Latest WordPress Plugin to Include Firewall Provides Almost No Protection Against Zero-Days
One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection our plugin offers against zero-days (vulnerabilities being exploited before the developer or others know about them) isn’t broken as we make changes to the plugin. Once we started developing that, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started running it monthly against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.
This month we added a new plugin to our test set. The name of the plugin is Advanced Google reCAPTCHA, which doesn’t sound like a plugin relevant to such testing. But as is often the case with WordPress plugins, developers add features that seem unrelated to the main purpose of the plugin. In this case, firewall functionality was added to the plugin, despite the developer already providing another plugin, Security Ninja, which is supposed to have a firewall (but doesn’t have one).
The plugin might as well not have a firewall, as it provides almost no protection. It only provided protection against 0.6% of the tests. That result shouldn’t come as much of a surprise, considering it only claims to offer protection against directory traversal attacks. Even with that type of attack, it only managed to protect against one of the six relevant tests.
WordPress Firewall Plugins Provide Limited Directory Traversal Protection
Directory traversal protection is also lacking among other firewall plugins tested. Our own plugin protects against all six tests, but the second best plugin in the testing overall, NinjaFirewall, provides no protection. The third best plugin, Wordfence Security, only provides protection against four of the tests. The only other plugin to provide protection against more than one is Anti-Malware Security and Brute-Force Firewall, which protects against two.
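To illustrate why a firewall can claim directory traversal protection yet block only some traversal tests, here is an added example that is not part of the original post and not code from any of the plugins named above. It contrasts a naive rule that looks for the literal string "../" with a check that first normalizes the request value (percent-decoding, including double encoding, and folding backslashes), then scores both against a small constructed set of requests in the same coverage-percentage style the post uses. The request set is constructed for this example and is not the post's test suite. A WordPress plugin would implement the same logic in PHP; Python is used here only to keep the example short and runnable.

```python
import re
from urllib.parse import unquote

# Constructed sample requests (NOT the post's test set): (parameter value, is_attack).
# Each attack is a different encoding of the same traversal attempt, which is the
# kind of variation that separates "blocks one of six tests" from "blocks all six".
SAMPLE_REQUESTS = [
    ("../../wp-config.php", True),                    # plain
    ("..%2F..%2Fwp-config.php", True),                # URL-encoded slashes
    ("%2e%2e/%2e%2e/wp-config.php", True),            # URL-encoded dots
    ("%252e%252e%252fwp-config.php", True),           # double URL-encoded
    ("..\\..\\wp-config.php", True),                  # backslash separators
    ("wp-content/../wp-config.php", True),            # traversal mid-path
    ("wp-content/uploads/2025/report.pdf", False),    # ordinary file reference
    ("v1.../latest", False),                          # benign, but contains "../"
]


def naive_blocks(value: str) -> bool:
    """A literal-substring rule: catches only the unencoded form of the attack."""
    return "../" in value


def normalize(value: str) -> str:
    """Decode percent-encoding until stable (bounded to 3 passes to avoid
    unbounded work on pathological input), then treat backslash as a separator."""
    decoded = value
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


# Match ".." only as a whole path component, so "v1.../latest" is not flagged.
_TRAVERSAL_COMPONENT = re.compile(r"(?:^|/)\.\.(?:/|$)")


def hardened_blocks(value: str) -> bool:
    """Normalize first, then look for a ".." path component."""
    return bool(_TRAVERSAL_COMPONENT.search(normalize(value)))


def coverage(check, cases) -> float:
    """Percentage of attack cases the check blocks, rounded like the post's figures."""
    attacks = [value for value, is_attack in cases if is_attack]
    blocked = sum(1 for value in attacks if check(value))
    return round(100.0 * blocked / len(attacks), 1)


def false_positives(check, cases) -> int:
    """Number of benign cases the check wrongly blocks."""
    return sum(1 for value, is_attack in cases if not is_attack and check(value))


if __name__ == "__main__":
    for name, check in (("naive", naive_blocks), ("hardened", hardened_blocks)):
        print(f"{name:9s} blocked {coverage(check, SAMPLE_REQUESTS):5.1f}% of attacks, "
              f"{false_positives(check, SAMPLE_REQUESTS)} false positive(s)")
```

Against this sample the naive rule blocks 33.3% of the attacks and flags the benign "v1.../latest", while the normalizing check blocks 100.0% with no false positives. The point for evaluating a firewall plugin is that a single traversal test tells you little; what matters is whether the plugin decodes and canonicalizes the request before matching, which is exactly what a multi-variant test set exposes.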
Overall Results
The overall results for firewall plugins continue to be lackluster, with the best free option only protecting against 39% of the tests, and protection dropping off quite a bit among the plugins that provide less protection than that. As has been the case since we started this testing, the install count of the tested plugins doesn’t correlate with the amount of protection offered, which continues to suggest that most users of these plugins are not aware of how much or how little protection they are really getting.
Here are the top 10 plugins in the latest testing round and the percentage of the exploit tests they blocked:
1. Plugin Vulnerabilities Firewall – 100.0%
2. NinjaFirewall – 39.0%
3. Wordfence Security – 23.2%
4. Pareto Security – 19.8%
5. All-In-One Security (AIOS) – 13.6%
6. Web Application Firewall – 9.6%
7. Hide My WP – 6.2%
8. Hide My WP Ghost – 8.5%
9. Bulletproof Security – 7.9%
10. Anti-Malware Security and Brute-Force Firewall – 4.0%
Plugin Security Scorecard Grade for Security Ninja
Checked on April 1, 2025.