2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a vulnerability of a type, persistent cross-site scripting (XSS), that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

20 Nov 2023

WordPress Firewall Plugins Protect Against Vulnerability Without Rule Needed for Wordfence Security To Do That

Last week, we noted that the marketing for the Wordfence Security plugin was promoting its firewall as being the industry leader, despite that not being supported by them with anything whatsoever and objective testing showing that being far from the case. In doing that, we included a screengrab of them making that claim:

[Read more]

7 Jun 2023

WordPress Firewall Plugins Lack Protection Against Arbitrary User Deletion Vulnerabilities

Last week, we ran across a vulnerability in a WordPress plugin that would allow an attacker to delete all the website’s WordPress user accounts, which would be nasty if exploited by an attacker. The ability to easily exploit the vulnerability involves, in part, a known bypass of WooCommerce’s security that hasn’t been addressed. The developer of WooCommerce, Automattic, has told us they are “aware of this and working on a fix to mitigate this issue”, though no timeline has been put forward for that (or clear information on how long they have been aware of that).

A way to help prevent this type of vulnerability from being exploited would be to use a WordPress firewall plugin that protects against non-Administrators being able to delete arbitrary WordPress users through a vulnerability like that. That is something we implemented in our own firewall plugin after running across the vulnerability. As part of adding that protection, we updated our regression testing software to make sure that the protection continues to work as we make additional changes to the plugin (the developer of one security plugin doesn’t appear to do that type of regression testing at all). [Read more]

2 Jan 2023

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Privilege Escalation Vulnerability in Targeted Plugin

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

2 Dec 2022

Wordfence Security Falls to Fourth Place in December Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated that; we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started developing that is that we could also use that to do automated testing to get a sense of how much protection other WordPress security plugins provided against zero-days, which are vulnerabilities being exploited before the developer knows about them. In May, we started doing a monthly run of that against a wide range of plugins to start tracking how their protection changed over time. So far there haven’t been many notable changes, but this month had a significant change.

Up until this month, the results have been that our plugin has provided the most protection, followed by NinjaFirewall providing protection in about a third of the exploit tests, and Wordfence Security coming third with protection for a fifth of the exploit tests. That seems like a good indication of the poor state of WordPress security plugins and a lack of understanding of how much protection they provide, as NinjaFirewall only has 80,000+ installs, while Wordfence security has 4,000,000+ installs. [Read more]

7 Nov 2022

Hide My WP Ghost Fails to Prevent SQL Injection Attack

One reality when it comes to WordPress security plugins is that if a developer claims their plugin will provide some sort of protection, people will repeat the claim without actually knowing if it is true.

That came up recently in our monitoring of the WordPress’ support forum for topics about vulnerabilities in plugins, with the plugin Hide My WP Ghost. Two recent reviews for the plugin, which came during a marketing promotion for it, claimed that it protects against SQL injection (emphasis ours): [Read more]

26 Oct 2022

Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced in to a WordPress plugin that comes directly from WordPress. It turned out that vulnerability had been introduced in to it by an employee of the company closely associated with WordPress, Automattic. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files and then from there they could do whatever else they want, as that would give them the ability to run arbitrary code on the website. That is a type of scenario WordPress security plugins could and should have a capability to protect against.

Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of review of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario. [Read more]

20 Oct 2022

WordFence Security Fails to Provide the Protection Keeping WordPress Plugins Updated Would

One of the impediments to better security for WordPress websites (and security in general) is that people are not taking basic security measures and instead relying on security solutions that fail to provide the protection that those basic security measures would. Recently someone posted on the support forum for the plugin PDF.js Viewer, mentioning they were getting this message, which is from the Wordfence Security plugin, on their website:

Plugin Name: PDFjs Viewer
Current Plugin Version: 1.3
Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “PDFjs Viewer” until a patched version is available. Get more information. [Read more]

7 Oct 2022

All In One WP Security & Firewall Only WordPress Firewall Plugin to Increase Protection in Our Testing This Month

One of the ways we measure how much protection that WordPress security plugins provide against the real threat of vulnerabilities in other WordPress plugins, is to run software we have designed to make sure that our own firewall plugin’s protection isn’t broken when we make changes, against other plugins. Since May we have been doing a monthly run of that and logging the results, so that we can monitor changes in the results of the other plugins.

Until this month, there have been only two changes. One was that the amount of protection changed for plugins when we added tests for more exploit attempt variants, with most plugins not providing protection against the new tests. The other was that we detected that Shield Security’s protection became entirely broken. That first occurred in the June test and hasn’t been fixed yet. [Read more]

13 Sep 2022

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer is aware of it. One of the implications of that is that keeping a website’s plugins up to date won’t always protect websites from being hacked through vulnerabilities in them. So this is the type of situation where a security plugin, like iThemes Security, could provide protection beyond keeping plugins up to date. If any security plugins should be able to do that, it should be iThemes Security if you believe their marketing, as they claim it is the best:

The Best WordPress Security Plugin to Secure & Protect WordPress [Read more]