Evaluating The Most Popular WordPress Firewalls: How They Fare Against Recent Exploits

Critical File Upload vulnerability in Forminator plugin leaves 500,000 sites vulnerable

WordPress Site Hacked
Active Exploitation
Cory Marsh has over 20 years of Internet security experience. He is a lead developer on the BitFire project and regularly releases PHP security and programming videos on BitFire's YouTube channel.

Testing WordPress plugins against real threats 2023

WordPress security has never been more vital. With an increasing number of attacks and vulnerabilities being reported daily, webmasters need to protect their sites more than ever. One such recent vulnerability targeted the "Forminator 1.24.6" plugin through an unauthenticated PHP file upload. The BitFire team has rigorously tested the most popular WordPress firewalls to assess how well they can block this type of exploit. Our testing procedure utilizes the exploit code published on Exploit-DB on August 4, 2023, reported by WordFence on August 29, 2023.

Watch Exploit on YouTube: RASP protects website from authentication bypass

CVE Details: CVE-2023-4596

WPMU DEV Statement: No statement made or change-log provided

Testing Methodology

All tests were conducted from an AWS micro server, sending the static payload from exploit-db.com, with all security options enabled for each firewall. We used an uploaded PHPSpl0it backdoor for the testing (3 out of 4 hackers prefer PHPSpl0it). The evaluation criteria consisted of seven distinct avenues through which each firewall could block this exploit:

  1. Bot Blocking to prevent connecting to the plugin
  2. Checking the file extension of the uploaded file
  3. Hooking the sanitize_file_name WordPress hook to detect the file rename
  4. Inspecting uploaded files by unauthenticated users for PHP code
  5. Preventing unauthorized writes of PHP files with Stream Wrappers
  6. Block direct script access to php files in /uploads directory
  7. Block final access to the PHPSpl0it command and control server
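As an added example that is not code from BitFire or any of the firewalls tested, the following WordPress mu-plugin shows how a defender could implement avenues #2, #3 and #4 above: it rejects PHP-family file names after the same trailing-character stripping that the ".php_" bypass relies on, and scans the whole uploaded file rather than only a prefix. The hooks and functions called are standard WordPress APIs; the `fwtest_` prefix, the extension list and the chunk size are assumptions of this example.

```php
<?php
// Added example, not code from BitFire or any tested firewall: a WordPress mu-plugin
// covering test avenues #2, #3 and #4 with standard WP hooks; "fwtest_" names are ours.
const FWTEST_PHP_EXTS = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'phps'];

// Tests #2/#3: true if the name, after the same trailing-junk stripping that
// sanitize_file_name() performs, has a PHP-family extension in any position,
// so "shell.php_" (the appended-character bypass) and "shell.php.jpg" both count.
function fwtest_is_php_name(string $name): bool {
    foreach (explode('.', strtolower(rtrim($name, " ._-\t\r\n\0"))) as $part) {
        if (in_array($part, FWTEST_PHP_EXTS, true)) { return true; }
    }
    return false;
}
// Test #4: scan the whole file in chunks for a PHP open tag, carrying the tail of
// the previous chunk so a tag split across a boundary still matches. Reading to
// the end, not just the first few KB, defeats the "1MB of 'A's" padding bypass.
function fwtest_contains_php(string $path, int $chunk = 65536): bool {
    $fh = @fopen($path, 'rb');
    if ($fh === false) { return true; }            // unreadable upload: fail closed
    $carry = '';
    while (($buf = fread($fh, $chunk)) !== false && $buf !== '') {
        if (preg_match('/<\?(php\b|=)/i', $carry . $buf)) { fclose($fh); return true; }
        $carry = substr($buf, -8);                  // "<?php" is 5 bytes; 8 is safe
    }
    fclose($fh);
    return false;
}

// Test #3: the sanitize_file_name filter sees the final name WordPress will write;
// refuse PHP names (raw or sanitized) that arrive on an unauthenticated request.
add_filter('sanitize_file_name', function (string $filename, string $raw): string {
    if (!is_user_logged_in() && (fwtest_is_php_name($filename) || fwtest_is_php_name($raw))) {
        wp_die('Upload rejected: PHP file name from unauthenticated request.', 403);
    }
    return $filename;
}, 1, 2);

// Test #4: before any plugin can move a temp file into /uploads, inspect every
// file an unauthenticated request uploaded ($_FILES fields may hold arrays).
add_action('init', function (): void {
    if (is_user_logged_in() || empty($_FILES)) { return; }
    foreach ($_FILES as $field) {
        foreach ((array) $field['tmp_name'] as $tmp) {
            if (is_string($tmp) && $tmp !== '' && fwtest_contains_php($tmp)) {
                wp_die('Upload rejected: PHP code found in uploaded file.', 403);
            }
        }
    }
});
```

Drop the file into wp-content/mu-plugins/ so it loads before ordinary plugins; the regex deliberately ignores bare `<?` short tags, which PHP only honours when short_open_tag is enabled.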

Summary of Findings

Legend: ✅ Fully Blocked, No Bypass | 💢 Not Blocked | 💣 Bypassable | 🎛 Manual Rule

| Firewall           | Bot Blocking | Extension Check | Sanitize Filter | File Inspection | Write Blocking | /uploads Block | PHPSpl0it |
|--------------------|--------------|-----------------|-----------------|-----------------|----------------|----------------|-----------|
| WordFence          | 💢           | 💣              | 💢              | 💣              | 💢             | 🎛             | 💢        |
| Ninja Firewall     | 💢           | 💣              | 💢              | 💢              | 💢             | 🎛             | 💢        |
| Shield Security    | 💢           | 💢              | 💢              | 💢              | 💢             | 💢             | 💢        |
| SiteGround Security| 💢           | 💢              | 💢              | 💢              | 💢             | 💢             | 💢        |
| BitFire            | ✅           | ✅              | 🎛              | ✅              | ✅             | 🎛             | ✅        |

Summary

The summary table reveals varying degrees of effectiveness among the popular WordPress firewalls tested. WordFence, while partially effective in blocking PHP file uploads, was susceptible to bypass techniques in upload extension checks and file inspection. NinjaFirewall failed to block bots entirely and was bypassed in upload extension checks, showing no further protection measures for the other exploits. Shield Security didn't offer any protection against the tested exploits, relying solely on IP reputation and brute-force login protection. SiteGround Security, primarily focused on basic features like RSS feed disabling and 2FA, didn't offer any exploit protections either. In stark contrast, BitFire demonstrated the most comprehensive security measures. It provided robust albeit bypassable bot-blocking, secure upload extension checks, and was the only firewall to intercept unauthorized PHP file access and block command-and-control tools like PHPsploit.

Detailed Firewall Analysis

WordFence $119.00

WordFence is a popular choice for WordPress security but failed to stop this exploit, allowing PHP file upload by unauthenticated attackers. It doesn't block bot-based attacks (Test #1) until a very large number of requests come from the same IP. Regarding the file upload vulnerability (Test #2), WordFence successfully detected the PHP extension but faltered when any special character was appended to it. WordFence doesn't check the WordPress sanitize_file_name filter, which could be used to detect the file being renamed to .php (Test #3). Its file inspection (Test #4) was found to be bypassable by inserting 1MB of 'A's before the PHP code. WordFence also lacks features to prevent PHP file access using stream wrappers (Test #5). It can block direct access to the /uploads directory when configured in "Optimized" mode and running a manual rule from the documentation (Test #6). WordFence does not contain any special code to block requests from command and control tools like PHPsploit (Test #7).

Ninja Firewall $79.00

NinjaFirewall's bot-blocking mechanism only works for wp-login.php and xmlrpc.php, failing to provide protection against automated attacks (Test #1). In the upload extension check (Test #2), appending a "_" to the PHP file name bypasses its checks and allows the file to be uploaded and exploited, similar to WordFence. NinjaFirewall can be manually configured to block access to PHP files in the /uploads directory, but this is a manual step the admin must perform themselves (Test #6). NinjaFirewall has no features to deal with the remaining exploit avenues, i.e., Tests #3 to #5 and #7.

Shield Security $99.00

Shield Security, known for its IP-based bot protection, failed to block automated attacks (Test #1) since it uses CrowdSec’s IP reputation database. In all other exploit avenues (#2 to #7), it provided no protection, revealing that its focus is primarily on IP blocking and brute-force login protection.

SiteGround Security $0.00

SiteGround Security provides rudimentary features like disabling RSS feeds, limiting login attempts, and two-factor authentication (2FA). Unfortunately, it didn't block any of the seven tests (#1 to #7) in our procedure.

BitFire $69.00 / $128.00

BitFire performed impressively. It provides two methods for blocking bots (Test #1): signature-based blocking for browser user agents and an IP/reverse DNS check for all bots. Although the bot blocking can be bypassed under certain conditions if running in relaxed mode, it is considerably more robust than competitors. BitFire was the only firewall that successfully checked sanitized file names in addition to raw file names, effectively blocking the file upload vulnerability (Test #2). While it does not hook the sanitize_file_name function (Test #3), BitFire catches uploaded files containing PHP code (Test #4) and prevents PHP file access using stream wrappers (Test #5). With some customization, it can block direct script access to the /uploads directory (Test #6), and out of the box it blocks common command-and-control tools like PHPsploit (Test #7).

Conclusion

No WordPress firewall is bulletproof, but some are certainly more robust than others. Among the firewalls we tested, BitFire emerged as the most secure, offering a multi-faceted approach to WordPress security. WordFence, although popular, revealed several weaknesses that need addressing, especially concerning the recently discovered Forminator 1.24.6 vulnerability. Webmasters should carefully evaluate their security measures, taking into account the diverse range of exploits that can compromise a WordPress site.

For webmasters who prioritize thorough security, BitFire currently offers the most comprehensive solution, while users of other popular firewalls should be aware of their limitations and consider additional protective measures.
