Shield Security’s Firewall Has Now Been Broken for 3 Months
When it comes to WordPress security plugins, the developers are often much better at marketing them than they are at security. Hence, these plugins are widely used despite failing to provide much, if any, protection. The developer of the Shield Security plugin markets their plugin with criticism of competing plugins’ marketing:
It’s time to stop our obsession with malware. Malware scanning is important after you’re hacked. Get a security plugin that prioritises security protection before “malware marketing”.
Leave Behind the Security Marketing Hype and Scare Mongering
Our Security solution isn’t designed to scare you and make you feel unsafe.
We’re all about delivering powerful security without the scary stories and fear-based marketing. We’re all about WordPress security without the marketing hype.
Shield Security is full of great security tools that let it make intelligent decisions to protect your site and maintain your site security and integrity, so you don’t have to.
Though if you read the rest of the description of the plugin, it is actually full of marketing hype of its own.
The developer’s claim of prioritizing “security protection” doesn’t line up with the results of testing whether the plugin actually provides protection against the very real threat of vulnerabilities in other plugins.
We developed automated testing software to make sure that changes made to our Plugin Vulnerabilities Firewall didn’t break existing protection. When we started working on that, we realized we could also run it against other WordPress firewall plugins to compare how much protection they provide.
In May, we started doing a monthly run of that testing and recording the results, so that we could track how those plugins are improving (or worsening) in the protection they provide. When we ran the test in June, there was a curious result. Shield Security went from providing protection against 3.9% of the attacks to 0%. That wasn’t an expected result, and we looked into this further to confirm that was accurate and not a problem with our testing software. We found that the protection was working through version 14.1.7 and then stopped. The next version came out in early May, but after we did our monthly run of the testing.
It has been another two months and the protection still hasn’t been restored. So it would seem the developer isn’t doing the kind of regression testing we do to make sure that the protection we provide isn’t broken. Despite the developer of that plugin lying to and about us in the past (the security industry is full of some of the worst people), we did notify them about the situation through Twitter at the beginning of June.
It probably doesn’t matter much that protection isn’t working, since when it did work, it barely provided any protection. Of the plugins we currently include in testing, 10 of them provide protection against more than 3.9% of the tested attacks and the best free option provides protection against 36.6% of the attacks.