4 Aug 2022

Shield Security’s Firewall Has Now Been Broken for 3 Months

When it comes to WordPress security plugins, the developers are often much better at marketing them than they are at security. Hence, these plugins are widely used despite failing to provide much, if any, protection. The developer of the Shield Security plugin markets their plugin with criticism of competing plugins’ marketing:

It’s time to stop our obsession with malware. Malware scanning is important after you’re hacked. Get a security plugin that prioritises security protection before “malware marketing”. [Read more]

7 Jul 2022

The All In One WP Security & Firewall Plugin Provides Little Firewall Protection With Recommended Settings

When we test WordPress security plugins to see what protection, if any, they provide against vulnerabilities in other plugins, we try to enable any options that will cause them to provide all the protection they could possibly offer. A downside of that approach is that it doesn’t necessarily give a good indication of how much protection they provide in the real world, as the average website might not have enabled the options that provide that protection. Testing we just did with one of the most popular WordPress security plugins, All In One WP Security & Firewall, which has 1+ million installs, highlights that. What we found was that most of the protection it can provide is not only not enabled by default, but the developer recommends against using the option that provides it.

To see how our own WordPress firewall plugin is doing compared to other plugins, we do automated testing to see if they provide protection against the same threats that our firewall blocks. A benefit of that testing approach is that it is easy to test many plugins or to test a plugin with various different settings combinations. [Read more]

7 Jun 2022

Only Two WordPress Security Plugins Prevented Exploitation of Vulnerability in Security Plugin WP Cerber

Security plugins for WordPress are supposed to help protect websites from being hacked, but not only do most of them not do a good job of that, they often introduce security vulnerabilities of their own. Like most vulnerabilities in WordPress plugins, the security vulnerabilities in security plugins are often not too serious. That wasn’t the case with a vulnerability disclosed in February involving the security plugin WP Cerber, which has 200,000+ active installations according to WordPress.

The vulnerability, credited to Krzysztof Zając, allowed an attacker to cause malicious JavaScript to be loaded on one of the plugin’s admin pages. That is a type of vulnerability that hackers have been known to exploit. Troublingly, but in line with the plugin itself having such a serious vulnerability, the developer didn’t disclose in the changelog or their website that there had been a vulnerability or that it had been fixed. [Read more]

22 Dec 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Possibly Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

24 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

23 Nov 2021

No WordPress Security Plugin Stopped Exploitation of Vulnerability That Disables Them

Last week, GoDaddy’s web security subsidiary Sucuri released a strange post about some WordPress websites being hacked. The post discussed a situation involving what they confusingly described as both a “bogus” and a “legitimate” WordPress plugin. The plugin, Directorist, had multiple security vulnerabilities fixed the day before that post was released, which might explain the hacking mentioned in the post. Sucuri, though, attributed it to compromised login credentials, despite their post indicating they hadn’t done the basic checking that should have been done before making that attribution.

While reviewing the changes being made to the plugin, we noticed that among the vulnerabilities fixed in that new version, 7.0.6.1, were ones that would have allowed an attacker logged in to WordPress to deactivate or delete arbitrary plugins. [Read more]

10 Nov 2021

Wordfence Premium Fails to Protect Against Another “Critical” Privilege Escalation Vulnerability

On Monday we noted finding that the Wordfence Security plugin and the Wordfence Premium service failed to provide protection against a “critical” privilege escalation vulnerability, running contrary to Wordfence’s marketing.

In response to that, someone on Reddit said this of Wordfence: [Read more]