Login
2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a vulnerability of a type, persistent cross-site scripting (XSS), that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one.

The results were better, but not much better. This time, five plugins provided protection. Three of the plugins are not surprising, based on our previous testing. Our own Plugin Vulnerabilities Firewall, NinjaFirewall, and Wordfence Security have provided the most protection in other testing. With our Plugin Vulnerabilities Firewall providing the most protection overall, followed by NinjaFirewall. One of the other plugins that provided protection, Web Application Firewall, is a good reminder of how bad things are with security plugins, as it only has 300+ installs and yet it provided protection while other plugins with hundreds of thousands or more of installs failed to provide protection.

The difference in the results is unlikely to be related to improvement in the plugins since the last test, but instead because the malicious payload is in a different part of the data sent to the website. The previous vulnerability involved malicious input in the URL, while the second vulnerability involves POST data. Most security plugins that even provide protection don’t provide it in a lot of places they should, limiting the amount of protection they offer.

Testing Procedure

For each of the tested plugins, we set up an install of WordPress 6.4.2, installed version 9.1 of WP Cerber and installed the latest version of the security plugin (other than when testing WP Cerber itself). We tried to enable any feature of the plugin that could possibly have an impact on stopping the exploitation of the vulnerability. We didn’t set up any additional service connected with the plugins.

We used the proof of concept provided in a disclosure of the vulnerability in the exploit attempts. The proof of concept requires knowing the login URL of the website, as we were testing if there was protection against XSS, we assumed the attacker would know that, even if a seuciryt plugin offers an ability to try to hide it.

The 34 plugins we tested include the security plugins listed in the Popular plugins section of the Plugin Directory and some others that look to be intended or marketed to prevent this type of situation. If you would like to see an additional plugin included in future testing, please leave a comment on the post or contact us.

Results

Five plugins provided protection against the proof of concept: Hide My WP, Plugin Vulnerabilities Firewall, NinjaFirewall, Web Application Firewall, and Wordfence Security.

The full results are below:

Advanced Google reCAPTCHA

Result: Failed to prevent exploitation.

All-In-One Security (AIOS)

Result: Failed to prevent exploitation.

Anti-Hacker

Result: Failed to prevent exploitation.

Anti-Malware Security and Brute-Force Firewall

Result: Failed to prevent exploitation.

AntiHacker

Result: Failed to prevent exploitation.

BBQ Firewall

Result: Failed to prevent exploitation.

Bitfire

Result: Failed to prevent exploitation.

BulletProof Security

Result: Failed to prevent exploitation.

Clearfy

Result: Failed to prevent exploitation.

Defender

Result: Failed to prevent exploitation.

Hide My WP

Result: Prevented exploitation.

Hide My WP Ghost Lite

Result: Failed to prevent exploitation.

Jetpack

Result: Failed to prevent exploitation.

Jetpack Protect

Result: Failed to prevent exploitation.

MalCare Security

Result: Failed to prevent exploitation.

NinjaFirewall

Result: Prevented exploitation.

Pareto Security

Result: Failed to prevent exploitation.

Patchstack

Result: Failed to prevent exploitation.

Plugin Vulnerabilities Firewall

Result: Prevented exploitation.

RSFirewall!

Result: Failed to prevent exploitation.

SecuPress Free

Result: Failed to prevent exploitation.

Security by CleanTalk

Result: Failed to prevent exploitation.

Security Ninja

Result: Failed to prevent exploitation.

Security Optimizer

Result: Failed to prevent exploitation.

Shield Security

Result: Failed to prevent exploitation.

SiteGuard WP Plugin

Result: Failed to prevent exploitation.

Solid Security

Result: Failed to prevent exploitation.

Sucuri Security

Result: Failed to prevent exploitation.

Titan Anti-spam & Security

Result: Failed to prevent exploitation.

Web Application Firewall

Result: Prevented exploitation.

Wordfence Security

Result: Prevented exploitation.

WP Cerber Security, Anti-spam & Malware Scan

Result: Failed to prevent exploitation.

WP Hardening

Result: Failed to prevent exploitation.

WP Hide & Security Enhancer

Result: Failed to prevent exploitation.

No related posts.

Plugin Security Scorecard Grade for All-In-One Security (AIOS)

Checked on June 12, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for BBQ Firewall

Checked on June 17, 2025
D+

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for BulletProof Security

Checked on October 21, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Clearfy

Checked on August 20, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Defender

Checked on November 20, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Jetpack

Checked on November 24, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for MalCare Security

Checked on November 7, 2024
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for NinjaFirewall

Checked on June 12, 2025
D

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Patchstack

Checked on October 9, 2025
D

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Security Ninja

Checked on July 12, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Security Optimizer

Checked on April 3, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Shield Security

Checked on September 19, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Solid Security

Checked on June 14, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Sucuri Security

Checked on June 14, 2025
D+

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Titan Anti-spam & Security

Checked on June 20, 2025
F

See issues causing the plugin to get less than A+ grade

Plugin Security Scorecard Grade for Wordfence Security

Checked on June 12, 2025
F

See issues causing the plugin to get less than A+ grade

Leave a Reply

Your email address will not be published.