iThemes Security (Solid Security) and iThemes Security Pro Won’t Protect Against Zero-Days Contrary to Their Marketing
A zero-day is a vulnerability that is being exploited before the developer is aware of it, and therefore before a fix is available. One implication of that is that keeping software up to date won’t protect against it. So for WordPress websites, a WordPress security plugin could provide protection beyond the security basics like updating software, but only if the plugin actually provides that type of protection. iThemes Security (which is being rebranded to Solid Security) is marketed as being just such a plugin. Here is how the developer starts marketing the plugin on the WordPress Plugin Directory (emphasis theirs):
The Best WordPress Security Plugin to Secure & Protect WordPress
Then a paragraph later they say this:
The good news is that most security disasters can be prevented. Using iThemes Security, you can identify and stop attacks on your website. Saving yourself the time and cost of repairing a hacked website.
Unfortunately, the WordPress Plugin Directory doesn’t have any regulation against making false claims about security provided by plugins. So providers can (and often do) make false claims about them there.
Recently someone asked the developer if it protected against zero-days. Here was the response:
Thank you for reaching out to us.
iThemes Security hardens your WordPress application to protect against attacks in many ways. But it’s impossible to say if it’ll protect against a certain infection without knowing exactly how it exploited the site.
As for making sure that your website is secured, here are our official recommended features and settings:
- Enforcing Strong Passwords
- Enabling reCAPTCHA for your WordPress login
- Enabling Two-factor Authentication
- Enabling Automatically ban “admin” user
- Enabling Force Unique Nickname and Disable Extra User Archives
- Optional: Disable XML-RPC (This is optional as some plugins require this to function, instead, ensure that “Allow Multiple Authentication Attempts per XML-RPC Request” is unchecked to block multiple login attempts)
- Optional: Set REST API to Restricted Access
- Highly recommended: Keep WordPress, theme, and plugins up-to-date and remove vulnerable/outdated plugins.
- Highly recommended: Looking into web application firewalls such as Cloudflare and a server-side firewall to use with iThemes Security Pro
- Highly recommended: Ensure you use a secure hosting provider, as sometimes an attack comes from another compromised site on the server.
They don’t directly answer the question, but if their plugin actually stopped attacks in general, as the marketing quoted above says it does, it wouldn’t need to be combined with another firewall (as was recommended). Worse still, the two types of firewall solutions they recommend are not good options. Cloudflare doesn’t even attempt to do a good job of protecting websites, and server-side firewalls are not much better.
What that also obliquely acknowledges is that iThemes Security and iThemes Security Pro don’t have a firewall and therefore can’t protect against zero-days. As a recent discussion we had with a security provider shows, that apparently isn’t well known. Security providers would know it if they were doing testing themselves, or had just looked at the results of the testing we do.
The features listed that iThemes Security is supposed to provide will do little to nothing to protect websites. Most of them harden the login process (strong passwords, reCAPTCHA, two-factor authentication, banning the “admin” username), but exploitation of a zero-day in a plugin or theme generally doesn’t involve logging in at all, so those settings don’t address it. In some cases they also cause problems with the intended functionality of WordPress, which the response itself concedes when it notes that some plugins require XML-RPC to function.
There are other WordPress security plugins that do offer protection against zero-days, though, as we noted recently, the protection most of them are offering leaves a lot to be desired.
While WordPress isn’t making sure that security providers don’t make false claims about the security plugins they offer through the Plugin Directory, the Certified WP Security program allows reputable security providers to get a certification that they are really providing what they claim to offer.