26 Jul 2024

WordPress Plugin Security Review: Plugin Vulnerabilities Firewall

As part of our new push to improve the security of WordPress plugins through our Plugin Security Scorecard tool, next month it is going to start lowering the grade for plugins if the developer isn’t linking to the results of a security review of the plugin. To make sure that we practice what we preach, we are doing security reviews of our plugins and linking to those results in the way we are suggesting other developers do. We can’t hire someone else to do them, as we are not aware of anyone else that actually does reviews and has released results that can be checked for accuracy. By comparison, we have been doing that for years.

For our first review, we checked over our Plugin Vulnerabilities Firewall plugin. [Read more]

9 Jan 2024

Five Years In, Wordfence Security Still Doesn’t Provide Protection When Using WordPress Block Editor

In December 2018, WordPress 5.0 was released, which introduced a new default editor, the block editor (also known as Gutenberg). You would think that the developer of the most popular security-only plugin, Wordfence Security, would have quickly made sure that they offered protection when using it, but that turned out not to be the case. In a test we did in September 2021, we found that it didn’t. It was also an issue at the time with the best free option for protection, NinjaFirewall, and was also the case with our then in-development Plugin Vulnerabilities Firewall. A recently fixed vulnerability in a popular plugin, Spectra, led to us revisiting this and finding that things haven’t changed for Wordfence Security, but have for the other two plugins.

On Sunday, a new firewall rule was added to the free data for the Wordfence Security plugin. Here is that rule: [Read more]

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a persistent cross-site scripting (XSS) vulnerability, a type that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

12 Dec 2023

How WordPress Firewall Plugins Could Have Stopped Recently Fixed Vulnerability in Elementor

Last week, we took a look at the first and second attempt to fix an authenticated arbitrary file upload vulnerability in the 5+ million install WordPress plugin Elementor. With a situation like that, one of the questions for security providers is whether their security solutions protected against the issue before it was fixed. With our own Plugin Vulnerabilities Firewall plugin, we found that it did, because exploitation of the vulnerability involved directory traversal. As we found recently, while looking into another vulnerability that could be stopped the same way, only two other security plugins could stop it that way. More could have if their protection was more robust, as eight plugins had detection for that issue, but only three detected it in POST data, which was where the payload for the Elementor vulnerability was located.

Another method to detect this would be to detect PHP code being included in the data to be saved to the file. There are a couple of issues with doing that. First, the data is base64 encoded, so you would have to decode it and then check for something that tells you it is PHP code. Second, the data was part of JSON formatted data, so you need to deal with that as well. [Read more]

12 Dec 2023

Wordfence Security Still More Than Doubles Peak Memory Usage Over WordPress By Itself

In October 2021, we found that the Wordfence Security plugin for WordPress more than doubled the peak memory usage over WordPress by itself. That compared to a minimal memory increase by the two WordPress firewall plugins that provided more protection than it. Those two plugins also had a significantly smaller performance penalty than Wordfence Security. It obviously is a bad tradeoff to get less protection for more memory usage and a higher performance penalty.

In discussing that memory usage, we quoted a Wordfence employee who had claimed that they are “constantly working on making the plugin” “use less resources”. That certainly sounds impressive, but Wordfence has a long track record of impressive claims that turn out to not be true. It also doesn’t make sense. You can’t constantly do that. You should hit a point where you can’t do any more. The changelog for the plugin doesn’t have entries that suggest that is true either. [Read more]

20 Nov 2023

WordPress Firewall Plugins Protect Against Vulnerability Without Rule Needed for Wordfence Security To Do That

Last week, we noted that the marketing for the Wordfence Security plugin was promoting its firewall as being the industry leader, despite that not being supported by them with anything whatsoever and objective testing showing that being far from the case. In doing that, we included a screengrab of them making that claim:

[Read more]

16 Nov 2023

Combining WordPress Security Plugins Doesn’t Provide Better Protection Than One Better Plugin

It isn’t uncommon to see people asking the developers of WordPress security plugins if they can be used alongside another security plugin. That often seems like an odd question, as the two plugins being asked about are all-in-one security plugins that both claim to provide all the protection you need. If someone doesn’t trust the developer of either to deliver what they promise, why would they trust that combining two of them would deliver that? The results of testing we do provide evidence that this isn’t the approach to get the best security or even any security.

Across testing we do of security plugins to see if they could provide protection against vulnerabilities in other plugins, many of the plugins provide no protection. Combining multiple plugins that provide no protection won’t produce a better result. But what if you combine plugins that do provide protection? [Read more]

7 Nov 2023

How a WordPress Firewall Plugin Stops Exploitation of Zero-Day That Automattic’s Jetpack Didn’t

When it comes to protecting WordPress websites from being hacked through vulnerabilities in plugins, the solution is often simply keeping plugins up to date. But that doesn’t work when a hacker finds a vulnerability and starts exploiting it, otherwise known as a zero-day, as there is no update available. That is where an additional security plugin or service can possibly provide protection. But do they? The answer is often that they won’t. Making that more problematic is that often the marketing of the solutions would tell you otherwise.

Recently, we looked at one example of how firewall plugins could easily detect and stop exploit attempts for a widely exploited vulnerability, but most didn’t. Let’s look at another example of how a firewall plugin can provide protection, this time with a zero-day. We will touch on a couple of examples of why web application firewalls (WAFs) such as cloud-based security services are unable to handle things as well. [Read more]

6 Nov 2023

Latest WordPress Plugin to Include Firewall Provides Almost No Protection Against Zero-Days

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure that the default protection our plugin offers against zero-days (vulnerabilities being exploited before the developer or others know about them) isn’t broken as we make changes to the plugin. Once we started developing that, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of that against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

This month we added a new plugin to our test set. The name of the plugin is Advanced Google reCAPTCHA, which doesn’t sound like it should be a relevant plugin to such testing. But as is often the case with WordPress plugins, developers add features that seem unrelated to the main purpose of the plugin. In this case, firewall functionality was added to the plugin, despite the developer already providing another plugin, Security Ninja, which is supposed to have a firewall (but doesn’t have one). [Read more]

16 Oct 2023

3 WordPress Firewall Plugins Stop Recent Widely Exploited Vulnerability in tagDiv Composer Plugin

Last week there were a spate of largely unhelpful news stories run about websites getting hacked through an already fixed vulnerability in a WordPress plugin not available through the WordPress Plugin Directory, tagDiv Composer. There is a lot that could be discussed with that, but one element stands out to us. It looked like exploitation of the vulnerability should be easily stopped by WordPress security plugins with a firewall. We say that based on our own experience developing such a firewall plugin. That runs counter to something said by Dan Goodin, who inexplicably continues to be employed by Ars Technica, despite repeatedly getting things wrong in his stories. He wrote this:

The malicious injection uses obfuscated code to make it hard to detect. It can be found in the database used by WordPress sites, specifically in the “td_live_css_local_storage” option of the wp_options table. [Read more]