Back in November we discussed the belief of a developer of a WordPress security plugin with 500,000+ active installs, that it was normal for security plugins to themselves be insecure. While that was fairly incredible to hear, we have just across a belief from the developer of another security plugin, with 100,000+, which we think that tops that.
The developer of the plugin BulletProof Security stated that “it is outside of the scope or intended purpose for any security plugins” to protect against vulnerabilities that exist in other plugins (and based on their explanation of why, it would seem other similar vulnerabilities as well). When you consider that vulnerabilities in plugins are a leading source of WordPress websites being hacked (exploitation of vulnerabilities in WordPress itself being few and far between), that means that relying on this plugin to protect a website will leave it fairly vulnerable to a real threat. The description of the plugin doesn’t make any mention of this intended limitation, which seems like it should be something that is prominently warned about.
Let’s take a step back from that statement, because in how that came about, what is provided is a good example of poor state of the security information surrounding WordPress.
One of things we do to keep track of vulnerabilities in WordPress plugins is to monitor the wordpress.org Support Forum for threads related to those. In doing that we run into a lot of other security threads and occasional we will add our input.
In a thread from someone asking about the security of WordPress, someone suggested using a couple of security plugins:
The terms “secure” and “security” mean different things to different people, and the fact that WordPress is well-written in relation to “security” — no major flaws or vulnerabilities to be exploited — does not mean your self-hosted site is secured by WordPress. I use BulletProof Security to “harden WordPress” and much more…
…and I also have the stand-alone version of NinjaFirewall out in front of everything at my hosting account:
There are various other options, of course, but just do not let the idea that WordPress is “secure” lead you to believe WordPress covers your needs related to site security.
We responded explaining that through our testing of them, those two plugins and all the others tested have provided very little to no protection against the exploitation of vulnerabilities in other plugins:
It’s worth noting here that security plugins don’t necessarily provide much, if any, protection against vulnerabilities. We have done fourtestsofthem to see if they could protect against exploitation of real vulnerabilities that existed in other plugins. In only one instance did one, NinjaFirewall (WP Edition), provide protection that wasn’t easily bypassed and that came with the tradeoff that Editor-level and below users could not upload media through WordPress anymore. BulletProof Security provided no protection in any of the tests.
The developer of BulletProof Security responded, but apparently confused us with the developer of NinjaFirewall (WP Edition):
Uh well your opinion is biased. So you should state something to that effect. Also your tests do not include all/every possible BulletProof Security code that is available and the test parmeters seemed skewed in favor of your plugin. Nothing personal, I don’t blame you for using this tactic – just noting facts.
Before we figured that they were confusing us with another company, we were confused about the claims that our testing was skewed.
They then responded again:
Oops. I misread the article. This is not an obvious sales pitch article and link. I reread the article and it is completely unfounded and frankly ridiculous because the test parameters are not any sort of valid security test parameters. I could make up stuff too, but why bother. 😉
Obviously whoever posted that junk does not know anything about website security at all.
Again somehow the testing wasn’t valid (and we don’t know “anything about website security at all”).
Yet another response:
Normally I would just ignore ridiculous junk like this, but in reality this is a disservice to average folks. Why? Because that information is misleading either intentionally or unintentionally due to an unqualified person reporting some junk that just makes people worried about nothing.
This time they called the testing “ridiculous junk”, but still not citing anything that specifically that was wrong with it. The only person at this point that seemed to be misleading people was the developer of BulletProof Security, but the average person would have a hard to knowing that. That is ongoing problem with WordPress security information, as even many of the biggest names don’t understand the basics, but claim and feel otherwise, leading to false information to be spread widely.
After we posted a response they claimed that the testing was “not valid information”:
Oops again. Guess I should have checked WhoIs first. I see that this is your website. Sorry about negating your article, but unfortunately it is not valid information.
But again there wasn’t any specific issue they were pointing to and we were still not sure what they might be referring to.
When they final got to some detail on what was wrong with the testing, it didn’t make sense:
What I question is your test parameters themselves. They seem too general/broad and not realistic. Security plugins are not supposed to block anything that appears to be normal functionality in another WordPress plugin, otherwise security plugins would end up breaking most WordPress plugins normal functionality. So your test parameters need to factor in a realistic attack vector that excludes any normal functionality in any other plugins. There a lot of other things that you also have to factor into the test environment equation that I will not go into. In a nutshell, your test parameters and environment are simply not realistic.
As we responded, what they are really saying is that it is not realistic to test security plugins against real vulnerabilities (including one that looks to have been widely exploited at the time we did the testing):
You are proving our earlier point, as it is hard to distinguish between a request legitimately accessing functionality and exploitation of a vulnerability. Many, maybe most vulnerabilities, involve legitimate functionality being used by someone that shouldn’t have access to it or in a way that it wasn’t intended. The end results is that it would be very hard for security plugins to provide much, if any, protection against vulnerabilities.
Before we had left that response they had left another, which seems like an endorsement of our plugin/service since we actually warn about security vulnerabilities in plugins:
I’ll just use this one test example that you did:
For each of the tested plugin we set up a fresh install of WordPress 4.7, installed the version 2.0 of Delete All Comments, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability.
The problem here is that the Delete All Comments plugin has a coding mistake/security vulnerability. Most if not all WP security plugins will not interfere with the normal functionality of another WP plugin for the reason I stated above. So basically the basis of this test is no good. What of course is the only solution is the Delete All Comments plugin would need to fix the bug.
If security plugins are not intended to protect against vulnerabilities, that means they are not doing much to protect you against real threats (security plugins can’t protect against lots of other things, since those involve an attacker having access at a lower level than the plugins run).
Humorously they then were offering to provide us further explanation of why security plugins shouldn’t protect against vulnerabilities:
Yep, I understand where you are coming from, but unfortunately it is outside of the scope or intended purpose for any security plugins. If you would like further explanation then you can contact us here: https://www.ait-pro.com/contact/