WordPress Security: most popular free plugins are useless

In their research, titled “Plugins to Detect Vulnerable Plugins: An Empirical Assessment of the Security Scanner Plugins for WordPress” Murphy et al. (2021) provide an analysis of currently available security solutions for WordPress, a widely used Content Management System (CMS) that powers websites across the Internet.

Given how widely this CMS is deployed, the study raises concerns about the quality of its most commonly used free security scanner plugins.

The study reveals that most of these plugins proved to be ineffective in identifying threats and failed to provide the user with sufficient actionable information.

Ultimately, the findings point to one underlying reason WordPress is an increasingly attractive target for cyber-attacks: the false sense of security that current free security solutions give its users (Murphy et al., 2021).


Research Problem

The widespread use of WordPress has made this CMS a popular target for cyberattacks. While the WordPress core itself is considered relatively secure, its vast plugin ecosystem accounts for almost all of the vulnerabilities found. Because a large part of its userbase lacks technical knowledge, most users rely on freely available security plugins (Murphy et al., 2021). In their tests, Murphy et al. (2021) found that most of these plugins were unable to identify threats, and that the majority of those that could accurately identify security threats did not give the user acceptable guidance or information on how to secure their website.



Murphy et al. (2021) investigate the ability of available security plugins to effectively identify security threats and keep WordPress websites safe from a variety of cyber-attacks.

The WordPress userbase has been shown to lack sufficient technical or cybersecurity knowledge, and so is often unable to understand the severity of potential consequences or to assess the safety of its websites correctly. Combined with the growing number of cyber-attacks against the platform, this led the researchers to ask whether the most commonly used security plugins to date actually provide an effective means of keeping WordPress websites safe (Murphy et al., 2021).



Murphy et al. (2021) designed a method to empirically test the efficacy of the most used security plugins in their free tiers. They applied one set of criteria to select the 11 security scanner plugins under test, and a separate set of criteria to select the 51 known-vulnerable plugins used as test targets.

The security scanner plugins were chosen from among those that were most used, easy to install and free at the time of the research; the vulnerable plugins were chosen from a popular public database recording plugins that had been flagged with known vulnerabilities over the previous two years (Murphy et al., 2021).

A separate testbed with a fresh WordPress installation was set up for each security scanner plugin, and every test used a new instance containing all of the vulnerable plugins. In each instance the researchers ran the security scanner and then evaluated the results both quantitatively, by how many of the vulnerable plugins the scan had identified, and qualitatively, by the information provided for each identified threat (Murphy et al., 2021).
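The core of this methodology is a scoring harness: a known-vulnerable ground truth is built from the installed plugin versions and a vulnerability database, and the scanner's report is compared against it. The following is an added example of such a harness, not code from Murphy et al. (2021). It reads the version from each plugin's WordPress header comment (the "Plugin Name:" and "Version:" fields WordPress itself parses), marks a plugin as vulnerable when its version is below the advisory's fixed-in version, and then counts the scanner's true positives, missed plugins and false alarms. All plugin slugs, versions and advisory records here are constructed for illustration and do not refer to real plugins.

```python
"""Scoring harness for a vulnerable-plugin scanner test (added example).

Plugin files, versions and vulnerability records are constructed; the study
used real plugins taken from a public vulnerability database.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# WordPress reads header fields from the first comment block of the plugin's
# main file, tolerating leading comment characters such as " * " or "/*".
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$",
    re.MULTILINE | re.IGNORECASE,
)
CANONICAL = {"plugin name": "Plugin Name", "version": "Version"}


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Return the 'Plugin Name' and 'Version' header fields of a plugin file.

    Only the first 8 KiB are inspected, as WordPress itself does, so a header
    placed deep in the file is not trusted.
    """
    fields: Dict[str, str] = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(CANONICAL[key.lower()], value)
    return fields


def version_tuple(version: str) -> tuple:
    """Numeric, trailing-zero-insensitive version key: '4.2.0' == '4.2'.

    Non-numeric parts such as '-beta' are dropped, so pre-release ordering is
    only approximate; a production scanner should use a full comparator.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass(frozen=True)
class VulnRecord:
    slug: str
    fixed_in: Optional[str]  # None means no fixed release exists: every version affected
    advisory: str


def is_vulnerable(installed_version: str, rec: VulnRecord) -> bool:
    """A plugin is vulnerable when no fix exists or it runs below the fixed-in version."""
    if rec.fixed_in is None:
        return True
    return version_tuple(installed_version) < version_tuple(rec.fixed_in)


def installed_versions(plugin_files: Dict[str, str]) -> Dict[str, str]:
    """Map plugin slug -> version string, read from each plugin's main file."""
    return {slug: parse_plugin_header(src)["Version"] for slug, src in plugin_files.items()}


def ground_truth(installed: Dict[str, str], db: List[VulnRecord]) -> Set[str]:
    """Slugs of installed plugins that the database says are vulnerable."""
    return {
        slug
        for slug, ver in installed.items()
        for rec in db
        if rec.slug == slug and is_vulnerable(ver, rec)
    }


def score_scanner(expected: Set[str], reported: Set[str]) -> dict:
    """Compare a scanner's reported slugs with the ground truth."""
    tp, fn, fp = expected & reported, expected - reported, reported - expected
    recall = len(tp) / len(expected) if expected else 1.0
    return {
        "true_positives": sorted(tp),
        "false_negatives": sorted(fn),  # vulnerable plugins the scanner missed
        "false_positives": sorted(fp),  # flagged although already on a fixed version
        "recall": recall,
    }


# Constructed plugin main files (hypothetical slugs, not real plugins).
SAMPLE_PLUGINS = {
    "acme-forms": "<?php\n/**\n * Plugin Name: Acme Forms\n * Version: 2.3.1\n */\n",
    "acme-gallery": "<?php\n/*\nPlugin Name: Acme Gallery\nVersion: 1.0\n*/\n",
    "acme-cache": "<?php\n/**\n * Plugin Name: Acme Cache\n * Version: 4.2.0\n */\n",
    "acme-seo": "<?php\n/**\n * Plugin Name: Acme SEO\n * Version: 0.9.7\n */\n",
}
# Constructed vulnerability records standing in for a public database.
SAMPLE_DB = [
    VulnRecord("acme-forms", "2.4.0", "unauthenticated file upload (constructed)"),
    VulnRecord("acme-gallery", None, "stored XSS, no fix published (constructed)"),
    VulnRecord("acme-cache", "4.2.0", "SQL injection, fixed in 4.2.0 (constructed)"),
    VulnRecord("acme-seo", "1.0.0", "CSRF (constructed)"),
]


def run_example(reported: Set[str]) -> dict:
    """Score a (constructed) scanner report against the sample testbed."""
    return score_scanner(ground_truth(installed_versions(SAMPLE_PLUGINS), SAMPLE_DB), reported)


if __name__ == "__main__":
    # A scanner that misses the unfixed gallery bug and flags the patched cache plugin.
    print(run_example({"acme-forms", "acme-seo", "acme-cache"}))
```

In the sample run three of the four plugins are vulnerable; the constructed scanner report catches two of them, misses the plugin with no fixed release, and wrongly flags a plugin already on its fixed version, giving a recall of two thirds. Note that a scanner whose free tier never reads the plugins directory at all would score zero here by construction, which is the failure mode the study observed for more than half of the plugins tested.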



In their quantitative findings, Murphy et al. (2021) revealed that 6 of the 11 security plugins tested failed to detect any of the vulnerable plugins at all; these six required a paid premium tier even to scan the WordPress plugins folder. Among the remaining 5, the number of vulnerable plugins successfully detected varied greatly, and in some cases the scanners relied on inefficient evaluation methods (Murphy et al., 2021).

The qualitative assessment of the 5 plugins that did identify vulnerabilities also varied considerably. In 4 of the 5 cases the scans offered no practical help in securing the website, either because they gave no in-depth information about the type of threat or because the explanation was excessively generic, if not misleading (Murphy et al., 2021). Only 1 security plugin seemed to “provide a valuable context for the user, allowing them to choose an appropriate course of action” (Murphy et al., 2021).



Through their research, Murphy et al. (2021) have highlighted a potential connection between the massive use of WordPress to power hundreds of millions of websites across the Web and the growing number of cyber-attacks targeting it: the lack of effective security plugins freely available to its typical users.



Murphy, D.T., Zibran, M.F., & Eishita, F.Z. (2021). Plugins to Detect Vulnerable Plugins: An Empirical Assessment of the Security Scanner Plugins for WordPress. 2021 IEEE/ACIS 19th International Conference on Software Engineering Research, Management and Applications (SERA). https://doi.org/10.1109/SERA51205.2021.9509274