26 Apr

Wordfence’s Bad False Positive for WordPress Plugin Causes Nuisance for Public and Its Developer

One of the major problems with anti-virus software for computers is that the signatures they use to detect malicious code can falsely detect non-malicious code as being the malicious code they are supposed to be identifying. In more serious cases, that can cause critical operating system files to be removed and the computer to no longer be functional.

Security products for websites, instead of learning from the mistakes of their computer-based counterparts, have carried on this tradition, causing problems for developers of WordPress plugins. We have personal experience with that through our plugin connected with this service. On several occasions we have had people reporting that our plugin contained malicious files; one example is in a review of the plugin. The only thing in the supposedly malicious files was data on vulnerabilities like this:

// One entry of the plugin's vulnerability data: plugin slug, affected version range, vulnerability type and reference URL
$plugin_vulnerabilities["enable-google-analytics"] = array(
	"1" => array(
		"FirstVersion" => "",
		"LastVersion" => "",
		"TypeOfVulnerability" => "remote code execution (RCE)",
		"URL" => "https://wordpress.org/support/topic/how-to-report-malware-in-plugins"
	)
);

As best we can tell, what was causing the detection was the URLs for the various vulnerabilities: in that review one of the detections is listed as “# Regular expression match = [1337day\.com]”. There isn’t a good reason for listing a file as malicious simply for including the domain name of a website that lists vulnerabilities, but that is the quality level of this type of product. Unfortunately, the downside of the poor quality of this type of product doesn’t fall on the people responsible for it, but on innocent developers.

Wordfence’s Bad False Positives

One such producer of just this type of poor false positive is Wordfence, the WordPress security plugin/security service. In one instance in 2014, someone we had done a hack cleanup for several months earlier contacted us, concerned that they had been hacked again after receiving an email warning from Wordfence of a “critical problem” on the website:

Wordfence found the following new issues on “[redacted]”.

Alert generated at Sunday 19th of October 2014 at 11:56:40 PM
Critical Problems:

* File contains suspected malware URL: [redacted]/public_html/wp-content/plugins/wp-super-cache/readme.txt

So what was the cause of this “critical problem”? It was a link in a readme.txt file, which was completely harmless.

Right after that information in that email was an ad for their paid service, so it might be reasonable to ask whether unnecessarily scaring people benefits them financially:

NOTE: You are using the free version of Wordfence. Upgrading to the paid version of Wordfence gives you
two factor authentication (sign-in via cellphone) and country blocking which are both effective methods to block attacks.
A Premium Wordfence license also includes remote scanning with each scan of your site which can detect
several additional website infections. Premium members can also schedule when website scans occur and
can scan more than once per day.

As a Premium member you also get access to our priority support system located at http://support.wordfence.com/ and can file
priority support tickets using our ticketing system.

Click here to sign-up for the Premium version of Wordfence now.

False Positives for JavaScript Minification

Fast forward to just a few days ago and Wordfence is still at it. They falsely labeled a JavaScript file in the plugin Quick Page/Post Redirect Plugin as “suspected malware” due to the minification process used on the file, leading a lot of people to think there was a problem with the plugin and to want it fixed. It doesn’t look like the bad signature that caused this was something Wordfence generated; instead it looks like an anti-virus signature that they reused without bothering to check it themselves, seeing as there were reports of this issue with anti-virus software several days before they seem to have started warning about it. (By comparison, when we warn about a vulnerability in a WordPress plugin we have actually tested it, so we don’t ever falsely accuse plugin developers like this.)

Identifying a JavaScript file as malicious based solely on the minification process used doesn’t make any sense, since the minification doesn’t indicate what the code does at all, so it can’t tell you whether it is malicious. To properly check a minified JavaScript file for malicious code you want to de-minify it and check the code, but Wordfence didn’t do that.

The issue with improperly flagging minified JavaScript files as malicious seems to be going around; ClamAV was claiming that the widely used Jetpack by WordPress.com plugin contained malware due to a minified JavaScript file last week.
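The two false positives described above (a domain name matched inside a data file, and a file flagged for being minified) share the same root cause: the signature looks at the form of the file rather than at what the code does. The following toy scanner, an added example that is not code from Wordfence, ClamAV or any plugin discussed here, puts a form-based rule beside a context-aware rule for each case and runs both over constructed samples. The samples, rule names and regular expressions are all hypothetical and chosen for illustration; the only real-world detail borrowed is the 1337day.com domain named in the review quoted earlier.

```python
"""Toy scanner contrasting form-based signatures with context-aware ones."""
import re

# --- constructed samples (not files from any real plugin) -------------------

# Vulnerability data in the style of the array shown earlier: the domain of an
# exploit-listing site appears only as a string value, never as executable code.
VULN_DATA_PHP = '''<?php
$plugin_vulnerabilities["example-plugin"] = array(
    "1" => array(
        "TypeOfVulnerability" => "remote code execution (RCE)",
        "URL" => "https://1337day.com/"
    )
);
'''

# A harmless function, minified into one long line with almost no whitespace.
MINIFIED_JS = (
    'function redirect(a,b){if(!a)return;var c=document.createElement("a");'
    'c.href=a;c.rel="nofollow";b.appendChild(c);return c}'
)

# Something that does warrant a closer look: code is hidden in a base64 string
# and executed via eval. The constructed payload "YWxlcnQoMSk=" decodes to alert(1).
SUSPICIOUS_JS = 'var p="YWxlcnQoMSk=";eval(atob(p));'

SAMPLES = {
    "vuln_data.php": VULN_DATA_PHP,
    "minified.js": MINIFIED_JS,
    "suspicious.js": SUSPICIOUS_JS,
}

# --- rules: each returns True when it would flag the text ------------------

def naive_domain(text):
    """Form-based: any occurrence of the domain, like the regex in the review."""
    return re.search(r"1337day\.com", text) is not None


# Hypothetical list of PHP constructs that fetch or execute remote content.
FETCH_OR_EXEC = r"(?:include|require|include_once|require_once|file_get_contents|curl_init|eval)"


def contextual_domain(text):
    """Context-aware: the domain matters only if code fetches or executes from it."""
    pat = FETCH_OR_EXEC + r"\s*\(\s*[\"']https?://[^\"']*1337day\.com"
    return re.search(pat, text) is not None


def naive_minified(text, max_line=100, min_ws=0.05):
    """Form-based: treats 'looks minified' (one long line, little whitespace)
    as 'suspected malware'."""
    longest = max((len(line) for line in text.splitlines()), default=0)
    ws_ratio = sum(ch.isspace() for ch in text) / max(len(text), 1)
    return longest > max_line and ws_ratio < min_ws


def deminify(text):
    """Crude pretty-printer: start a new line after ';', '{' and '}' so the
    rule below sees the same structure whether or not the file was minified."""
    spread = re.sub(r"([;{}])", r"\1\n", text)
    return "\n".join(line.strip() for line in spread.splitlines() if line.strip())


def behavioural_js(text):
    """Behaviour-based: flags code executed from a decoded or constructed string."""
    pretty = deminify(text)
    pat = (r"\b(?:eval|Function)\s*\(\s*"
           r"(?:atob|unescape|String\.fromCharCode|decodeURIComponent)\s*\(")
    return re.search(pat, pretty) is not None


RULES = {
    "naive_domain": naive_domain,
    "contextual_domain": contextual_domain,
    "naive_minified": naive_minified,
    "behavioural_js": behavioural_js,
}


def scan(text, rules=RULES):
    """Run every rule over one file's text; returns {rule name: fired?}."""
    return {name: rule(text) for name, rule in rules.items()}


def report(samples=SAMPLES):
    """Run every rule over every sample; returns {sample: {rule: fired?}}."""
    return {name: scan(text) for name, text in samples.items()}


if __name__ == "__main__":
    for sample, hits in report().items():
        fired = [rule for rule, hit in hits.items() if hit] or ["(nothing)"]
        print(f"{sample:16s} -> {', '.join(fired)}")
```

Run as written, the two naive rules fire on the two benign samples (the vulnerability data and the minified function), while the context-aware rules stay quiet on both and only the behaviour-based JavaScript rule fires on the sample that actually executes decoded code. The point is not that the regexes here are good signatures, but that a rule has to look at what the code does, which for minified JavaScript means normalising it first and then reading it.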