
Some WordPress Firewall Plugins Provide No Zero-Day Protection Without Additional Configuration

via pluginvulnerabilities.com => original post link

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software lets us make sure that the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing it, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations.

Usually, we do that testing with the plugins configured to provide the most protection. That way, developers or anyone else can’t claim that we have made those plugins look bad by not enabling a feature, but it can mean that our testing could overstate the protection that the average user of the plugins is receiving. In some cases, configuring the plugins as recommended by the developer leads to significantly less protection. So we were curious to see what the results for the best performing plugins were going in the opposite direction, when the plugin is simply activated and no additional configuration is done.