via pluginvulnerabilities.com => original post link
Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.
Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website. [Read more]