18 Jun 2021

Keeping WordPress Plugins Up to Date and Installing Wordfence Security Won’t Stop Websites From Being Hacked

When it comes to keeping WordPress websites secure, much of the advice out there, even when it comes from “reputable” security companies, isn’t accurate. We happened across a recent example of this on Reddit, where someone was asking whether WordPress websites with up-to-date plugins and the Wordfence Security plugin installed get hacked. They got a lot of inaccurate information in response, some of which seems worth addressing.

Their post was titled, “How many WP sites being hacked with fully up to date plugins and wordfence installs?”, and further explained their question with this:

I am looking at one site which shows no obvious sign of hacking and yet Google is reporting it as being compromised. With a quick look at the site I haven’t discovered anything obviously fishy but I am wondering if someone has managed to inject some bad URLs into the system. All plugins are showing as being fully up to date. I will know more when I get access to the client’s Google Search Console. Has anyone had this scenario or similar happen to them where all precautions have been taken and yet the site was still hacked?

Keeping plugins up to date certainly helps to prevent websites from being hacked. To the extent Wordfence Security provides a firewall, and it actually works (more on that later), it could provide some additional protection. These are not the only precautions you could or would want to take, though. Before we get to that, let’s address some of the claims in responses.

Wordfence Security Doesn’t Just Protect Against Known Vulnerabilities

The top rated response to that is this:

In my experience, 0.

However, keep in mind that WF can only protect you against KNOWN vulnerabilities. It also can’t protect you from your host – if you’re using shared hosting and it’s not set up correctly, compromised sites can infect others on the server.

EDIT: forgot to add other important information: WF will only apply the firewall rules of known vulnerabilities after 30 days on the free version. So you’re certainly open to attack for that amount of time if the developer of the plugin/theme hasn’t issued a patch.

The claim that Wordfence Security can only protect against known vulnerabilities was repeated in another response:

2. Wordfence works with known vulnerabilities.

That isn’t actually all that accurate. Wordfence Security’s firewall has rules designed to protect against specific vulnerabilities, but it also has rules that provide more general protection. At the same time, it doesn’t include rules that would protect against many known vulnerabilities. In fact, Wordfence doesn’t add many rules for known vulnerabilities. So far this month, with their free data (that is, the data available to customers of their Wordfence Premium service, but with a 30 day delay), they had updated the rules on only two days. And on one of those days, they were removing rules for vulnerabilities, not adding them. So most of the protection it can offer depends on the general rules.

If someone doesn’t understand basic details of how the Wordfence Security plugin works, then the rest of what they are claiming probably isn’t all that accurate.

Most Websites Don’t Get Hacked

When it comes to understanding what protection a security product or service provides, it is important to remember that most websites don’t get hacked. One practical implication of that is that even if a security product or service doesn’t work at all, if many people are using it, there will be many people who will say it protected their website from being hacked, even though it did nothing. As a reminder that anecdotal evidence isn’t reliable evidence of the effectiveness of security products and services, that top rated response received this response from someone who was hacked:

I had a site get hacked once in a situation where everything was up to date – I’m incredibly on point with updating every single plugin within 24 hours of release. Pretty sure I know which plugin was the culprit even though it was up to date, the vulnerability didn’t get discovered until after it had already been exploited in the wild. Unlucky I guess.

This particular site remained hacked for over a year – WordFence premium never found it, Sucuri Scans never found it, Search Console never found it. Its effect only triggered if you hit the site on a mobile device and then reloaded the page – at that point you’d get redirected to some adware site. The only other symptom was high CPU usage on the host. By the time I stumbled onto it and determined the steps to trigger the malicious behavior, I’d already cycled through all my backups (I keep them for about a year). I actually never even figured out how to clean it – I ended up just rebuilding the site from scratch.

With a handful of years and a few dozen sites, that’s the only hacked experience I’ve had. Pardon me now while I go knock on every piece of wood I can find.

The response to that was to say that person was “unlucky”:

Ouch. You were just unlucky. What was the plugin?
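To make the base-rate point above concrete, here is an added example (not part of the original post, and every site count and hack rate in it is a constructed illustrative figure). It compares how many satisfied “it protected my site” users a product that does nothing produces against one that blocks 90% of hacks, and shows that only the relative risk between users and non-users tells them apart:

```python
# Added example, not from the original post. All site counts and rates
# below are constructed illustrative figures, not measurements.

def protection_anecdotes(users, base_rate, effectiveness):
    """Model `users` sites running a security product.

    base_rate:     yearly probability a site is hacked with no product at all
    effectiveness: fraction of those hacks the product really prevents
                   (0.0 means the product does nothing)
    Returns how many users were not hacked (and would credit the product)
    alongside the relative risk, which is what actually measures it.
    """
    if not 0.0 < base_rate <= 1.0:
        raise ValueError("base_rate must be in (0, 1]")
    user_rate = base_rate * (1.0 - effectiveness)
    unhacked_users = round(users * (1.0 - user_rate))
    relative_risk = user_rate / base_rate   # 1.0 means no effect at all
    return {
        "unhacked_users": unhacked_users,
        "hack_rate_users": user_rate,
        "hack_rate_nonusers": base_rate,
        "relative_risk": relative_risk,
    }


def compare(users=100_000, base_rate=0.02):
    """Side by side: a useless product versus one blocking 90% of hacks."""
    useless = protection_anecdotes(users, base_rate, 0.0)
    good = protection_anecdotes(users, base_rate, 0.9)
    return useless, good


if __name__ == "__main__":
    # Both products yield tens of thousands of happy anecdotes; only the
    # relative risk (1.00 versus 0.10) reveals which one is working.
    for name, r in zip(("does nothing", "blocks 90%"), compare()):
        print(f"{name:12s}: {r['unhacked_users']:>7,} unhacked users, "
              f"relative risk {r['relative_risk']:.2f}")
```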

Wordfence Security Has Failed When Tested

A good way to understand what protection, if any, a security product or service provides is to test it against real vulnerabilities. We have done that in the past with Wordfence Security and the results haven’t been very good. In one situation we found that with a vulnerability they claimed to have added protection against, the protection either didn’t exist or didn’t work. In other tests we did of many plugins, we found that it and every other plugin tested didn’t provide protection, or that Wordfence Security’s protection was easily bypassed.

Based on our testing, Wordfence Security provides some protection, though nowhere near the level you would believe based on the claims made by the company behind it or others, nor anywhere near what should be possible with that type of solution. Despite the NinjaFirewall plugin providing the same or better protection based on our testing and on looking at the rules they are adding, it never came up in the discussion.

Plugin Updates Can Make Websites Less Secure

Keeping plugins up to date prevents a website from being exploited through known vulnerabilities that have been fixed in them, but it does nothing about vulnerabilities that haven’t been fixed. Keeping plugins up to date can also introduce vulnerabilities, as new vulnerabilities can be introduced into plugins with new versions, which brings up another response:

Up-to-date does not mean secure. A plugin may appear up-to-date but may not be updated for months or years. Always look at the last update date.

A plugin not being updated in a long time would be a concern because the developer might not fix a security issue if one is discovered, but the security of a plugin isn’t like milk; it doesn’t go bad. A plugin that hasn’t been updated in months wouldn’t be a big concern, and one that is being updated frequently could be less secure if the developer isn’t carefully ensuring new code is properly secured. We should mention that one of the other responses addresses that, but in less clear terms:

In theory the chance is pretty high, depending on the plugins and theme. Also, latest plugin updates can backfire as well, depending on the developers of the update, otherwise you can’t predict this

The risk that a new version of a plugin introduces a security vulnerability isn’t more than the risk of running an outdated version, so you should keep your plugins up to date, but it still is important to understand the risk.

Additional Precautions

The issue of unfixed vulnerabilities is where our services come into play. With our main service, we can warn you about known WordPress plugin vulnerabilities that haven’t been fixed, and there are a lot of them. With many of those vulnerabilities, we are also the discoverers of them, including vulnerabilities that hackers look to be getting ready to exploit, as well as newly introduced vulnerabilities in plugins that hackers would exploit.

Other similar data providers are often missing those, sometimes intentionally. Those other data providers also have serious quality issues with their data, say, telling you a vulnerability has been fixed when it hasn’t.

For websites that want to take all the possible precautions and can afford them, having us do security reviews of the plugins they use will provide the best assurance that those plugins don’t contain vulnerabilities that could lead to the website being hacked.
