Security Plugin Testing

One of the Best Performing WordPress Firewall Plugins Protection is No More

Posted on 30 April 2024 by

The results of our testing to see how much of the protection our WordPress firewall plugin provides that other WordPress security plugins also offer shows how little connection there is between the popularity of WordPress security plugins and security they Continue reading One of the Best Performing WordPress Firewall Plugins Protection is No More→

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

Posted on 2 January 2024 by

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that Continue reading Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin→

How WordPress Firewall Plugins Could Have Stopped Recently Fixed Vulnerability in Elementor

Posted on 12 December 2023 by

Last week, we took a look at the first and second attempt to fix an authenticated arbitrary file upload vulnerability in the 5+ million install WordPress plugin Elementor. With a situation like that, one of the questions for security providers Continue reading How WordPress Firewall Plugins Could Have Stopped Recently Fixed Vulnerability in Elementor→

Disabled Protection in WordPress Firewall Plugin With Only 10+ Installs Provides 5th Best Zero-Day Protection

Posted on 4 December 2023 by

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities Continue reading Disabled Protection in WordPress Firewall Plugin With Only 10+ Installs Provides 5th Best Zero-Day Protection→

WordPress Firewall Plugins Protect Against Vulnerability Without Rule Needed for Wordfence Security To Do That

Posted on 20 November 2023 by

Last week, we noted that the marketing for the Wordfence Security plugin was promoting its firewall as being the industry leader, despite that not being supported by them with anything whatsoever and objective testing showing that being far from the Continue reading WordPress Firewall Plugins Protect Against Vulnerability Without Rule Needed for Wordfence Security To Do That→

Combining WordPress Security Plugins Doesn’t Provide Better Protection Than One Better Plugin

Posted on 16 November 2023 by

It isn’t uncommon to see people asking the developers of WordPress security plugins if they can be used alongside another security plugin. That often seems like an odd question, as the two plugins being asked about are all-in-one security plugins Continue reading Combining WordPress Security Plugins Doesn’t Provide Better Protection Than One Better Plugin→

Latest WordPress Plugin to Include Firewall Provides Almost No Protection Against Zero-Days

Posted on 6 November 2023 by

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities Continue reading Latest WordPress Plugin to Include Firewall Provides Almost No Protection Against Zero-Days→

3 WordPress Firewall Plugins Stop Recent Widely Exploit Vulnerability in tagDiv Composer Plugin

Posted on 16 October 2023 by

Last week there were a spate of largely unhelpful new stories run about websites getting hacked through an already fixed vulnerability in a WordPress plugin not available through the WordPress Plugin Directory, tagDiv Composer. There is a lot that could Continue reading 3 WordPress Firewall Plugins Stop Recent Widely Exploit Vulnerability in tagDiv Composer Plugin→

Wordfence Security Increases Protection in October Test of WordPress Security Plugins’ Zero-Day Protection

Posted on 10 October 2023 by

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities Continue reading Wordfence Security Increases Protection in October Test of WordPress Security Plugins’ Zero-Day Protection→

NinjaFirewall Joins Plugin Vulnerabilities Firewall in Providing Protection Against WordPress User Deletion Vulnerabilities

Posted on 30 August 2023 by

One of the ways we measure how much protection that WordPress security plugins provide against the real threat of vulnerabilities in other WordPress plugins, is to run software we have designed to make sure that our own firewall plugin’s protection Continue reading NinjaFirewall Joins Plugin Vulnerabilities Firewall in Providing Protection Against WordPress User Deletion Vulnerabilities→

Some WordPress Firewall Plugins Provide No Zero-Day Protection Without Additional Configuration

Posted on 6 July 2023 by

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities Continue reading Some WordPress Firewall Plugins Provide No Zero-Day Protection Without Additional Configuration→

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Posted on 30 June 2023 by

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping Continue reading NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day→

6G Firewall Rules in All-In-One Security (AIOS) WordPress Plugin Don’t Provide Effective Protection

Posted on 26 June 2023 by

In version 5 of the WordPress security plugin All-In-One Security (AIOS) an update was made to its firewall functionality, which implemented “6G firewall rules in the new PHP-based firewall.” Someone posted on the support forum for the plugin requesting to Continue reading 6G Firewall Rules in All-In-One Security (AIOS) WordPress Plugin Don’t Provide Effective Protection→

WordPress Firewall Plugins Are Barely Improving the Zero-Day Protection They Offer

Posted on 16 June 2023 by

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities Continue reading WordPress Firewall Plugins Are Barely Improving the Zero-Day Protection They Offer→

WordPress Firewall Plugins Lack Protection Against Arbitrary User Deletion Vulnerabilities

Posted on 7 June 2023 by

Last week, we ran across a vulnerability in a WordPress plugin that would allow an attacker to delete all the website’s WordPress user accounts, which would be nasty if exploited by an attacker. The ability to easily exploit the vulnerability Continue reading WordPress Firewall Plugins Lack Protection Against Arbitrary User Deletion Vulnerabilities→

Wordfence Security Returns to Third Place in May Test of WordPress Security Plugins’ Zero-Day Protection

Posted on 1 May 2023 by

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated that; we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started Continue reading Wordfence Security Returns to Third Place in May Test of WordPress Security Plugins’ Zero-Day Protection→

BBQ Firewall Also Fails to Prevent SQL Injection Attack

Posted on 17 March 2023 by

In November, we wrote about how reviews for a WordPress security plugin were claiming that it protected against SQL injection, but testing showed it didn’t. A new review for another plugin, BBQ Firewall, which we happened across, made the same Continue reading BBQ Firewall Also Fails to Prevent SQL Injection Attack→

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

Posted on 13 March 2023 by

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, Continue reading Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability→

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Posted on 6 March 2023 by

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things Continue reading Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It→

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

Posted on 8 February 2023 by

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability discovered by Lana Codes involved the plugin’s functionality to email a one-time password for logging Continue reading WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability→