21 Mar

The Security and Vulnerability Shield Plugin Isn’t Getting New Vulnerability Data

As we look at how we can improve our service, one of the things we are doing is comparing our service to other available options that provide similar functionality. One such option is a WordPress plugin named Security and Vulnerability Shield. The information on its Plugin Directory page certainly makes it sound impressive; they claim to monitor numerous sources to collect their vulnerability data (emphasis theirs):

No need to monitor 20 websites and receive 100+ emails (from groups and newsletters) so that you can keep up to date with the latest vulnerabilities in WordPress and its related plugins… our team will do that for you!

They also claim they spend “tons of hours” collecting the data:

please remember that this is a free plugin and despite that it costs us tons of hours (of processing emails, data, reviewing plugins, exploits/vulnerabilities, developing and maintaining this plugin) we will try to always have a free version that helps the WordPress community to protect their sites.

You would certainly have to spend a lot of time to have launched the plugin with data on “3000+ known vulnerabilities and exploits”, as they claimed to have done.

Whoever is behind this also sounds impressive, as they claim to have tested the plugin “on private client installations of more then 200 WordPress sites”.

Who Is The Developer?

But looking at the website of the developer, SiteCops, things start to seem less impressive. Currently their website just contains the word “home”, as can be seen in this screenshot:

[Screenshot: sitecops-homepage]

Looking at archive.org’s records shows that the website has been that way since at least January, and they don’t have any records of actual content being on the website in recent years.

If you are spending all this time on the service, you would think that your website would have at least some basic details.

We then went looking for any other information available on the developer. Their domain name’s whois information just lists a company that hides the true registrant. A Google search didn’t pull up anything on them.

Along with several things we noticed after that, we started to wonder if the developer was really doing the work they claimed, or possibly taking data from someone else and claiming it as their own. We did some basic checking on that, but we couldn’t get very far in determining if that was the case, due to the limited amount of information they provide about vulnerabilities. They don’t list the type of vulnerability or provide the web address with details of the vulnerability, which would likely allow fingerprinting the actual source if it was copied from somewhere else. The limited nature of the vulnerability data also makes the service’s value limited, since the impact of a vulnerability varies widely from one vulnerability type to another.

No Data on Recent Vulnerabilities

The next thing we wanted to see is how the service stacked up against ours in terms of adding new vulnerabilities. Since their website doesn’t have any information on recently added vulnerabilities, we thought a good starting point was to see how many of the new vulnerabilities we had added to our data in the last month were included in their service. It turned out that they had none of them. You can see in this screenshot that they don’t report vulnerabilities in any of the plugins, despite all of them containing vulnerabilities in the installed versions (excluding the Security and Vulnerability Shield plugin):

[Screenshot: security-and-vulnerability-shield-results]

By comparison, you can see that we have at least one vulnerability listed for each of the plugins (excluding our own plugin):

[Screenshot: plugin-vulnerabilities-results]

So if you are looking to be warned about vulnerabilities in WordPress plugins, this plugin doesn’t seem to be a good option at this point.