Disabled Protection in WordPress Firewall Plugin With Only 10+ Installs Provides 5th Best Zero-Day Protection

via pluginvulnerabilities.com => original post link

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software lets us make sure that the default protection our plugin offers against zero-days, vulnerabilities that are being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing it, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started doing a monthly run of that testing against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

This month we added a new plugin to our test set: Anti-Hacker. It has been available on the WordPress Plugin Directory since June, but we only ran across it now. Hardly anyone else seems to have run across it either, as it has only 10+ installs. The marketing makes plenty of impressive claims but provides no evidence to back them up. The developer claims it provides protection against “XSS, SQL Injection, PHP Injection, CMD Injection and Transversal Directory” vulnerabilities. The problem we found when we went to add it to our testing system is that it isn’t possible to enable that protection, as the settings checkbox for it is disabled.