Tested: 6.7
Result: Failed to prevent exploitation.
Clearfy
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 2.0.5
Result: Failed to prevent exploitation.
Defender
- WordPress.org Plugin Directory page
- Active Installs: 70,000+
- Version Tested: 3.3.3
Result: Failed to prevent exploitation.
Hide My WP
- Code Canyon page
- Active Installs: N/A
- Version Tested: 6.2.6
Result: Failed to prevent exploitation.
Hide My WP Ghost Lite
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 5.0.17
Result: Failed to prevent exploitation.
iThemes Security
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 8.1.3
Result: Failed to prevent exploitation.
Jetpack
- WordPress.org Plugin Directory page
- Active Installs: 5+ Million
- Version Tested: 11.4
Result: Failed to prevent exploitation.
Jetpack Protect
- WordPress.org Plugin Directory page
- Active Installs: 20,000+
- Version Tested: 1.0.4
Result: Failed to prevent exploitation.
MalCare Security
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 4.82
Result: Failed to prevent exploitation.
NinjaFirewall
- WordPress.org Plugin Directory page
- Active Installs: 80,000+
- Version Tested: 4.5.4
Result: Prevented exploitation.
Pareto Security
- WordPress.org Plugin Directory page
- Active Installs: 500+
- Version Tested: 3.2.0
Result: Failed to prevent exploitation.
Patchstack
- WordPress.org Plugin Directory page
- Active Installs: 8,000+
- Version Tested: 2.1.22
Result: Failed to prevent exploitation.
Plugin Vulnerabilities Firewall
- Page on our website
- Active Installs: N/A
- Version Tested: 1.0.6
Result: Prevented exploitation.
RSFirewall!
- WordPress.org Plugin Directory page
- Active Installs: 2,000+
- Version Tested: 1.1.26
Result: Failed to prevent exploitation.
SecuPress Free
- WordPress.org Plugin Directory page
- Active Installs: 30,000+
- Version Tested: 2.2.3
Result: Failed to prevent exploitation.
Security by CleanTalk
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 2.96
Result: Failed to prevent exploitation.
Security Ninja
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 5.148
Result: Failed to prevent exploitation.
Shield Security
- WordPress.org Plugin Directory page
- Active Installs: 60,000+
- Version Tested: 16.1.9
Result: Failed to prevent exploitation.
SiteGround Security
- WordPress.org Plugin Directory page
- Active Installs: 600,000+
- Version Tested: 1.3.5
Result: Failed to prevent exploitation.
SiteGuard WP Plugin
- WordPress.org Plugin Directory page
- Active Installs: 500,000+
- Version Tested: 1.7.2
Result: Failed to prevent exploitation.
Sucuri Security
- WordPress.org Plugin Directory page
- Active Installs: 800,000+
- Version Tested: 1.8.35
Result: Failed to prevent exploitation.
Titan Anti-spam & Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 7.3.3
Result: Failed to prevent exploitation.
Web Application Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200+
- Version Tested: 2.1.1
Result: Failed to prevent exploitation.
Wordfence Security
- WordPress.org Plugin Directory page
- Active Installs: 4+ Million
- Version Tested: 7.7.1
Result: Prevented exploitation.
WP Cerber Security, Anti-spam & Malware Scan
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 9.2.2
Result: Failed to prevent exploitation.
WP Hardening
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 1.2.6
Result: Failed to prevent exploitation.
WP Hide & Security Enhancer
- WordPress.org Plugin Directory page
- Active Installs: 80,000+
- Version Tested: 1.8.5
Result: Failed to prevent exploitation.
I would love for you to test bitfire RASP against any plugin vulnerability you can create. BitFire RASP can prevent PHP file modification by anyone not a logged-in administrator from the following code:
file_put_contents($_GET['x'], $_GET['x']);
Would love for you guys to test us out. Also, our bot protection will completely prevent any automated scanner from scanning your website.
Kind Regards!
WordPress, and possibly plugins, on a website need to be able to modify PHP files, so restricting modifying files to only happening for a logged-in Administrator seems like a bad idea.