4 Dec 2023

Hide My WP Ghost Firewall Review: It Provides Very Limited Protection

Like the developers of many WordPress security plugins, the developer of Hide My WP Ghost makes a lot of impressive sounding claims about their plugin and the protection it offers. The actual results, like those of most of those other plugins, are rather poor. Figuring that out, though, is difficult, as many others will tell you that these plugins provide much more protection than they do, or, as we noted with this plugin last year, will claim that it offers protection that it doesn’t offer.

In the case of Hide My WP Ghost, the developer seems to lack much understanding of security. For example, they claim it has blocked 8,000,000 brute force attempts, despite that type of attack not happening. They are confusing it with a different type of attack and not recommending the proper solution for it. That lack of security understanding likely led to them implementing a third-party firewall, the 7G firewall, in their plugin that provides very limited protection. [Read more]

7 Jun 2023

WordPress Firewall Plugins Lack Protection Against Arbitrary User Deletion Vulnerabilities

Last week, we ran across a vulnerability in a WordPress plugin that would allow an attacker to delete all the website’s WordPress user accounts, which would be nasty if exploited by an attacker. The ability to easily exploit the vulnerability involves, in part, a known bypass of WooCommerce’s security that hasn’t been addressed. The developer of WooCommerce, Automattic, has told us they are “aware of this and working on a fix to mitigate this issue”, though no timeline has been put forward for that (or clear information on how long they have been aware of that).

A way to help prevent this type of vulnerability from being exploited would be to use a WordPress firewall plugin that protects against non-Administrators being able to delete arbitrary WordPress users through a vulnerability like that. That is something we implemented in our own firewall plugin after running across the vulnerability. As part of adding that protection, we updated our regression testing software to make sure that the protection continues to work as we make additional changes to the plugin (the developer of one security plugin doesn’t appear to do that type of regression testing at all). [Read more]

7 Nov 2022

Hide My WP Ghost Fails to Prevent SQL Injection Attack

One reality when it comes to WordPress security plugins is that if a developer claims their plugin will provide some sort of protection, people will repeat the claim without actually knowing if it is true.

That came up recently in our monitoring of the WordPress support forum for topics about vulnerabilities in plugins, in connection with the plugin Hide My WP Ghost. Two recent reviews of the plugin, posted during a marketing promotion for it, claimed that it protects against SQL injection (emphasis ours): [Read more]