01 Jun

How Wordfence Makes A Minor WordPress Plugin Vulnerability Sound Much More Serious

While there are many problems when it comes to website security, unfortunately we often find that security companies still feel the need to embellish minor security issues to make them in to much more than they are. This makes it harder to properly address security issues because the public doesn’t have the proper perspective as to the threats out there. It also leads to overhyped news article, since many security journalist simple repeat the claims of security companies without doing any verification.

To show that at work, lets look at something from a recent post from Wordfence. They disclosed that the plugin Caledera Form had a vulnerability that allowed “an attacker to gain access to potentially sensitive data that has been captured by a Caldera Form.”  No details were provided as to what the attacker would need to do that, which is really important. If they had, it would be clear that this isn’t a threat for most websites using the plugin.

That is due to the fact that vulnerability was only accessible with a WordPress account on the website. Since most WordPress websites are run by one person or only by trusted people, the chance of one of them trying to exploit the vulnerability is minimal. It only really comes in to play if you have open user registration (this is good reason not enable that if you don’t actually need it) or you have untrusted users with accounts. Due to the nature of the vulnerability the people at Wordfence absolutely knew that it required an account, but they excluded that information when they went public with this.

2 thoughts on “How Wordfence Makes A Minor WordPress Plugin Vulnerability Sound Much More Serious

  1. I completely agree. Its scaremongering tactics. You example is very similar to someone claiming that your children are not safe inside of their room, while failing to mention that lack of safety is dependent on someone having security system passcodes and key to your front door.

    No site is ever going to be 100% secure. Even encrypting iPhone did not prevent access. It only made it more difficult. So all we can do for ourselves, and our clients, is to make access more difficult than it is worth wasting time on.

    Good example would be Denuvo and how much trouble video game pirates are having with it. By delaying them this much, video games like Farcry Primal, perhaps result in much increased sales.Or maybe not, jury is still out on whether video game piracy actually helps sales in some cases.

  2. Yep, I agree 100%. If anyone is really paying attention to what Wordfence is really all about they will see a very clear picture. Wordfence says they are all about the users, but anyone who is really paying attention can clearly see that Wordfence is all about Wordfence – their own image and sales. I don’t think there is anything wrong with “selling” yourself, but when you distort facts and sensationalize information for you own personal self interests/benefit that that is a disservice to everyone who reads that bad information. It is good to get that type of security information out there to the public, but it is irresponsible to use that type of information in a way that serves your own self interests, skews the facts and makes people fearful or worried about something they should not be worried about.

Leave a Reply

Your email address will not be published. Required fields are marked *