8 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against “Critical” Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

27 Oct 2021

BBQ Firewall Doesn’t Provide Better Performance in Exchange for Poor Protection

About a month ago we discussed why the WordPress security plugin BBQ Firewall wasn’t, as claimed by the developer, a “strong firewall”. In the most recent run of our automated testing of WordPress firewall plugins, we found that it only provides protection against 5 percent of the items tested. So you are not getting much protection from the plugin, but what led us to take a closer look at the plugin last month was someone mentioning they used it because it is “fast and lightweight”, which is a claim that the developer also makes:

Lightweight, fast and flexible [Read more]

26 Oct 2021

Wordfence Security Fails To Protect Against Exploitation of Vulnerability Through PHP Input Stream

On September 23, exploit code for an arbitrary file upload vulnerability in the WordPress plugin 3DPrint Lite was released. That is a type of vulnerability that is highly likely to be exploited. While reviewing it to confirm there was indeed a vulnerability that we should add to the data set for our service, we noticed a notable element of the underlying code. There were two ways that the file being uploaded could be sent with the request, and our then upcoming WordPress firewall plugin, Plugin Vulnerabilities Firewall, only provided protection against common exploitation through one of them. We updated our plugin to protect against the other as well; it turns out that the Wordfence Security plugin hasn’t been updated to do so.

The vulnerable code in the plugin is in the function p3dlite_handle_upload(), which was made accessible through WordPress’ AJAX functionality to those logged in to WordPress as well as those not logged in: [Read more]

26 Oct 2021

Wordfence Security More Than Doubles Peak Memory Usage Over WordPress By Itself

A recent review of the Wordfence Security plugin noted it slowed down server response time. That shouldn’t be a controversial claim, as any WordPress firewall plugin will necessarily slow down server response times: it causes more code to load and run before WordPress runs, whenever a page is not served from a cache. The response from a Wordfence employee didn’t acknowledge that, instead claiming there must be a problem on the reviewer’s end:

You mentioned testing on 3 different servers, but I am curious about what sort of servers they are. If you’re seeing any sort of issues, we would like to take a look at what might be causing the problems in our support forum, which I had provided to you already. [Read more]

5 Oct 2021

WordPress Security Plugins Failed to Protect Against Arbitrary File Upload Vulnerability Using Raw POST Data

On September 23, exploit code for an arbitrary file upload vulnerability in the WordPress plugin 3DPrint Lite was disclosed. With that type of vulnerability, the question isn’t whether it will be exploited, but how long until it happens. By the next day, we were already seeing what looked to be hackers probing for usage of the plugin.

In looking over the vulnerable code, we noticed that there were two ways the data for the file being uploaded could be sent with an exploit attempt. One was as a file sent with the request, and the other was as raw POST data that can be read in PHP from php://input: [Read more]
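The two delivery channels described in this post and in the 26 Oct post above (a file sent with the request, or the raw body read from php://input) are what a firewall has to cover. The following is an added example, not code from either post, from 3DPrint Lite or from any of the firewall plugins discussed: a firewall-style check that inspects both channels. All function and constant names are this example's own, and the `$declared_name` parameter assumes the upload handler takes the file name from a separate request parameter when the body is raw.

```php
<?php
// Added example, not code from the original posts or from any plugin they
// discuss. A firewall-style check that inspects BOTH channels a file upload
// can use: a multipart upload surfaced in $_FILES, and a raw request body read
// from php://input. All names here are this example's own.

const PVF_BLOCKED_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'phps'];

/** True if any dot-separated segment of the name is a PHP extension (catches "shell.php.jpg"). */
function pvf_name_is_blocked(string $name): bool {
    $segments = array_slice(explode('.', strtolower(basename($name))), 1);
    return (bool) array_intersect($segments, PVF_BLOCKED_EXTENSIONS);
}

/** True if a PHP open tag appears anywhere in the content. */
function pvf_content_is_php(string $content): bool {
    return preg_match('/<\?(php|=)/i', $content) === 1;
}

/**
 * Collect every (name, content) pair an upload handler could end up writing.
 * $files mirrors $_FILES, $raw_body mirrors file_get_contents('php://input'),
 * $declared_name is whatever request parameter the handler uses for the file
 * name when the body is raw (assumption: the handler takes one at all).
 */
function pvf_collect_upload_candidates(array $files, string $raw_body, string $content_type, string $declared_name): array {
    $candidates = [];
    foreach ($files as $field => $file) {
        $content = '';
        if (!empty($file['tmp_name']) && is_readable($file['tmp_name'])) {
            $content = (string) file_get_contents($file['tmp_name']);
        }
        $candidates[] = ['source' => "\$_FILES[$field]", 'name' => (string) ($file['name'] ?? ''), 'content' => $content];
    }
    // php://input is empty for multipart/form-data requests (PHP consumes the
    // stream to build $_POST and $_FILES), so the raw body only matters for
    // other content types, and a check that only looks at $_FILES misses it.
    if ($raw_body !== '' && stripos($content_type, 'multipart/form-data') === false) {
        $candidates[] = ['source' => 'php://input', 'name' => $declared_name, 'content' => $raw_body];
    }
    return $candidates;
}

/** Returns the reason the request should be blocked, or null to allow it. */
function pvf_check_upload_request(array $files, string $raw_body, string $content_type, string $declared_name): ?string {
    foreach (pvf_collect_upload_candidates($files, $raw_body, $content_type, $declared_name) as $c) {
        if (pvf_name_is_blocked($c['name'])) {
            return "blocked: PHP extension in file name '{$c['name']}' via {$c['source']}";
        }
        if (pvf_content_is_php($c['content'])) {
            return "blocked: PHP code in upload body via {$c['source']}";
        }
    }
    return null;
}

// --- Constructed sample requests (not real traffic) -------------------------
$tmp = tempnam(sys_get_temp_dir(), 'pvf');
file_put_contents($tmp, "<?php system(\$_GET['c']); ?>");

// Channel 1: the web shell arrives as a multipart upload.
$multipart = ['file' => ['name' => 'shell.php', 'tmp_name' => $tmp, 'error' => 0]];
var_dump(pvf_check_upload_request($multipart, '', 'multipart/form-data; boundary=x', ''));

// Channel 2: the same payload as a raw body, with an innocuous declared name.
var_dump(pvf_check_upload_request([], "<?php system(\$_GET['c']); ?>", 'application/octet-stream', 'model.stl'));

// A benign raw body (an ASCII STL model) is allowed through.
var_dump(pvf_check_upload_request([], "solid cube\nendsolid cube\n", 'application/octet-stream', 'model.stl'));
unlink($tmp);
```

The first two calls return a block reason (one naming `$_FILES[file]`, one naming `php://input`) and the third returns null. The design point is the second call: a firewall that only walks `$_FILES` never sees that request, because nothing in it is a multipart upload. Inside a WordPress plugin the same check would run early (for example on `init`, before the `wp_ajax_*` handlers fire) with `$_FILES`, `file_get_contents('php://input')` and `$_SERVER['CONTENT_TYPE']` passed in.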

27 Sep 2021

WordPress Security Plugins Failed to Protect Against Vulnerability When Using Gutenberg Editor

In WordPress 5.0, which was released in December 2018, a new editor was introduced, known as the block editor or Gutenberg. In our latest test of WordPress security plugins to see if they can protect against vulnerabilities, we found that no plugin provided protection against a vulnerability when it was exploited through that editor. Further testing confirmed that two of the plugins that would likely provide protection against that type of vulnerability did so when the Classic editor was used. The other plugin that would likely provide protection didn’t provide it even with the Classic editor, but further testing confirmed that it too fails to provide with the Gutenberg editor protection it does provide with the Classic editor.

The type of vulnerability used in the test is being found in WordPress plugins quite often recently. It is an authenticated persistent cross-site scripting (XSS) vulnerability caused by a lack of proper security handling of shortcode attributes. That would allow an attacker to cause arbitrary JavaScript code to run on frontend pages of the website. These are not a serious issue, since the attacker would need to be able to generate content that includes a shortcode, which would normally require access to a WordPress account that can create a post. Making those more of a concern, though, is that we have been finding recently that developers are failing in their attempts to fix them, as we found, for example, with a plugin with 200,000+ installs. [Read more]
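To make the vulnerability class concrete, here is an added example (not code from the post, from the 200,000+ install plugin it mentions, or from any of the tested firewall plugins). It uses a made-up shortcode, `[pv_button]`, with made-up attribute names, and shows the unescaped handler, the kind of incomplete fix that still fails, and a fixed handler. The `shortcode_atts()`, `esc_html()` and `esc_url()` stand-ins exist only so the file runs outside WordPress; the `esc_url()` stand-in is a simplification of the real function.

```php
<?php
// Added example, not code from the original post or from any plugin it
// discusses. Three handlers for a made-up shortcode, [pv_button], show the
// attribute-handling mistake the post describes and why a partial fix fails.
// The shortcode name and attribute names are this example's own.

// Minimal stand-ins so the file runs outside WordPress; inside WordPress the
// real shortcode_atts(), esc_html() and esc_url() are used instead.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $defaults, array $atts): array {
        return array_merge($defaults, array_intersect_key($atts, $defaults));
    }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in: allow http(s) and relative URLs only, then escape.
    function esc_url(string $url): string {
        if (!preg_match('#^(https?://|/|\#)#i', $url)) { return ''; }
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
}

/** Vulnerable: attribute values go into the HTML untouched. */
function pv_button_vulnerable(array $atts): string {
    $a = shortcode_atts(['url' => '#', 'label' => 'Click'], $atts);
    return '<a class="pv-button" href="' . $a['url'] . '">' . $a['label'] . '</a>';
}

/** Incomplete fix: strip_tags() removes <script>, but a double quote still
 *  closes the href attribute, and a javascript: URL has no tags to strip. */
function pv_button_partial_fix(array $atts): string {
    $a = shortcode_atts(['url' => '#', 'label' => 'Click'], $atts);
    return '<a class="pv-button" href="' . strip_tags($a['url']) . '">' . strip_tags($a['label']) . '</a>';
}

/** Fixed: escape for the context each value lands in (URL attribute vs. text node). */
function pv_button_fixed(array $atts): string {
    $a = shortcode_atts(['url' => '#', 'label' => 'Click'], $atts);
    return '<a class="pv-button" href="' . esc_url($a['url']) . '">' . esc_html($a['label']) . '</a>';
}

if (function_exists('add_shortcode')) {
    add_shortcode('pv_button', 'pv_button_fixed');
}

// Constructed attacker input, as an author-level user could place it in a post:
// [pv_button url='" onmouseover="alert(1)' label="<script>alert(1)</script>"]
$attack = ['url' => '" onmouseover="alert(1)', 'label' => '<script>alert(1)</script>'];
echo pv_button_vulnerable($attack), "\n";   // script tag and event handler both survive
echo pv_button_partial_fix($attack), "\n";  // script tag gone, onmouseover handler still injected
echo pv_button_fixed($attack), "\n";        // URL rejected by the scheme check, label rendered as text
```

The partial fix is the pattern to watch for when reviewing a vendor's patch: filtering for tags does nothing about an attacker who never needs a tag, because the quote that terminates the attribute is enough to inject an event handler. On the editor point, one observation of this editor's, not a finding the post states: the block editor saves post content as a JSON body through the REST API, while the Classic editor submits a form-encoded `content` field, so a firewall that only decodes form fields would never see the shortcode in a block editor save.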

20 Sep 2021

Wordfence Security Performance Penalty Continues to be Much Higher Than Other WordPress Firewall Plugins

As part of developing our upcoming WordPress firewall plugin, we have tested out WordPress security plugins against real vulnerabilities in other plugins to see what, if any, protection they offer. The results so far have been bad, but not surprising based on previous testing we did in 2016, as back then and now we found that most plugins provided no protection. In the testing so far, only two plugins in addition to ours have provided much protection, those being NinjaFirewall and Wordfence Security.

Having the capability to protect against vulnerabilities is the most important aspect for a firewall plugin, but it isn’t the only one. With one of those two, Wordfence Security, it isn’t hard to find claims that it creates performance problems. We did a previous round of testing about a month ago and found that those claims seemed to be justified, as it not only causes considerable slowdown, but a much higher slowdown than our plugin and NinjaFirewall. [Read more]

17 Aug 2021

NinjaFirewall Only WordPress Security Plugin to Provide Any Protection Against Exploitation of Unfixed Privilege Escalation Vulnerability

On July 22 a new version of the WordPress plugin uListing was released with a very concerning changelog entry:

  • fixed: Unauthenticated Privilege Escalation for Registration

In looking into that, we found that it referred to restoring a security check that had been removed in an earlier version. That a security check existed and was then removed is a bad sign for the security of the plugin, but it gets worse. While looking into that, we found that the change only addressed part of the privilege escalation issue in the plugin, and the new version didn’t address the other part. We contacted the developer the same day, asking how we could report that to them. They only got back to us on Friday, though hopefully that can be resolved soon. [Read more]

16 Aug 2021

Wordfence Security Performance Penalty Much Higher Than Other WordPress Firewall Plugins

As part of developing our upcoming WordPress firewall plugin, we have tested out WordPress security plugins against real vulnerabilities in other plugins to see what, if any, protection they offer. The results so far have been bad, but not surprising based on previous testing we did in 2016, as back then and now we found that most plugins provided no protection. In the testing so far, only two plugins in addition to ours have provided much protection, those being NinjaFirewall and Wordfence Security.

Having the capability to protect against vulnerabilities is the most important aspect for a firewall plugin, but it isn’t the only one. With one of those two, Wordfence Security, it isn’t hard to find claims that it creates performance problems. Take this recent topic in the plugin’s support forum on wordpress.org: [Read more]

13 Aug 2021

Only Two WordPress Security Plugins Prevented Enabling User Registration Through Unfixed Option Update Vulnerability

As part of developing our upcoming firewall plugin for WordPress, we have implemented a feature to limit a hacker’s ability to exploit option update vulnerabilities. That is a type of vulnerability that allows a hacker to change arbitrary WordPress settings (options). This is a capability that has existed in the plugin NinjaFirewall for some time. Unfortunately, as we confirmed a couple of years ago, the developer overstated what was possible with it, claiming that it protected against that type of vulnerability, without qualification, when that wasn’t true. In reality, we found that it provided some protection, but not only was it limited in scope, it turned out the protection was easy to bypass by changing the option holding the plugin’s own settings, possibly because the protection was not fully thought through or because no offensive testing had been done.

To make our feature as useful as possible, as many as possible of the options that might be of interest to mass hackers should be restricted from being changed if the request to change them is not coming from a user with the manage_options capability. Finding out what existing security plugins were providing this type of protection would be helpful in doing that. Through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, we spotted an authenticated variant of that type of vulnerability in a plugin in May. That vulnerability still hasn’t been fixed as of version 1.8.2.6, which was released yesterday. [Read more]
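The restriction described above (refuse changes to high-value options unless the request comes from a user with manage_options, and make sure the firewall's own settings option is on the protected list so the bug cannot be used to switch the protection off) can be built on WordPress's `pre_update_option` filter. The following is an added example, not code from the post, from the Plugin Vulnerabilities Firewall plugin or from NinjaFirewall. The option list, the function names, the `pvf_settings` option name and the `pvf_blocked_option_update` action name are this example's assumptions; it is written to run as a must-use plugin inside WordPress.

```php
<?php
// Added example, not code from the original post, from its authors' firewall
// plugin or from NinjaFirewall. Refuses changes to a list of high-value
// options unless the current user has manage_options. Option list and all
// pvf_* names are this example's assumptions. Drop into wp-content/mu-plugins/.
defined('ABSPATH') || exit;

// Options a mass attacker would go for: open registration and the role new
// accounts get, the admin e-mail used for password resets, the site's URLs,
// and the active plugins/theme (a route to loading attacker-controlled code).
function pvf_protected_options(): array {
    return [
        'users_can_register', 'default_role', 'admin_email',
        'siteurl', 'home',
        'active_plugins', 'template', 'stylesheet',
        // The firewall's own settings MUST be on this list; otherwise the same
        // option-update bug can be used to turn the protection off, which is
        // the bypass the post describes.
        'pvf_settings',
    ];
}

/**
 * Hooked on 'pre_update_option'. Returning $old_value makes update_option()
 * see "no change" and skip the database write, which is how the update is
 * refused without throwing.
 */
function pvf_guard_option_update($value, string $option, $old_value) {
    if (!in_array($option, pvf_protected_options(), true)) {
        return $value;
    }
    // Background contexts have no logged-in user; do not block core's own
    // housekeeping there (WP-CLI runs and cron jobs).
    if ((defined('WP_CLI') && WP_CLI) || wp_doing_cron()) {
        return $value;
    }
    if (current_user_can('manage_options')) {
        return $value;
    }
    // Hypothetical action so a logging component can record the blocked change.
    do_action('pvf_blocked_option_update', $option, $value);
    return $old_value;
}
add_filter('pre_update_option', 'pvf_guard_option_update', 10, 3);
```

Two limits worth knowing before relying on something like this. First, `update_option()` is the only path covered: `add_option()` has no pre-filter (only an `add_option` action fired after the value is sanitized), so an option that does not exist yet, the firewall's own settings before their first save for instance, can still be created by the vulnerable code, and `delete_option()` likewise only fires an action. Second, the check is capability based, not nonce based, so it stops a vulnerability that lets a low-privileged user change options but does nothing for a CSRF against an administrator; that needs `check_admin_referer()` in the vulnerable plugin itself.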