31 Jan

Developer of Popular WordPress Security Plugin Thinks It Outside of Scope For Them To Protect Against Vulnerabilities

Back in November we discussed the belief of a developer of a WordPress security plugin with 500,000+ active installs that it was normal for security plugins to themselves be insecure. While that was fairly incredible to hear, we have just come across a belief from the developer of another security plugin, with 100,000+ active installs, which we think tops that.

The developer of the plugin BulletProof Security stated that “it is outside of the scope or intended purpose for any security plugins” to protect against vulnerabilities that exist in other plugins (and based on their explanation of why, it would seem other similar vulnerabilities as well). When you consider that vulnerabilities in plugins are a leading source of WordPress websites being hacked (exploitation of vulnerabilities in WordPress itself being few and far between), relying on this plugin to protect a website will leave it fairly vulnerable to a real threat. The description of the plugin doesn’t make any mention of this intended limitation, which seems like something that should be prominently warned about.

Let’s take a step back from that statement, because how it came about is a good example of the poor state of the security information surrounding WordPress.

One of the things we do to keep track of vulnerabilities in WordPress plugins is to monitor the wordpress.org Support Forum for threads related to those. In doing that we run into a lot of other security threads and occasionally we will add our input.

In a thread from someone asking about the security of WordPress, someone suggested using a couple of security plugins:

The terms “secure” and “security” mean different things to different people, and the fact that WordPress is well-written in relation to “security” — no major flaws or vulnerabilities to be exploited — does not mean your self-hosted site is secured by WordPress. I use BulletProof Security to “harden WordPress” and much more…
https://codex.wordpress.org/Hardening_WordPress
https://wordpress.org/plugins/search.php?q=bulletproof
https://www.google.com/search?q=harden+wordpress
…and I also have the stand-alone version of NinjaFirewall out in front of everything at my hosting account:
https://wordpress.org/plugins/search.php?type=term&q=ninjafirewall

There are various other options, of course, but just do not let the idea that WordPress is “secure” lead you to believe WordPress covers your needs related to site security.

We responded, explaining that in our testing those two plugins, and all the others we tested, provided very little to no protection against the exploitation of vulnerabilities in other plugins:

It’s worth noting here that security plugins don’t necessarily provide much, if any, protection against vulnerabilities. We have done four tests of them to see if they could protect against exploitation of real vulnerabilities that existed in other plugins. In only one instance did one, NinjaFirewall (WP Edition), provide protection that wasn’t easily bypassed and that came with the tradeoff that Editor-level and below users could not upload media through WordPress anymore. BulletProof Security provided no protection in any of the tests.

The developer of BulletProof Security responded, but apparently confused us with the developer of NinjaFirewall (WP Edition):

Uh well your opinion is biased. So you should state something to that effect. Also your tests do not include all/every possible BulletProof Security code that is available and the test parameters seemed skewed in favor of your plugin. Nothing personal, I don’t blame you for using this tactic – just noting facts.

Before we figured out that they were confusing us with another company, we were confused about the claims that our testing was skewed.

They then responded again:

Oops. I misread the article. This is not an obvious sales pitch article and link. I reread the article and it is completely unfounded and frankly ridiculous because the test parameters are not any sort of valid security test parameters. I could make up stuff too, but why bother. 😉

Obviously whoever posted that junk does not know anything about website security at all.

Again somehow the testing wasn’t valid (and we don’t know “anything about website security at all”).

Yet another response:

Normally I would just ignore ridiculous junk like this, but in reality this is a disservice to average folks. Why? Because that information is misleading either intentionally or unintentionally due to an unqualified person reporting some junk that just makes people worried about nothing.

This time they called the testing “ridiculous junk”, but still without citing anything specific that was wrong with it. The only person at this point who seemed to be misleading people was the developer of BulletProof Security, but the average person would have a hard time knowing that. That is an ongoing problem with WordPress security information, as even many of the biggest names don’t understand the basics, but claim and feel otherwise, leading to false information being spread widely.

After we posted a response they claimed that the testing was “not valid information”:

Oops again. Guess I should have checked WhoIs first. I see that this is your website. Sorry about negating your article, but unfortunately it is not valid information.

But again there wasn’t any specific issue they were pointing to and we were still not sure what they might be referring to.

When they finally got to some detail on what was wrong with the testing, it didn’t make sense:

What I question is your test parameters themselves. They seem too general/broad and not realistic. Security plugins are not supposed to block anything that appears to be normal functionality in another WordPress plugin, otherwise security plugins would end up breaking most WordPress plugins normal functionality. So your test parameters need to factor in a realistic attack vector that excludes any normal functionality in any other plugins. There are a lot of other things that you also have to factor into the test environment equation that I will not go into. In a nutshell, your test parameters and environment are simply not realistic.

As we responded, what they are really saying is that it is not realistic to test security plugins against real vulnerabilities (including one that looks to have been widely exploited at the time we did the testing):

You are proving our earlier point, as it is hard to distinguish between a request legitimately accessing functionality and exploitation of a vulnerability. Many, maybe most vulnerabilities, involve legitimate functionality being used by someone that shouldn’t have access to it or in a way that it wasn’t intended. The end result is that it would be very hard for security plugins to provide much, if any, protection against vulnerabilities.

Before we had posted that response they had left another, which reads like an endorsement of our plugin/service, since we actually warn about security vulnerabilities in plugins:

I’ll just use this one test example that you did:

For each of the tested plugins we set up a fresh install of WordPress 4.7, installed version 2.0 of Delete All Comments, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability.

The problem here is that the Delete All Comments plugin has a coding mistake/security vulnerability. Most if not all WP security plugins will not interfere with the normal functionality of another WP plugin for the reason I stated above. So basically the basis of this test is no good. What of course is the only solution is the Delete All Comments plugin would need to fix the bug.

If security plugins are not intended to protect against vulnerabilities, that means they are not doing much to protect you against real threats (security plugins can’t protect against lots of other things, since those involve an attacker having access at a lower level than the one the plugins run at).
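To make concrete what the two sides are arguing about, here is an added example; it is not code from this post, from the Delete All Comments plugin, or from any of the security plugins named. It shows a hypothetical “delete every comment” feature written the way plugins often get it wrong, beside the fix that only the plugin itself can make. The action name example_delete_all, the function names and the choice of the moderate_comments capability are assumptions for illustration. The request that triggers the feature is identical in both versions, which is why a firewall rule that only looks at the request cannot separate the administrator from an anonymous visitor, and why the missing check has to live inside the plugin:

```php
<?php
/*
 * Added example, not code from this post or from the Delete All Comments plugin.
 * Hypothetical feature: "delete every comment". The action name
 * "example_delete_all" and the function names are assumptions for illustration.
 */

/* ---- Vulnerable pattern ------------------------------------------------
 * The trigger is a plain request to
 *   wp-admin/admin-post.php?action=example_delete_all
 * That request is byte-for-byte the same whether an administrator clicked the
 * plugin's button or an anonymous visitor typed the URL. A firewall rule that
 * only inspects the request has nothing to key on; the difference exists only
 * in WordPress' login session and capability state, which the handler ignores.
 */
function example_delete_all_comments_vulnerable() {
    foreach ( get_comments( array( 'fields' => 'ids' ) ) as $comment_id ) {
        wp_delete_comment( $comment_id, true ); // true = skip the trash
    }
    wp_safe_redirect( admin_url( 'edit-comments.php' ) );
    exit;
}
// Registering the *_nopriv_ hook makes the action reachable without logging in,
// and neither registration asks who is making the request.
add_action( 'admin_post_nopriv_example_delete_all', 'example_delete_all_comments_vulnerable' );
add_action( 'admin_post_example_delete_all',        'example_delete_all_comments_vulnerable' );

/* ---- Fixed pattern -----------------------------------------------------
 * Same feature, same URL. The handler now decides for itself whether the
 * caller may use it, which is the check a generic security plugin cannot add
 * from the outside without also blocking the legitimate administrator.
 */
function example_delete_all_comments_fixed() {
    // Authorisation: reuse the capability WordPress already assigns for
    // comment moderation rather than inventing a new one.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( 'You are not allowed to delete comments.', '', array( 'response' => 403 ) );
    }
    // Intent: the link must carry a nonce bound to this action, so a logged-in
    // moderator cannot be made to fire it from a page on another site (CSRF).
    // check_admin_referer() stops the request if the nonce is missing or stale.
    check_admin_referer( 'example_delete_all' );

    foreach ( get_comments( array( 'fields' => 'ids' ) ) as $comment_id ) {
        wp_delete_comment( $comment_id, true );
    }
    wp_safe_redirect( admin_url( 'edit-comments.php' ) );
    exit;
}
// Only the logged-in hook is registered; anonymous requests never reach the
// handler. (A real plugin would ship one of the two registrations above for
// this action, not both; they are side by side here for comparison.)
add_action( 'admin_post_example_delete_all', 'example_delete_all_comments_fixed' );

// The button is rendered only for users who would pass the capability check,
// and wp_nonce_url() appends the nonce that check_admin_referer() expects.
function example_delete_all_comments_button() {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        return;
    }
    $url = wp_nonce_url(
        admin_url( 'admin-post.php?action=example_delete_all' ),
        'example_delete_all'
    );
    printf( '<a class="button" href="%s">Delete all comments</a>', esc_url( $url ) );
}
```

In the vulnerable version a request log shows the same line for the administrator and for an anonymous visitor, so there is no request-level signature for a firewall to match. The fixed version changes nothing about the URL; it changes who the plugin is willing to do the work for, which is exactly the “the plugin would need to fix the bug” outcome the developer describes above.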

Humorously, they then offered to provide us further explanation of why security plugins shouldn’t protect against vulnerabilities:

Yep, I understand where you are coming from, but unfortunately it is outside of the scope or intended purpose for any security plugins. If you would like further explanation then you can contact us here: https://www.ait-pro.com/contact/

7 thoughts on “Developer of Popular WordPress Security Plugin Thinks It Outside of Scope For Them To Protect Against Vulnerabilities”

  1. I’ve got to agree with the BPS Pro representative on this. A good security plugin tries to cover all of the known hacking exploits being used – based upon specific behaviours. This approach creates a net to catch attempts which are essentially “illegal” methods.

    What you are expecting security plugins to do is to
    a) monitor the security flaws of *other* plugins (given there are probably hundreds and hundreds of them with major bugs),
    b) and then create exceptions for these issues, and
    c) then have to provide support to their customer base for those issues as well.

    The problem with this is that:
    1. Security plugins which are based on identifying illegal behaviours cannot be expected to be blocking what is essentially *normal & legal* functionality which is now insecure due to the poor coding of a 3rd party plugin. This would mean that they are essentially writing one-off specific case code for individual plugins and having to maintain that in their plugins. What a nightmare that would be for them.
    2. They would need a team of people just to identify and test for 3rd party plugin code bugs and security issues. Purely from a business perspective, I cannot see how it would be viable to provide this based upon the costs of maintaining a security plugin in the rapidly changing WordPress ecosystem, notwithstanding that there are probably thousands of free plugins that are horribly written.

    Unlike desktop anti-virus programs, they don’t have the luxury of working directly with the manufacturer of the “operating system” (in this case WP) nor a limited amount of applications to cater for, nor do they have the budget of such companies.

    Now, to reasonably achieve what you are saying that doesn’t mean the immediate doubling or tripling in price of commercial security plugins (I fail to see how any free security plugin could even think of trying to do this) I believe you’d have to have a number of major things to happen.

    1. The WP plugin repository would have to start rejecting plugins based upon bad coding similar to Apple’s App Store.
    2. There would need to be a comprehensive industry-supported service that they could refer to that provides specific plugin vulnerability data that they could refer to, and their marketing material would have to disclaim that they use and rely on this service for identifying these insecure plugins (ie. they have no liability for any 3rd party plugins that they don’t include fixes for).

    If you are saying that is what Plugin Vulnerabilities can provide, then maybe you should be pioneering the effort, along with petitioning WordPress, to bring the industry together to make this happen for the benefit of the WP community, instead of shaming people for not addressing this, especially when no-one does this for obvious reasons. If this was approached from a community aspect you are perfectly positioned to be the driving force behind an industry wide effort to combine logging data and work with WP to improve security efforts. That is the challenge I put to you.

    I, for one, would be happy to get behind it and help with such a pursuit, because security is IMHO the no.1 problem with the WP ecosystem.
    Ironically this post came about because I suggested to AIT-Pro that they use aggregated customer logging data of security breaches to create a “plugin vulnerabilities knowledgebase”, and also to maybe approach you about supporting your efforts.

    Disclaimer: We are a customer of AIT-Pro and use their BPS Pro plugin and service as an important part of our security hardening setup for our clients’ WordPress websites. We also use Plugin Vulnerabilities. I am not a security expert, but a founder/director of a web company est. in 1995, who is responsible for ensuring that we have the best reasonable protection available for our WordPress clients. So yes, I’ve been around the block with WP security plugins and settled on BPS Pro due to its use of htaccess files and constant file monitoring. It also allows for extensive customisation which we require on some of our more complex custom sites. But nothing on the web, especially the average WordPress site, is 100% hackproof.

    • If “A good security plugin tries to cover all of the known hacking exploits being used – based upon specific behaviours” then BulletProof Security isn’t one, as the developer specifically states that it “it is outside of the scope or intended purpose for any security plugins” to protect against vulnerabilities in other plugins. Doing that is actually one of the main types of exploit it should be able to protect against, as there are other types of hacking exploits it could not actually prevent (it wouldn’t be able to stop exploitation of compromised FTP credentials, for example). The rest of your message doesn’t point to anything that it does that actually protects websites.

      A lot of what is portrayed as protecting, including a lot of security hardening, doesn’t actually provide any protection. There is even a term for that type of thing, security theater. That is part of the reason we started doing testing of security plugins against real vulnerabilities, to show what, if any, protection they provide. So far BulletProof Security hasn’t provided any, which is what brought this up in the first place.

      The rest of what you are describing here is largely what our service has been doing for some time, as we “monitor the security flaws of *other* plugins (given there are probably hundreds and hundreds of them with major bugs)” and “provide support to their customer base for those issues as well.” Instead of your second item, “then create exceptions for these issues”, we work with the developers to get the vulnerabilities fixed, which helps everybody, even if they don’t use our service.

      If you want to help us you can sign up for the service and promote it to others.

      Plugins like BulletProof Security actually make what we do harder because they give people a false sense of security and they don’t look for services that will actually provide them protection they are looking for.

  2. Firstly, you’re stating the obvious. And I’m not sure that you actually read or understood my post. Asking me to list what BPS Pro, or any other security plugin does to provide security is outside the scope of what we are discussing, and frankly a waste of time. You can do this yourself by going to their websites.

    > That is part of the reason we started doing testing of security plugins against real vulnerabilities, to show what, if any, protection they provide.
    Your approach seems quite antagonistic. It seems that you started your company to prove a point, not to provide a service. Which is it then…? To make the WP world a better place or to prove a point?

    So can you please point to a security plugin that includes the ability to catch flaws in all other 3rd party plugins which have bugs which compromise what is essentially normal functionality? Or is this just a specific rant about BPS Pro because they questioned you on this? Your service alerts of insecure plugins with known security flaws, but it doesn’t stop them.

    > “A lot of what is portrayed as protecting, including a lot of security hardening, doesn’t actually provide any protection”
    Security theater. This is a big claim and it is one you would need to back up with some proof, especially given that so many people rely on them to protect their websites. Please point me to articles which back these statements. As a typical web dev customer who spends time hardening sites, and promoting a secure WP service, I’m unconvinced about your claims.

    I am well aware of what your plugin provides (As previously stated, I use your plugin) and also your service – and in my opinion it only complements security hardening, since it’s not only plugins that create security holes, and not every exploit will be covered by identifying holes in other people’s software, however important and useful a service that may be.

    You seem to be avoiding the point – if you are so convinced that WP security plugins don’t provide an appropriately useful or proper service then wouldn’t it be better to work with them, and try to cooperate with them for everyone’s benefit, yours as well?

    • > Firstly, you’re stating the obvious. And I’m not sure that you actually read or understood my post. Asking me to list what BPS Pro, or any other security plugin does to provide security is outside the scope of what we are discussing, and frankly a waste of time. You can do this yourself by going to their websites.

      There is a difference between what a security product markets itself as doing and what, if anything, it does to protect against actual threats. Do you know what BulletProof Security actually protects against, because it isn’t clear to us what it is supposed to be doing to earn that title?

      > That is part of the reason we started doing testing of security plugins against real vulnerabilities, to show what, if any, protection they provide.
      Your approach seems quite antagonistic. It seems that you started your company to prove a point, not to provide a service. Which is it then…? To make the WP world a better place or to prove a point?

      It isn’t clear what you are referring to because you include a quote about our testing and then a question about why we started a company. The answer to your question though is that we are a web development company that has seen that security issues with plugins are not being handled well. That eventually led us to creating this service after a couple of previous attempts at handling vulnerabilities in plugins.

      > So can you please point to a security plugin that includes the ability to catch flaws in all other 3rd party plugins which have bugs which compromise what is essentially normal functionality? Or is this just a specific rant about BPS Pro because they questioned you on this? Your service alerts of insecure plugins with known security flaws, but it doesn’t stop them.

      The point of the testing was to see how well security plugins are at dealing with actual vulnerabilities in other plugins. If you look at the results of the testing you can see that some plugins provided some protection.

      Through our service we alert about insecure plugins, but we also work with the developers to get them fixed and in cases where that has yet to happen we can work with our customers on deciding what is the best way for them to handle that, including providing them a workaround. So the service does help to stop security flaws, just not by doing something that we haven’t seen a way to effectively at this time.

      > “A lot of what is portrayed as protecting, including a lot of security hardening, doesn’t actually provide any protection”
      Security theater. This is a big claim and it is one you would need to back up with some proof, especially given that so many people rely on them to protect their websites. Please point me to articles which back these statements. As a typical web dev customer who spends time hardening sites, and promoting a secure WP service, I’m unconvinced about your claims.

      You have this backwards: there should need to be proof that something actually does provide protection, not that it doesn’t. But as an example of people focusing on something they don’t need to, take a look at a post we wrote about the widespread, but false, claims that there are a lot of attempts to brute force WordPress admin passwords. You can look at the testing we have done of security plugins against real vulnerabilities in other plugins to see an example of currently suggested plugins not providing much protection despite products making claims like it “stops you from getting hacked”.

      > I am well aware of what your plugin provides (As previously stated, I use your plugin) and also your service – and in my opinion it only complements security hardening, since it’s not only plugins that create security holes, and not every exploit will be covered by identifying holes in other people’s software, however important and useful a service that may be.

      > You seem to be avoiding the point – if you are so convinced that WP security plugins don’t provide an appropriately useful or proper service then wouldn’t it be better to work with them, and try to cooperate with them for everyone’s benefit, yours as well?

      It doesn’t really sound like you were aware of what our service provides, as you were largely describing what our service already does as if that was something that wouldn’t be reasonably possible to do.

      Our service is something that is intended to be used in addition to taking other security measures with a website, like keeping the software up to date, but much of what is referred to as security hardening doesn’t really improve security.

      We are not really following the rest of that: if we don’t believe a service is useful and we provide a competing service that is useful, why would we want to improve someone else’s service instead of getting people to use our service that is already useful? It seems like you want us to do other security companies’ work for them for some reason, when they could do what we do (some actually claim to be doing it, despite not actually doing it). It would actually be to our benefit and the benefit of the wider WordPress community if other security companies stopped misleading people about what they can provide, so that people would no longer be misled and then it would be easier for us to get more customers, which would then allow us to do more to improve the security of plugins for everyone.

  3. Sorry, I should amend this to read…

    So can you please point to a security plugin that does catch potential hacking exploits in all other 3rd party plugins which have bugs which compromise what is essentially “normal functionality”? Essentially, as previously stated, to protect against normal functionality it would most likely require writing specific case code.

    (…otherwise you may construe this to mean a service which identifies flaws, such as yours, but not one that blocks the actual attacks from such flaws.)

    • You seem to be conflating two things here: whether plugins can protect against vulnerabilities in normal functionality, which if you look at our testing you can see is possible, and whether there is any plugin that protects against them all, which in our testing there has not been.

      Trying to write case code for each vulnerability would be difficult to do well, which is why we instead take the approach of trying to work with developers to fix the vulnerabilities, which provides everyone, not just our customers, with a fix. When that doesn’t happen we are there to work with our customer to come up with the best solution for them on how to deal with the issue, which includes us providing them with a workaround to protect against the vulnerability. By comparison the developer of BulletProof Security believes it is outside the scope of a security plugin to even try to protect against them, so it provides no protection.

  4. Whether a security plugin provides protection from real life attacking attempts is pretty obvious from the logs of the incessant attacks that we get on some of our very busy client sites, with the secondary benefit of additionally blocking repeated said attempts.

    Also the fact that, though we host many many sites built on a range of web platforms (not just WP), and use hardening methods and security plugins on all CMS-based sites, we have had only 3 instances of any of our sites being successfully exploited in more than 20 years of operation – a testament to the fact that good security works. And the situations surrounding those exploits even more strongly reinforce that *good* security plugins are important and do work…

    The situations surrounding them are equally important to note. All exploits were WP-based – one happened right at the beginning of us building in WP before we had implemented any security plugins – after thorough investigation into the very specific type of attack it couldn’t be identified with any plugin and is highly likely to have been a WP core vulnerability. This was the beginning of our learning of WP security. The other (recent) exploit was from a security hole in a custom plugin from a payment gateway which we have since re-written, and monitor closely. And very recently, because of a security plugin, we were alerted to malicious code in a plugin loaded by someone else.

    Also, security plugins based on htaccess firewalls result in less cpu usage which can be a major benefit.

    You referred to the precise point I’m making:
    > So the service [plugin vulnerabilities] does help to stop security flaws, just not by doing something that we haven’t seen a way to effectively at this time.

    Your service only helps by identifying which plugins to avoid. Good service and necessary, and you are to be commended for it.

    But it doesn’t block anything.

    AND above you finally admitted that you can’t see a way that flaws in 3rd party plugins can effectively be blocked either. I don’t see how security plugins can be expected to do the same.

    I get your points, but I fail to see how you can castigate security plugins for (a) being ineffectual when they obviously aren’t.

    And I can understand if you rail against a security plugin maker professing 100% security with their product, but to say they shouldn’t profess to provide protection because they are not plugging holes in others 3rd party plugin flaws is a bizarre statement.

    So, I conclude:
    – I fail to see how you can label security plugins as not providing protection
    – I fail to see why you can expect security plugins to cover 3rd party plugin flaws
    – I fail to see how you cannot see that your service is just *one* part of ensuring WP security

    You see this as “us and them”.
    The whole reason I got involved in this post is because I suggested that the collated blocking data from the BPS Pro plugin would be useful in an aggregation service highlighting plugin vulnerabilities, just like yours, and suggested BPS Pro work with you, instead of doing their own service.

    I see it as a business opportunity for you to be that aggregated service and to work in with security plugins to get as much data from security logs as possible. Something which would make you the primary source for this info and that commercial security plugins could actually bundle on top of their services for a licensing fee. And this would benefit the whole WP landscape.
