5 Dec 2023

Wordfence Premium Added “Real-Time Firewall Protection” for Plugin Vulnerability Over Two Months After It Was Disclosed

In the middle of August, we publicly warned that the WordPress plugin WooODT Lite contained an authenticated option update vulnerability, which would allow logged-in attackers to change arbitrary WordPress options (settings). The possibility of the vulnerability was flagged by the proactive monitoring we run to try to catch serious vulnerabilities as they are introduced into plugins. It wasn’t a new issue, though. It had been in the plugin’s code for 13 months.

Based on earlier testing, two WordPress security plugins could have protected against common exploitation of that type of vulnerability even before we had warned about it. Those were our own Plugin Vulnerabilities Firewall and NinjaFirewall.

Notably missing from the plugins that would have protected against that is the Wordfence Security plugin. The developer hasn’t implemented the same type of protection. That is despite claiming their firewall “stops you from getting hacked.” They do offer a paid Wordfence Premium service that they claim provides “real-time firewall protection”. It doesn’t, as what that involves is them writing rules for specific instances of vulnerabilities. As this situation shows, they could offer general protection, like those two other plugins often provide, but they don’t. That is a frequent issue.

While they claim to offer real-time protection, they only added a rule for this vulnerability in early November. That rule just made it over to the free rules, which are delayed by 30 days. They also failed to warn about the vulnerability through their vulnerability data until November, despite claiming it is “impeccable”.

It isn’t as if they were busy writing rules for other vulnerabilities, as over the last 30 days they have only added rules for vulnerabilities in five plugins, which is far below the number they would need to provide effective coverage or would justify the amount of money they are likely taking in for these rules.
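The general protection credited above to the Plugin Vulnerabilities Firewall and NinjaFirewall is request-level filtering. As an added example (not code from this post or from any plugin it names), here is one way a site owner can enforce the same principle inside WordPress itself, so that an authenticated option update bug in any plugin fails closed; the list of protected options, the `pso_` function names and the mu-plugin placement are assumptions for the illustration.

```php
<?php
/**
 * Plugin Name: Protect Sensitive Options (added example, not from the page)
 * Generic last line of defence against authenticated option update bugs:
 * refuses changes to high-impact options unless the current user can
 * manage options, whichever plugin's code triggered the update. Place in
 * wp-content/mu-plugins/ so it cannot be disabled from the dashboard.
 */

// Options whose change by a low-privilege account typically leads to full
// site takeover (constructed starting list; extend it for your site).
function pso_protected_options() {
    return array(
        'users_can_register', // open registration
        'default_role',       // make new registrations administrators
        'admin_email',        // capture admin password resets
        'siteurl',            // redirect the site / break logins
        'home',
        'active_plugins',     // activate arbitrary plugin code
        'template',           // switch to an attacker-controlled theme
    );
}

// True when the current request may change $option.
function pso_change_allowed( $option ) {
    if ( ! in_array( $option, pso_protected_options(), true ) ) {
        return true; // not a sensitive option
    }
    // WP-CLI and cron run without a logged-in user; leave those paths alone.
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || wp_doing_cron() ) {
        return true;
    }
    return current_user_can( 'manage_options' );
}

// Runs inside update_option() before anything is written; returning the old
// value makes the update a no-op, so the vulnerable code path fails closed.
add_filter( 'pre_update_option', function ( $value, $option, $old_value ) {
    if ( pso_change_allowed( $option ) ) {
        return $value;
    }
    // Log for detection: who tried to change what, from which request.
    error_log( sprintf(
        'blocked option change: option=%s user=%d uri=%s',
        $option,
        get_current_user_id(),
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
    return $old_value;
}, 10, 3 );
```

Blocked attempts show up in the PHP error log with the user ID and request URI, which is the signal to look for when checking whether such a vulnerability is being exploited on a site.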

