Tag Archives: Web Application Firewall

30 Apr 2024

One of the Best Performing WordPress Firewall Plugins is No More

The results of our testing to see how much of the protection our WordPress firewall plugin provides that other WordPress security plugins also offer shows how little connection there is between the popularity of WordPress security plugins and security they offer. A good example of that is the plugin Web Application Firewall, which as of last month provided the 7th most protection, but had only 300+ installs. By comparison, other plugins with hundreds of thousands or millions installs fail to provide any protection, even when marketed as if they do provide robust protection. In the case of one such plugin, WordPress allows them to market it as if the plugin contains a firewall despite not having one (while the developer sponsors one of the heads of the team running the WordPress’ plugin directory).

In this month’s testing, Web Application Firewall failed to provide any protection. That stood out in our reviewing the results of the testing. The changes made to the plugin since last month didn’t seem to provide a reasonable explanation for that, as the changelog suggested only vulnerabilities had been fixed: [Read more]

9 Jan 2024

Five Years In, Wordfence Security Still Doesn’t Provide Protection When Using WordPress Block Editor

In December 2018, WordPress 5.0 was released, which introduced a new default editor, the blocks editor (also known as Gutenberg). You would think that the developer of the most popular security only plugin, Wordfence Security, would have quickly made sure that they offered protection when using that, but that turned out not to be the case. In a test we did in September 2021, we found that wasn’t the case. It was also an issue at the time, with the best free option for protection, NinjaFirewall. And was also the case with our then in-development, Plugin Vulnerabilities Firewall. A recently fixed vulnerability in a popular plugin, Spectra, led to us revisiting this and finding that things haven’t changed for Wordfence Security, but have for the other two plugins.

On Sunday, a new firewall rule was added to the free data for the Wordfence Security plugin. Here is that rule: [Read more]

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a vulnerability of a type, persistent cross-site scripting (XSS), that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website. [Read more]

7 Jun 2023

WordPress Firewall Plugins Lack Protection Against Arbitrary User Deletion Vulnerabilities

Last week, we ran across a vulnerability in a WordPress plugin that would allow an attacker to delete all the website’s WordPress user accounts, which would be nasty if exploited by an attacker. The ability to easily exploit the vulnerability involves, in part, a known bypass of WooCommerce’s security that hasn’t been addressed. The developer of WooCommerce, Automattic, has told us they are “aware of this and working on a fix to mitigate this issue”, though no timeline has been put forward for that (or clear information on how long they have been aware of that).

A way to help prevent this type of vulnerability from being exploited would be to use a WordPress firewall plugin that protects against non-Administrators being able to delete arbitrary WordPress users through a vulnerability like that. That is something we implemented in our own firewall plugin after running across the vulnerability. As part of adding that protection, we updated our regression testing software to make sure that the protection continues to work as we make additional changes to the plugin (the developer of one security plugin doesn’t appear to do that type of regression testing at all). [Read more]

13 Mar 2023

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, who all claim to have teams of experts reviewing vulnerabilities in WordPress plugins, claiming that the vulnerability had been fixed three months before that. The moderators of the WordPress Support Forum made the situation worse by deleting an early indication of the problem in the form a message complaining about a website being hacked because of the plugin.

The developer of the plugin promptly fixed the vulnerability once we advised them that it still existed. They then went further than other plugin developers usually do when a plugin has had an exploited vulnerability and got a security review done to ensure the plugin was now properly secured. [Read more]

6 Mar 2023

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things they said in their post that are rather problematic.

One of them was that they were claiming to have responsibly disclosed the vulnerability, while also contradicting that. According to their post, the day before they notified the developer of the plugin about the vulnerability, they were already selling access to information about exploiting the vulnerability through their Wordfence Premium service. That isn’t responsible disclosure and any hacker willing to pay for the service could have started exploiting this before the developer was even notified about it. Wordfence’s paying customers would have been protected from it at the time, but others would not without having some other security in place. [Read more]

8 Feb 2023

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability discovered by Lana Codes involved the plugin’s functionality to email a one-time password for logging in to WordPress. The problem with the functionality is that it didn’t just email the password, it also sent it back as part of the response from the request to have it emailed. So an attacker could submit the request to have that emailed for a WordPress user’s account, get the password that was only supposed to be emailed, and then log in to that account.

Trying to prevent an information disclosure issue like this would be difficult for a WordPress security plugin without being aware of the particular vulnerability, as it would have to realize that something that shouldn’t be disclosed is being disclosed, so it would be unlikely that a security plugin would provide protection. Our own firewall plugin, Plugin Vulnerabilities Firewall, doesn’t have protection against such a situation, but we are always looking to see how we might be able to expand its protection, so we were curious to see if any other plugins provided protection. [Read more]

26 Oct 2022

Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced in to a WordPress plugin that comes directly from WordPress. It turned out that vulnerability had been introduced in to it by an employee of the company closely associated with WordPress, Automattic. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files and then from there they could do whatever else they want, as that would give them the ability to run arbitrary code on the website. That is a type of scenario WordPress security plugins could and should have a capability to protect against.

Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of review of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario. [Read more]

13 Sep 2022

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer is aware of it. One of the implications of that is that keeping a website’s plugins up to date won’t always protect websites from being hacked through vulnerabilities in them. So this is the type of situation where a security plugin, like iThemes Security, could provide protection beyond keeping plugins up to date. If any security plugins should be able to do that, it should be iThemes Security if you believe their marketing, as they claim it is the best:

The Best WordPress Security Plugin to Secure & Protect WordPress [Read more]