3 WordPress Firewall Plugins Stop Recently Widely Exploited Vulnerability in tagDiv Composer Plugin
Last week there was a spate of largely unhelpful news stories about websites getting hacked through an already fixed vulnerability in a WordPress plugin not available through the WordPress Plugin Directory, tagDiv Composer. There is a lot that could be discussed about that, but one element stands out to us. It looked like exploitation of the vulnerability should be easily stopped by WordPress security plugins with a firewall. We say that based on our own experience developing such a firewall plugin. That runs counter to something said by Dan Goodin, who inexplicably continues to be employed by Ars Technica, despite repeatedly getting things wrong in his stories. He wrote this:
The malicious injection uses obfuscated code to make it hard to detect. It can be found in the database used by WordPress sites, specifically in the “td_live_css_local_storage” option of the wp_options table.
As explained in an article by a security provider that does a very bad job of protecting their customers’ websites, but does a good job of getting press coverage when it doesn’t protect its customers, the payload was in this format:
<style id="tdw-css-placeholder"></style><script>…malicious injection…</script><style></style>
Those script tags (<script>, </script>) sent in POST input should make it easy for firewall plugins to block the exploit attempts, as legitimate requests shouldn't include them, except in limited circumstances that a well-developed firewall can allow to pass through.
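To make concrete what "easy to block" means in practice, here is an added example (written for this post, not code from the original article or from any of the plugins named) of a minimal POST-inspection rule of the kind a WordPress firewall plugin would apply: it refuses POST requests whose fields contain a script tag, while letting through users who WordPress already permits to submit raw HTML. The only WordPress pieces used are the real add_action / init hook, current_user_can('unfiltered_html') and wp_die; the fw_* function names, the choice of the unfiltered_html capability as the "limited circumstances" allowance, and the sample requests are all constructed for illustration.

```php
<?php
// Added example: a single firewall rule blocking <script> tags in POST input.
// Not from the original post or from any named plugin; fw_* names and the
// sample requests below are constructed. Runs inside WordPress when loaded
// as a plugin, or stand-alone from the CLI for a self-check.

/**
 * True if $value (a string, or a nested array as PHP builds $_POST)
 * contains an opening or closing HTML script tag.
 */
function fw_contains_script_tag($value): bool {
    if (is_array($value)) {
        foreach ($value as $item) {
            if (fw_contains_script_tag($item)) {
                return true;
            }
        }
        return false;
    }
    if (!is_string($value)) {
        return false;
    }
    // Undo common encodings before matching: URL encoding (possibly
    // applied twice) and HTML entities for '<' and '/'.
    $decoded = $value;
    for ($i = 0; $i < 2; $i++) {
        $decoded = rawurldecode($decoded);
    }
    $decoded = html_entity_decode($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // "<script" or "</script", any letter case, whitespace tolerated.
    return (bool) preg_match('#<\s*/?\s*script\b#i', $decoded);
}

/**
 * Decide whether a POST request should be blocked.
 * $post is the request's POST fields; $may_post_html says whether the
 * current user holds WordPress's unfiltered_html capability (assumed here
 * to be the legitimate case for sending script tags).
 */
function fw_should_block_post(array $post, bool $may_post_html): bool {
    if ($may_post_html) {
        return false;
    }
    return fw_contains_script_tag($post);
}

if (function_exists('add_action')) {
    // Inside WordPress: evaluate at 'init', once the current user is known.
    add_action('init', function () {
        if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
            return;
        }
        if (fw_should_block_post($_POST, current_user_can('unfiltered_html'))) {
            error_log('firewall: blocked POST containing <script> from '
                . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
            wp_die('Request blocked.', 'Forbidden', ['response' => 403]);
        }
    });
} else {
    // Stand-alone self-check with constructed requests: php firewall_rule.php
    $injection = '<style id="tdw-css-placeholder"></style>'
        . '<script>/* placeholder for injected code */</script><style></style>';
    $samples = [
        ['name' => 'anonymous script injection', 'post' => ['td_css' => $injection], 'html' => false, 'expect' => true],
        ['name' => 'URL-encoded variant', 'post' => ['td_css' => rawurlencode($injection)], 'html' => false, 'expect' => true],
        ['name' => 'nested array field', 'post' => ['data' => ['css' => $injection]], 'html' => false, 'expect' => true],
        ['name' => 'plain CSS, anonymous user', 'post' => ['td_css' => 'body { color: red; }'], 'html' => false, 'expect' => false],
        ['name' => 'user with unfiltered_html', 'post' => ['post_content' => $injection], 'html' => true, 'expect' => false],
    ];
    foreach ($samples as $s) {
        $got = fw_should_block_post($s['post'], $s['html']);
        printf("%-30s blocked=%-5s %s\n", $s['name'], var_export($got, true),
            $got === $s['expect'] ? 'OK' : 'MISMATCH');
    }
}
```

The decoding loop matters because the same payload can arrive percent-encoded or as HTML entities, and a rule that only matches the literal text would miss it; the capability check is what separates a firewall plugin that can see who is making the request from a generic WAF that cannot.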
It can be rather confusing trying to tell what WordPress security plugins actually have firewalls, since developers frequently make it sound like their plugins do things they don’t. Even if they have a firewall, it won’t necessarily provide much of the protection it could offer or the protection might be completely broken.
With the most expansive testing we do of the protection offered by WordPress security plugins, we now test 32 of those plugins. Of those, 17 actually contain firewall functionality. For those, we have an automated testing suite that we run against them monthly to measure the protection they are offering. Using that system, we ran the exploit format shown above against all 17 plugins. Despite how easy it should be to flag that as probably malicious and block the request, we found only three plugins provided protection. Those results are not really surprising given the results of other tests we have done. The three were our own Plugin Vulnerabilities Firewall, NinjaFirewall, and Wordfence Security.
What all three of those plugins have in common is that they are firewall plugins and not web application firewalls (WAFs), which don't have the same capability to differentiate between requests coming from someone who has a legitimate reason to be including those tags in a request to the website and those who don't.
Notably, only one of those plugins is among the most popular WordPress security plugins. Other security plugins with millions of installs failed to protect against this, either because they don’t really contain a firewall or it isn’t very effective.
When a Firewall Plugin Makes Sense Against Exploited Vulnerabilities
Considering that the exploitation being covered last week appears to involve websites hacked after the vulnerability was fixed, a firewall plugin isn’t the best solution here. The best solution would be to keep plugins up to date. The second best solution would be to be alerted about usage of known vulnerable plugins (but by a service that actually checks to make sure vulnerabilities have been fixed, which most don’t do).
Where a firewall plugin provides its best protection is against zero-days, which are vulnerabilities being exploited where there isn't an update available and the vulnerability isn't yet publicly known.
For those with the budget, getting a security review done of plugins can offer even more protection than a firewall plugin can offer. This vulnerability should have been caught during just such a review. But as the vulnerability showed, developers are not getting those reviews done on their own.
Plugin Security Scorecard Grade for NinjaFirewall
Checked on June 12, 2025