Solid Security Firewall Review: It Doesn’t Contain One and Doesn’t Prevent Exploitation of Plugin Vulnerabilities
Recently, the iThemes Security plugin was rebranded as Solid Security. Alongside that came new misleading marketing about what protection it offers. Among those is the claim that “Solid Security shields your site from cyberattacks and prevents security vulnerabilities.” They also have a bolded claim that the plugin will “Reduce your WordPress website’s risk to nearly zero”. Buried in the FAQ, they are distancing themselves from such claims:
No. Solid Security is designed to help improve the security of your WordPress installation from many common attack methods, but it cannot prevent every possible attack. Nothing replaces diligence and good practice. This plugin makes it a little easier for you to apply both.
Doing security basics doesn’t require a plugin like theirs. But what would provide protection beyond the basics would be a well-developed firewall plugin. As extensive testing we have done shows, that can offer significant protection against zero-days, which are vulnerabilities being exploited before even the developer knows about them.
Solid Security, like iThemes Security before it, doesn’t contain any firewall, much less a well-developed firewall. That means that it doesn’t protect against vulnerabilities, including an exploited one in another of the other plugins from the same developer. So it doesn’t provide the protection that our Plugin Vulnerabilities Firewall does. In our testing, our plugin provides the most protection, not because we are doing the testing, but because we are doing the testing needed to implement effective protection that others don’t do.