Some WordPress Firewall Plugins Provide No Zero-Day Protection Without Additional Configuration
One way we measure the protection that WordPress firewall plugins offer comes from the regression testing software for our own firewall plugin. That software lets us make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing it, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations.
Usually, we do that testing with the plugins configured to provide the most protection. That way, developers or anyone else can’t claim that we have made those plugins look bad by not enabling a feature, but it can mean that our testing could overstate the protection that the average user of the plugins is receiving. In some cases, configuring the plugins as recommended by the developer leads to significantly less protection. So we were curious to see what the results for the best performing plugins were going in the opposite direction, when the plugin is simply activated and no additional configuration is done.
Here are the latest results of that testing with the top five performing plugins when configured by us to provide the most protection:
- Plugin Vulnerabilities Firewall: 100%
- NinjaFirewall: 36.2%
- Wordfence Security: 21.3%
- Pareto Security: 20.1%
- All-In-One Security (AIOS): 15.5%
Here are the results when the plugins are simply activated, along with the percentage point change from the configured result:
- Plugin Vulnerabilities Firewall: 100% (0.0)
- NinjaFirewall: 31.0% (-5.2)
- Wordfence Security: 0.0% (-21.3)
- Pareto Security: 20.1% (0.0)
- All-In-One Security (AIOS): 0% (-15.5)
The biggest change is that Wordfence Security and All-In-One Security (AIOS) provide no protection without additional configuration. That result stands out more considering that two of the other plugins didn’t lose any protection and NinjaFirewall only lost about 14% of its configured protection.
It’s also interesting to see that, among free options, NinjaFirewall without configuration continues to provide significantly more protection than Wordfence Security, and Pareto Security remains very close.