2 Jan 2023

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Privilege Escalation Vulnerability in Targeted Plugin

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

2 Dec 2022

Wordfence Security Falls to Fourth Place in December Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated it, we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started developing it is that we could also use it to do automated testing to get a sense of how much protection other WordPress security plugins provide against zero-days, which are vulnerabilities being exploited before the developer knows about them. In May, we started doing a monthly run of that against a wide range of plugins to start tracking how their protection changed over time. So far there haven’t been many notable changes, but this month had a significant change.

Up until this month, the results have been that our plugin has provided the most protection, followed by NinjaFirewall providing protection in about a third of the exploit tests, and Wordfence Security coming third with protection for a fifth of the exploit tests. That seems like a good indication of the poor state of WordPress security plugins and a lack of understanding of how much protection they provide, as NinjaFirewall only has 80,000+ installs, while Wordfence Security has 4,000,000+ installs. [Read more]

7 Nov 2022

Hide My WP Ghost Fails to Prevent SQL Injection Attack

One reality when it comes to WordPress security plugins is that if a developer claims their plugin will provide some sort of protection, people will repeat the claim without actually knowing if it is true.

That came up recently in our monitoring of the WordPress support forum for topics about vulnerabilities in plugins, with the plugin Hide My WP Ghost. Two recent reviews for the plugin, which came during a marketing promotion for it, claimed that it protects against SQL injection (emphasis ours): [Read more]

26 Oct 2022

Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced into a WordPress plugin that comes directly from WordPress. It turned out that the vulnerability had been introduced into it by an employee of the company closely associated with WordPress, Automattic. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files, and from there they could do whatever else they want, as that would give them the ability to run arbitrary code on the website. That is a type of scenario WordPress security plugins could and should have the capability to protect against.

Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of reviews of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have an incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario. [Read more]

20 Oct 2022

Wordfence Security Fails to Provide the Protection Keeping WordPress Plugins Updated Would

One of the impediments to better security for WordPress websites (and security in general) is that people are not taking basic security measures and instead relying on security solutions that fail to provide the protection that those basic security measures would. Recently someone posted on the support forum for the plugin PDF.js Viewer, mentioning they were getting this message, which is from the Wordfence Security plugin, on their website:

Plugin Name: PDFjs Viewer
Current Plugin Version: 1.3
Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “PDFjs Viewer” until a patched version is available. Get more information. [Read more]

7 Oct 2022

All In One WP Security & Firewall Only WordPress Firewall Plugin to Increase Protection in Our Testing This Month

One of the ways we measure how much protection WordPress security plugins provide against the real threat of vulnerabilities in other WordPress plugins is to run the software we designed to make sure that our own firewall plugin’s protection isn’t broken when we make changes against those other plugins. Since May we have been doing a monthly run of that and logging the results, so that we can monitor changes in the results for the other plugins.

Until this month, there have been only two changes. One was that the amount of protection changed for plugins when we added tests for more exploit attempt variants, with most plugins not providing protection against the new tests. The other was that we detected that Shield Security’s protection became entirely broken. That first occurred in the June test and hasn’t been fixed yet. [Read more]

13 Sep 2022

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer is aware of it. One of the implications of that is that keeping a website’s plugins up to date won’t always protect websites from being hacked through vulnerabilities in them. So this is the type of situation where a security plugin, like iThemes Security, could provide protection beyond keeping plugins up to date. If any security plugins should be able to do that, it should be iThemes Security if you believe their marketing, as they claim it is the best:

The Best WordPress Security Plugin to Secure & Protect WordPress [Read more]

4 Aug 2022

Shield Security’s Firewall Has Now Been Broken for 3 Months

When it comes to WordPress security plugins, the developers are often much better at marketing them than they are at security. Hence, these plugins are widely used despite failing to provide much, if any, protection. The developer of the Shield Security plugin markets their plugin with criticism of competing plugins’ marketing:

It’s time to stop our obsession with malware. Malware scanning is important after you’re hacked. Get a security plugin that prioritises security protection before “malware marketing”. [Read more]

7 Jul 2022

The All In One WP Security & Firewall Plugin Provides Little Firewall Protection With Recommended Settings

When we do testing of WordPress security plugins to see what protection, if any, they provide against vulnerabilities in other plugins, we try to enable any options that will cause them to provide all the protection they could possibly offer. A downside of that approach is that it doesn’t necessarily provide a good indication of how much protection they provide in the real world, as the average website might not have enabled the options that provide that protection. Testing we just did with one of the most popular WordPress security plugins, All In One WP Security & Firewall, which has 1+ million installs, highlights that. What we found was that most of the protection it can provide is not only not enabled by default, but the developer recommends against using the option that provides it.

To see how our own WordPress firewall plugin is doing compared to other plugins, we do automated testing to see if they provide protection against the same threats that our firewall blocks. A benefit of that testing approach is that it is easy to test many plugins or to test a plugin with various settings combinations. [Read more]