Login
30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website.

As part of reviewing that vulnerability, we tested to make sure the protection for that type of vulnerability in our Plugin Vulnerabilities Firewall plugin worked correctly. It did. So what about competing plugins? Yesterday, we tested 31 of those to see if they also protected against this. Only one, NinjaFirewall, provided protection. That is a rather poor result considering that NinjaFirewall is much less popular than plenty of the other plugins tested. Like our plugin, NinjaFirewall provided protection that didn’t rely on a rule written for the vulnerability, so a future zero-day would also be protected against by the plugin.

Making that result even worse, it isn’t like WordPress security plugins developers shouldn’t be aware that protection against that type of vulnerability is possible, as we did a previous test against this type of vulnerability in another plugin in August 2021.

Testing Procedure

For each of the tested plugins, we set up an install of WordPress 6.2.2, installed version 2.6.3 of Ultimate Member, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.

We try exploitation with the WordPress data prefix set to the default wp_, which would allow poorly developed security to still provide protection.

The 32 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

The full results are below:

All-In-One Security (AIOS)

Result: Failed to prevent exploitation.

Anti-Malware Security and Brute-Force Firewall

Result: Failed to prevent exploitation.

AntiHacker

Result: Failed to prevent exploitation.

BBQ Firewall

Result: Failed to prevent exploitation.

Bitfire

Result: Failed to prevent exploitation.

BulletProof Security

Result: Failed to prevent exploitation.

Clearfy

Result: Failed to prevent exploitation.

Defender

Result: Failed to prevent exploitation.

Hide My WP

Result: Failed to prevent exploitation.

Hide My WP Ghost Lite

Result: Failed to prevent exploitation.

iThemes Security

Result: Failed to prevent exploitation.

Jetpack

Result: Failed to prevent exploitation.

Jetpack Protect

Result: Failed to prevent exploitation.

MalCare Security

Result: Failed to prevent exploitation.

NinjaFirewall

Result: Prevented exploitation.

Pareto Security

Result: Failed to prevent exploitation.

Patchstack

Result: Failed to prevent exploitation.

Plugin Vulnerabilities Firewall

Result: Prevented exploitation.

RSFirewall!

Result: Failed to prevent exploitation.

SecuPress Free

Result: Failed to prevent exploitation.

Security by CleanTalk

Result: Failed to prevent exploitation.

Security Ninja

Result: Failed to prevent exploitation.

Shield Security

Result: Failed to prevent exploitation.

SiteGround Security

Result: Failed to prevent exploitation.

SiteGuard WP Plugin

Result: Failed to prevent exploitation.

Sucuri Security

Result: Failed to prevent exploitation.

Titan Anti-spam & Security

Result: Failed to prevent exploitation.

Web Application Firewall

Result: Failed to prevent exploitation.

Wordfence Security

Result: Failed to prevent exploitation.

WP Cerber Security, Anti-spam & Malware Scan

Result: Failed to prevent exploitation.

WP Hardening

Result: Failed to prevent exploitation.

WP Hide & Security Enhancer

Result: Failed to prevent exploitation.

No related posts.

Plugin Security Scorecard Grade for All-In-One Security (AIOS)

Checked on November 19, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for BBQ Firewall

Checked on March 20, 2025
D+

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for BulletProof Security

Checked on November 19, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Clearfy

Checked on August 20, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Defender

Checked on November 20, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Jetpack

Checked on November 24, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for MalCare Security

Checked on November 7, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for NinjaFirewall

Checked on April 1, 2025
D

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Patchstack

Checked on March 5, 2025
D

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Security Ninja

Checked on April 1, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Shield Security

Checked on January 19, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Sucuri Security

Checked on November 12, 2024
C

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Titan Anti-spam & Security

Checked on August 1, 2024
D+

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Ultimate Member

Checked on November 23, 2024
C+

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Wordfence Security

Checked on March 19, 2025
F

See issues causing the plugin to get less than A+ grade

Leave a Reply

Your email address will not be published. Required fields are marked *