When it comes to the poor state of web security a lot of the blame for that can be placed on the security industry. The security industry is terrible in many ways, but one of the most troubling ones we have seen from being in it, is how often security companies are not telling the truth. Trust is an important part of security and the public is largely relying on the companies to be truthful about the protection they provide, since few in the public (and few at security companies) would have the ability to tell if the claims were truthful.
When it comes to WordPress security, one company that we have repeatedly seen saying things that are not true is Wordfence, the company behind the most popular security plugin Wordfence Security. One example of this we found was their claim that they provide “protection from the latest threats” through “unmatched access to information about how hackers compromise sites”. What we have repeatedly found is that they (and every other security company) are unaware of vulnerabilities that are in the current version of plugins and being exploited. We know this because we have found those vulnerabilities and taken action to protect the public against them. More striking is that we found many by just monitoring our few websites, where Wordfence’s claim is tied to being involved with over 1 million websites, so either they are not doing what they claim to be doing or they are completely incompetent, neither which should be true about a company behind such a popular product.
As we discussed a month ago, how Wordfence promotes their plugin is false even in relation with other claims they make.
On WordPress’s Plugin Directory page for the Wordfence Security plugin the description of it begins:
Secure your website with Wordfence. Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked.
And later states that:
Wordfence Security is 100% free and open source. We also offer a Premium API key that gives you Premium Support, Country Blocking, Scheduled Scans, Password Auditing and we even check if your website IP address is being used to Spamvertize.
But as we mentioned in that post:
Despite that, it turns out that unless you are not using Wordfence’s paid service you actually can easily get hacked (and even with that you are left vulnerable to their slow response to vulnerabilities). You don’t have to take our word on that, Wordfence admitted to that fact yesterday.
You see, when they add protection against a vulnerability they only provide protection for their paying customers at first and they claim that after 30 days they provide it to non paying users of the plugin. That would mean for the first 30 days if you are using their plugin and not their paid service you are not protected, which is in direct contradiction the claim that the plugin “stops you from getting hacked”. For the vulnerability in Delete All Comments that we were discussing then, it turns out that isn’t even true.
The protection for the vulnerability in Delete All Comments should have been provided to the public on January 15, as Wordfence belated started providing protection to their paying customer against the vulnerability December 16.
We were curious to see how robust their protection would be against the vulnerability, due to something we noticed when we tested 15 security plugins ability to protect against the vulnerability back in December and found that none of them protected against it. That was surprising for one of the plugins, since it was from the company that discovered the vulnerability while cleaning up a website that had been hacked due to it and they said that their plugin provided protection. When we went to see what was going on we found that it did protect against exploitation if you tried to exploit the vulnerability in a different way then we tried. So we were curious to see if Wordfence Security did a better job or not.
When we tried to do that today we found that Wordfence Security still doesn’t protect against the vulnerability, so either the Wordfence hasn’t provide firewall rule to free users of the plugin as they claimed they would by now (it looks like that is the case) or the rule doesn’t work. Considering that the vulnerability has still not been fixed and is being exploited pretty widely that obviously is a big issue and likely lead to websites getting hacked that wouldn’t if people used better solutions, like our plugin, which even if you are not using paid service, has been warning about the vulnerability since December 12 (it similarly warns for other vulnerabilities that we see being exploited).