7 Jul 2022

The All In One WP Security & Firewall Plugin Provides Little Firewall Protection With Recommended Settings

When we test WordPress security plugins to see what protection, if any, they provide against vulnerabilities in other plugins, we try to enable every option that could possibly add protection. A downside of that approach is that it doesn’t necessarily give a good indication of how much protection they provide in the real world, as the average website might not have enabled the options that provide it. Testing we just did with one of the most popular WordPress security plugins, All In One WP Security & Firewall, which has 1+ million installs, highlights that. What we found was that most of the protection it can provide is not only disabled by default, but the developer recommends against using the option that provides it.

To see how our own WordPress firewall plugin is doing compared to other plugins, we do automated testing to see if they provide protection against the same threats that our firewall blocks. A benefit of that testing approach is that it is easy to test many plugins or to test a plugin with various different settings combinations.
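As an added example of the kind of harness that testing approach relies on (this is not the authors' own tooling and not code from any of the plugins discussed), the script below replays a fixed corpus of requests against a site and reports the percentage the site rejects, so the same corpus can be run under different firewall settings and the percentages compared. It assumes that a blocking firewall answers with an error status such as 403 or drops the connection, and that a request answered with 200 was allowed through even if the plugin logged it. The probe paths and the `simulated_sender` site are constructed stand-ins, not real requests from the test corpus.

```python
"""Block-rate harness for comparing WordPress firewall settings.

Added example; not from the original post or from the plugins it discusses.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Probe:
    """One request from the test corpus (paths below are constructed stand-ins)."""
    name: str
    path: str
    method: str = "GET"
    body: bytes = b""


# Status codes a blocking firewall typically returns. A 200 is never treated as a
# block: a plugin that only logs the request still lets it reach the application.
BLOCK_STATUSES = {403, 406, 418, 429, 503}

Response = Tuple[int, bytes]          # (HTTP status, body); status 0 = connection dropped
Sender = Callable[[Probe], Response]


def is_blocked(response: Response) -> bool:
    """True if the site refused the request outright."""
    status, _body = response
    return status == 0 or status in BLOCK_STATUSES


def http_sender(base_url: str, timeout: float = 10.0) -> Sender:
    """Real transport: send a probe to base_url and return (status, body)."""
    def send(probe: Probe) -> Response:
        req = urllib.request.Request(
            base_url.rstrip("/") + probe.path,
            data=probe.body or None,
            method=probe.method,
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:
            return err.code, err.read()
        except urllib.error.URLError:
            # A server that closes the connection is counted as a block.
            return 0, b""
    return send


def block_rate(probes: Iterable[Probe], send: Sender) -> float:
    """Percentage of the corpus the site rejected, rounded to two decimals."""
    probe_list: List[Probe] = list(probes)
    if not probe_list:
        return 0.0
    blocked = sum(1 for p in probe_list if is_blocked(send(p)))
    return round(100.0 * blocked / len(probe_list), 2)


def compare_configs(probes: Iterable[Probe], senders: Dict[str, Sender]) -> Dict[str, float]:
    """Run the same corpus through each named configuration (one sender per setting)."""
    probe_list = list(probes)
    return {name: block_rate(probe_list, send) for name, send in senders.items()}


# Constructed corpus: placeholder paths, not real malicious requests.
SAMPLE_PROBES = [
    Probe("probe-1", "/?probe=constructed-1"),
    Probe("probe-2", "/wp-admin/admin-ajax.php?action=constructed-2", "POST", b"a=1"),
    Probe("probe-3", "/?probe=constructed-3"),
    Probe("probe-4", "/?probe=constructed-4"),
]


def simulated_sender(blocked_names: Set[str]) -> Sender:
    """Offline stand-in for a site: answers 403 for the named probes, 200 otherwise."""
    def send(probe: Probe) -> Response:
        if probe.name in blocked_names:
            return 403, b"Forbidden"
        return 200, b"ok"
    return send


if __name__ == "__main__":
    # Three hypothetical settings run against the constructed corpus; with a real
    # site, replace each simulated_sender(...) with http_sender("https://example.test").
    results = compare_configs(SAMPLE_PROBES, {
        "default": simulated_sender(set()),
        "setting-A": simulated_sender({"probe-1"}),
        "setting-B": simulated_sender({"probe-1", "probe-2"}),
    })
    for name, pct in results.items():
        print(f"{name:>10}: {pct:.2f}% blocked")
```

Keeping the corpus fixed and swapping only the sender is what makes the percentages for different settings comparable; the same script, pointed at the same corpus, is how a 0% default and a 15.03% result for another setting can be put side by side.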

In All In One WP Security & Firewall’s default state, the plugin blocks 0% of the malicious requests from that testing.

The configuration process for the plugin’s firewall is rather complicated. On the admin page for configuring the firewall, there are seven tabs with configuration options:

If you enable all the options save for those on the 6G Blacklist Firewall Rules tab, the results are not much better than the default state: All In One WP Security & Firewall then blocks only 1.31% of the malicious requests.

On the 6G Blacklist Firewall Rules tab, there are two options that can be enabled:

Those options are enabling the 6G Firewall or the “legacy” 5G Firewall. Both of those are actually legacy options, as their developer released the 7G Firewall some time ago. (We tested the 7G Firewall recently and found it doesn’t provide much protection.)

It is unclear why there is an option to enable the 5G Firewall, as the plugin itself suggests that you should use the 6G Firewall instead:

The 6G Blacklist is updated and improved version of 5G Blacklist. If you have 5G Blacklist active, you might consider activating 6G Blacklist instead.

Nor is it explained why there is an option to enable both.

If you enable only the 6G Firewall, All In One WP Security & Firewall now blocks 6.54% of the malicious requests.

If you enable both the 5G and 6G Firewalls, All In One WP Security & Firewall now blocks 15.03% of the malicious requests.

If you enable only the 5G Firewall, All In One WP Security & Firewall still blocks 15.03% of the malicious requests. So it appears that the 6G Firewall provides only a subset of the protection that the 5G Firewall provides.

Most Available Protection Comes from an Option Not Recommended

What that all adds up to is that most of the firewall protection the plugin can provide comes from the 5G Firewall, which isn’t enabled by default and which the developer doesn’t recommend enabling.

Also, it would appear the developer hasn’t actually done basic testing to see what protection their plugin can offer, since if they had, they should have seen that the 6G Firewall offers significantly less protection than the 5G Firewall.

Better Options

If someone wanted to implement the 5G Firewall, they could do that without this plugin, as enabling that option only adds code written by another developer to the website’s .htaccess file. That being said, there are other firewall plugins that our automated testing shows provide much more protection. Our Plugin Vulnerabilities Firewall provides protection against 100% of the malicious requests tested, and the best free option, NinjaFirewall, provides protection against 35.9%.
