10 Sep 2024

Positive Reviews of WordPress Security Plugin Are Contradicted by Falling Install Count

In June of last year, the WordPress security plugin Solid Security had 1+ million active installations according to data on the WordPress website. Currently, the install count is down to 800,000+ installs. That is a pretty dramatic drop in the install count of the plugin in 15 months. If the bolded claim at the top of the plugin’s description on the WordPress Plugin Directory, “Reduce your WordPress website’s risk to nearly zero with Solid Security”, were true, that drop would be hard to believe. That claim isn’t true.

With the install count dropping so dramatically, you might reasonably expect there to be plenty of negative reviews of the plugin as well. That isn’t the case. Here are the 30 most recent reviews: [Read more]

27 Aug 2024

Wordfence Security and Solid Security Developers Not Supporting Standard to Avoid Security Problem They Confronted

In a recent post on the WordPress security provider Wordfence’s blog, they were claiming their “mission is to Secure the Web.” If you understand their business model, this rings hollow, as what they offer is built around trying to address the aftereffects of not securing the web. That very blog post also disputes that, as they confronted a well-known problem with better securing plugins and simply ignored the problem. They are not alone, as the situation detailed in the blog post also directly involves another security provider, StellarWP. StellarWP is the developer of Solid Security.

The blog post discusses a situation where Wordfence bought a vulnerability in another plugin from StellarWP, GiveWP. Twice in the post, they note that they failed to successfully communicate with StellarWP about that. First, they wrote this: [Read more]

22 Jul 2024

WordPress Plugin Directory is Allowing Completely Unsupported Extraordinary Claims of Security Plugin Efficacy

For those looking to improve the security of WordPress websites, security plugins are often thought of as an important part of the solution. Just look at the install count of security plugins. What our testing over the years has found is that very popular plugins often fail to provide much protection, if any. That is corroborated by the many complaints by those using those plugins that they failed to provide the promoted protection and websites got hacked. At the same time, there are much less popular plugins that are offering significantly more protection. What seems to be an obvious part of the explanation for this mismatch is that in the WordPress plugin directory, WordPress is allowing developers to make extraordinary claims of efficacy without even putting forward any supporting evidence for the claims. In other fields, this type of thing wouldn’t be allowed, because of the negative impact it has.

Take a plugin named Bad Bot Blocker. Here is the first paragraph of the description on the plugin directory (with our own emphasis): [Read more]

5 Jan 2024

YouTuber Falsely Claims You Can Easily Prevent WordPress Websites From Getting Hacked With Solid Security

When looking for security advice on WordPress websites, one of the problems you face is the number of affiliate marketers posing as your friend. One recent example we ran across of this involved a YouTuber, WPress Doctor. They released a 30-minute video that starts with the claim that “You can easily prevent your WordPress website from getting hacked.” A 30-minute video doesn’t exactly scream easy. Shortly after that, they claim that if you watch the video you can make sure “your website is fully secured and you don’t have to worry again about hackers, ever again.” Easily preventing WordPress websites from getting hacked and being fully secure/never having to worry about hackers is not possible. There are some easy steps that can prevent a lot of hacks, but they won’t prevent all hacks, and even harder-to-do things won’t prevent all the hacks either.

What stood out more is that they were claiming that you can easily do that using the Solid Security plugin. As we noted in November, that is a plugin mainly focused on a non-existent threat. If you watch through the whole video, as we did, the host never shows the plugin actually stopping any hacks. Just this week, we released the results of our latest test to see if security plugins would protect against a vulnerability in another plugin, a major source of hacks. This time it involved a vulnerability of a type that hackers are known to exploit in, of all things, a security plugin. Five security plugins stopped the hack. Solid Security didn’t. In fact, it has never stopped an attack in our testing. That isn’t surprising, since it doesn’t contain the capability to do that. [Read more]

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a vulnerability of a type, persistent cross-site scripting (XSS), that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

1 Dec 2023

Developer of Solid Security Thinks That Their Plugin Shouldn’t Be Easier to Secure Than Chrome Web Browser

This week we have covered plenty of questionable behavior by the developer of the 900,000+ install WordPress security plugin Solid Security, from focusing their plugin on a non-existent threat to responding to the plugin failing to prevent an infection by saying that the plugin is focused on preventing infections, not detecting them. Part of that response was another strange idea. The developer responded to a complaint of a security issue in the plugin by writing this: “While that’s never ideal I believe the speed at which we resolved it is important context to this conversation. Even Chrome experiences security vulnerabilities, but it’s always about the response to these things.”

It’s hard to believe that the developer of a security plugin wouldn’t understand that the complexity of securing a web browser is in no way comparable to a security plugin. It would seem the developer doesn’t have a basic grasp of security. [Read more]

30 Nov 2023

Solid Security vs Wordfence Security

The most important thing to know about WordPress firewall plugins is the amount of protection they offer against real threats, but we are somehow the only ones that do testing that would measure that. A lot of the threats that WordPress security plugins claim to protect against are not really threats. What is a real threat is vulnerabilities in other plugins being exploited, and that is something that firewall plugins can provide protection against. The developers of Solid Security and Wordfence Security make it sound like they provide strong protection against those vulnerabilities, but in reality, they either don’t do a very good job or provide no protection whatsoever.

Recently, the iThemes Security plugin was rebranded as Solid Security. Alongside that came new misleading marketing about what protection it offers. Among those is the claim that “Solid Security shields your site from cyberattacks and prevents security vulnerabilities.” They also have a bolded claim that the plugin will “Reduce your WordPress website’s risk to nearly zero”. [Read more]

29 Nov 2023

Solid Security Firewall Review: It Doesn’t Contain One and Doesn’t Prevent Exploitation of Plugin Vulnerabilities

Recently, the iThemes Security plugin was rebranded as Solid Security. Alongside that came new misleading marketing about what protection it offers. Among those is the claim that “Solid Security shields your site from cyberattacks and prevents security vulnerabilities.” They also have a bolded claim that the plugin will “Reduce your WordPress website’s risk to nearly zero”. Buried in the FAQ, they are distancing themselves from such claims:

No. Solid Security is designed to help improve the security of your WordPress installation from many common attack methods, but it cannot prevent every possible attack. Nothing replaces diligence and good practice. This plugin makes it a little easier for you to apply both. [Read more]

28 Nov 2023

900,000+ Install WordPress Security Plugin Solid Security Focused on Non-Existent Threat

Recently, the WordPress security plugin iThemes Security, less popular than it used to be but still used on at least 900,000 websites, was rebranded as Solid Security. Alongside that came new marketing for the plugin. The previous marketing was not at all honest about what the plugin actually accomplished. The new marketing suggests the plugin is focused on protecting against a non-existent threat to WordPress websites.

In the plugin’s header image on the WordPress Plugin Directory, the developer now emphasizes two things the plugin protects against, brute force attacks and the related user login security (the third only exists in a commercial version and appears not to be an accurate description of what is offered either): [Read more]

26 Sep 2023

Sucuri Security and Solid Security Plugins Won’t Stop Websites From Being Hacked

While looking into some information for a post we were preparing recently, we ran across a promoted testimonial for a security provider named MalCare, coming from the person behind WPCrafter, which is marketed as WordPress tutorials for non-techies. The testimonial begins:

I had been running iThemes, WordFence & Sucuri, but they kept getting hacked. [Read more]