30 Apr 2024

One of the Best Performing WordPress Firewall Plugins is No More

The results of our testing to see how much of the protection our WordPress firewall plugin provides is also offered by other WordPress security plugins show how little connection there is between the popularity of WordPress security plugins and the security they offer. A good example of that is the plugin Web Application Firewall, which as of last month provided the 7th most protection, but had only 300+ installs. By comparison, other plugins with hundreds of thousands or millions of installs fail to provide any protection, even when marketed as if they do provide robust protection. In the case of one such plugin, WordPress allows them to market it as if the plugin contains a firewall despite not having one (while the developer sponsors one of the heads of the team running the WordPress plugin directory).

In this month’s testing, Web Application Firewall failed to provide any protection. That stood out when we reviewed the results of the testing. The changes made to the plugin since last month didn’t seem to provide a reasonable explanation for that, as the changelog suggested only vulnerabilities had been fixed: [Read more]

9 Jan 2024

Five Years In, Wordfence Security Still Doesn’t Provide Protection When Using WordPress Block Editor

In December 2018, WordPress 5.0 was released, which introduced a new default editor, the block editor (also known as Gutenberg). You would think that the developer of the most popular security-only plugin, Wordfence Security, would have quickly made sure that they offered protection when using that, but that turned out not to be the case: in a test we did in September 2021, we found that it didn’t. It was also an issue at the time with the best free option for protection, NinjaFirewall, and with our then in-development Plugin Vulnerabilities Firewall. A recently fixed vulnerability in a popular plugin, Spectra, led to us revisiting this and finding that things haven’t changed for Wordfence Security, but have for the other two plugins.

On Sunday, a new firewall rule was added to the free data for the Wordfence Security plugin. Here is that rule: [Read more]

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a vulnerability of a type, persistent cross-site scripting (XSS), that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

12 Dec 2023

How WordPress Firewall Plugins Could Have Stopped Recently Fixed Vulnerability in Elementor

Last week, we took a look at the first and second attempts to fix an authenticated arbitrary file upload vulnerability in the 5+ million install WordPress plugin Elementor. With a situation like that, one of the questions for security providers is whether their security solutions protected against the issue before it was fixed. With our own Plugin Vulnerabilities Firewall plugin, we found that it did, because exploitation of the vulnerability involved directory traversal. As we found recently, while looking into another vulnerability that could be stopped the same way, only two other security plugins could stop it that way. More could have if their protection were more robust, as eight plugins had detection for that issue, but only three detected it in POST data, which is where the payload for the Elementor vulnerability was.

Another method to detect this would be to detect PHP code being included in the data to be saved to the file. There are a couple of issues with doing that. First, the data is base64 encoded, so you would have to decode it and then check for something that tells you it is PHP code. Second, the data was part of JSON formatted data, so you need to deal with that as well. [Read more]

4 Dec 2023

Disabled Protection in WordPress Firewall Plugin With Only 10+ Installs Provides 5th Best Zero-Day Protection

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing that, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of that against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

This month we added a new plugin to our test set. The name of the plugin is Anti-Hacker. It’s been available on the WordPress Plugin Directory since June, but we only ran across it now. Hardly anyone else seems to have run across it either, as it only has 10+ installs. The marketing makes plenty of impressive claims, but provides no evidence to back them up. The developer claims it provides protection against “XSS, SQL Injection, PHP Injection, CMD Injection and Transversal Directory” vulnerabilities. The problem we found when we went to add it to our testing system is that it isn’t possible to enable that protection, as the settings checkbox for it is disabled: [Read more]

16 Nov 2023

Combining WordPress Security Plugins Doesn’t Provide Better Protection Than One Better Plugin

It isn’t uncommon to see people asking the developers of WordPress security plugins if they can be used alongside another security plugin. That often seems like an odd question, as the two plugins being asked about are all-in-one security plugins that both claim to provide all the protection you need. If someone doesn’t trust the developer of either to deliver what they promise, why would they trust that combining two of them would deliver that? The results of the testing we do provide evidence that this isn’t the approach to get the best security, or even any security.

Across the testing we do of security plugins to see if they could provide protection against vulnerabilities in other plugins, many of the plugins provide no protection. Combining multiple plugins that provide no protection won’t produce a better result. But what if you combine plugins that do provide protection? [Read more]

6 Nov 2023

Latest WordPress Plugin to Include Firewall Provides Almost No Protection Against Zero-Days

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing that, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of that against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

This month we added a new plugin to our test set. The name of the plugin is Advanced Google reCAPTCHA, which doesn’t sound like it should be a relevant plugin to such testing. But as is often the case with WordPress plugins, developers add features that seem unrelated to the main purpose of the plugin. In this case, firewall functionality was added to the plugin, despite the developer already providing another plugin, Security Ninja, which is supposed to have a firewall (but doesn’t have one). [Read more]

16 Oct 2023

3 WordPress Firewall Plugins Stop Recent Widely Exploited Vulnerability in tagDiv Composer Plugin

Last week there was a spate of largely unhelpful news stories about websites getting hacked through an already fixed vulnerability in a WordPress plugin not available through the WordPress Plugin Directory, tagDiv Composer. There is a lot that could be discussed with that, but one element stands out to us. It looked like exploitation of the vulnerability should be easily stopped by WordPress security plugins with a firewall. We say that based on our own experience developing such a firewall plugin. That runs counter to something said by Dan Goodin, who inexplicably continues to be employed by Ars Technica, despite repeatedly getting things wrong in his stories. He wrote this:

The malicious injection uses obfuscated code to make it hard to detect. It can be found in the database used by WordPress sites, specifically in the “td_live_css_local_storage” option of the wp_options table. [Read more]

10 Oct 2023

Wordfence Security Increases Protection in October Test of WordPress Security Plugins’ Zero-Day Protection

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing that, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of that against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

This month saw one change: the Wordfence Security plugin increased its protection from 20.90% of the tests to 23.16%. That is notable, as after a year of testing, we had barely seen improvements among the plugins tested. [Read more]

30 Aug 2023

NinjaFirewall Joins Plugin Vulnerabilities Firewall in Providing Protection Against WordPress User Deletion Vulnerabilities

One of the ways we measure how much protection WordPress security plugins provide against the real threat of vulnerabilities in other WordPress plugins is to run, against other plugins, the software we designed to make sure that our own firewall plugin’s protection isn’t broken when we make changes. We do a monthly run of that and log the results, so that we can monitor changes in the results of the other plugins. The most notable aspect of that is how little change happens from month to month. Unfortunately, competing firewall plugins are receiving almost no updates to improve the protection they offer and get closer to the protection already included with our firewall plugin. That means that millions of websites relying on them are not getting a lot of the protection they could have.

Back in June, we added protection against vulnerabilities that allow deleting arbitrary WordPress users. At the time, we noted that no other firewall plugin already had that protection. If they already had similar protection against other WordPress data being deleted, then implementing it shouldn’t have been hard. [Read more]