Login

Tag Archives: Security Ninja

Plugin Security Scorecard Grade for Security Ninja

Checked on April 1, 2025
F

See issues causing the plugin to get less than A+ grade

9 Aug 2024

Freemius Still Hasn’t Resolved All the Security Issues in Their SDK Library

In a blog post last year, Freemius bizarrely criticized us for not working with them to fix vulnerabilities in their library that ships with many WordPress plugins, while linking to a post from the year before where they admitted to having been the ones refusing to work with us. The post last year revolved around them belatedly addressing a security issue that we had tried to address with them the year before. They also criticized us for publicly disclosing vulnerabilities we had discovered during a security review of a plugin using it, instead of allowing competitors to disclose them instead. (In a previous incident, they accused us of full disclosure of a vulnerability, despite us only knowing about it because it had already been exploited and fixed.) In both posts they derisively referred to those in the security industry as “trolls”. That type of behavior shouldn’t be acceptable in the WordPress community.

Unsurprisingly, considering Freemius’ abusive attitude towards the security industry and their unwillingness to take responsibility for their continued poor handling with security, they still haven’t gotten all the security issues resolved related to what we brought up with them two years ago. [Read more]

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a vulnerability of a type, persistent cross-site scripting (XSS), that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

6 Nov 2023

Latest WordPress Plugin to Include Firewall Provides Almost No Protection Against Zero-Days

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities being exploited before the developer or others know about them, that our plugin offers isn’t broken as we make changes to the plugin. Once we started developing that, we realized that could be repurposed to test to see if other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of that against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

This month we added a new plugin to our test set. The name of the plugin is Advanced Google reCAPTCHA, which doesn’t sound like it should be a relevant plugin to such testing. But as is often the case with WordPress plugins, developers add features that seem unrelated to the main purpose of the plugin. In this case, firewall functionality was added to the plugin, despite the developer already providing another plugin, Security Ninja, which is supposed to have a firewall (but doesn’t have one). [Read more]

30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website. [Read more]

13 Mar 2023

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, who all claim to have teams of experts reviewing vulnerabilities in WordPress plugins, claiming that the vulnerability had been fixed three months before that. The moderators of the WordPress Support Forum made the situation worse by deleting an early indication of the problem in the form a message complaining about a website being hacked because of the plugin.

The developer of the plugin promptly fixed the vulnerability once we advised them that it still existed. They then went further than other plugin developers usually do when a plugin has had an exploited vulnerability and got a security review done to ensure the plugin was now properly secured. [Read more]

6 Mar 2023

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things they said in their post that are rather problematic.

One of them was that they were claiming to have responsibly disclosed the vulnerability, while also contradicting that. According to their post, the day before they notified the developer of the plugin about the vulnerability, they were already selling access to information about exploiting the vulnerability through their Wordfence Premium service. That isn’t responsible disclosure and any hacker willing to pay for the service could have started exploiting this before the developer was even notified about it. Wordfence’s paying customers would have been protected from it at the time, but others would not without having some other security in place. [Read more]

8 Feb 2023

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability discovered by Lana Codes involved the plugin’s functionality to email a one-time password for logging in to WordPress. The problem with the functionality is that it didn’t just email the password, it also sent it back as part of the response from the request to have it emailed. So an attacker could submit the request to have that emailed for a WordPress user’s account, get the password that was only supposed to be emailed, and then log in to that account.

Trying to prevent an information disclosure issue like this would be difficult for a WordPress security plugin without being aware of the particular vulnerability, as it would have to realize that something that shouldn’t be disclosed is being disclosed, so it would be unlikely that a security plugin would provide protection. Our own firewall plugin, Plugin Vulnerabilities Firewall, doesn’t have protection against such a situation, but we are always looking to see how we might be able to expand its protection, so we were curious to see if any other plugins provided protection. [Read more]

26 Oct 2022

Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced in to a WordPress plugin that comes directly from WordPress. It turned out that vulnerability had been introduced in to it by an employee of the company closely associated with WordPress, Automattic. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files and then from there they could do whatever else they want, as that would give them the ability to run arbitrary code on the website. That is a type of scenario WordPress security plugins could and should have a capability to protect against.

Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of review of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario. [Read more]

14 Oct 2022

The “Mark Zahra” Problem That the WordPress Community Deals With

The poor treatment of WordPress plugin developers by those in control of WordPress has recently gotten attention because of an odd, largely unexplained, situation involving removing a chart showing the install growth of plugins on their WordPress Plugin Directory pages.

One of the people that was prominently featured in the discussion over that was someone named Mark Zahra. He seems like a good example of an all too common archetype in the WordPress space. That would be someone who conflates things being done that benefit their own business interests with what is in the interest of the wider WordPress community and pushes an overly positive view of the community. That overly positive view contrasts with those people’s own behavior, which is harmful to others in the community who are actually focused on the interests of the wider community. One of his tweets gives a good flavor of what that looks like in 280 characters or less: [Read more]

13 Sep 2022

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer is aware of it. One of the implications of that is that keeping a website’s plugins up to date won’t always protect websites from being hacked through vulnerabilities in them. So this is the type of situation where a security plugin, like iThemes Security, could provide protection beyond keeping plugins up to date. If any security plugins should be able to do that, it should be iThemes Security if you believe their marketing, as they claim it is the best:

The Best WordPress Security Plugin to Secure & Protect WordPress [Read more]