7 Oct 2022

All In One WP Security & Firewall Only WordPress Firewall Plugin to Increase Protection in Our Testing This Month

One of the ways we measure how much protection WordPress security plugins provide against the real threat of vulnerabilities in other WordPress plugins is to run the software we designed to make sure our own firewall plugin’s protection isn’t broken when we make changes, and to run it against those other plugins. Since May we have been doing a monthly run of that and logging the results, so that we can monitor changes in the results of the other plugins.

Until this month, there have been only two changes. One was that the amount of protection changed for plugins when we added tests for more exploit attempt variants, with most plugins not providing protection against the new tests. The other was that we detected that Shield Security’s protection became entirely broken. That first occurred in the June test and hasn’t been fixed yet. [Read more]

13 Sep 2022

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer is aware of it. One of the implications of that is that keeping a website’s plugins up to date won’t always protect websites from being hacked through vulnerabilities in them. So this is the type of situation where a security plugin, like iThemes Security, could provide protection beyond keeping plugins up to date. If any security plugin should be able to do that, it should be iThemes Security, if you believe their marketing, as they claim it is the best:

The Best WordPress Security Plugin to Secure & Protect WordPress [Read more]

7 Jul 2022

The All In One WP Security & Firewall Plugin Provides Little Firewall Protection With Recommended Settings

When we test WordPress security plugins to see what protection, if any, they provide against vulnerabilities in other plugins, we try to enable any options that will cause them to provide all the protection they could possibly offer. A downside of that approach is that it doesn’t necessarily give a good indication of how much protection they provide in the real world, as the average website might not have enabled the options that provide that protection. Testing we just did with one of the most popular WordPress security plugins, All In One WP Security & Firewall, which has 1+ million installs, highlights that. What we found was that most of the protection it can provide is not only not enabled by default, but the developer recommends not using the option that provides that protection.

To see how our own WordPress firewall plugin is doing compared to other plugins, we do automated testing to see if they provide protection against the same threats that our firewall blocks. A benefit of that testing approach is that it is easy to test many plugins or to test a plugin with various different settings combinations. [Read more]

7 Jun 2022

Only Two WordPress Security Plugins Prevented Exploitation of Vulnerability in Security Plugin WP Cerber

Security plugins for WordPress are supposed to help protect websites from being hacked, but not only do most of them not do a good job of that, they often introduce security vulnerabilities of their own. Like most vulnerabilities in WordPress plugins, the security vulnerabilities in security plugins often are not too serious. That wasn’t the case with a vulnerability disclosed in February involving the security plugin WP Cerber, which has 200,000+ active installations according to WordPress.

The vulnerability, credited to Krzysztof Zając, allowed an attacker to cause malicious JavaScript to be loaded on one of the plugin’s admin pages. That is a type of vulnerability that hackers have been known to exploit. Troublingly, but in line with the plugin itself having such a serious vulnerability, the developer didn’t disclose in the changelog or their website that there had been a vulnerability or that it had been fixed. [Read more]

26 Apr 2022

Automattic Appears to Have Falsely Claimed That Competing WordPress Security Plugin Contained Reflected XSS Vulnerability

The company closely associated with WordPress, Automattic, has the most popular WordPress security plugin by installs, Jetpack. It has 5+ million installs according to wordpress.org. Recently another part of Automattic, WPScan, claimed that a competing plugin, All In One WP Security, which has 1+ million installs, had contained a reflected cross-site scripting (XSS) vulnerability (emphasis ours):

The plugin does not validate, sanitise and escape the redirect_to parameter before using it to redirect the user, either via a Location header, or meta url attribute, when the Rename Login Page is active, which could lead to an Arbitrary Redirect as well as Cross-Site Scripting issue. Exploitation of this issue requires the Login Page URL value to be known, which should be hard to guess, reducing the risk. [Read more]

20 Apr 2022

Developers of 1+ Million Install WordPress Security Plugin All In One WP Security & Firewall Not Disclosing Change in Ownership

The latest version of the WordPress security plugin All In One WP Security & Firewall fixed a minor security vulnerability. While there is an extensive changelog for that version, there doesn’t appear to be any mention of that. Take a look for yourself:

  • FEATURE: Reset all settings by clicking on the “Reset Settings” button on the Settings Page.
  • FEATURE: Verify the Google reCaptcha Site key before rendering and disable it if the Google reCaptcha site key is invalid.
  • FIX: PHP Fatal error: Cannot redeclare wp_install_maybe_enable_pretty_permalinks() in specific server.
  • FIX: throwing database error for creating debug log table in specific MySQL server.
  • FIX: Compatibility issue with WPML plugin for login and logout functionality.
  • FIX: Update email sent in English instead of setting language.
  • FIX: The Simple Math Captcha can’t be validated when a third-party plugin clears transients more frequently.
  • FIX: The login lockdown unlock request was not working in a few specific server environments.
  • FIX: The warning headers already sent was displayed in a few specific server environments.
  • FIX: Handle invalid tabs appropriately in setting pages.
  • TWEAK: Add review notice.
  • TWEAK: Improve functionality of fake google bot prevents to access the site.
  • TWEAK: Remove IP address retrieval setting and detect IP address automatically.
  • TWEAK: Verify Google reCaptcha site key before rendering the reCaptcha.
  • TWEAK: Remove force logout checking from REST API Call.
  • TWEAK: Made Admin Dashboard > WP Security > Settings tabs extensible.
  • TWEAK: Add G2 review message in the admin footer.
  • TWEAK: Format failed login date time according to WordPress general settings.
  • TWEAK: Remove unused codes from AIOWPSecurity_Config.
  • TWEAK: Add more specific instructions to change the Display name compared to the username in Admin Dashboard > WP Security > User Accounts > “Display Name” tab > “Modify Accounts With Identical Login Name & Display Name” section.
  • TWEAK: Remove Admin Dashboard > WP Security > Site Info tab (now redundant because of WP’s “Site Health” tool)
  • TWEAK: The “Allow Login Lockout Request” checkbox is ticked by default.
  • FIX: Fix login lockout issue with different timezone.

Because at least one of the customers of our main service used that plugin, we took a close look at it, as the discoverers provided almost no information to confirm that there was a vulnerability and that it had been fixed. What we found is that the developer had fixed the vulnerability, but hadn’t properly secured the code, increasing the chances that there could be another instance of this problem in the future. That should have been addressed, particularly considering this is a security plugin. [Read more]

23 Nov 2021

No WordPress Security Plugin Stopped Exploitation of Vulnerability That Disables Them

Last week, GoDaddy’s web security subsidiary Sucuri released a strange post about some WordPress websites being hacked. The post discussed a situation involving what they confusingly described as both a “bogus” and a “legitimate” WordPress plugin. The plugin, Directorist, had multiple security vulnerabilities fixed the day before that post was released, which might explain the hacking mentioned in the post. Sucuri, though, attributed it to compromised login credentials, despite their post indicating they hadn’t done the basic checking that should have been done before making that attribution.

While reviewing the changes being made to the plugin, we noticed that among the vulnerabilities fixed in that new version, 7.0.6.1, were ones that would have allowed an attacker logged in to WordPress to deactivate or delete arbitrary plugins. [Read more]

5 Oct 2021

WordPress Security Plugins Failed to Protect Against Arbitrary File Upload Vulnerability Using Raw POST Data

On September 23, exploit code for an arbitrary file upload vulnerability in the WordPress plugin 3DPrint Lite was disclosed. With that type of vulnerability, the question isn’t whether it will be exploited, but how long until it happens. By the next day, we were already seeing what looked to be hackers probing for usage of the plugin.

In looking over the vulnerable code, we noticed that there were two ways the data for the file being uploaded could be sent with an exploit attempt. One of those ways was as a file sent with the exploit attempt, and the other was by sending raw POST data, which can be read in PHP from php://input: [Read more]

27 Sep 2021

WordPress Security Plugins Failed to Protect Against Vulnerability When Using Gutenberg Editor

In WordPress 5.0, which was released in December 2018, a new editor was introduced, known as the block editor or Gutenberg. In our latest test of WordPress security plugins to see if they can protect against vulnerabilities, we found that no plugin provided protection against a vulnerability when it was exploited through that editor. Further testing confirmed that two of the plugins that would likely provide protection against that type of vulnerability did so when using the Classic editor. The other plugins that would likely provide protection didn’t provide it even with the Classic editor, but further testing confirmed that it also fails to provide the same protection with the Gutenberg editor that it would provide when using the Classic editor.

The type of vulnerability used in the test has been found in WordPress plugins quite often recently. It is an authenticated persistent cross-site scripting (XSS) vulnerability caused by a lack of proper security handling of shortcode attributes. That would allow an attacker to cause arbitrary JavaScript code to run on frontend pages of the website. These are not a serious issue, since the attacker would need to be able to generate content that includes a shortcode, which would normally require access to a WordPress account that can create a post. Making those more of a concern, though, is that we have recently been finding that developers are failing in their attempts to fix those, as we found, for example, with a plugin with 200,000+ installs. [Read more]

17 Aug 2021

NinjaFirewall Only WordPress Security Plugin to Provide Any Protection Against Exploitation of Unfixed Privilege Escalation Vulnerability

On July 22 a new version of the WordPress plugin uListing was released with a very concerning changelog entry:

  • fixed: Unauthenticated Privilege Escalation for Registration

In looking into that, we found that what it referred to involved restoring a security check that had been removed in an earlier version. That a security check existed and was then removed is a bad sign for the security of the plugin, but it gets worse. While looking into that, we found that the change only addressed part of the privilege escalation issue in the plugin, and the new version of the plugin didn’t otherwise address the other part. We contacted the developer the same day, asking how we could report that to them. They only got back to us on Friday, though hopefully that can be resolved soon. [Read more]