WordPress Firewall Plugins Are Barely Improving the Zero-Day Protection They Offer
One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software lets us confirm that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing it, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of it against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.
With over a year’s worth of results, it seemed like a good time to review how things are going. We will focus on the top four plugins, as those were the only plugins that scored better in the first test. The results for those in May of last year were not great:
- NinjaFirewall: 35.95%
- Wordfence Security: 20.26%
- Pareto Security: 15.69%
- All-In-One Security (AIOS): 15.03%
The best any of them did was to protect against slightly over a third of the tests, and from there the results drop to only a fifth for the next plugin. The install counts also say a lot, as the most protection is offered by a plugin that now has only 90,000+ installs, versus 4+ million and 1+ million for two of the others. Pareto Security has only 400+ installs, but provides better protection than most firewall plugins out there.
All of those plugins pre-date our firewall plugin significantly, so the limited amount of protection they provide seems like a good indication that providing protection is not a major focus for the developers of WordPress firewall plugins.
As the software is part of our regression testing software, we continue to add more tests, both for new types of vulnerabilities and for different ways vulnerabilities might be exploited. That means the results over time are not a direct comparison. A plugin could do better or worse even if no changes are made to it, depending on whether it happens to protect against the newly added tests.
Here are the results from the test at the beginning of this month, along with the percentage point change from May of last year:
- NinjaFirewall: 37.28% (1.33)
- Wordfence Security: 21.89% (1.63)
- Pareto Security: 20.71% (5.02)
- All-In-One Security (AIOS): 15.98% (0.95)
The only plugin that had a significant change in over a year was Pareto Security, and again, that is a plugin with only 400+ installs. It isn’t as if WordPress websites have been safe and secure over the last year, so there should have been a continued focus on improving their security. And yet, the developers of the best firewall plugins other than ours don’t appear to be focused on doing that.
Those results suggest that more attention on the protection, or lack of protection, that WordPress security plugins provide could be a huge benefit, as more attention could lead either to the security plugins used on millions of websites improving their protection, or to websites moving over to plugins that provide more, and improving, protection, like our own plugin.