We help to keep your website protected from security vulnerabilities in WordPress plugins.
The current state of WordPress plugin security unfortunately is not good (and hasn’t been for the years we have been monitoring it). For example, through our monitoring of hacking attempts on our websites and of third-party data, we have recently been spotting, on at least a weekly basis, a vulnerability in the current version of a plugin that looks to be already being exploited.
What has surprised us about finding those vulnerabilities is that, despite plugin vulnerabilities being a major source of WordPress websites being hacked, services that claim to protect your WordPress websites do not even seem to be aware of these vulnerabilities. From their marketing materials you wouldn’t know that. Take Wordfence for example: with their paid service they claim to provide “Protection from the latest threats” through their “unmatched access to information about how hackers compromise sites”, but we found they are not catching these vulnerabilities. It isn’t even a situation where we are just faster; in one recent case we found a vulnerability that hackers look to have been aware of for more than a year, and yet no one else seems to have noticed it. A week and a half after we notified the developer of that vulnerability, it was finally fixed.
In another case we found that a security plugin had a vulnerability that looks to have been exploited for at least five months without anyone noticing it. That isn’t by any means the only security vulnerability found in a security plugin, which is probably a good indication of the level of security they are really providing.
To make the situation worse, the people behind WordPress are aware of vulnerabilities in the current versions of plugins available in their Plugin Directory but refuse to warn the public about them.
Another major problem is that in many cases, when there has been an attempt to fix a vulnerability, no one bothers to do proper testing to make sure it has actually been fixed, leading to the vulnerabilities remaining in the plugins (in some cases for years).
With our service we provide you access to what we think is the best plugin vulnerability data out there. Our data comes from the aforementioned monitoring of hacking attempts, from checking plugins for additional vulnerabilities, and from monitoring numerous sources of public disclosures of plugin vulnerabilities. We test each vulnerability to determine whether it has been fixed and which versions are vulnerable, so if a vulnerability is found in the version of a plugin you are using, you get an email alert warning you about it. That way you can take quick action to limit your exposure, and if you need help deciding how to deal with it, we are always available to assist. In some cases a small workaround can be crafted to allow you to continue using the plugin while a fuller fix is being developed.
When we come across vulnerabilities that haven’t been fixed, we try to work with the developers and the Plugin Directory to get them fixed, which limits the exposure that you and everyone else using the plugins have to the vulnerability.
To make better decisions on what plugins you use, you can see historical data on what vulnerabilities have been in past versions of the plugins you use or plan to use. You also have access in WordPress to our advisories for WordPress plugin developers who have shown a lack of concern for security.
To improve the security of WordPress plugins, we also do our own checks of plugins for additional vulnerabilities and run a bug bounty program to help make sure more serious vulnerabilities are being found.