Shield Security Firewall Review: It’s Been Broken For a Year and a Half
The developer of the WordPress security plugin Shield Security has long made strange claims about their plugin and how it compares to other plugins. Currently, they market it in part with this claim:
“Shield is the only security plugin for WordPress that prioritises protection and intrusion prevention before repair. With Shield Security, your site will immediately begin to block visitors as they probe your site looking for vulnerabilities, and before they can do damage.”
There are lots of WordPress security plugins that don’t include any repair capability, while they do include protection capability, so it would appear the developer either isn’t aware of what other options are out there or is for some reason telling a rather obvious untruth.
But what about the protection that the plugin offers? Shield Security has a firewall, but it’s been broken and providing no protection since May 2022.
When Shield Security did provide protection, it provided very little. We developed automated testing software to make sure that changes made to our Plugin Vulnerabilities Firewall didn’t break existing protection. When we started working on that, we realized we could also run it against other WordPress firewall plugins to compare how much protection they provide. Before Shield Security’s firewall broke, it only protected against 3.9% of the tests.
Extensive testing is critical to provide robust firewall protection. It’s why our own firewall plugin is able to provide so much protection against zero-days, which are vulnerabilities being exploited before even the developer knows about them. The developer of Shield Security must not be doing that testing, since they still haven’t noticed that the firewall is broken.