The developers of WordPress firewall plugins make a lot of impressive claims about the protection they offer, but they usually do not provide any evidence of their plugins' effectiveness. That evidence is important because there are a variety of issues that can cause WordPress security plugins to fail to provide effective firewall protection.
As part of ensuring our Plugin Vulnerabilities Firewall plugin for WordPress provides the best possible protection against exploitation of zero-day vulnerabilities in other plugins, we currently do two types of testing that provide a good comparison of the protection provided by WordPress firewall plugins. That testing also allows us to meet the requirements to be a Certified WP Security product, so you can be assured that it delivers the promised results.
We have created regression testing software to make sure each release of our firewall plugin continues to provide the intended protection. That software can be run against any WordPress firewall plugin where we can identify the response it provides when blocking a request, to see if it is able to block the same malicious requests. That should provide a measure of the robustness of the protection those plugins do or don't provide. The results below show the protection that the security plugins we could check provided in those tests, as of June 3, 2024.
- Plugin Vulnerabilities Firewall
- NinjaFirewall
- Wordfence Security
- Pareto Security
- All-In-One Security (AIOS)
- Hide My WP Ghost
- Hide My WP
- Bulletproof Security
- Anti-Malware Security and Brute-Force Firewall
- BBQ Firewall
- RSFirewall!
- SecuPress
- Advanced Google reCAPTCHA
- Shield Security
- IP Location Block
- WP Security Safe
- BitFire
- Anti-Hacker
- Jetpack
- Jetpack Protect
- Security Optimizer
- Solid Security
- Sucuri Security
- WP Cerber Security
Plugin Security Scorecard Result
In line with those results, the Plugin Security Scorecard grades for other firewall plugins are not good:
- BBQ Firewall D+
- Anti-Malware Security and Brute-Force Firewall D
- Hide My WP Ghost D
- NinjaFirewall (WP Edition) D
- All-In-One Security (AIOS) F
- BitFire Security F
- BulletProof Security F
- SecuPress Free F
- Wordfence Security F
- Shield Security F
Latest Grade From November 22, 2024
Our firewall plugin has none of the issues that would cause a grade less than an A+.
Testing Against Real World Vulnerabilities
We also test a large group of plugins, currently 34, to see what protection, if any, they provide against real-world vulnerabilities in other plugins. The results of our recent tests can be found in the blog posts about those tests:
- Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin
- NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day
- Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability
- Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It
- WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability
- Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress
- Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy
- Only Two WordPress Security Plugins Prevented Exploitation of Vulnerability in Security Plugin WP Cerber
- No WordPress Security Plugin Stopped Exploitation of Vulnerability That Disables Them
- WordPress Security Plugins Failed to Protect Against Arbitrary File Upload Vulnerability Using Raw POST Data
- WordPress Security Plugins Failed to Protect Against Vulnerability When Using Gutenberg Editor
- NinjaFirewall Only WordPress Security Plugin to Provide Any Protection Against Exploitation of Unfixed Privilege Escalation Vulnerability
- Only Two WordPress Security Plugins Prevented Enabling User Registration Through Unfixed Option Update Vulnerability
- Five WordPress Security Plugins Provide Some Protection Against Unfixed Reflected XSS Vulnerability in Plugin with 200,000+ Installs
- Existing WordPress Security Plugins Fail to Protect Against PHP Object Injection Vulnerability
- Existing WordPress Security Plugins Fail to Provide Non-Bypassable Protection Against Easy to Stop WordPress Plugin Vulnerability