Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It
Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things they said in their post that are rather problematic.
One of them was that they were claiming to have responsibly disclosed the vulnerability, while also contradicting that. According to their post, the day before they notified the developer of the plugin about the vulnerability, they were already selling access to information about exploiting the vulnerability through their Wordfence Premium service. That isn’t responsible disclosure and any hacker willing to pay for the service could have started exploiting this before the developer was even notified about it. Wordfence’s paying customers would have been protected from it at the time, but others would not without having some other security in place.
The way they were selling access to this was through a firewall rule they released to their paying customers, which is another problematic element of this. There shouldn’t have needed to be a firewall rule created for this vulnerability, since the general protection in their firewall should already have been able to block the proof of concept they provided. Our own firewall plugin confirms that this is achievable: testing showed it protected against this vulnerability before Wordfence had even discovered it.
One implication of needing a rule written for this specific instance of the vulnerability is that their firewall would fail to protect against the same vulnerability if it were found in another plugin. It didn’t take long to confirm that was the case, as three days later the Yoast SEO plugin, which has 5+ million installs, was updated to address the same issue. Testing confirmed that Wordfence Security failed to protect against exploitation of that.
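The difference between a rule keyed to one plugin's parameter and a generic check of every request parameter is the whole point of the paragraphs above, so here is an added illustration of it. This is example code written for this post, not code from Wordfence, Yoast SEO or any plugin tested here; the parameter names (`title_template`, `separator`) and the request dictionaries are constructed and hypothetical. It also shows the application-side fix that makes a stored XSS inert regardless of any firewall: escaping the setting on output.

```python
import re
import html
from urllib.parse import unquote_plus

# Patterns a generic (not plugin-specific) firewall rule might apply to
# every request parameter value to flag HTML/JavaScript injection attempts.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),                   # <script ...>
    re.compile(r"<\s*[a-z]+[^>]*\son[a-z]+\s*=", re.IGNORECASE),  # <tag ... onxxx=
    re.compile(r"javascript\s*:", re.IGNORECASE),                 # javascript: URIs
]


def normalize(value: str) -> str:
    """URL-decode twice so a double-encoded payload is matched in clear form."""
    return unquote_plus(unquote_plus(value))


def generic_rule_blocks(params: dict) -> bool:
    """Generic rule: inspect every parameter value, whatever its name."""
    return any(p.search(normalize(v)) for v in params.values() for p in XSS_PATTERNS)


def specific_rule_blocks(params: dict, param_name: str) -> bool:
    """Rule written for one plugin: only looks at that plugin's parameter."""
    value = params.get(param_name)
    return value is not None and any(p.search(normalize(value)) for p in XSS_PATTERNS)


def render_setting(value: str) -> str:
    """Application-side fix: escape stored settings on output so markup is inert."""
    return html.escape(value, quote=True)


# Constructed sample requests (hypothetical parameter names): the same kind of
# payload submitted to a settings field of two different plugins, plus a benign one.
REQUEST_PLUGIN_A = {"title_template": "<script>alert(1)</script>"}
REQUEST_PLUGIN_B = {"separator": "<img src=x onerror=alert(1)>"}
REQUEST_BENIGN = {"separator": "&raquo;", "title": "Hello <b>world</b>"}


def compare() -> dict:
    """A rule keyed to plugin A's parameter misses plugin B; the generic rule catches both."""
    return {
        "specific_a": specific_rule_blocks(REQUEST_PLUGIN_A, "title_template"),
        "specific_b": specific_rule_blocks(REQUEST_PLUGIN_B, "title_template"),
        "generic_a": generic_rule_blocks(REQUEST_PLUGIN_A),
        "generic_b": generic_rule_blocks(REQUEST_PLUGIN_B),
        "generic_benign": generic_rule_blocks(REQUEST_BENIGN),
    }


if __name__ == "__main__":
    for name, blocked in compare().items():
        print(f"{name}: {'blocked' if blocked else 'allowed'}")
    print(render_setting(REQUEST_PLUGIN_A["title_template"]))
```

Two caveats worth keeping in mind when reading the results below: a pattern list like this is a detection layer, not a fix, since any signature-based check can be evaded by encodings or constructs it does not anticipate, which is why the escaping in `render_setting` is what actually removes the vulnerability; and a generic rule trades some false positives (legitimate settings that contain markup) for coverage of plugins nobody has written a rule for yet.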
We already knew that our plugin would also protect against that vulnerability in Yoast SEO, but we were curious to see if other plugins could as well. What we found was that out of 30 additional security plugins tested, only 3 of them provided protection. One of those has only 200+ installs, which is astronomically less than Wordfence Security’s 4+ million installs. That is a good reminder that the popularity of security plugins isn’t based on the amount of security they provide.
The four plugins that provided protection are:
- NinjaFirewall
- Hide My WP
- Plugin Vulnerabilities Firewall
- Web Application Firewall
It would be a bad idea to select a security plugin based on one test result. If you want a more complete idea of how much protection plugins provide, you can take a look at the additional comparisons we have done of WordPress security plugins.
Testing Procedure
For each of the tested plugins, we set up an install of WordPress 6.1.1, installed version 20.2 of Yoast SEO, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.
We used the proof of concept Wordfence had provided for the instance of the vulnerability in the other plugin but applied it to the instance of the issue in Yoast SEO.
The 32 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.
Results
The full results are below:
All-In-One Security (AIOS)
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 5.1.5
Result: Failed to prevent exploitation.
Anti-Malware Security and Brute-Force Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 4.21.91
Result: Failed to prevent exploitation.
AntiHacker
- WordPress.org Plugin Directory page
- Active Installs: 1,000+
- Version Tested: 4.27
Result: Failed to prevent exploitation.
BBQ Firewall
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 20221002
Result: Failed to prevent exploitation.
Bitfire
- WordPress.org Plugin Directory page
- Active Installs: 10+
- Version Tested: 3.9.3
Result: Failed to prevent exploitation.
BulletProof Security
- WordPress.org Plugin Directory page
- Active Installs: 40,000+
- Version Tested: 6.8
Result: Failed to prevent exploitation.
Clearfy
- WordPress.org Plugin Directory page
- Active Installs: 90,000+
- Version Tested: 2.1.4
Result: Failed to prevent exploitation.
Defender
- WordPress.org Plugin Directory page
- Active Installs: 80,000+
- Version Tested: 3.9.0
Result: Failed to prevent exploitation.
Hide My WP
- Code Canyon page
- Active Installs: N/A
- Version Tested: 6.2.9
Result: Prevented exploitation.
Hide My WP Ghost Lite
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 5.0.18
Result: Failed to prevent exploitation.
iThemes Security
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 8.1.4
Result: Failed to prevent exploitation.
Jetpack
- WordPress.org Plugin Directory page
- Active Installs: 5+ Million
- Version Tested: 11.8.4
Result: Failed to prevent exploitation.
Jetpack Protect
- WordPress.org Plugin Directory page
- Active Installs: 60,000+
- Version Tested: 1.2.0
Result: Failed to prevent exploitation.
MalCare Security
- WordPress.org Plugin Directory page
- Active Installs: 300,000+
- Version Tested: 4.87
Result: Failed to prevent exploitation.
NinjaFirewall
- WordPress.org Plugin Directory page
- Active Installs: 90,000+
- Version Tested: 4.5.6
Result: Prevented exploitation.
Pareto Security
- WordPress.org Plugin Directory page
- Active Installs: 500+
- Version Tested: 3.2.4
Result: Failed to prevent exploitation.
Patchstack
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 2.1.23
Result: Failed to prevent exploitation.
Plugin Vulnerabilities Firewall
- Page on our website
- Active Installs: N/A
- Version Tested: 1.0.14
Result: Prevented exploitation.
RSFirewall!
- WordPress.org Plugin Directory page
- Active Installs: 2,000+
- Version Tested: 1.1.26
Result: Failed to prevent exploitation.
SecuPress Free
- WordPress.org Plugin Directory page
- Active Installs: 40,000+
- Version Tested: 2.2.3
Result: Failed to prevent exploitation.
Security by CleanTalk
- WordPress.org Plugin Directory page
- Active Installs: 20,000+
- Version Tested: 2.104
Result: Failed to prevent exploitation.
Security Ninja
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 5.154
Result: Failed to prevent exploitation.
Shield Security
- WordPress.org Plugin Directory page
- Active Installs: 50,000+
- Version Tested: 17.0.9
Result: Failed to prevent exploitation.
SiteGround Security
- WordPress.org Plugin Directory page
- Active Installs: 800,000+
- Version Tested: 1.4.1
Result: Failed to prevent exploitation.
SiteGuard WP Plugin
- WordPress.org Plugin Directory page
- Active Installs: 500,000+
- Version Tested: 1.7.3
Result: Failed to prevent exploitation.
Sucuri Security
- WordPress.org Plugin Directory page
- Active Installs: 800,000+
- Version Tested: 1.8.36
Result: Failed to prevent exploitation.
Titan Anti-spam & Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 7.3.4
Result: Failed to prevent exploitation.
Web Application Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200+
- Version Tested: 2.1.1
Result: Prevented exploitation.
Wordfence Security
- WordPress.org Plugin Directory page
- Active Installs: 4+ Million
- Version Tested: 7.9.1
Result: Failed to prevent exploitation.
WP Cerber Security, Anti-spam & Malware Scan
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 9.2.2
Result: Failed to prevent exploitation.
WP Hardening
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 1.2.6
Result: Failed to prevent exploitation.
WP Hide & Security Enhancer
- WordPress.org Plugin Directory page
- Active Installs: 80,000+
- Version Tested: 1.9.9
Result: Failed to prevent exploitation.