7 Jun 2022

Only Two WordPress Security Plugins Prevented Exploitation of Vulnerability in Security Plugin WP Cerber

Security plugins for WordPress are supposed to help protect websites from being hacked, but not only do most of them not do a good job of that, they often introduce security vulnerabilities of their own. Like most vulnerabilities in WordPress plugins, the security vulnerabilities in security plugins often are not too serious. That wasn’t the case with a vulnerability disclosed in February involving the security plugin WP Cerber, which has 200,000+ active installations according to WordPress.

The vulnerability, credited to Krzysztof Zając, allowed an attacker to cause malicious JavaScript to be loaded on one of the plugin’s admin pages. That is a type of vulnerability that hackers have been known to exploit. Troublingly, but in line with the plugin itself having such a serious vulnerability, the developer didn’t disclose in the changelog or on their website that there had been a vulnerability or that it had been fixed. [Read more]

22 Dec 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Possibly Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

24 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

23 Nov 2021

No WordPress Security Plugin Stopped Exploitation of Vulnerability That Disables Them

Last week, GoDaddy’s web security subsidiary Sucuri released a strange post about some WordPress websites being hacked. The post discussed a situation involving what they confusingly described as both a “bogus” and a “legitimate” WordPress plugin. The plugin, Directorist, had multiple security vulnerabilities fixed the day before that post was released, which might explain the hacking mentioned in the post. Sucuri, though, attributed it to compromised login credentials, despite their post indicating they hadn’t done the basic checking that should have been done before making that attribution.

While reviewing the changes being made to the plugin, we noticed that among the vulnerabilities fixed in that new version, 7.0.6.1, were ones that would have allowed an attacker logged in to WordPress to deactivate or delete arbitrary plugins. [Read more]

10 Nov 2021

Wordfence Premium Fails to Protect Against Another “Critical” Privilege Escalation Vulnerability

On Monday we noted finding that the Wordfence Security plugin and the Wordfence Premium service failed to provide protection against a “critical” privilege escalation vulnerability, running contrary to Wordfence’s marketing.

In response to that, someone on Reddit said this of Wordfence: [Read more]

8 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against “Critical” Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

27 Oct 2021

BBQ Firewall Doesn’t Provide Better Performance in Exchange for Poor Protection

About a month ago we discussed why the WordPress security plugin BBQ Firewall wasn’t, as claimed by the developer, a “strong firewall”. In the most recent run of our automated testing of WordPress firewall plugins, we found that it only provides protection against 5 percent of the items tested. So you are not getting much protection from the plugin, but what led us to take a closer look at the plugin last month was someone mentioning they used it because it is “fast and lightweight”, which is a claim that the developer also makes:

Lightweight, fast and flexible [Read more]

26 Oct 2021

Wordfence Security Fails To Protect Against Exploitation of Vulnerability Through PHP Input Stream

On September 23, exploit code for an arbitrary file upload vulnerability in the WordPress plugin 3DPrint Lite was released. That is a type of vulnerability that is highly likely to be exploited. As part of reviewing that to see if there was indeed a vulnerability that we should add to the data set for our service, we found a notable element of the underlying code that caused it. There were two ways that the file being uploaded could be sent with the request. With only one of them did our then upcoming WordPress firewall plugin, Plugin Vulnerabilities Firewall, provide protection against common exploitation. We then updated our plugin to protect against the other as well; it turns out that the Wordfence Security plugin hasn’t been updated to do so.

The vulnerable code in the plugin is in the function p3dlite_handle_upload(), which was made accessible through WordPress’ AJAX functionality to those logged in to WordPress as well as those not logged in: [Read more]
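The security-relevant point above is that a file can reach a PHP upload handler either as a multipart form field (populated into `$_FILES`) or as the raw request body read from `php://input`, and a firewall that only inspects the first path misses the second. The following is an added illustration written for this page; it is not the 3DPrint Lite plugin's code, not the Plugin Vulnerabilities Firewall, and not Wordfence. The function names (`collect_uploads`, `should_block_upload`, `is_dangerous_filename`, `looks_like_php`), the blocked-extension list, and the convention that a raw-body upload carries its filename in a `name` query parameter are all assumptions made for the example.

```php
<?php
// Added illustration for this page (hypothetical code, not any named plugin's).
// Shows the two ways an upload can arrive and a firewall-style check that
// inspects both, so that a raw php://input upload is not a blind spot.

const BLOCKED_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'htaccess'];

/**
 * Return every candidate upload in a request as [name, data] pairs.
 * Path 1 is a multipart/form-data upload populated into $_FILES.
 * Path 2 is a raw request body (php://input), where the client names the
 * file elsewhere; a `name` query parameter is the assumed convention here.
 */
function collect_uploads(array $files, string $raw_body, array $query): array {
    $uploads = [];
    foreach ($files as $field) {
        if (isset($field['tmp_name']) && is_string($field['tmp_name']) && $field['tmp_name'] !== '') {
            $uploads[] = [
                'name' => (string) ($field['name'] ?? ''),
                'data' => (string) file_get_contents($field['tmp_name']),
            ];
        }
    }
    if ($raw_body !== '' && isset($query['name'])) {
        $uploads[] = ['name' => (string) $query['name'], 'data' => $raw_body];
    }
    return $uploads;
}

/** True if any dotted segment after the base name is a blocked extension (catches shell.php.jpg). */
function is_dangerous_filename(string $name): bool {
    $parts = explode('.', strtolower(basename($name)));
    array_shift($parts); // drop the base name, keep every extension segment
    foreach ($parts as $ext) {
        if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

/** Content check independent of the filename: PHP open tags in the payload. */
function looks_like_php(string $data): bool {
    return stripos($data, '<?php') !== false || stripos($data, '<?=') !== false;
}

/** Firewall-style decision: true if the request should be blocked. */
function should_block_upload(array $files, string $raw_body, array $query): bool {
    foreach (collect_uploads($files, $raw_body, $query) as $upload) {
        if (is_dangerous_filename($upload['name']) || looks_like_php($upload['data'])) {
            return true;
        }
    }
    return false;
}

// Inside a real WordPress request the check would be called as:
//   should_block_upload($_FILES, (string) file_get_contents('php://input'), $_GET);
// Below, constructed sample inputs stand in for $_FILES, php://input and $_GET.
if (PHP_SAPI === 'cli') {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, "<?php system(\$_GET['c']); ?>"); // constructed webshell body

    // Path 1: multipart upload with a harmless-looking name but PHP in the body.
    $multipart = ['file' => ['name' => 'model.stl', 'tmp_name' => $tmp]];
    var_dump(should_block_upload($multipart, '', []));

    // Path 2: raw-body upload; nothing in $_FILES, filename carried in the query.
    var_dump(should_block_upload([], "solid model\nendsolid model\n", ['name' => 'shell.php']));

    // Path 2 with a benign name and body.
    var_dump(should_block_upload([], "solid model\nendsolid model\n", ['name' => 'model.stl']));

    unlink($tmp);
}
```

The design choice to note is that `collect_uploads` normalises both transport paths into one list before any policy runs, so a rule written once applies to both. A check that iterates `$_FILES` alone, which is the common shape of upload filters, never sees the raw-body case at all, which is exactly the gap the post describes.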