Login

Tag Archives: Anti-Hacker

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a vulnerability of a type, persistent cross-site scripting (XSS), that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

4 Dec 2023

Disabled Protection in WordPress Firewall Plugin With Only 10+ Installs Provides 5th Best Zero-Day Protection

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities being exploited before the developer or others know about them, that our plugin offers isn’t broken as we make changes to the plugin. Once we started developing that, we realized that could be repurposed to test to see if other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of that against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

This month we added a new plugin to our test set. The name of the plugin is Anti-Hacker. It’s been available on the WordPress Plugin Directory since June, but we only ran across it now. Not much of anyone else seems to have run across it either, as it only has 10+ installs. The marketing makes plenty of impressive claims, but provides no evidence to back them up. The developer claims it provides protection against “XSS, SQL Injection, PHP Injection, CMD Injection and Transversal Directory” vulnerabilities. The problem we found when we went to add it to our testing system is that it isn’t possible to enable that protection, as the settings checkbox for it is disabled: [Read more]