Five Years In, Wordfence Security Still Doesn’t Provide Protection When Using WordPress Block Editor
In December 2018, WordPress 5.0 was released, introducing a new default editor, the block editor (also known as Gutenberg). You would think that the developer of the most popular security-only plugin, Wordfence Security, would have quickly made sure it offered protection when that editor is used, but in a test we did in September 2021, we found that wasn't the case. At the time, the same was true of the best free option for protection, NinjaFirewall, and of our then in-development Plugin Vulnerabilities Firewall. A recently fixed vulnerability in a popular plugin, Spectra, led us to revisit this, and we found that things haven't changed for Wordfence Security, but have for the other two plugins.
On Sunday, a new firewall rule was added to the free data for the Wordfence Security plugin. Here is that rule:
if (match(xssRegex, request.jsonBody['meta']['_uag_custom_page_level_css']) and currentUserCannot('unfiltered_html')): block(id=651, category='xss', score=100, description='WAF-RULE-651', whitelist=0)
Wordfence claims their firewall rules are “obfuscated to prevent reverse engineering,” but this rule isn’t obfuscated and it wasn’t hard to reverse engineer it. That claim is one of many examples of Wordfence’s propensity for dishonesty.
That relates to a vulnerability in the plugin Spectra, which was fixed on December 12. The rule was provided to anyone willing to pay for Wordfence's Wordfence Premium service 30 days before it was made available in their free data, so any hacker paying for that had several days to exploit this before there was even a fixed version available.
The vulnerability involved the ability to put malicious JavaScript code in the Custom CSS setting added to WordPress posts by Spectra and the code would be output when the post is viewed. That is referred to as a persistent cross-site scripting (XSS) vulnerability. That was fixed by running the Custom CSS value through the function wp_kses_post().
A simple example of that being exploited would be to place the following value in the setting; when the post is then viewed, an alert box with the message XSS would be shown:
</style><script>alert("XSS");</script>
That vulnerability isn't something that Wordfence should need to write a rule for, since they already offer protection against XSS. But as we found, they did need to write a rule because they still haven't updated their firewall to handle data sent to the website from the block editor, which is sent as JSON objects rather than as the form-encoded fields the previous editor used. This format is also used by other plugins, so handling it isn't only needed for protection against exploit attempts happening through the block editor.
Only Two Plugins Provided Protection
Using our automated testing system for testing WordPress firewall plugins, we found that only five of those plugins would generally block a request with the example payload for this vulnerability if it was sent in the format used in the previous editor, the classic editor. Those five plugins are Hide My WP, our Plugin Vulnerabilities Firewall, NinjaFirewall, Web Application Firewall, and Wordfence Security.
With the only change being to switch to the format used by the block editor, only two of those plugins still provided protection, NinjaFirewall and our Plugin Vulnerabilities Firewall.
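To make the format difference concrete, here is an added example that models the test described above (the same payload sent in the classic editor's form-encoded format and in the block editor's JSON format, checked by two firewall designs). It is not code from the original post, from Wordfence, NinjaFirewall or the Plugin Vulnerabilities Firewall; the XSS pattern is a small stand-in (Wordfence's xssRegex is not published), the classic editor field name and request paths are assumptions, and the benign CSS is constructed. The JSON-aware check walks every nested string rather than one fixed path, so it covers the `request.jsonBody['meta']['_uag_custom_page_level_css']` case in the rule above as well as the same value sent anywhere else in a JSON body.

```python
import json
import re
from urllib.parse import parse_qs, urlencode

# Payload from the article: closes the <style> element the CSS is output in and injects a script.
XSS_PAYLOAD = '</style><script>alert("XSS");</script>'

# Benign custom CSS, constructed for the example.
BENIGN_CSS = '.entry-content h2 { color: #c00; font-weight: 700; }'

# Deliberately small stand-in for a WAF's XSS pattern (assumption, not Wordfence's xssRegex):
# closing tags that break out of a style/textarea/title context, script tags,
# inline event handlers and javascript: URLs.
XSS_REGEX = re.compile(
    r'</\s*(style|textarea|title)\s*>|<\s*script\b|\bon[a-z]+\s*=|javascript\s*:',
    re.IGNORECASE,
)

META_KEY = '_uag_custom_page_level_css'


def classic_editor_request(css):
    """Form-encoded POST as a classic-editor meta box would submit it.
    The field name and path are assumptions for the example."""
    return {
        'path': '/wp-admin/post.php',
        'content_type': 'application/x-www-form-urlencoded',
        'body': urlencode({'post_ID': '123', 'action': 'editpost', META_KEY: css}),
    }


def block_editor_request(css):
    """JSON POST as the block editor sends it to the REST API when saving post meta.
    This is the shape request.jsonBody['meta'][META_KEY] in the Wordfence rule refers to."""
    return {
        'path': '/wp-json/wp/v2/posts/123',
        'content_type': 'application/json',
        'body': json.dumps({'title': 'Hello', 'meta': {META_KEY: css}}),
    }


def _content_type(request):
    # Drop parameters such as "; charset=utf-8" before comparing.
    return request['content_type'].split(';')[0].strip().lower()


def _form_values(body):
    for values in parse_qs(body, keep_blank_values=True).values():
        yield from values


def _json_strings(value):
    """Yield every string found anywhere inside a decoded JSON document."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _json_strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _json_strings(v)


def form_only_waf_blocks(request):
    """Firewall that only inspects form-encoded parameters ($_POST in PHP terms).
    A JSON body never populates $_POST, so its contents are never looked at."""
    if _content_type(request) == 'application/x-www-form-urlencoded':
        return any(XSS_REGEX.search(v) for v in _form_values(request['body']))
    return False


def json_aware_waf_blocks(request):
    """Same check, but JSON bodies are decoded and every nested string is inspected."""
    ctype = _content_type(request)
    if ctype == 'application/x-www-form-urlencoded':
        return any(XSS_REGEX.search(v) for v in _form_values(request['body']))
    if ctype == 'application/json':
        try:
            decoded = json.loads(request['body'])
        except ValueError:
            # Malformed JSON is rejected by the REST API before it reaches the plugin.
            return False
        return any(XSS_REGEX.search(s) for s in _json_strings(decoded))
    return False


def run_comparison():
    """Repeat the test from the post: one payload, two editor formats, two firewall designs."""
    results = {}
    for editor, build in (('classic', classic_editor_request), ('block', block_editor_request)):
        for waf_name, waf in (('form_only', form_only_waf_blocks), ('json_aware', json_aware_waf_blocks)):
            results[(editor, waf_name)] = waf(build(XSS_PAYLOAD))
    return results


if __name__ == '__main__':
    for (editor, waf_name), blocked in sorted(run_comparison().items()):
        print(f'{editor:8s} editor, {waf_name:10s} WAF: {"blocked" if blocked else "ALLOWED"}')
```

The form-only firewall blocks the classic-editor request and lets the identical payload through when it arrives as JSON, which is the gap the Wordfence rule above patches for one specific key. The JSON-aware version catches it regardless of where in the document the string sits, which is why a generic XSS check that decodes JSON does not need a per-plugin rule for this vulnerability.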
While Wordfence claims to offer real-time protection to those paying for Wordfence Premium, the protection NinjaFirewall and our Plugin Vulnerabilities Firewall offered worked before even Wordfence knew about the vulnerability. The vulnerability was introduced into the plugin in December 2022, so Wordfence's real-time protection was far from that.
That the most popular security-only plugin hasn't been updated to support WordPress' default editor five years in should be shocking, but it unfortunately isn't surprising, as the developer is able to get away with claiming they offer an industry-leading firewall when test after test shows it offers less protection than the two better options, which do provide protection.
Plugin Security Scorecard Grade for NinjaFirewall
Checked on June 12, 2025
Plugin Security Scorecard Grade for Spectra
Checked on March 19, 2025