25 Apr 2025

Developers of Popular WordPress Security Plugins Make False Claim About Who Created Another Popular Plugin

Recently there was a change made to the WordPress Plugin Directory that should shed more light on who is actually behind WordPress plugins. There are problems with that, which led us to notice a clearly wrong claim about who created a WordPress plugin with 300,000 installs.

With the even more popular Really Simple Security plugin, which has 4+ million installs, the plugin is listed on the plugin directory as being by Really Simple Plugins: [Read more]

7 Feb 2024

Nearly 10 Year Old Vulnerability Fixed in WordPress Security Plugin All-In-One Security (AIOS)

The changelog for the latest version of the 1+ million install WordPress security plugin All-In-One Security (AIOS) is:

SECURITY: Added nonce checks to various list table actions to prevent a CSRF vulnerability. Thanks to dhakal_ananda for disclosing this defect. This would allow an attacker who persuaded a logged-in administrator to visit a specially crafted link to perform actions on the 404 event records. [Read more]

25 Jan 2024

All-In-One Security (AIOS) Firewall Review: It Doesn’t Deliver Great Results

In 2022, the WordPress security plugin All In One WP Security & Firewall was rebranded as All-In-One Security (AIOS). The removal of emphasis on a firewall is probably fitting, as the plugin’s firewall capability is rather limited and the developers don’t seem to have a good grasp of it.

The plugin has long shipped with two firewalls not developed by the developers of the plugin. Called 5G and 6G, these two firewalls are outdated versions of the nG firewall. While the plugin recommends using 6G, in our testing we have found 5G provides more protection than 6G. And 6G only provides a subset of the protection of 5G. Without additional configuration, the plugin provides no firewall protection. [Read more]

5 Jan 2024

Confusion Over Proper Usage of esc_url_raw() Includes Developers of 1+ and 5+ Million Install WordPress Security Plugins

While working on a security review of a WordPress plugin, we ran across misuse of a WordPress security function, esc_url_raw(). While looking to see if this was a wider issue, we found that a 5+ million install security plugin is among those improperly using it, as well as another 1+ million install security plugin, and two 1+ million install plugins from the security reviewer on the team running the WordPress plugin directory.

The documentation for esc_url_raw() explains that it “Sanitizes a URL for database or redirect usage.” Then further explains that: [Read more]

5 Jan 2024

All-In-One Security (AIOS) vs Wordfence Security

When it comes to the developers of WordPress security plugins, they shouldn’t be creating the insecurity they are supposed to be protecting against. That unfortunately is true of the current and former developers of the very popular All-In-One Security (AIOS) plugin. It has been such an issue with the new developer that we released an advisory warning against using their plugins until and unless they can show they have gotten a handle on security. So when it comes to the question of using All-In-One Security (AIOS) or Wordfence Security, our advice would be to not use All-In-One Security (AIOS). But let’s say you still want to consider it. Then the most important thing to know about WordPress firewall plugins is how much protection they offer against real threats, and we are somehow the only ones doing testing that would measure that.

Since 2021, we have done 16 tests of a large group of WordPress security plugins to see if they would protect against real vulnerabilities that had existed in other plugins. In those tests, All-In-One Security (AIOS) provided protection in only two of the tests. Wordfence Security did somewhat better, providing protection in six. [Read more]

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a vulnerability of a type, persistent cross-site scripting (XSS), that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

10 Jul 2023

WordPress All-In-One Security (AIOS) Plugin Has Been Logging User Passwords for Nearly Two Months

We recommend against using all-in-one WordPress security plugins for a number of reasons. One of them is that they likely include a lot of functionality that you don’t need, which, among other issues, can create additional security risk when you are trying to reduce it. Another is that a plugin focused on one thing should, theoretically at least, do a better job at providing the needed functionality. All-in-one plugins are rather popular, despite those concerns. The All-In-One Security (AIOS) plugin has 1+ million installs. That popularity is despite the previous and current developers having a pretty bad track record with security across the plugins they have developed, including this plugin. That makes a security issue in the latest version of the plugin not all that surprising.

On June 23, a user of the plugin created a support forum topic with this concerning headline, “Cleartext passwords written to aiowps_audit_log”. They appear not to have been aware of the plugin’s poor track record, as their message started this way: [Read more]

6 Jul 2023

Some WordPress Firewall Plugins Provide No Zero-Day Protection Without Additional Configuration

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software lets us make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing that, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations.

Usually, we do that testing with the plugins configured in a way that they provide the most protection. That way developers or someone else can’t claim that we have made those plugins look bad by not enabling a feature, but it can mean that our testing overstates the protection that the average user of the plugins is receiving. In some cases, configuring the plugins as recommended by the developer leads to significantly less protection. So we were curious to see what the results for the best performing plugins would be going in the opposite direction, when the plugin is simply activated and no additional configuration is done. [Read more]

30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website. [Read more]

26 Jun 2023

6G Firewall Rules in All-In-One Security (AIOS) WordPress Plugin Don’t Provide Effective Protection

In version 5 of the WordPress security plugin All-In-One Security (AIOS), an update was made to its firewall functionality, which implemented “6G firewall rules in the new PHP-based firewall.” Someone posted on the support forum for the plugin requesting to have the previous functionality restored. They made a series of claims, several of which we thought were worth checking on (emphasis theirs):

This change has affected users for whom these rules were working. [Read more]