NinjaFirewall Joins Plugin Vulnerabilities Firewall in Providing Protection Against WordPress User Deletion Vulnerabilities
One of the ways we measure how much protection WordPress security plugins provide against the real threat of vulnerabilities in other WordPress plugins is to run the test software we designed to make sure our own firewall plugin’s protection isn’t broken when we make changes, against those other plugins as well. We do a monthly run and log the results so that we can monitor changes in how the other plugins fare. The most notable aspect of that is how little changes from month to month. Unfortunately, competing firewall plugins are receiving almost no updates that improve the protection they offer and bring them closer to the protection already included with our firewall plugin. That means millions of websites relying on them are not getting a lot of the protection they could have.
Back in June, we added protection against vulnerabilities that allow deleting arbitrary WordPress users. At the time, we noted that we found that no other firewall plugin already had that protection. If they already had similar protection against other WordPress data being deleted, then implementing it shouldn’t have been hard.
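To make concrete what a vulnerability that allows deleting arbitrary WordPress users looks like, here is an added illustration in PHP. It is not code from this post, from our plugin, from NinjaFirewall or from any other plugin tested; the plugin prefix acme_ and the AJAX action names are hypothetical. It shows a vulnerable admin-ajax.php handler, the same handler fixed with a nonce and capability check, and a generic hook of the kind a firewall policy can use to stop a deletion the current request is not authorized to make, whichever plugin’s code triggered it. Both handlers are registered only so the file is self-contained; in a real fix the unsafe handler is removed.

```php
<?php
/**
 * Added example (not code from Plugin Vulnerabilities Firewall, NinjaFirewall
 * or any tested plugin). Plugin prefix "acme_" and the AJAX action names are
 * hypothetical.
 */

// --- BEFORE: arbitrary user deletion ------------------------------------
// Any request to admin-ajax.php?action=acme_remove_user_unsafe deletes the
// user given in POST user_id. There is no nonce check (CSRF), no capability
// check (authorization), and because the "nopriv" hook is also registered
// the request does not even need to come from a logged-in user.
add_action( 'wp_ajax_acme_remove_user_unsafe', 'acme_remove_user_unsafe' );
add_action( 'wp_ajax_nopriv_acme_remove_user_unsafe', 'acme_remove_user_unsafe' );
function acme_remove_user_unsafe() {
    // wp_delete_user() lives in wp-admin/includes/user.php; admin-ajax.php
    // already loads it, the require is for other entry points.
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $user_id = (int) $_POST['user_id'];
    wp_delete_user( $user_id ); // user_id=1 removes the first administrator
    wp_send_json_success();
}

// --- AFTER: only an authenticated user holding delete_users, with a valid nonce
add_action( 'wp_ajax_acme_remove_user', 'acme_remove_user' );
function acme_remove_user() {
    // Nonce created on the page with wp_create_nonce( 'acme_remove_user' ).
    check_ajax_referer( 'acme_remove_user', 'nonce' );          // CSRF
    if ( ! current_user_can( 'delete_users' ) ) {              // authorization
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    if ( ! $user_id || $user_id === get_current_user_id() ) {
        wp_send_json_error( 'invalid user', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_send_json_success();
}

// --- Generic last line of defence --------------------------------------
// wp_delete_user() fires the 'delete_user' action before it touches the
// database, so ending the request here stops the deletion no matter which
// plugin's (vulnerable) code called wp_delete_user().
add_action( 'delete_user', 'acme_block_unauthorized_user_deletion', 1, 3 );
function acme_block_unauthorized_user_deletion( $id, $reassign, $user ) {
    if ( current_user_can( 'delete_users' ) ) {
        return;
    }
    wp_die(
        'User deletion blocked: this request lacks the delete_users capability.',
        403
    );
}
```

Two caveats a practitioner would want on the generic hook. First, WP-CLI and cron run with no logged-in user, so current_user_can() is false there and the hook as written would block legitimate `wp user delete` runs; a real policy needs an exemption for those contexts. Second, the hook only sees deletions that go through wp_delete_user(); a plugin that issues its own query against the users table bypasses it, which is one reason request-level firewall rules and code-level hooks are complementary rather than interchangeable.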
At the end of last month, another plugin, NinjaFirewall, was updated and the changelog would suggest it was the second to have added that protection:
Added a new policy to protect against user accounts deletion. It can be found in the “Firewall Policies > WordPress > Permissions” section.
This month’s testing confirmed that it did add that protection. Unlike the protection in our plugin, though, it is not enabled by default. As testing we did in July showed, NinjaFirewall is missing a sizable portion of its possible protection unless the policies that are off by default are turned on.
The results of this month’s testing continue to show the poor results being delivered by most firewall plugins. Here is the percentage of the exploit tests they blocked:
1. Plugin Vulnerabilities Firewall – 100.0%
2. NinjaFirewall – 37.29%
3. Wordfence Security – 20.90%
4. Pareto Security – 19.77%
5. All-In-One Security (AIOS) – 15.25%
6. Web Application Firewall – 10.17%
7. Hide My WP – 9.60%
8. Hide My WP Ghost – 8.47%
9. Bulletproof Security – 7.91%
10. Anti-Malware Security and Brute-Force Firewall – 3.95%
With only one plugin other than ours blocking over a third of the tests and only two blocking even a fifth, there is a lot of room for improvement.