6G Firewall Rules in All-In-One Security (AIOS) WordPress Plugin Don’t Provide Effective Protection
In version 5 of the WordPress security plugin All-In-One Security (AIOS) an update was made to its firewall functionality, which implemented “6G firewall rules in the new PHP-based firewall.” Someone posted on the support forum for the plugin requesting to have the previous functionality restored. They made a series of claims, several of which we thought were worth checking on (emphasis theirs):
There is a lot of inaccurate information in that, which we won’t get in to, but what we can easily look into are the claims about effectiveness. Past testing we have done has shown that when used with this plugin, the newer 6G rules provided less protection than 5G rules, despite the developer of the plugin recommending using 6G instead of 5G. Testing also showed that the related newer 7G rules implemented as .htaccess rules provided much less protection than WordPress firewall plugins.
To see how our own WordPress firewall plugin is doing compared to other plugins, we do automated testing to see if they provide protection against the same threats that our firewall blocks. A benefit of that testing approach is that it is easy to test many plugins or to test a plugin with various different settings combinations.
To test things here, we tested the last 4.x version of the plugin, 4.4.12, in its default state other than enabling the 5G or 6G firewall rules. The results were not good, with 5G providing protection in 12.21% of the tests and 6G doing even worse, providing protection in only 4.65% of the tests.
We then tested the latest version, 5.1.9, in its default state other than enabling the PHP firewall and having the 5G or 6G firewall rules enabled. The result was the same with the 5G rules, which still are implemented in a .htaccess file, and somewhat better with 6G, which provided protection in 8.72% of the tests. In our testing, it looked like the PHP firewall doesn’t provide any protection without other firewall options, like the 6G rules enabled.
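The comparison above rests on running one fixed set of test requests against each plugin configuration and counting how many the firewall stops. The harness below is an added example of that methodology, not the testing tool used for the post. It assumes that a firewall rejection shows up as a 403, 406 or 429 status (anything else means the request reached WordPress), and it stands in for a live site with a constructed simulator. The probe paths are placeholders for the tester's own request corpus, and the test-set size of 172 is an assumption chosen because 21/172, 8/172 and 15/172 reproduce the 12.21%, 4.65% and 8.72% figures reported above.

```python
"""Compare how many of a fixed probe set each firewall configuration blocks.
Added example for a site you administer; probes and the simulated site are
constructed placeholders, not the post's test corpus."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
import urllib.error
import urllib.request

# Assumption: a firewall that rejects a request answers with one of these
# statuses; any other status (200, 404, 500 ...) means the request reached
# WordPress, i.e. the firewall did not provide protection against it.
BLOCKED_STATUSES = {403, 406, 429}


@dataclass(frozen=True)
class Probe:
    """One test request. The path is a placeholder; a real corpus lists the
    requests the firewall is expected to stop."""
    name: str
    path: str
    method: str = "GET"


@dataclass
class Result:
    blocked: int
    allowed: int
    errors: int  # no HTTP status at all (timeout, refused connection)

    @property
    def total(self) -> int:
        return self.blocked + self.allowed + self.errors

    @property
    def rate(self) -> float:
        """Percentage of probes blocked, rounded to two decimals as above."""
        return round(100.0 * self.blocked / self.total, 2) if self.total else 0.0


def is_blocked(status: Optional[int]) -> bool:
    return status in BLOCKED_STATUSES


def send_http(base_url: str, probe: Probe, timeout: float = 5.0) -> Optional[int]:
    """Send one probe to a live site you administer; return the status or None."""
    req = urllib.request.Request(base_url.rstrip("/") + probe.path, method=probe.method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:  # 4xx/5xx responses still carry a status
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


def run_probes(probes: List[Probe], send: Callable[[Probe], Optional[int]]) -> Result:
    """Classify every probe's outcome; errors are counted but not as protection."""
    res = Result(0, 0, 0)
    for probe in probes:
        status = send(probe)
        if status is None:
            res.errors += 1
        elif is_blocked(status):
            res.blocked += 1
        else:
            res.allowed += 1
    return res


def compare_configs(probes: List[Probe],
                    senders: Dict[str, Callable[[Probe], Optional[int]]]) -> Dict[str, Result]:
    """Run the same probe set against each named configuration."""
    return {name: run_probes(probes, send) for name, send in senders.items()}


# --- constructed offline stand-in for a live site -------------------------
PROBES = [Probe(f"probe-{i:03d}", f"/?probe={i}") for i in range(172)]  # 172 is assumed


def simulated_site(blocked_count: int) -> Callable[[Probe], Optional[int]]:
    """Pretend firewall that answers 403 to the first `blocked_count` probes."""
    blocked_names = {p.name for p in PROBES[:blocked_count]}
    return lambda p: 403 if p.name in blocked_names else 200


# Simulated configurations sized to reproduce the percentages reported above.
SIMULATED_CONFIGS = {
    "4.4.12 + 5G": simulated_site(21),
    "4.4.12 + 6G": simulated_site(8),
    "5.1.9 + PHP firewall + 6G": simulated_site(15),
}

if __name__ == "__main__":
    for cfg, res in compare_configs(PROBES, SIMULATED_CONFIGS).items():
        print(f"{cfg:28s} blocked {res.blocked}/{res.total} ({res.rate}%), errors {res.errors}")
```

To run the same comparison against a staging copy of a site, replace each simulated sender with `lambda p: send_http("https://staging.example.test", p)` and swap the plugin configuration between runs; keeping the probe list identical across runs is what makes the percentages comparable.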
Based on those results, it seems that the rules the post claimed are working are not working all that well. It also seems that this person isn't familiar with what is effective or not, considering they are suggesting using less effective options in the plugin.
It is also important to mention that .htaccess based protection is going to necessarily provide rather limited protection, since it is composed of rules for the web server, which isn’t a security solution. It shouldn’t be able to provide any protection that can’t be done through a PHP firewall, and both can be run before WordPress and other software on the website even loads.
In our testing, even configured to provide the maximum protection, All-In-One Security (AIOS) provides significantly less firewall protection than several other WordPress security plugins. So those looking for a plugin firewall, which can provide protection that web application firewalls (WAFs) can’t, shouldn’t rely on this plugin. Considering the limited protection provided by the 6G .htaccess rules, it seems unlikely that those rules would provide much benefit in addition to a better solution.