30 Jan 2024

Cloudflare Only Added One Firewall Rule for a WordPress Plugin Vulnerability Last Year and It Was Eight Months Late

We recently ran across a WordPress support service that was making some extraordinary claims about their handling of security. They were not close to true, considering we were visiting their website to try to notify them that they had failed in an attempt to fix a vulnerability in a WordPress plugin they recently acquired. One thing they were touting was providing “Cloudflare’s robust firewall”:

Calling Cloudflare’s firewall robust for WordPress websites is an odd claim if you know what we found in May 2022: so far that year, they had added no firewall rules for vulnerabilities in WordPress plugins. That was despite recently touting that they provide “[r]ules matching very common WordPress exploits”, and plugin vulnerabilities that would meet that criterion had already existed that year.

We were curious to see if things had improved since then. Looking through all the changelog entries for their firewall rules for 2023, we found that they added one rule for a vulnerability in a WordPress plugin last year.

On November 21, they added a rule described as “WordPress:Plugin:WooCommerce – Unauthorized Administrator Access – CVE:CVE-2023-28121”. While it mentions WooCommerce, the other information relates to a vulnerability that was fixed in the WooCommerce Payments plugin in March. It was no secret at the time how it could be exploited; we walked through the vulnerability in March. There are various claims of large-scale attempts to exploit it months before November.

With a cloud-based firewall like Cloudflare, rules have to be written for many vulnerabilities that a well-developed WordPress firewall plugin could stop without a specific rule, because those firewall plugins have access to information from WordPress (such as who is making the request and what they are permitted to do) that lets them stop attacks without a rule for each vulnerability. So Cloudflare would need rules to provide robust protection, and it isn’t delivering that.

Cloudflare provided services to a recent phishing campaign against those managing WordPress websites, making a WordPress provider being involved with them problematic.

We should note that WordPress firewall plugins are often not doing a good job on this front either. For example, the developers of Wordfence Security were two months late in adding a rule for a vulnerability. It was a vulnerability that better-developed WordPress firewall plugins provided protection for without needing a rule at all.
