7 Nov 2022

Hide My WP Ghost Fails to Prevent SQL Injection Attack

One reality when it comes to WordPress security plugins is that if a developer claims their plugin will provide some sort of protection, people will repeat the claim without actually knowing if it is true.

That came up recently in our monitoring of the WordPress support forum for topics about vulnerabilities in plugins, with the plugin Hide My WP Ghost. Two recent reviews of the plugin, posted during a marketing promotion for it, claimed that it protects against SQL injection (emphasis ours):

Security breaches, hacking and bot attacks are the most common things that we hear in WordPress communities. Hide My WP Ghost plugin will help you prevent your website from several of those things like bot attack prevention, WP Admin area protection, SQL injection protection and many more. I am happy that I have it installed on my sites.

A very useful product by Squirrly.com. HMG adds filters and security layers to prevent SQL and Scripts injections, XML-RPC, Brute Force attacks. It hides and changes the plugins, common paths and themes path protecting against hacker bots attacks.

That is something that the developer claims is true:

The plugin adds filters and security layers to prevent Scripts and SQL Injections, Brute Force attacks, XML-RPC attacks, XSS, and more.

The developer of the plugin offers no evidence that it provides that type of protection, nor any evidence of its effectiveness in general.

SQL Injection Test

To put the claim to the test, we took a recently disclosed SQL injection vulnerability that came with a proof of concept and tested it with the plugin active. We ran the test with the plugin’s firewall set to its highest strength.

The proof of concept provided was not blocked by the plugin, so it didn’t prevent that SQL injection from occurring.

To do a more practical test, we tried retrieving the contents of the website’s database using the popular SQL injection tool sqlmap. That also wasn’t stopped, as long as we used the “--random-agent” option flag.

Weak Firewall

The result isn’t all that surprising once you know what the firewall in the plugin actually is. The developer hasn’t created their own firewall; instead, they use the latest version of the nG Firewall, 7G Firewall. (Several other security plugins rely on the nG Firewall as well.) Testing we did in June showed that the 7G Firewall doesn’t provide much protection.
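To make concrete why a request-pattern firewall of this kind is bypassed by changing the User-Agent, and why the fix for SQL injection belongs in the query code rather than in front of it, here is an added example that is not code from the post, from Hide My WP Ghost or from the 7G Firewall. It models the situation in Python with an in-memory SQLite table rather than WordPress and $wpdb; the single user-agent rule, the blocked string, the table and its rows are all constructed assumptions for the demonstration. The same tautology input passes the concatenated query and is harmlessly treated as a literal by the parameterised one, whatever the firewall decides.

```python
import sqlite3

# Constructed sample data; nothing here comes from the original post.
SAMPLE_USERS = [(1, "alice", "editor"), (2, "bob", "subscriber")]


def make_db():
    """Build an in-memory table standing in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, login TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


# Hypothetical rule modelled on the kind of signature a pattern-based
# firewall applies to request headers. Assumption for this example: the
# rule keys on a tool's default User-Agent string, which a client is free
# to change (the post's --random-agent result).
BLOCKED_UA_FRAGMENTS = ("sqlmap",)


def firewall_allows(user_agent: str) -> bool:
    """Request-layer check: decides solely on an attacker-controlled header."""
    ua = user_agent.lower()
    return not any(fragment in ua for fragment in BLOCKED_UA_FRAGMENTS)


def lookup_vulnerable(conn, login: str):
    """The 'before': the request value is concatenated into the SQL text,
    so quote characters in it change the query's structure."""
    sql = "SELECT login, role FROM users WHERE login = '%s'" % login
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, login: str):
    """The 'after': a parameterised query (the role $wpdb->prepare() plays
    in WordPress). The value is bound as data, never parsed as SQL."""
    sql = "SELECT login, role FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def handle_request(conn, user_agent: str, login: str, hardened: bool):
    """Simulate one request passing through the firewall to the query.

    Returns ("blocked", None) when the header rule fires, otherwise
    ("served", rows) with whatever the chosen query variant returned.
    """
    if not firewall_allows(user_agent):
        return ("blocked", None)
    rows = lookup_hardened(conn, login) if hardened else lookup_vulnerable(conn, login)
    return ("served", rows)


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"            # constructed test input
    default_ua = "sqlmap/1.0 (constructed)"
    browser_ua = "Mozilla/5.0 (constructed)"

    print(handle_request(conn, default_ua, tautology, hardened=False))  # blocked on the header
    print(handle_request(conn, browser_ua, tautology, hardened=False))  # served, every row leaks
    print(handle_request(conn, browser_ua, tautology, hardened=True))   # served, no rows match
```

The second call is the one that matters for the post's finding: once the header no longer matches the rule, the firewall has no further say, and the concatenated query returns every row. The third call shows the only check that holds regardless of what the firewall saw, and it is the one a plugin's own query code has to get right.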

Another measure of that limited protection: in the most recent run of the automated testing software we use to compare how much protection WordPress firewall plugins provide, the plugin tied for 8th best protection. The best free option in that testing provided nearly four times as much protection.

Look For Evidence of Effectiveness

When considering a security product or service, you should look for evidence of effectiveness, preferably from independent testing. If the developer doesn’t offer that, they likely don’t know whether what they provide works. As this plugin shows, that doesn’t stop them from making claims about what they are offering. It also usually means that what they are providing offers little real protection.
