BulletProof Security Firewall Review: It Barely Offers Any Protection
When it comes to WordPress security plugins, it is easy to find claims that the plugins protect websites from being hacked, but almost impossible to find any evidence that actually backs that up. With the BulletProof Security plugin there are lots of positive reviews and very few negative reviews, but the install count for the plugin has dropped considerably over the years, which suggests it isn’t doing such a great job. Even positive reviews suggest it doesn’t provide that much protection. As an example, take this review that suggests it is only detecting the aftereffects of hacks:
“I love it as a webmaster so far this is and has been the best security for finding and quarantining those pesky injected files.”
One of the few negative reviews claimed that the plugin doesn’t contain a firewall or make your website secure:
“It’s not a firewall, it doesn’t make your site secure, it can’t even process most simple settings, doesn’t block a single bot, cannot repair your DB.”
The developer didn’t dispute those claims while responding to the review.
In our own odd interaction with the developer years ago, they stated that security plugins shouldn’t even try to protect against vulnerabilities in other software. That isn’t something they warn those using the plugin about. Certainly the bulletproof name doesn’t suggest that they are not even trying to offer protection that other solutions offer. Not trying to offer that protection would be a big problem, since one of the few things that a security plugin is actually useful for is protecting against zero-day vulnerabilities in other WordPress plugins.
Part of what makes the developer’s claim odd is that their plugin actually contains a firewall that tries to stop some vulnerabilities in other software. Plenty of testing by us shows that it doesn’t do a good job of that.
One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin, Plugin Vulnerabilities Firewall. That software allows us to make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing it, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations.
BulletProof Security does rather poorly in that testing. In the latest run of testing, earlier this month, it came in ninth place and only provided protection against 7.9% of the tests. Our own plugin protects against all of them and the best alternative provides protection against 39%, or nearly five times as much protection as BulletProof Security. Given that result, the result of another method of testing is unsurprising.
In 15 large-scale tests we have done of WordPress security plugins against real world vulnerabilities in other WordPress plugins, it has only provided effective protection in 1 test. That is much less than other options have provided.
In exchange for much less protection, as another positive review suggested, it seems like you “needed a PhD to learn how to do anything with the BPS plugin”. With our own Plugin Vulnerabilities Firewall you can simply activate the plugin to get most of its protection and with a few more steps you can further tighten the security.