21 Dec

Wordfence Is Leaving Sites Relying on Their Plugin Vulnerable to Unfixed Vulnerability That They Know is Being Exploited

On WordPress’s Plugin Directory page for the Wordfence Security plugin the description of it begins:

Secure your website with Wordfence. Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked.

And later states that:

Wordfence Security is 100% free and open source. We also offer a Premium API key that gives you Premium Support, Country Blocking, Scheduled Scans, Password Auditing and we even check if your website IP address is being used to Spamvertize.

Despite that, it turns out that unless you are not using Wordfence’s paid service you actually can easily get hacked (and even with that you are left vulnerable to their slow response to vulnerabilities). You don’t have to take our word on that, Wordfence admitted to that fact yesterday.

Before we get to that, let’s provide you with some important background information. On November 20 the security company NinTechNet discovered that the WordPress plugin Delete All Comments had an arbitrary file upload vulnerability, which allows a hacker to upload any file they want and through that they can do almost anything they want with a website. They discovered that while cleaning up a website that was hacked through that vulnerability (unlike so many security companies they actual did the important step of trying to determine how the website was hacked). They contacted the developer of the plugin and didn’t get a response. Subsequently they notified the Plugin Directory and the plugin was removed from that. The vulnerability has yet to be fixed, so anyone still using it is vulnerable to being exploited.

On December 10 NinTechNet publicly disclosed the vulnerability. We then added it to the data for our service. We put out a new version of our service’s companion plugin with the vulnerability added to the free data included in it on Monday, the 12th, so those not using our service yet started getting warned about the issue (WordPress really should be warning about this, but their position is that doing that would put people at more risk). On Monday we also started seeing what looked to be hackers probing for usage of the plugin, so it looks like more widespread exploitation of the vulnerability probably began then as well.

Then on Friday we did a test of 15 security plugins, including Wordfence Security, to see if they would prevent the vulnerability from being exploited. This would be a situation where a security plugin could provide some value, since even if you keep your plugins up to date, you would still be vulnerable since the plugins hasn’t been fixed. The result was that none of the plugins provided any protection.

That wasn’t the only instance where Wordfence security wouldn’t stop you from being a vulnerability from being exploited, in five previous test we have found that it provided no protection in three and the protection was easily bypassed in the other two (many of the other plugins we have test have provided no protection in any of test they were included in).

Against those results a recent posting on Reddit by them stood out, they wrote:

I’d say about 2 years ago I would not have been comfortable running WordPress even with Wordfence on a mission critical site where data theft is a disaster.

Today that has changed and there is one thing that changed it: Our firewall. Back when I wrote and launched the code for Wordfence myself (in 2011) we didn’t even have a firewall. We launched a full blown firewall some time ago and it’s now evolved to the point where I’m completely confident that if you install our firewall and are running WordPress, you are going to be much more secure than if you’re running an alternative product, even if that alternative CMS is behind a firewall.

and

So if you run our firewall I’m 100% confident you can run WordPress securely on a large mission critical production site. We’re doing it ourselves for wordfence.com along with several other major sites we run. All use our firewall.

We responded pointing to the results of our testing that showed the reality is their product doesn’t live up those claims.

Their response to that is rather troubling.

In regards to the vulnerability in Delete All Comments they only did anything about it on December 16:

We developed a firewall rule for that exploit and released it into production on December 16th, the moment we heard about it from our users. That’s a screenshot from our internal Slack. It’s a fun read – shows what a great place Wordfence is to work.

They also only became aware of because of their users, so they are not actively monitoring for information on vulnerabilities in plugins. We were not the only ones that noticed the disclosure before then, it was included in WPScan Vulnerability Database on December 11.

Later in the post they claim that:

As you can see, the team responds very quickly.

Which is the opposite of the truth.

But now people using their plugin are protected right? No:

The rule is now in production for Wordfence Premium. It will only be available in the free Threat Defense Feed 30 days after release, so around Jan 15th.

So they know that vulnerability is already being exploited, since that is how it was discovered, but they are leaving people that use their plugin, but not also their paid service, vulnerable for a month.

Update (1/24/2017): More than a week after the rule was supposed to be available to those using the plugin without their service, we found that the Wordfence Security plugin still doesn’t protect against the vulnerability, so the claim the rule would be available to those using just the plugin after 30 days turned out to be false (or less likely, the rule isn’t effective at all).

They then went on to try to downplay this by claiming the plugin was not very popular twice (emphasis ours):

FYI, that plugin was pulled from the repository and is no longer available. It wasn’t very popular when it was in the repo.

We deploy rules for vulnerabilities and their exploits the moment we hear about them or see them exploited in the wild. That just wasn’t a widely exploited vulnerability or a popular plugin. In the case of the vulnerability above, we heard about it because you were making some noise about it. Our users alerted us.

So what do they consider to be an unpopular plugin, one that as of a month ago had 30,000+ active installs.

We would consider that popular. So does WordPress, as the Popular section of the Plugin Directory currently includes plugins with a 10,000+ active installs.

It turns out that not that long ago so did Wordfence. In a post written in November of last year,  New Vulnerabilities in 6 Popular WordPress Plugins, one of the 6  popular plugins had 30,000+ active installs. It went even lower than that. One of the others had only 2,000+ active installs. Did they really radically change their view of what constitutes a popular plugin in 13 month or does their view change to fit the narrative they are going with?

Also worth noting in that is this portion “We deploy rules for vulnerabilities and their exploits the moment we hear about them or see them exploited in the wild”. So their protection relies on them being aware of vulnerabilities, which is fairly big problem since we have repeatedly found that Wordfence is unaware of vulnerabilities despite them promoting their Real-Time Threat Defense Feed as giving them “unmatched access to information about how hackers compromise sites”.

What You Should Do If Use Wordfence Security

The best case we see with Wordfence is that they don’t have a good understanding of security, which leads them to repeatedly make false claims. That probably isn’t a good base for creating a good security plugins, which makes the fact that it is the most popular WordPress security plugin with 1+ million active installs problematic (the plugin even has been found to have vulnerabilities of its own in a number of instances). It then wouldn’t be all that surprising that they would make claims about their plugin,like we mentioned earlier in the the post, that don’t match reality.

A worse case scenario is that they are intentionally misleading people to push their plugin and service. Take an example last week where they claimed that there was a recent increase in brute force attacks against WordPress admin password and of course the way to protection yourself against them is to use their plugin. The problem with that being that brute force attacks are not happening. What looks to be going on are dictionary attacks, which involved trying common passwords and can be protected against by simply by using a strong password, no security plugin needed.

Given that, avoiding their plugin could help to attract more people to plugins and companies that have a better handle on security, leading to improved WordPress security.

Beyond that, getting warned when you are using a plugin with a vulnerability that is being exploited would be a good idea. As we mentioned earlier the WPScan Vulnerability Database has included since before Wordfence even became aware of it, so using a plugin that uses their data would do the trick in this instance (if you do a search for “wpscan” on the Plugin Directory you will find a number of those plugins).

As we have discussed in the past though the WPScan Vulnerability Database doesn’t always do a good job of included vulnerabilities in their data (among other issues). That is where the companion plugin for our service can come in. Last week in addition to adding the vulnerability in Delete All Comments to the free data included with that, we added vulnerabilities that were likely being exploited in the current versions of a plugin with 20,000+ active installs and another with 40,000+ active installs (this one has now been fixed). Neither of those are currently included in WPScan’s data, despite us publicly disclosing them at the same time we added them to our data for the service and in the plugin.

If you want more comprehensive information on vulnerabilities in plugin you use can sign up for our service. With that you get information on not just vulnerabilities that are already being exploited, but all vulnerabilities being discovered whether by others or by us (as well as rating on the likelihood of the vulnerability being exploited).

You also get support, so if you run into a situation where you are using a plugin that has yet to be fixed we can help you to make the best decision on handling that. In some cases you can safely ignore the issue, in others we can provide you with a workaround, in others the best option might be to stop using the plugin.

To help keep it from getting to situation where vulnerabilities are first discovered when they are being exploited our paying customers get to suggest and vote for plugins to get a security review done by us.

Finally, by using our service you are helping to improve to the security of WordPress plugins for everyone, as the work we do for the service helps to get numerous vulnerabilities, including many that were already being exploited, fixed for everyone.

Currently you can try the service for free for a month.

Leave a Reply

Your email address will not be published. Required fields are marked *