24 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

The paid Wordfence Premium service connected with the Wordfence Security plugin is promoted with the claim that it provides “real-time protection”:

If your website is mission-critical you can’t afford the downtime, reputation challenges or SEO impact of getting hacked. That’s why so many sites rely on the real-time protection provided by Wordfence Premium.

Yet the plugin and that service have again failed to provide protection matching those claims. More notably and importantly, they failed to provide protection that they should have provided and that other plugins did provide.

On October 19, a new version of the plugin Age Gate was released whose changelog entry indicated that a security improvement had been made: “Fixes potential XSS issue with data imports”. While that refers to a potential issue, in line with what we have often seen with issues described as potential or possible, there really was a vulnerability.

On October 20, the NinjaFirewall plugin had a new rule added to protect against exploitation of this and we warned our customers about the vulnerability. The vulnerability was caused by the insecurity of the plugin’s import functionality and allowed malicious JavaScript code to be added to the website’s pages.

You might think that Wordfence team would have paid attention to what other security companies were doing and made sure they were providing protection against the vulnerability.

On October 21, it was being publicly discussed on the WordPress Support Forum that the vulnerability had been exploited.

If Wordfence hadn’t already added protection, it seems like they definitely should have added it on October 21. That turns out not to be the case.

The Wordfence Security plugin can provide protection either through a rule written for the specific vulnerability or through general protection that would protect against this type of vulnerability more generally.

Wordfence provides new rules for their firewall only to their Wordfence Premium customers for the first 30 days, so you can trace back when and if protection was added for those customers by seeing when and if a rule was added to their free data. 30 days from October 21 was November 20. So far, no rule has been added to protect against this vulnerability. (Update 11/24/2021: A rule was added to the free data today to address this, so they added it days after the vulnerability had been publicly known to be exploited. One possible explanation for the timing is that the WPScan Vulnerability Database (now owned by Automattic) belatedly added an entry for this vulnerability on October 25.)

That isn’t because the Wordfence Security plugin already provides general protection, as we tested exploitation of the vulnerability yesterday and confirmed it could be exploited on a website using the plugin. While the plugin does have “built-in XSS protection”, as this situation shows, that doesn’t get applied everywhere that it would need to be to provide the most protection possible.

By comparison, the NinjaFirewall plugin protects against exploitation due to the rule they had added before the exploitation was known to have started.

It would also be possible to protect against this through general protection, as our Plugin Vulnerabilities Firewall provided general protection against exploitation of this at the time it was exploited (through both a default protection and a non-default protection). We also added a further general protection based on this vulnerability, so that we could provide protection in other situations where those existing protections wouldn’t come into play.

