4 Dec 2023

Hide My WP Ghost Firewall Review: It Provides Very Limited Protection

Like the developers of lots of WordPress security plugins, the developer of Hide My WP Ghost makes a lot of impressive-sounding claims about their plugin and the protection it offers. The actual results, like those of most of those other plugins, are rather poor. Figuring that out, though, is difficult, as many others will tell you that these plugins provide much more protection than they do or, as we noted with this plugin last year, claim that it offers protection that it doesn’t offer.

In the case of Hide My WP Ghost, the developer seems to lack much understanding of security. For example, they claim it has blocked 8,000,000 brute force attempts, even though that type of attack isn’t happening. They are confusing it with a different type of attack and are not recommending the proper solution for it. That lack of security understanding likely led them to implement a third-party firewall, the 7G firewall, in their plugin, one that provides very limited protection.

One method we have for measuring the protection that WordPress firewall plugins offer comes from the regression testing software for our own firewall plugin. That software lets us make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing it, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In the latest run of those tests, Hide My WP Ghost provided protection against only 8.5% of the tests.

The results are not surprising considering the source of their firewall and that the firewall relies on rewrite rules, which means it can only provide simple and limited protection. Our own Plugin Vulnerabilities Firewall is tightly integrated into WordPress, which allows it to provide robust protection against a much wider range of vulnerabilities. We also do extensive testing to make sure that it provides that robust protection.
