NinjaFirewall is Providing Misleading Information on Vulnerable WordPress Plugins
In our testing of WordPress firewall plugins, the NinjaFirewall plugin has been the best free option. It turns out there is something else it does that it isn’t so good at: warning about vulnerable plugins.
We recently noticed the developer mentioning that it warns about vulnerable plugins. They wrote this:
In addition, it would have alerted you by email that your plugin was vulnerable.
Here is how the page they linked to described that:
Every hour (premium version) or every three hours (free version), NinjaFirewall connects to our servers, downloads the list of the latest security updates (<3 months) available and compares it to the themes and plugins installed on your blog. If one of them is in that list, you’re immediately notified and asked to update it.
No information was provided on how they source that information.
A good recent test of this information is an unfixed vulnerability we mentioned last week after a hacker looked to be targeting the plugin. The developer of the plugin, NextMove Lite, attempted to fix a fairly serious vulnerability in the latest version of the plugin, but failed to fully fix it. If you are running the previous version of the plugin, NinjaFirewall warns that you need to update it:

The message there reads “Important: NinjaFirewall has detected that this is a security update. Don’t leave your blog at risk, make sure to update as soon as possible.”
If you are using the latest version of the plugin, you are not warned about it still being vulnerable:

Another plugin by the same developer, Finale Lite, has the same vulnerability and hasn’t even had the incomplete fix applied. NinjaFirewall isn’t warning about that:

Warning about security updates has limited usefulness if you are not making sure the security updates have actually fixed the issue being addressed. That is because plugin developers frequently fail to fully fix vulnerabilities. Warning about security updates also does nothing for vulnerabilities that haven’t been fixed at all.
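To make that gap concrete, here is an added example (not NinjaFirewall’s code; the plugin slugs and version numbers are constructed) contrasting a check driven only by a list of security updates with one driven by a vetted feed that can record an incomplete or missing fix:

```python
# Added example: a "security update list" check versus a vetted vulnerability feed.
# Plugin slugs, version numbers and feed contents below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    # Dotted numeric versions only, e.g. "2.3.1" -> (2, 3, 1).
    return tuple(int(p) for p in v.split("."))

# Model A: a list of releases labelled as security updates. It knows only that a
# release was labelled a fix, so anything older is flagged and the release itself never is.
SECURITY_UPDATES = {  # slug -> version labelled as a security update (constructed)
    "nextmove-lite": "2.4.0",
}

# Model B: a vetted feed. An entry records the first affected version and, only once a
# vetter has confirmed the fix is complete, the fixed version. No fixed version means
# the latest release is still treated as vulnerable.
@dataclass
class VulnEntry:
    slug: str
    affected_from: str
    fixed_in: Optional[str]  # None = no complete fix confirmed yet

VETTED_FEED = [  # constructed data mirroring the two cases in the article
    VulnEntry("nextmove-lite", "1.0.0", None),  # incomplete fix: 2.4.0 still vulnerable
    VulnEntry("finale-lite", "1.0.0", None),    # no fix applied at all
]

def flagged_by_update_list(slug: str, installed: str) -> bool:
    # Flags only versions older than the release labelled as the security update.
    fixed = SECURITY_UPDATES.get(slug)
    return fixed is not None and parse_version(installed) < parse_version(fixed)

def flagged_by_vetted_feed(slug: str, installed: str) -> bool:
    # Flags any version inside an affected range; an open-ended range has no upper bound.
    v = parse_version(installed)
    for e in VETTED_FEED:
        if e.slug != slug or v < parse_version(e.affected_from):
            continue
        if e.fixed_in is None or v < parse_version(e.fixed_in):
            return True
    return False

def compare(slug: str, installed: str) -> dict:
    return {"update_list": flagged_by_update_list(slug, installed),
            "vetted_feed": flagged_by_vetted_feed(slug, installed)}

if __name__ == "__main__":
    for slug, ver in [("nextmove-lite", "2.3.0"), ("nextmove-lite", "2.4.0"), ("finale-lite", "1.5.0")]:
        print(slug, ver, compare(slug, ver))
```

Only the vetted feed flags the “latest” NextMove Lite release and the never-fixed Finale Lite; the update-list check goes silent as soon as a release is labelled a fix, whether or not the fix is complete.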
When looking for data on vulnerable plugins, it is important to make sure the data comes from a source that vets its information. Most sources don’t, as can be seen with other major providers all claiming that the vulnerability in NextMove Lite has been fixed.