The Right Ways to Protect Against Exploitation of Vulnerabilities Like the One in Elementor Pro
Earlier this week, it was disclosed that a fairly serious vulnerability had been fixed in the commercial WordPress plugin Elementor Pro. As described by the discoverer, NinTechNet, the developer failed to implement basic security in the code, leading to the vulnerability. That included failing to do a capabilities check in an AJAX-accessible function to limit who could access it. That shouldn’t be all that surprising based on what we noted a year ago about the related free Elementor plugin, which has 5+ million installs. At the time, we ran across a serious vulnerability in that plugin after we saw what appeared to be a hacker probing for it. We noted this at the time:
What we immediately found was that the plugin isn’t handling basic security right, as we found many functionalities where capabilities checks were missing where they shouldn’t have been.
We also wrote this:
Based on just what we saw in our very limited checking, we would recommend not using this plugin until it has had a thorough security review and all issues are addressed.
Earlier today, we had someone contact us whose website apparently had been hacked yesterday through the vulnerability in Elementor Pro. They were asking whether our firewall plugin would protect against exploitation in this type of situation, as opposed to using a service that warns about vulnerabilities in WordPress plugins. While the answer is that our firewall plugin likely would protect against common exploitation of the vulnerability (though we don’t have a copy of a vulnerable version to confirm that), that isn’t the right way to protect against a situation like this.
In this situation, the best way to prevent exploitation was to keep the plugins on the website up to date, as the vulnerability was supposed to have been fixed over a week before the website was hacked:
The vulnerability was discovered and reported to the authors on March 18, 2023, and a new version 3.11.7 was released on March 22, 2023.
Being warned about vulnerable plugins would still have provided a warning before the website was hacked yesterday, so while we wouldn’t recommend using that instead of keeping plugins up to date, it would also have provided protection here.
A more expensive solution would have been to get a security review of the plugin done, as this should have been caught by even a moderately well-done review.
Protection Through a Firewall?
What about protection through a firewall plugin? There are two principal approaches to providing protection through a firewall plugin. One is writing a rule for a known vulnerability. The other is providing general protection against classes of vulnerabilities. Both approaches have limitations.
Beyond having to know about a vulnerability to write a rule, a rule written for a vulnerability might not work, or it might be easily bypassed. That was what we found years ago with another vulnerability, one that was discovered and exploited by a hacker and was also disclosed by NinTechNet. NinTechNet’s own firewall rule was easily bypassed. So easily that we bypassed it without even trying to. With one of the most popular WordPress security plugins, Wordfence Security, its claimed rule didn’t work at all.
With the vulnerability in Elementor Pro, firewall plugins could provide a reasonable amount of protection against that type of vulnerability, an option update. But when we tested 25 plugins in 2021, only 2 of them had protection against it. That is despite that protection having existed in one of them, NinjaFirewall, for years. Even if plugins have general protection, it might be easily bypassed. With NinjaFirewall, we noted an easy bypass of its option update protection in 2019, which was later resolved, but another one still exists in the plugin to this day.
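To make the class of defect discussed here concrete (a capabilities check missing from an AJAX-accessible function that updates an option), here is an added example written for this post; it is not code from Elementor Pro, from NinTechNet, or from any firewall plugin, and the action, function and option names are hypothetical. The first handler is the pattern a firewall would have to catch after the fact; the second is what the plugin developer should have written in the first place.

```php
<?php
// Added example, not Elementor Pro's code. All names below are hypothetical.

// VULNERABLE pattern: registered with wp_ajax_, so any logged-in user can call it
// (adding wp_ajax_nopriv_ would open it to unauthenticated visitors as well).
// No capability check, no nonce, and the option name comes straight from the request,
// so any row in wp_options can be overwritten.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_vulnerable' );
function example_save_setting_vulnerable() {
    $name  = isset( $_POST['name'] )  ? $_POST['name']  : '';
    $value = isset( $_POST['value'] ) ? $_POST['value'] : '';
    update_option( $name, $value );
    wp_send_json_success();
}

// HARDENED pattern: capability check, nonce check, and an allowlist of the
// only options this handler is permitted to touch.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_plugin_color', 'example_plugin_layout' );

add_action( 'wp_ajax_example_save_setting_safe', 'example_save_setting_hardened' );
function example_save_setting_hardened() {
    // Limit who can call this: only users with manage_options (administrators by default).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Reject requests not issued from the plugin's own admin page (CSRF protection).
    // The page must embed the nonce via wp_create_nonce( 'example_save_setting' ).
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // Never let the request choose the option name; accept only allowlisted names.
    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
```

A security review of the plugin would flag the first handler on sight; a firewall rule, by contrast, has to guess which request shapes are abuse, which is why the general option update protection tested above can be bypassed.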
A firewall plugin’s best role is to provide protection against exploitation of vulnerabilities that only hackers are aware of. Short of getting a security review done of every version of every plugin you use, it can provide protection that those other security options won’t. The problem right now is that, in our testing, the WordPress security plugins used on most websites fail to provide much of the protection they could in that situation.