Login
13 Sep 2022

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer is aware of it. One of the implications of that is that keeping a website’s plugins up to date won’t always protect websites from being hacked through vulnerabilities in them. So this is the type of situation where a security plugin, like iThemes Security, could provide protection beyond keeping plugins up to date. If any security plugins should be able to do that, it should be iThemes Security if you believe their marketing, as they claim it is the best:

The Best WordPress Security Plugin to Secure & Protect WordPress

We had a hacker try to exploit this vulnerability on one of our websites (despite our not using the plugin) to try to view the contents of WordPress’ configuration file, so we had the information to see if security plugins would protect against a real hacking attempt. We tested out 31 security plugins and the results were not good.

Three security plugins with a million or more installs failed to provide protection. Those plugins were All In One WP Security & Firewall, iThemes, and Automattic’s Jetpack. As we noted in a previous post, the vulnerability could have easily been avoided, so iThemes not only failed to secure their own code when they should have, but their security plugin didn’t protect against the threat they caused. Despite that, they didn’t apologize for the situation.

Among the plugins that provided protection, was one with only 200+ installs, which is a reminder that the popularity of security plugins doesn’t correlate with the protection they provide. That is why those looking for a security plugin should instead look for evidence that the plugin provides real protection, from testing like this. Notably, we are the only provider that does that kind of testing, so unsurprisingly our Plugin Vulnerabilities Firewall provided protection against this.

The six plugins that provided protection were:

  • BBQ Firewall
  • NinjaFirewall
  • Plugin Vulnerabilities Firewall
  • SecuPress Free
  • Web Application Firewall
  • Wordfence Security

Testing Procedure

For each of the tested plugins, we set up an install of WordPress 6.0.2, installed version 8.7.4.1 of BackupBuddy, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping the exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.

We used this exploit attempt we saw on our website, which tries to download the WordPress configuration file:

/wp-admin/admin-post.php?local-download=wp-config.php&local-destination-id=0

The 31 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

Results

Six plugins provided protection against the proof of concept: BBQ Firewall, NinjaFirewall, Plugin Vulnerabilities Firewall, SecuPress Free, Web Application Firewall, and Wordfence Security

The full results are below:

All In One WP Security & Firewall

Result: Failed to prevent exploitation.

Anti-Malware Security and Brute-Force Firewall

Result: Failed to prevent exploitation.

AntiHacker

Result: Failed to prevent exploitation.

BBQ Firewall

Result: Prevented exploitation.

BulletProof Security

Result: Failed to prevent exploitation.

Clearfy

Result: Failed to prevent exploitation.

Defender

Result: Failed to prevent exploitation.

Hide My WP

Result: Failed to prevent exploitation.

Hide My WP Ghost Lite

Result: Failed to prevent exploitation.

iThemes Security

Result: Failed to prevent exploitation.

Jetpack

Result: Failed to prevent exploitation.

Jetpack Protect

Result: Failed to prevent exploitation.

MalCare Security

Result: Failed to prevent exploitation.

NinjaFirewall

Result: Prevented exploitation.

Pareto Security

Result: Failed to prevent exploitation.

Patchstack

Result: Failed to prevent exploitation.

Plugin Vulnerabilities Firewall

Result: Prevented exploitation.

RSFirewall!

Result: Failed to prevent exploitation.

SecuPress Free

Result: Prevented exploitation.

Security by CleanTalk

Result: Failed to prevent exploitation.

Security Ninja

Result: Failed to prevent exploitation.

Shield Security

Result: Failed to prevent exploitation.

SiteGround Security

Result: Failed to prevent exploitation.

SiteGuard WP Plugin

Result: Failed to prevent exploitation.

Sucuri Security

Result: Failed to prevent exploitation.

Titan Anti-spam & Security

Result: Failed to prevent exploitation.

Web Application Firewall

Result: Prevented exploitation.

Wordfence Security

Result: Prevented exploitation.

WP Cerber Security, Anti-spam & Malware Scan

Result: Failed to prevent exploitation.

WP Hardening

Result: Failed to prevent exploitation.

WP Hide & Security Enhancer

Result: Failed to prevent exploitation.

No related posts.

Plugin Security Scorecard Grade for BBQ Firewall

Checked on June 17, 2025
D+

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for BulletProof Security

Checked on June 12, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Clearfy

Checked on August 20, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Defender

Checked on November 20, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Jetpack

Checked on November 24, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for MalCare Security

Checked on November 7, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for NinjaFirewall

Checked on June 12, 2025
D

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Patchstack

Checked on March 5, 2025
D

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Security Ninja

Checked on April 1, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Shield Security

Checked on January 19, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Sucuri Security

Checked on June 14, 2025
D+

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Titan Anti-spam & Security

Checked on June 20, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Wordfence Security

Checked on June 12, 2025
F

See issues causing the plugin to get less than A+ grade

Leave a Reply

Your email address will not be published.