26 Oct 2022

Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced into a WordPress plugin that comes directly from WordPress. It turned out that the vulnerability had been introduced into it by an employee of Automattic, the company closely associated with WordPress. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files, and from there they could do whatever else they want, as that would give them the ability to run arbitrary code on the website. That is a type of scenario WordPress security plugins could and should have the capability to protect against.

Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of reviews of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have an incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario.

24 Oct 2022

BBQ Firewall vs Wordfence Security

Looking at Google’s Search Console stats for our website showed that a lot of people were coming to our website searching for “BBQ Firewall vs Wordfence”, despite us not having a page comparing the two WordPress security plugins. It doesn’t look like anyone else has done a comparison, so it seems like that would be useful to provide.

The most important thing to know about WordPress firewall plugins is the amount of protection they offer against real threats, but we are somehow the only ones doing testing that would measure that. A lot of the things that WordPress security plugins claim to protect against are not really threats. What is a real threat is vulnerabilities in other plugins being exploited, and that is something that firewall plugins can provide protection against. The developers of BBQ Firewall and Wordfence Security make it sound like they provide strong protection against those vulnerabilities, but in reality they don’t do a very good job.

13 Sep 2022

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer is aware of it. One of the implications of that is that keeping a website’s plugins up to date won’t always protect websites from being hacked through vulnerabilities in them. So this is the type of situation where a security plugin, like iThemes Security, could provide protection beyond keeping plugins up to date. If any security plugin should be able to do that, it should be iThemes Security if you believe their marketing, as they claim it is the best:

The Best WordPress Security Plugin to Secure & Protect WordPress

7 Jun 2022

Only Two WordPress Security Plugins Prevented Exploitation of Vulnerability in Security Plugin WP Cerber

Security plugins for WordPress are supposed to help protect websites from being hacked, but not only do most of them not do a good job of that, they often introduce security vulnerabilities of their own. Like most vulnerabilities in WordPress plugins, the security vulnerabilities in security plugins often are not too serious. That wasn’t the case with a vulnerability disclosed in February in the security plugin WP Cerber, which has 200,000+ active installations according to WordPress.

The vulnerability, credited to Krzysztof Zając, allowed an attacker to cause malicious JavaScript to be loaded on one of the plugin’s admin pages. That is a type of vulnerability that hackers have been known to exploit. Troublingly, but in line with the plugin itself having such a serious vulnerability, the developer didn’t disclose in the changelog or on their website that there had been a vulnerability or that it had been fixed.

2 Dec 2021

Hackers Won’t be Blocked From Trying to Upload This to Your WordPress Website by Other Firewall Plugins

Two months ago we did testing that showed that WordPress security plugins didn’t protect against exploitation of vulnerabilities that involved sending user input containing PHP code as raw POST data that would be read in PHP from php://input. At the time, we improved our new Plugin Vulnerabilities Firewall to address that type of exploit. Based on the results of our automated testing, none of the other firewall plugins for WordPress have followed our lead and added protection against this in the subsequent two months.

Today our firewall stopped multiple attempts to exploit this type of issue on our website. These attempts would have failed anyway, since they involved trying to exploit software not on our website, but the attempts and the firewall’s logging gave us a chance to see what the hacker was trying to do.

24 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

23 Nov 2021

No WordPress Security Plugin Stopped Exploitation of Vulnerability That Disables Them

Last week, GoDaddy’s web security subsidiary Sucuri released a strange post about some WordPress websites being hacked. The post discussed a situation involving a WordPress plugin that they confusingly described as both “bogus” and “legitimate”. The plugin, Directorist, had multiple security vulnerabilities fixed the day before that post was released, which might explain the hacking mentioned in the post. Sucuri, though, attributed it to compromised login credentials, despite their post indicating they hadn’t done the basic checking that should have been done before making that attribution.

While reviewing the changes made to the plugin, we noticed that among the vulnerabilities fixed in that new version, 7.0.6.1, were ones that would have allowed an attacker logged in to WordPress to deactivate or delete arbitrary plugins.

10 Nov 2021

Wordfence Premium Fails to Protect Against Another “Critical” Privilege Escalation Vulnerability

On Monday we noted finding that the Wordfence Security plugin and the Wordfence Premium service failed to provide protection against a “critical” privilege escalation vulnerability, contrary to Wordfence’s marketing.

In response to that, someone on Reddit said this of Wordfence:

8 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against “Critical” Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked.

27 Oct 2021

BBQ Firewall Doesn’t Provide Better Performance in Exchange for Poor Protection

About a month ago we discussed why the WordPress security plugin BBQ Firewall wasn’t, as claimed by the developer, a “strong firewall”. In the most recent run of our automated testing of WordPress firewall plugins, we found that it only provides protection against 5 percent of the items tested. So you are not getting much protection from the plugin, but what led us to take a closer look at the plugin last month was someone mentioning they used it because it is “fast and lightweight”, which is a claim that the developer also makes:

Lightweight, fast and flexible