Wordfence is a security company that we don’t think too highly of, because security vulnerabilities have been found in their security plugin numerous times and they don’t seem to have any clue what they are talking about. The problem is that a lot of people who don’t have the security knowledge we have been tricked into thinking Wordfence knows what it is doing. To give you an example of this, let’s look at something we ran across recently.
Before we get into the details, you really should read the comments on the blog post we are going to discuss part of in a second. They consist of lots of people thanking Wordfence for the information it provided. What isn’t mentioned in those comments is that Wordfence is telling them things that it has no idea are actually true. This can be seen in this part of the post, discussing a plugin that they claimed had vulnerabilities that had been fixed:
The SP Projects and Document Manager plugin version 220.127.116.11 has multiple vulnerabilities including file upload, code execution, SQL injection and XSS. Update to version 18.104.22.168 immediately which contains the vendor released fixes and is the newest version.
As we discussed in a post three weeks after that post was released, the most serious of the vulnerabilities, the arbitrary file upload vulnerability, still existed in the plugin at that time. We also mentioned in that post how easy it was to test that the vulnerability still existed, so that tells you that Wordfence didn’t bother to actually check the vulnerabilities before telling the public that they had been fixed. A lot of security is trust, so when a security company is telling you something that it doesn’t actually know to be true, that isn’t a good sign.
On Wordfence’s homepage they specifically tout that they can protect you from vulnerable plugins:
Even if you are running a vulnerable plugin or theme, Wordfence will protect you from being hacked by blocking attacks based on known and constantly updated attack patterns.
Since they are not taking the simple step of testing known vulnerabilities, it seems hard to believe that this protection is any good.
Since we actually test each vulnerability before adding it to our data set, we were able to see that it hadn’t been fixed and then make sure the vulnerability actually got fixed. If we hadn’t checked, there is a good chance it still wouldn’t have been fixed now. Before it was fixed, our customers were aware that it wasn’t fixed, unlike people relying on information from Wordfence, so they could actually have protected themselves.