Existing WordPress Security Plugins Fail to Provide Non-Bypassable Protection Against Easy to Stop WordPress Plugin Vulnerability
When we did testing several years back to see if WordPress security plugins could prevent the exploitation of vulnerabilities in other WordPress plugins, the results were not good. In one test, we found that only two plugins provided any protection, and that protection was easily bypassed. In another, we found that only three provided any protection and only one of them had protection that couldn’t be easily bypassed. In another, we found that no plugins provided protection, despite one of them supposedly having protection, and we later found that another one that was supposed to have subsequently gained protection also didn’t provide it.
Based on those results and later testing, what we saw was that there is a place for a firewall plugin as one piece of the security strategy for WordPress websites, but the existing options were not something we could recommend. We couldn’t recommend them not only due to the poor results, but because the developers of the plugins that provided the most protection were not being honest about what the plugins can and cannot accomplish (if you can’t trust a security company, then you probably shouldn’t rely on it). That has led us to work on our own firewall plugin, which we plan on releasing soon.
To create a firewall plugin that actually delivers what should be possible with one, doing more of that type of testing is critical. It allows us to confirm that the protection we have implemented works and isn’t bypassable in a way that should be prevented, to understand if other plugins have provided better protection that we should match or exceed, and finally to make sure there isn’t protection possible that we haven’t thought of.
For our first test, we picked a vulnerability that should have been stopped by one of the first things we implemented protection for in our plugin. Since it is something so obvious to provide protection for and so easy to do, that seemed like a good place to get an idea of how our plugin compares to existing ones. The vulnerability we tested, which we had discovered in June in the plugin Quiz And Survey Master, involves code that doesn’t properly validate whether a value that is supposed to be an IP address is actually an IP address. It is easy to implement code that handles just that in a firewall plugin, as we did.
As detailed further below, despite the ease of doing that, only 2 of the 22 other plugins tested, NinjaFirewall and Wordfence Security, prevented exploitation in our testing. In line with our previous tests, the robustness of their protection was not good and we could easily bypass the protection of both plugins. By contrast, we couldn’t figure out how to bypass our own protection, which is an early indication that our plugin will be able to provide protection that existing options don’t.
Testing Procedure
For each of the tested plugins we set up an install of WordPress 5.8, installed version 7.1.18 of Quiz And Survey Master, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.
We used the proof of concept provided in our disclosure of the vulnerability in the exploit attempts.
The 23 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.
Results
We found that in addition to our plugin, only 2 of the 22 other plugins tested, NinjaFirewall and Wordfence Security, protected against exploitation. That those two plugins were the only others that provided protection isn’t all that surprising based on our previous testing, as those two plugins were the only two plugins that provided any protection in more than one of our previous tests.
One takeaway of that result is that the popularity of the security plugins doesn’t seem to be tied to the security they provide: while Wordfence Security is the most popular of the plugins tested, NinjaFirewall is not only not similarly popular, but isn’t even close to the second most popular. In doing some additional checking, it looks like NinjaFirewall provides more robust protection against the underlying issue here than Wordfence Security does. That more robust protection is closer to the protection our plugin provided.
After completing the first round of testing, though, we then tried to bypass the protection provided by the plugins that had succeeded in blocking this in the first round. We had little trouble bypassing the protection provided by NinjaFirewall and Wordfence Security. In the first round of testing we tried to exploit the vulnerability in line with the proof of concept we provided in our disclosure of the vulnerability, which involved passing JavaScript code through the HTTP header “X-FORWARDED-FOR”, but the code in the plugin relies on other HTTP headers as well:
```php
private function get_user_ip() {
	$ip       = __( 'Not collected', 'quiz-master-next' );
	$settings = (array) get_option( 'qmn-settings' );
	$ip_collection = '0';
	if ( isset( $settings['ip_collection'] ) ) {
		$ip_collection = $settings['ip_collection'];
	}
	if ( '1' != $ip_collection ) {
		if ( $_SERVER['REMOTE_ADDR'] ) {
			$ip = $_SERVER['REMOTE_ADDR'];
		} else {
			$ip = __( 'Unknown', 'quiz-master-next' );
		}
		if ( getenv( 'HTTP_CLIENT_IP' ) ) {
			$ip = getenv( 'HTTP_CLIENT_IP' );
		} elseif ( getenv( 'HTTP_X_FORWARDED_FOR' ) ) {
			$ip = getenv( 'HTTP_X_FORWARDED_FOR' );
		} elseif ( getenv( 'HTTP_X_FORWARDED' ) ) {
			$ip = getenv( 'HTTP_X_FORWARDED' );
		} elseif ( getenv( 'HTTP_FORWARDED_FOR' ) ) {
			$ip = getenv( 'HTTP_FORWARDED_FOR' );
		} elseif ( getenv( 'HTTP_FORWARDED' ) ) {
			$ip = getenv( 'HTTP_FORWARDED' );
		} elseif ( getenv( 'REMOTE_ADDR' ) ) {
			$ip = getenv( 'REMOTE_ADDR' );
		} else {
			$ip = $_SERVER['REMOTE_ADDR'];
		}
	}
	return $ip;
}
```
As we started trying the other headers out, we found that NinjaFirewall didn’t block requests using “FORWARDED” and Wordfence Security didn’t block requests using “CLIENT-IP”. When we were developing our protection, we spent a fair amount of time trying to ensure that we covered as many of the HTTP headers that might be used as possible, which clearly paid off with better results: we provided protection for all the HTTP headers being checked and we couldn’t figure out how to bypass our protection.
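The following is an added example written for this post, not code from Quiz And Survey Master, from our firewall plugin, or from any of the tested plugins. It shows the two defensive checks the discussion above implies: a firewall-side check that covers every header get_user_ip() consults (so that a value moved from X-Forwarded-For to Forwarded or Client-IP is still caught), and a hardened version of the plugin's own lookup that only accepts a header value once it validates as an IP address. The $server array stands in for $_SERVER/getenv() so the functions can be exercised offline.

```php
<?php
// Added example, not code from Quiz And Survey Master or any tested plugin.
// The header names get_user_ip() reads, in its precedence order; they map to
// the HTTP headers Client-IP, X-Forwarded-For, X-Forwarded, Forwarded-For
// and Forwarded.
const QSM_IP_HEADERS = [
    'HTTP_CLIENT_IP',
    'HTTP_X_FORWARDED_FOR',
    'HTTP_X_FORWARDED',
    'HTTP_FORWARDED_FOR',
    'HTTP_FORWARDED',
];

// Firewall-side check: names of IP headers whose value is not a valid
// IPv4/IPv6 address. Checking all five is what closes the gaps found above
// (Forwarded for NinjaFirewall, Client-IP for Wordfence Security).
function invalid_ip_headers( array $server ): array {
    $bad = [];
    foreach ( QSM_IP_HEADERS as $name ) {
        if ( ! isset( $server[ $name ] ) || '' === $server[ $name ] ) {
            continue;
        }
        // X-Forwarded-For may carry a comma-separated proxy chain; every
        // element must still be an IP address.
        foreach ( explode( ',', $server[ $name ] ) as $candidate ) {
            if ( false === filter_var( trim( $candidate ), FILTER_VALIDATE_IP ) ) {
                $bad[] = $name;
                break;
            }
        }
    }
    return $bad;
}

// Hardened replacement for the plugin's lookup: same precedence, but the
// chosen header value is used only if it validates; otherwise REMOTE_ADDR.
function safe_user_ip( array $server ): string {
    foreach ( QSM_IP_HEADERS as $name ) {
        if ( ! empty( $server[ $name ] ) ) {
            $first = trim( explode( ',', $server[ $name ] )[0] );
            if ( false !== filter_var( $first, FILTER_VALIDATE_IP ) ) {
                return $first;
            }
            break; // first present header wins, as in the plugin's elseif chain
        }
    }
    return $server['REMOTE_ADDR'] ?? 'Unknown';
}

// Constructed sample request shaped like the bypass described above: the
// non-IP value is placed in Forwarded rather than X-Forwarded-For.
$sample = [ 'REMOTE_ADDR' => '203.0.113.10', 'HTTP_FORWARDED' => 'not-an-ip' ];
var_dump( invalid_ip_headers( $sample ), safe_user_ip( $sample ) );
```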
The full results are below:
All In One WP Security & Firewall
- WordPress.org Plugin Directory page
- Active Installs: 900,000+
- Version Tested: 4.4.9
Result: Failed to prevent exploitation.
Anti-Malware Security and Brute-Force Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 4.20.72
Result: Failed to prevent exploitation.
AntiHacker
- WordPress.org Plugin Directory page
- Active Installs: 1,000+
- Version Tested: 3.26
Result: Failed to prevent exploitation.
BBQ Firewall
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 20210719
Result: Failed to prevent exploitation.
BulletProof Security
- WordPress.org Plugin Directory page
- Active Installs: 50,000+
- Version Tested: 5.1
Result: Failed to prevent exploitation.
Clearfy
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 1.9.4
Result: Failed to prevent exploitation.
Defender
- WordPress.org Plugin Directory page
- Active Installs: 50,000+
- Version Tested: 2.5.5
Result: Failed to prevent exploitation.
Hide My WP Ghost Lite
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 4.1.08
Result: Failed to prevent exploitation.
iThemes Security
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 8.0.1
Result: Failed to prevent exploitation.
Jetpack
- WordPress.org Plugin Directory page
- Active Installs: 5+ Million
- Version Tested: 10.0
Result: Failed to prevent exploitation.
MalCare Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 4.63
Result: Failed to prevent exploitation.
NinjaFirewall
- WordPress.org Plugin Directory page
- Active Installs: 60,000+
- Version Tested: 4.4
Result: Prevented exploitation, but bypass around protection was easily found.
Plugin Vulnerabilities Firewall
- Page on our website
- Active Installs: N/A
- Version Tested: Alpha
Result: Prevented exploitation.
SecuPress Free
- WordPress.org Plugin Directory page
- Active Installs: 30,000+
- Version Tested: 2.0.3
Result: Failed to prevent exploitation.
Security by CleanTalk
- WordPress.org Plugin Directory page
- Active Installs: 9,000+
- Version Tested: 2.71
Result: Failed to prevent exploitation.
Security Ninja
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 5.122
Result: Failed to prevent exploitation.
Shield Security
- WordPress.org Plugin Directory page
- Active Installs: 60,000+
- Version Tested: 11.5.4
Result: Failed to prevent exploitation.
SiteGuard WP Plugin
- WordPress.org Plugin Directory page
- Active Installs: 400,000+
- Version Tested: 1.6.0
Result: Failed to prevent exploitation.
Sucuri Security
- WordPress.org Plugin Directory page
- Active Installs: 800,000+
- Version Tested: 1.8.27
Result: Failed to prevent exploitation.
Titan Anti-spam & Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 7.2.7
Result: Failed to prevent exploitation.
Wordfence Security
- WordPress.org Plugin Directory page
- Active Installs: 4+ Million
- Version Tested: 7.5.4
Result: Prevented exploitation, but bypass around protection was easily found.
WP Cerber Security, Anti-spam & Malware Scan
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 8.9
Result: Failed to prevent exploitation.
WP Hardening
- WordPress.org Plugin Directory page
- Active Installs: 5,000+
- Version Tested: 1.2.2
Result: Failed to prevent exploitation.