6 Jul 2023

Some WordPress Firewall Plugins Provide No Zero-Day Protection Without Additional Configuration

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software lets us make sure that the default protection our plugin offers against zero-days (vulnerabilities being exploited before the developer or anyone else knows about them) isn’t broken as we make changes to the plugin. Once we started developing it, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations.

Usually, we do that testing with the plugins configured to provide the most protection they can. That way developers or anyone else can’t claim that we have made those plugins look bad by not enabling a feature, but it can also mean that our testing overstates the protection the average user of those plugins is receiving. In some cases, configuring a plugin as its developer recommends leads to significantly less protection. So we were curious to see what the results for the best performing plugins would be going in the opposite direction, with each plugin simply activated and no additional configuration done. [Read more]

30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted by the web host Tiger Technologies being exploited. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives the attacker full access to the website. [Read more]

26 Jun 2023

6G Firewall Rules in All-In-One Security (AIOS) WordPress Plugin Don’t Provide Effective Protection

In version 5 of the WordPress security plugin All-In-One Security (AIOS), an update was made to its firewall functionality, which implemented “6G firewall rules in the new PHP-based firewall.” Someone posted on the support forum for the plugin requesting that the previous functionality be restored. They made a series of claims, several of which we thought were worth checking on (emphasis theirs):

This change has affected users for whom these rules were working. [Read more]

16 Jun 2023

WordPress Firewall Plugins Are Barely Improving the Zero-Day Protection They Offer

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software lets us make sure that the default protection our plugin offers against zero-days (vulnerabilities being exploited before the developer or anyone else knows about them) isn’t broken as we make changes to the plugin. Once we started developing it, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of it against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

With over a year’s worth of results, it seemed like a good time to review how things are going. We will focus on the top four plugins, as those are the only plugins whose results have improved since the first test. The results for those in May of last year were not great: [Read more]

1 May 2023

Wordfence Security Returns to Third Place in May Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated it, we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started developing it is that we could also use it to do automated testing to get a sense of how much protection other WordPress security plugins provide against zero-days, which are vulnerabilities being exploited before the developer knows about them. In May of last year, we started doing a monthly run of it against a wide range of plugins to start tracking how their protection changed over time. So far there have been a limited number of changes in the results and in the ranking of how much protection the plugins provide. This month we did see a change in the rankings involving the most popular plugin tested.

Up through November, the most popular security-only WordPress plugin, Wordfence Security, had been coming in third in terms of how much protection it offered in the tests. The next month it slipped to fourth and had remained there, except in February when it dropped to fifth. This month it returned to third place. It still lags far behind our plugin and NinjaFirewall; NinjaFirewall provided protection against 37.28% of the tests versus Wordfence Security’s 21.89%. That is a stark difference, especially when you consider that NinjaFirewall only has 90,000+ installs according to WordPress stats versus Wordfence Security’s 4+ million. [Read more]

17 Mar 2023

BBQ Firewall Also Fails to Prevent SQL Injection Attack

In November, we wrote about how reviews for a WordPress security plugin were claiming that it protected against SQL injection, but testing showed it didn’t. A new review for another plugin, BBQ Firewall, which we happened across, made the same claim:

This is the plugin I install on every WordPress installation. It protects site from SQL injection attacks and doesn’t have any settings. Just install and activate, wonderful! [Read more]

13 Mar 2023

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, claiming that the vulnerability had been fixed three months before that, even though they all claim to have teams of experts reviewing vulnerabilities in WordPress plugins. The moderators of the WordPress Support Forum made the situation worse by deleting an early indication of the problem, in the form of a message complaining about a website being hacked because of the plugin.

The developer of the plugin promptly fixed the vulnerability once we advised them that it still existed. They then went further than other plugin developers usually do when a plugin has had an exploited vulnerability and got a security review done to ensure the plugin was now properly secured. [Read more]

6 Mar 2023

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things they said in their post that are rather problematic.

One of them was that they claimed to have responsibly disclosed the vulnerability, while also contradicting that. According to their post, the day before they notified the developer of the plugin about the vulnerability, they were already selling access to information about exploiting the vulnerability through their Wordfence Premium service. That isn’t responsible disclosure, and any hacker willing to pay for the service could have started exploiting this before the developer was even notified about it. Wordfence’s paying customers would have been protected from it at the time, but others would not have been without some other security in place. [Read more]

8 Feb 2023

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability, discovered by Lana Codes, involved the plugin’s functionality to email a one-time password for logging in to WordPress. The problem with the functionality was that it didn’t just email the password, it also sent it back as part of the response to the request to have it emailed. So an attacker could submit the request to have the password emailed for a WordPress user’s account, read the password that was only supposed to be emailed out of the response, and then log in to that account.

Trying to prevent an information disclosure issue like this would be difficult for a WordPress security plugin that isn’t aware of the particular vulnerability, as it would have to work out that something that shouldn’t be disclosed is being disclosed, so it would be unlikely that a security plugin would provide protection. Our own firewall plugin, Plugin Vulnerabilities Firewall, doesn’t have protection against such a situation, but we are always looking to see how we might expand its protection, so we were curious to see if any other plugins provided protection. [Read more]
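To make the flaw described in that post concrete, here is an added illustration in the form of a hypothetical WordPress AJAX handler. It is not the User Verification plugin’s code, and the handler names, option keys and the verify endpoint are assumptions; what it reproduces is the pattern the post describes, a one-time password that is emailed and also echoed in the HTTP response, alongside a version that keeps the code out of the response.

```php
<?php
// Added example, not code from the User Verification plugin. Action names
// (otp_demo_*), transient keys and code length are assumptions for illustration.

// --- Vulnerable pattern: the one-time password is emailed AND returned to the caller ---
function otp_demo_vulnerable_send() {
    $email = sanitize_email( $_POST['email'] ?? '' );
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( 'no such user' ); // also leaks whether the address is registered
    }
    $otp = wp_generate_password( 8, false );
    update_user_meta( $user->ID, 'otp_demo_code', $otp );
    wp_mail( $email, 'Your login code', "Your code is: $otp" );
    // The disclosure: anyone who can POST a victim's email address receives the
    // code in the JSON body without ever seeing the victim's inbox.
    wp_send_json_success( array( 'message' => 'Code emailed', 'otp' => $otp ) );
}
add_action( 'wp_ajax_nopriv_otp_demo_vulnerable_send', 'otp_demo_vulnerable_send' );

// --- Hardened pattern: the plaintext code exists only in the email ---
function otp_demo_hardened_send() {
    $email = sanitize_email( $_POST['email'] ?? '' );
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        $otp = wp_generate_password( 8, false );
        // Store only a hash, with a short expiry, so a database read does not yield the code.
        set_transient( 'otp_demo_' . $user->ID, wp_hash_password( $otp ), 5 * MINUTE_IN_SECONDS );
        wp_mail( $email, 'Your login code', "Your code is: $otp (valid for 5 minutes)" );
    }
    // Same response whether or not the account exists, and no code in it.
    wp_send_json_success( array( 'message' => 'If that address is registered, a code has been emailed.' ) );
}
add_action( 'wp_ajax_nopriv_otp_demo_hardened_send', 'otp_demo_hardened_send' );

function otp_demo_hardened_verify() {
    $email = sanitize_email( $_POST['email'] ?? '' );
    $code  = (string) ( $_POST['code'] ?? '' );
    $user  = get_user_by( 'email', $email );
    $hash  = $user ? get_transient( 'otp_demo_' . $user->ID ) : false;
    if ( ! $hash || ! wp_check_password( $code, $hash ) ) {
        wp_send_json_error( 'invalid or expired code' );
    }
    delete_transient( 'otp_demo_' . $user->ID ); // single use
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success( array( 'message' => 'logged in' ) );
}
add_action( 'wp_ajax_nopriv_otp_demo_hardened_verify', 'otp_demo_hardened_verify' );
```

The check a practitioner would run against any plugin with this kind of feature is simple: submit the “email me a code” request for an account you control (for example with curl against admin-ajax.php) and inspect the full response body and headers for the code. As the post notes, a generic firewall has no way of knowing that a particular string in a response is a secret, which is why this is a bug to fix in the plugin rather than something to expect a security plugin to catch. The hardened version should also be paired with a limit on verification attempts per account, since an 8-character code is only as strong as the number of guesses the endpoint allows.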

1 Feb 2023

Wordfence Security Falls to Fifth Place in February Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated it, we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started developing it is that we could also use it to do automated testing to get a sense of how much protection other WordPress security plugins provide against zero-days, which are vulnerabilities being exploited before the developer knows about them. In May, we started doing a monthly run of it against a wide range of plugins to start tracking how their protection changed over time. So far there haven’t been many notable changes, but this month had a significant change that follows on from a change in December.

In December, the Wordfence Security plugin fell to fourth place, with the Pareto Security plugin moving above it after adding more protection. That month we had also tried to add the BitFire plugin to the testing, but the latest version of the plugin broke WordPress. By this month BitFire had gotten into better shape, so we could include it in the testing. The result is that Wordfence Security has fallen yet another spot, as BitFire provided protection against 25.8% of exploit attempts versus only 20.0% for Wordfence Security. That also put BitFire in third place, behind only our plugin and NinjaFirewall. [Read more]