WordPress All-In-One Security and 2FA Plugins Can Get Your Website Hacked
A major source of security vulnerabilities in WordPress websites is insecure WordPress plugins. In response to that, far too many WordPress security providers push installing more plugins instead of taking steps to actually fix the insecurity of plugins. You will often see them pushing all-in-one security plugins and plugins to add two-factor authentication (2FA), despite the lack of protection these often offer and the security issues they can introduce. A prime offender in doing that is Wordfence. When that recently led to a serious problem, they didn’t change course. Instead, they used it to market themselves. Before we get into that, we will take a step back to our warnings last year about a popular security plugin.
Back in 2017, we did a security review of a plugin named Really Simple SSL and found no issues with what we were checking at that time. Last year the plugin was radically changed, moving away from a focus on providing really simple SSL to being an all-in-one security plugin. Alongside that, the developer showed a clear lack of concern for security. As we wrote about in July of last year, they were falsely claiming that plugins contained vulnerabilities because they were using a known unreliable source for vulnerability data. They didn’t address that by moving to a reliable source, and in January we noted a much more concerning situation, where they were falsely claiming that unfixed vulnerabilities had been fixed.
Trust is an important part of security, so a security provider that is indifferent, at best, to whether they are telling the truth probably isn’t going to handle security well. That is the case with that plugin: as we also found in July of last year, it was disclosing information about known vulnerabilities in plugins currently installed on WordPress websites. That was a good reason not to use the plugin, but it has continued to be installed on millions of websites.
Two months ago, the plugin was rebranded to Really Simple Security. The poor handling of security continued under the new name. Version 9.0.0, which was released a week before the name change, introduced a vulnerability that allowed bypassing WordPress’ authentication system when logging in to WordPress. So an attacker could log in to any existing WordPress account, including accounts with full access through the Administrator role.
Realities of Two-Factor Authentication (2FA)
The vulnerability was in the plugin’s two-factor authentication (2FA) feature, which is supposed to make logging in more secure. So you had a security feature that made websites less secure. The only saving grace here is that the feature wasn’t enabled by default.
General usage of 2FA is often pushed by security providers, including Wordfence, despite the lack of need for it on many websites and the well-known problems that it can introduce. The security 2FA provides only comes into play if a hacker wants access to a specific account and already has the username and password for the account. On most WordPress websites, an attacker would only be interested in an Administrator’s account. Usernames are not considered secret by WordPress, but passwords are. How would an attacker have an Administrator’s password? They probably wouldn’t. And if they did, in plenty of instances they can also bypass 2FA.
Security providers frequently cite brute force attacks against WordPress admin passwords as a reason to use 2FA. Even if 2FA were a good solution for that, those attacks are not happening. That is something that Wordfence has for years prominently misled people about, in order to sell services.
WordPress security providers and others pushing 2FA in situations where it isn’t helpful are opening websites up to situations like what happened with this plugin, where websites can get hacked because of unneeded security.
For those websites that actually need 2FA, we recommend using WordPress’ own 2FA plugin instead of a third-party solution that doesn’t receive the same level of security scrutiny. One piece of that scrutiny was our recent security review of the plugin and another is its coverage through our Continuous WordPress Plugin Security Review service.
Unfortunately, Wordfence didn’t mention any of that when discussing the vulnerability. They did promote themselves using a highly inflated stat of how many websites were impacted by the vulnerability in Really Simple Security.
All-In-One Security Plugins Have a Lot of Problems
One piece of advice on reducing risk from WordPress plugins that isn’t necessarily great advice is to reduce the number of plugins used. A significant problem with that is that you can replace several plugins with one plugin, but make the website less secure because the plugin has the functionality of even more plugins than you replaced. Along those lines, an all-in-one security plugin can introduce more security risk than using several security plugins that are more limited in scope.
The hope might be that an all-in-one security plugin would be developed by someone who knows what security you actually need, but in reality many of them are developed by people who don’t seem to care about security at all. A prominent example of that was in September 2022, when the developer of the then million+ install all-in-one security plugin disclosed that they had failed to implement basic security in another of their plugins, leading to websites being hacked. Despite claiming that their security plugin is “The Best WordPress Security Plugin to Secure & Protect WordPress,” it failed to protect against the vulnerability, while even a plugin with only 200+ installs did.
In line with that, the Plugin Security Scorecard for Really Simple Security identifies that it is coded in ways that are not secure (as well as having other issues):

The same is true of Wordfence’s plugin:

That might explain why Wordfence also didn’t use this situation to recommend against using these types of plugins, despite the problems with them.