Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability
In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts, and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, all of which claim to have teams of experts reviewing vulnerabilities in WordPress plugins, claiming that the vulnerability had been fixed three months before that. The moderators of the WordPress Support Forum made the situation worse by deleting an early indication of the problem, in the form of a message complaining about a website being hacked because of the plugin.
The developer of the plugin promptly fixed the vulnerability once we advised them that it still existed. They then went further than other plugin developers usually do when a plugin has had an exploited vulnerability and got a security review done to ensure the plugin was now properly secured.
As the vulnerability existed in the latest version of the plugin at the time, security basics like keeping plugins up to date didn’t protect websites from this. Going further and using a service that is supposed to warn about known vulnerable plugins didn’t work either, with the providers mentioned above and the many others that rely on their data. Another potential source of protection would be a security plugin. Someone managing one of the websites that was hacked posted the malicious code that the hacking had added to the website, allowing us to test whether WordPress security plugins could protect against the vulnerability in a way close to how a hacker would have tried to exploit it.
Based on other testing we do, since this involved cross-site scripting (XSS), the chances of security plugins protecting against it were better than with other types of attacks. In line with that, we found that 8 of the 32 plugins we tested blocked the exploit attempts. That isn’t a great result, and many popular plugins didn’t provide protection, but it is the best result we have had so far. As with other testing we have done, the popularity of plugins hasn’t been a good predictor of the protection offered: the plugins that provided protection range from ones with almost no installs to ones with millions of installs.
Testing Procedure
For each of the tested plugins, we set up an install of WordPress 6.1.1, installed version 2.10.0 of Beautiful Cookie Consent Banner, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.
We used the malicious code that had been left on a hacked website for the test.
The 32 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.
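Since neither the security plugins nor the vulnerability data services could be relied on here, the one check a site owner can run themselves is an inventory check for the affected plugin version. The script below is an added example, not code from this post or from the plugin’s developer: it reads the JSON that `wp plugin list --format=json` prints and flags installs of Beautiful Cookie Consent Banner at or below 2.10.0. The plugin slug is an assumption (the post names the plugin only by title), as is treating every version up to and including 2.10.0 as affected, which follows from 2.10.0 being the latest, still-vulnerable version when exploitation started.

```python
import json

# Assumption: the WordPress.org slug for "Beautiful Cookie Consent Banner".
# Adjust it to whatever `wp plugin list` shows on your site.
VULNERABLE_SLUG = "beautiful-and-responsive-cookie-consent"
# Assumption: 2.10.0 was the latest version while the vulnerability was being
# exploited and the developer fixed it afterwards, so <= 2.10.0 is affected.
LAST_VULNERABLE_VERSION = "2.10.0"


def parse_version(version):
    """Turn '2.10.0' into (2, 10, 0) so that 2.10.0 > 2.9.1.

    Comparing the raw strings gets this wrong ('2.9.1' > '2.10.0'),
    which is a common bug in homegrown version checks.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(slug, version):
    """True when this plugin/version pair is within the affected range."""
    return slug == VULNERABLE_SLUG and parse_version(version) <= parse_version(LAST_VULNERABLE_VERSION)


def affected_plugins(wp_plugin_list_json):
    """Take `wp plugin list --format=json` output and return the affected entries."""
    findings = []
    for plugin in json.loads(wp_plugin_list_json):
        if is_affected(plugin["name"], plugin["version"]):
            findings.append({"name": plugin["name"], "version": plugin["version"], "status": plugin["status"]})
    return findings


# Constructed sample in the shape wp-cli prints; not taken from a real site.
SAMPLE = json.dumps([
    {"name": "beautiful-and-responsive-cookie-consent", "status": "active", "update": "available", "version": "2.10.0"},
    {"name": "wordfence", "status": "active", "update": "none", "version": "7.9.1"},
])

if __name__ == "__main__":
    for finding in affected_plugins(SAMPLE):
        print(f"{finding['name']} {finding['version']} ({finding['status']}): affected, update the plugin")
```

On a real site, pipe the output of `wp plugin list --format=json` into `affected_plugins` instead of the constructed sample.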
The full results are below:
All-In-One Security (AIOS)
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 5.1.5
Result: Failed to prevent exploitation.
Anti-Malware Security and Brute-Force Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 4.21.91
Result: Failed to prevent exploitation.
AntiHacker
- WordPress.org Plugin Directory page
- Active Installs: 1,000+
- Version Tested: 4.27
Result: Failed to prevent exploitation.
BBQ Firewall
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 20221002
Result: Failed to prevent exploitation.
Bitfire
- WordPress.org Plugin Directory page
- Active Installs: 10+
- Version Tested: 3.9.3
Result: Prevented exploitation.
BulletProof Security
- WordPress.org Plugin Directory page
- Active Installs: 40,000+
- Version Tested: 6.8
Result: Failed to prevent exploitation.
Clearfy
- WordPress.org Plugin Directory page
- Active Installs: 90,000+
- Version Tested: 2.1.4
Result: Failed to prevent exploitation.
Defender
- WordPress.org Plugin Directory page
- Active Installs: 80,000+
- Version Tested: 3.9.0
Result: Failed to prevent exploitation.
Hide My WP
- Code Canyon page
- Active Installs: N/A
- Version Tested: 6.2.9
Result: Prevented exploitation.
Hide My WP Ghost Lite
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 5.0.18
Result: Prevented exploitation.
iThemes Security
- WordPress.org Plugin Directory page
- Active Installs: 1+ Million
- Version Tested: 8.1.4
Result: Failed to prevent exploitation.
Jetpack
- WordPress.org Plugin Directory page
- Active Installs: 5+ Million
- Version Tested: 11.8.4
Result: Failed to prevent exploitation.
Jetpack Protect
- WordPress.org Plugin Directory page
- Active Installs: 60,000+
- Version Tested: 1.2.0
Result: Failed to prevent exploitation.
MalCare Security
- WordPress.org Plugin Directory page
- Active Installs: 300,000+
- Version Tested: 4.87
Result: Failed to prevent exploitation.
NinjaFirewall
- WordPress.org Plugin Directory page
- Active Installs: 90,000+
- Version Tested: 4.5.6
Result: Prevented exploitation.
Pareto Security
- WordPress.org Plugin Directory page
- Active Installs: 500+
- Version Tested: 3.2.4
Result: Prevented exploitation.
Patchstack
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 2.1.23
Result: Failed to prevent exploitation.
Plugin Vulnerabilities Firewall
- Page on our website
- Active Installs: N/A
- Version Tested: 1.0.14
Result: Prevented exploitation.
RSFirewall!
- WordPress.org Plugin Directory page
- Active Installs: 2,000+
- Version Tested: 1.1.26
Result: Failed to prevent exploitation.
SecuPress Free
- WordPress.org Plugin Directory page
- Active Installs: 40,000+
- Version Tested: 2.2.3
Result: Failed to prevent exploitation.
Security by CleanTalk
- WordPress.org Plugin Directory page
- Active Installs: 20,000+
- Version Tested: 2.104
Result: Failed to prevent exploitation.
Security Ninja
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 5.154
Result: Failed to prevent exploitation.
Shield Security
- WordPress.org Plugin Directory page
- Active Installs: 50,000+
- Version Tested: 17.0.9
Result: Failed to prevent exploitation.
SiteGround Security
- WordPress.org Plugin Directory page
- Active Installs: 800,000+
- Version Tested: 1.4.1
Result: Failed to prevent exploitation.
SiteGuard WP Plugin
- WordPress.org Plugin Directory page
- Active Installs: 500,000+
- Version Tested: 1.7.3
Result: Failed to prevent exploitation.
Sucuri Security
- WordPress.org Plugin Directory page
- Active Installs: 800,000+
- Version Tested: 1.8.36
Result: Failed to prevent exploitation.
Titan Anti-spam & Security
- WordPress.org Plugin Directory page
- Active Installs: 100,000+
- Version Tested: 7.3.4
Result: Failed to prevent exploitation.
Web Application Firewall
- WordPress.org Plugin Directory page
- Active Installs: 200+
- Version Tested: 2.1.1
Result: Prevented exploitation.
Wordfence Security
- WordPress.org Plugin Directory page
- Active Installs: 4+ Million
- Version Tested: 7.9.1
Result: Prevented exploitation.
WP Cerber Security, Anti-spam & Malware Scan
- WordPress.org Plugin Directory page
- Active Installs: 200,000+
- Version Tested: 9.2.2
Result: Failed to prevent exploitation.
WP Hardening
- WordPress.org Plugin Directory page
- Active Installs: 10,000+
- Version Tested: 1.2.6
Result: Failed to prevent exploitation.
WP Hide & Security Enhancer
- WordPress.org Plugin Directory page
- Active Installs: 80,000+
- Version Tested: 1.9.9
Result: Failed to prevent exploitation.