10 Aug 2021

NinjaFirewall and Wordfence Security’s XSS Protection Still Have Publicly Known Bypass Five Years Later

As part of the development of our upcoming firewall plugin for WordPress, we are doing new tests of security plugins to see if they can prevent exploitation of vulnerabilities in WordPress plugins to help us improve on existing firewall plugins’ protections. We are also going back over the results of the similar tests we did back in 2016.

In one of those tests, involving a persistent cross-site scripting (XSS) vulnerability, we found that only two of the plugins we tested, NinjaFirewall and Wordfence Security, provided any protection. What we also found was that it was incredibly easy to bypass the protection they provided. All it took to bypass them was adding a single backslash in the right location and their protection was defeated. That wasn’t a great indication of the quality of those plugins.

Five years later, you might reasonably expect that the situation had improved. That is especially true with Wordfence Security, since we had publicly noted that result to the developer. Though maybe not, considering this was part of their response to that:

Lots of generalizations in the above post. If you have any other specific issues/exploits/bypasses that are current, I’d love to hear about them. As you can see, the team responds very quickly.

Those were not generalities but the results of specific tests, and the bypass was current then, but that person and the company they created seem to be okay with blatantly lying to people (which isn’t something you should be able to say about a company with a security plugin used on 4+ million websites).

As part of working on our protection against cross-site scripting (XSS) we wanted to make sure we didn’t have the same issue. While we were doing that, we checked to see if this was still an issue with those two plugins, and what we found was that neither NinjaFirewall nor Wordfence Security has addressed the bypass. We addressed that relatively simply, and it seems much easier to address than other parts of the XSS protection we are still working on.

That really isn’t a great sign of the security industry surrounding WordPress, but it does show there is room for a new firewall plugin that is created by a company that is continually looking to provide better results.


Plugin Security Scorecard Grade for NinjaFirewall

Checked on June 12, 2025
D


Plugin Security Scorecard Grade for Wordfence Security

Checked on June 12, 2025
F
