16 Sep

Wordfence’s Troubling Claim About Their Knowledge of Zero-Day Vulnerabilities

Wordfence is a WordPress security company that we have found on multiple occasions misleading the public. It is our belief that a lot of that is due to their lacking even basic security knowledge. That makes it a bit hard to tell with a recent claim whether they are being incredibly irresponsible or just trying to mislead people into believing their product provides a level of protection far beyond what it does.

In a recent post they wrote this about the firewall that is part of their product:

We also protect against many zero day vulnerabilities that aren’t yet known to the public but are known to us exclusively. These rules protecting against zero day vulnerabilities are unique to Wordfence.

Wikipedia explains why a zero-day vulnerability is called that with the following:

It is known as a “zero-day” because it is not publicly reported or announced before becoming active, leaving the software’s author with zero days in which to create patches or advise workarounds to mitigate against its actions.

If Wordfence knows about vulnerabilities that are being exploited and hasn’t notified the developers, that would be incredibly irresponsible. Let’s hope that is not the case.

So what else could they mean? It could be that they are just referring to vulnerabilities that are not widely known by the public, perhaps ones they discovered themselves. Keeping those quiet on a long-term basis would be quite bad if they haven’t been fixed, since if Wordfence could find them, someone else could as well. If the public were made aware of them, they could take action to protect themselves, while if Wordfence keeps quiet the public will remain vulnerable. If the vulnerabilities had already been fixed, then Wordfence wouldn’t be providing any protection beyond what you would have by simply keeping your plugins up to date.

While we don’t know about zero-day vulnerabilities Wordfence knows about exclusively, we do know about many they don’t appear to have been aware of (unless they never notified the developers and/or the Plugin Directory). Back in May, during routine monitoring of our websites for hacking attempts, we started seeing hackers probing for usage of plugins that did not have any disclosed vulnerabilities that we could find. We were then able to find vulnerabilities in those plugins that hackers would be likely to target. In some cases we were later able to confirm that those vulnerabilities were in fact what was targeted.

Once we started monitoring some third-party data we were able to find more of these, and started seeing that many of them appear to have been known to hackers for some time. One of the first we found that way may have been known to hackers for more than a year; it was fixed within two weeks of us discovering it and notifying the proper people. So either Wordfence knew about this vulnerability and never took action to get it fixed, or they didn’t know about it. That isn’t a one-off discovery: in a previous post, where we mentioned Wordfence’s apparent lack of knowledge of this type of vulnerability, we included a list of 21 vulnerabilities we had found like this so far. That was back in June and we have found plenty more since then.

There is another problem with Wordfence’s claim of protection: we have found that their firewall’s protection either doesn’t work or can be easily evaded in at least some cases. Months ago, based on a claim Wordfence made, we did a couple of tests to see if their firewall could protect against a vulnerability, and in both instances we found it failed. Earlier this week we tested it and 10 other WordPress security plugins against another vulnerability. This time we found that it was one of only two that stopped exploitation of the vulnerability at first, but we were able to easily find a way to bypass the protection by simply adding “\” to the exploit. Properly fixing a vulnerability, instead of relying on this type of band-aid, avoids this type of thing: the fix usually doesn’t rely on the same type of pattern matching, and since everyone can take a look at the fix, if there is a problem with it someone else might spot it (we have found numerous security issues in plugins while reviewing other reports of vulnerabilities).
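To illustrate why a pattern-matching rule is fragile in exactly this way, here is an added example in Python. It is not code from Wordfence or from this post: the post does not say which vulnerability was tested or why the added “\” defeated the rule, so the mechanism below is an assumption chosen for illustration. The assumed mechanism is that the firewall inspects the raw request value while the application strips backslashes before using it, as PHP’s stripslashes() and WordPress’s unslashing of request data do. The regex, the function names, and the sample inputs are all constructed for this example.

```python
import html
import re

# Constructed illustration, not Wordfence's rule or the exploit from the post:
# a firewall rule that blocks a request when the raw parameter value matches
# an exploit signature.
EXPLOIT_SIGNATURE = re.compile(r"<script\b", re.IGNORECASE)


def firewall_allows(raw_value: str) -> bool:
    """Signature-based 'protection': only input the regex matches is blocked."""
    return EXPLOIT_SIGNATURE.search(raw_value) is None


def php_stripslashes(value: str) -> str:
    """Mimics PHP's stripslashes(): drops a backslash and keeps the character
    after it, so a doubled backslash becomes a single one and a lone trailing
    backslash disappears. Assumption for this example: the plugin, like much
    WordPress code, works on the unslashed request value."""
    out = []
    i = 0
    while i < len(value):
        if value[i] == "\\":
            if i + 1 < len(value):
                out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def vulnerable_render(raw_value: str) -> str:
    """Unfixed plugin: echoes the unslashed request value straight into the page."""
    return "<div>" + php_stripslashes(raw_value) + "</div>"


def fixed_render(raw_value: str) -> str:
    """Properly fixed plugin: escapes at the output sink, whatever the input looked like."""
    return "<div>" + html.escape(php_stripslashes(raw_value), quote=True) + "</div>"


def outcome(raw_value: str, firewall, render) -> str:
    """Run one request through the firewall and then the plugin; report what happened."""
    if not firewall(raw_value):
        return "blocked by firewall"
    page = render(raw_value)
    return "exploited" if EXPLOIT_SIGNATURE.search(page) else "harmless"


# Constructed sample inputs: the plain exploit and the same exploit with one "\" added.
PLAIN_EXPLOIT = "<script>alert(1)</script>"
EVADED_EXPLOIT = "<scr\\ipt>alert(1)</script>"

if __name__ == "__main__":
    print(outcome(PLAIN_EXPLOIT, firewall_allows, vulnerable_render))   # blocked by firewall
    print(outcome(EVADED_EXPLOIT, firewall_allows, vulnerable_render))  # exploited
    print(outcome(EVADED_EXPLOIT, firewall_allows, fixed_render))       # harmless
    print(outcome(PLAIN_EXPLOIT, lambda v: True, fixed_render))         # harmless
```

The firewall only ever sees the raw string, so one inserted backslash is enough to keep the signature from matching, while the plugin removes that backslash again and the payload reaches the sink intact. The fix at the sink does not care how the input was written, which is why a real fix holds up where a signature does not.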

If you are concerned about plugin vulnerabilities, we think you would be much better off with our service, as we are actually focused on getting vulnerabilities fixed. When that doesn’t happen we will warn you that you are vulnerable so that you can take action to fully protect yourself, and you can even get in touch with us to discuss your best option for handling it.

Highly Suspect Claims

The rest of Wordfence’s post also made some other claims that really should be the kind of thing that would clue people in to the fact that they play fast and loose with the truth. At one point, while mentioning that the new feature requires more checks to be done, they claim:

This new layer of protection is extremely fast and comes with zero performance penalty for your website.

Even if it is extremely fast, additional checks still mean more work is being done on each request, so there is some cost. Yet they don’t claim the impact will be minimal; they go all the way to zero.

They also claim that the additional checks did not result in any false positives:

this new detection did not result in any false positives on your website

When you consider that the additional checks are of a kind that, when done elsewhere, are known to produce some bad false positives, that claim is pretty clearly false.