WordPress Plugin Directory is Allowing Completely Unsupported Extraordinary Claims of Security Plugin Efficacy
For those looking to improve the security of WordPress websites, security plugins are often thought of as an important part of the solution. Just look at the install count of security plugins. What our testing over the years has found is that very popular plugins often fail to provide much protection, if any. That is corroborated by the many complaints by those using those plugins that they failed to provide the promoted protection and websites got hacked. At the same time, there are much less popular plugins that are offering significantly more protection. What seems to be an obvious part of the explanation for this mismatch is that in the WordPress plugin directory, WordPress is allowing developers to make extraordinary claims of efficacy without even putting forward any supporting evidence for the claims. In other fields, this type of thing wouldn’t be allowed, because of the negative impact it has.
Take a plugin named Bad Bot Blocker. Here is the first paragraph of the description on the plugin directory (with our own emphasis):
Protect your WordPress blog with our amazing bot&SPAM blocker. Don’t let hackers get your website down, prevent spam and content scraping, block all hacking attempts and boost your blog performance.
A claim to block all hacking attempts seems next to impossible to be true, unless all attempts to access the website are stopped. Nothing is cited to support the claim.
Almost no one uses that plugin, so you could argue a claim like that would go unnoticed. So let’s look at a much more popular plugin, though one notably less popular than it used to be: Solid Security, which was previously known as iThemes Security. That previously was used on between a million and two million websites. Now the install count is between 900,000 and a million. The decrease in usage is odd if the first sentence in the description is true (emphasis not ours):
Reduce your WordPress website’s risk to nearly zero with Solid Security
That is only a slightly less extraordinary efficacy claim than with the other plugin and again there is nothing cited to back it up.
The claims by the developers of that plugin are rather obviously not reliable, as when they claimed it shouldn’t be easier to secure the plugin than the Chrome web browser, or when they responded to the plugin failing to provide protection by saying it was focused on prevention (which clearly hadn’t worked). There are also the related issues of the plugin not containing a firewall and being focused on a threat that doesn’t exist.
It is a similar story with another plugin, which changed its name and still has a million or more installs. The developers of Security Optimizer, which was previously named Siteground Security, make this claim at the beginning of its description (emphasis theirs):
Bulletproof your website security in a few clicks against a range of security breaches, including brute-force attacks, malware threats and bots, with our free WordPress security plugin – Security Optimizer.
Like the previous claim, it is completely unsourced and unsupported. If there were truly a way to bulletproof a website in a few clicks, why would any websites get hacked?
The reality of the plugin is very different. For example, it claims to offer what they call Advanced XSS Protection, but we found that feature doesn’t really offer any protection.
Making the situation with that plugin much more problematic, the developer pays one of the two team reps for the team running the Plugin Directory.
Finally, let’s look at the most popular security plugin, Wordfence Security. Curiously, they start by emphasizing that their plugin is the most popular security plugin and then move on to this (emphasis ours):
WordPress security requires a team of dedicated analysts researching the latest malware variants and WordPress exploits, turning them into firewall rules and malware signatures, and releasing those to customers in real-time. Wordfence is widely acknowledged as the number one WordPress security research team in the World.
Being the most popular doesn’t mean you are the best, so those two points of emphasis seem at odds. But focusing on the emphasized text, there aren’t any cited sources supporting that. If they were really delivering on that, surely they would emphasize proof of it, but Wordfence doesn’t provide a listing of their new rules. That isn’t surprising considering how poor a job they are doing, as we found when looking over the rules they added last year, and when we found they added “real-time firewall protection” over two months after a vulnerability was disclosed.
Things get worse, as later on they answer the question on how the plugin protects sites from attackers with this claim (emphasis ours):
Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.
Again, the claim there goes completely unsourced. It doesn’t match up with the actual situation, something they indirectly acknowledge by selling services that include multiple hack cleanups for a website a year, which wouldn’t be needed if the plugin provided the claimed protection.
Our Plugin Security Scorecard is Warning About This
WordPress really should address this, but hasn’t despite having many years to do so, so we don’t expect action to be taken any time soon. Stepping into that breach, our new Plugin Security Scorecard is already starting to include a warning for security plugins that are making unsupported strong efficacy claims, like those egregious examples, as well as lesser examples. That follows on from already warning about security plugins that are making false claims about brute force attacks happening against WordPress websites and about security plugins not properly warning of usage of unreliable data on vulnerabilities in WordPress plugins.
We strongly recommend only using security plugins that avoid all three of those issues, as the developers making those claims either don’t have a good grasp of security or do, but are actively misleading the public. In either case, those are developers you can’t trust, and trust is a necessary element of security solutions that will work well.
Plugin Security Scorecard Grade for Security Optimizer
Checked on April 3, 2025
Plugin Security Scorecard Grade for Solid Security
Checked on January 29, 2025