31 Jan

Developer of Popular WordPress Security Plugin Thinks It Outside of Scope For Them To Protect Against Vulnerabilities

Back in November we discussed the belief of a developer of a WordPress security plugin with 500,000+ active installs that it was normal for security plugins to themselves be insecure. While that was fairly incredible to hear, we have just come across a belief from the developer of another security plugin, with 100,000+ active installs, which we think tops that.

The developer of the plugin BulletProof Security stated that “it is outside of the scope or intended purpose for any security plugins” to protect against vulnerabilities that exist in other plugins (and based on their explanation of why, it would seem other similar vulnerabilities as well). When you consider that vulnerabilities in plugins are a leading source of WordPress websites being hacked (exploitation of vulnerabilities in WordPress itself being few and far between), that means that relying on this plugin to protect a website will leave it fairly vulnerable to a real threat. The description of the plugin doesn’t make any mention of this intended limitation, which seems like it should be something that is prominently warned about.

Let’s take a step back from that statement, because the way it came about is a good example of the poor state of the security information surrounding WordPress.

One of the things we do to keep track of vulnerabilities in WordPress plugins is to monitor the wordpress.org Support Forum for threads related to them. In doing that we run into a lot of other security threads, and occasionally we will add our input.

In a thread from someone asking about the security of WordPress, someone suggested using a couple of security plugins:

The terms “secure” and “security” mean different things to different people, and the fact that WordPress is well-written in relation to “security” — no major flaws or vulnerabilities to be exploited — does not mean your self-hosted site is secured by WordPress. I use BulletProof Security to “harden WordPress” and much more…
https://codex.wordpress.org/Hardening_WordPress
https://wordpress.org/plugins/search.php?q=bulletproof
https://www.google.com/search?q=harden+wordpress
…and I also have the stand-alone version of NinjaFirewall out in front of everything at my hosting account:
https://wordpress.org/plugins/search.php?type=term&q=ninjafirewall

There are various other options, of course, but just do not let the idea that WordPress is “secure” lead you to believe WordPress covers your needs related to site security.

We responded explaining that through our testing of them, those two plugins and all the others tested have provided very little to no protection against the exploitation of vulnerabilities in other plugins:

It’s worth noting here that security plugins don’t necessarily provide much, if any, protection against vulnerabilities. We have done four tests of them to see if they could protect against exploitation of real vulnerabilities that existed in other plugins. In only one instance did one, NinjaFirewall (WP Edition), provide protection that wasn’t easily bypassed and that came with the tradeoff that Editor-level and below users could not upload media through WordPress anymore. BulletProof Security provided no protection in any of the tests.

The developer of BulletProof Security responded, but apparently confused us with the developer of NinjaFirewall (WP Edition):

Uh well your opinion is biased. So you should state something to that effect. Also your tests do not include all/every possible BulletProof Security code that is available and the test parameters seemed skewed in favor of your plugin. Nothing personal, I don’t blame you for using this tactic – just noting facts.

Before we figured out that they were confusing us with another company, we were confused by the claim that our testing was skewed.

They then responded again:

Oops. I misread the article. This is not an obvious sales pitch article and link. I reread the article and it is completely unfounded and frankly ridiculous because the test parameters are not any sort of valid security test parameters. I could make up stuff too, but why bother. 😉

Obviously whoever posted that junk does not know anything about website security at all.

Again somehow the testing wasn’t valid (and we don’t know “anything about website security at all”).

Yet another response:

Normally I would just ignore ridiculous junk like this, but in reality this is a disservice to average folks. Why? Because that information is misleading either intentionally or unintentionally due to an unqualified person reporting some junk that just makes people worried about nothing.

This time they called the testing “ridiculous junk”, but still didn’t cite anything specific that was wrong with it. The only person at this point who seemed to be misleading people was the developer of BulletProof Security, but the average person would have a hard time knowing that. That is an ongoing problem with WordPress security information: even many of the biggest names don’t understand the basics, but claim and feel otherwise, leading to false information being spread widely.

After we posted a response they claimed that the testing was “not valid information”:

Oops again. Guess I should have checked WhoIs first. I see that this is your website. Sorry about negating your article, but unfortunately it is not valid information.

But again there wasn’t any specific issue they were pointing to and we were still not sure what they might be referring to.

When they finally got to some detail on what was wrong with the testing, it didn’t make sense:

What I question is your test parameters themselves. They seem too general/broad and not realistic. Security plugins are not supposed to block anything that appears to be normal functionality in another WordPress plugin, otherwise security plugins would end up breaking most WordPress plugins normal functionality. So your test parameters need to factor in a realistic attack vector that excludes any normal functionality in any other plugins. There a lot of other things that you also have to factor into the test environment equation that I will not go into. In a nutshell, your test parameters and environment are simply not realistic.

As we responded, what they are really saying is that it is not realistic to test security plugins against real vulnerabilities (including one that looks to have been widely exploited at the time we did the testing):

You are proving our earlier point, as it is hard to distinguish between a request legitimately accessing functionality and exploitation of a vulnerability. Many, maybe most vulnerabilities, involve legitimate functionality being used by someone that shouldn’t have access to it or in a way that it wasn’t intended. The end result is that it would be very hard for security plugins to provide much, if any, protection against vulnerabilities.

Before we had left that response they had left another, which seems like an endorsement of our plugin/service since we actually warn about security vulnerabilities in plugins:

I’ll just use this one test example that you did:

For each of the tested plugin we set up a fresh install of WordPress 4.7, installed the version 2.0 of Delete All Comments, and installed the latest version of the security plugin. We tried to enable any feature of the plugin that could possibly have an impact on stopping exploitation of the vulnerability.

The problem here is that the Delete All Comments plugin has a coding mistake/security vulnerability. Most if not all WP security plugins will not interfere with the normal functionality of another WP plugin for the reason I stated above. So basically the basis of this test is no good. What of course is the only solution is the Delete All Comments plugin would need to fix the bug.

If security plugins are not intended to protect against vulnerabilities, that means they are not doing much to protect you against real threats (security plugins can’t protect against lots of other things, since those involve an attacker having access at a lower level than the plugins run).
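To make the point in the two quoted passages concrete, here is an added example, hypothetical plugin code written for this page and not taken from the post, from Delete All Comments or from any security plugin named here: a WordPress admin-ajax handler whose vulnerable and hardened versions receive the very same HTTP request, so a request-filtering plugin has nothing to key on, while the handler itself can check authorization. The action names, the `moderate_comments` capability choice and the nonce name are assumptions.

```php
<?php
// Added example (hypothetical plugin code, not from any plugin named in the post).
// Both handlers are reached by an identical request:
//   POST /wp-admin/admin-ajax.php   action=<hook name>  _wpnonce=<token>
// A security plugin filtering requests sees the same traffic either way; only the
// handler knows whether the caller is entitled to perform the action.

// VULNERABLE: WordPress fires wp_ajax_* hooks for every logged-in user, including
// Subscribers, so this lets any account holder empty the comments tables.
function example_purge_comments_vulnerable() {
    global $wpdb;
    $wpdb->query( "TRUNCATE TABLE {$wpdb->comments}" );
    $wpdb->query( "TRUNCATE TABLE {$wpdb->commentmeta}" );
    wp_send_json_success( 'All comments deleted.' );
}
add_action( 'wp_ajax_example_purge_comments_vulnerable', 'example_purge_comments_vulnerable' );

// HARDENED: the same functionality, gated by a capability check (authorization)
// and a nonce check (CSRF). Both live inside the plugin; a firewall cannot add them.
function example_purge_comments_hardened() {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 ); // exits after responding
    }
    check_ajax_referer( 'example_purge_comments', '_wpnonce' ); // dies on a bad nonce

    global $wpdb;
    $wpdb->query( "TRUNCATE TABLE {$wpdb->comments}" );
    $wpdb->query( "TRUNCATE TABLE {$wpdb->commentmeta}" );
    wp_send_json_success( 'All comments deleted.' );
}
add_action( 'wp_ajax_example_purge_comments_hardened', 'example_purge_comments_hardened' );

// The nonce the hardened handler expects is only issued to an authorized user,
// e.g. when the plugin renders its own admin page.
function example_render_purge_button() {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        return;
    }
    printf(
        '<button data-action="example_purge_comments_hardened" data-nonce="%s">Delete all comments</button>',
        esc_attr( wp_create_nonce( 'example_purge_comments' ) )
    );
}
```

The fix is a change to the plugin that owns the functionality, which is the point the post makes: nothing in the request distinguishes an Editor clicking the button from a Subscriber posting the same form data.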

Humorously, they then offered to provide us further explanation of why security plugins shouldn’t protect against vulnerabilities:

Yep, I understand where you are coming from, but unfortunately it is outside of the scope or intended purpose for any security plugins. If you would like further explanation then you can contact us here: https://www.ait-pro.com/contact/

4 thoughts on “Developer of Popular WordPress Security Plugin Thinks It Outside of Scope For Them To Protect Against Vulnerabilities”

  1. I’ve got to agree with the BPS Pro representative on this. A good security plugin tries to cover all of the known hacking exploits being used – based upon specific behaviours. This approach creates a net to catch attempts which are essentially “illegal” methods.

    What you are expecting security plugins to do is to
    a) monitor the security flaws of *other* plugins (given there are probably hundreds and hundreds of them with major bugs),
    b) and then create exceptions for these issues, and
    c) then have to provide support to their customer base for those issues as well.

    The problem with this is that:
    1. Security plugins which are based on identifying illegal behaviours cannot be expected to be blocking what is essentially *normal & legal* functionality which is now insecure due to the poor coding of a 3rd party plugin. This would mean that they are essentially writing one-off specific case code for individual plugins and having to maintain that in their plugins. What a nightmare that would be for them.
    2. They would need a team of people just to identify and test for 3rd party plugin code bugs and security issues. Purely from a business perspective, I cannot see how it would be viable to provide this based upon the costs of maintaining a security plugin in the rapidly changing WordPress ecosystem, notwithstanding that there are probably thousands of free plugins that are horribly written.

    Unlike desktop anti-virus programs, they don’t have the luxury of working directly with the manufacturer of the “operating system” (in this case WP) nor a limited amount of applications to cater for, nor do they have the budget of such companies.

    Now, to reasonably achieve what you are saying that doesn’t mean the immediate doubling or tripling in price of commercial security plugins (I fail to see how any free security plugin could even think of trying to do this) I believe you’d have to have a number of major things to happen.

    1. The WP plugin repository would have to start rejecting plugins based upon bad coding similar to Apple’s App Store.
    2. There would need to be a comprehensive industry-supported service that they could refer to that provides specific plugin vulnerability data that they could refer to, and their marketing material would have to disclaim that they use and rely on this service for identifying these insecure plugins (ie. they have no liability for any 3rd party plugins that they don’t include fixes for).

    If you are saying that is what Plugin Vulnerabilities can provide, then maybe you should be pioneering the effort, along with petitioning WordPress, to bring the industry together to make this happen for the benefit of the WP community, instead of shaming people for not addressing this, especially when no-one does this for obvious reasons. If this was approached from a community aspect you are perfectly positioned to be the driving force behind an industry wide effort to combine logging data and work with WP to improve security efforts. That is the challenge I put to you.

    I, for one, would be happy to get behind it and help with such a pursuit, because security is IMHO the no.1 problem with the WP ecosystem.
    Ironically this post came about because I suggested to AIT-Pro that they use aggregated customer logging data of security breaches to create a “plugin vulnerabilities knowledgebase”, and also to maybe approach you about supporting your efforts.

    Disclaimer: We are a customer of AIT-Pro and use their BPS Pro plugin and service as an important part of our security hardening setup for our client’s WordPress websites. We also use Plugin Vulnerabilities. I am not a security expert, but a founder/director of a web company est. in 1995, who is responsible for ensuring that we have the best reasonable protection available for our WordPress clients. So yes, I’ve been around the block with WP security plugins and settled on BPS Pro due to its use of htaccess files and constant file monitoring. It also allows for extensive customisation which we require on some of our more complex custom sites. But nothing on the web, especially the average WordPress site, is 100% hackproof.

    • If “A good security plugin tries to cover all of the known hacking exploits being used – based upon specific behaviours” then BulletProof Security isn’t one, as the developer specifically states that “it is outside of the scope or intended purpose for any security plugins” to protect against vulnerabilities in other plugins. Doing that is actually one of the main types of exploit it should be able to protect against, as there are other types of hacking exploits it could not actually prevent (it wouldn’t be able to stop exploitation of compromised FTP credentials, for example). The rest of your message doesn’t point to anything that it does that actually protects websites.

      A lot of what is portrayed as protecting, including a lot of security hardening, doesn’t actually provide any protection. There is even a term for that type of thing, security theater. That is part of the reason we started doing testing of security plugins against real vulnerabilities, to show what, if any, protection they provide. So far BulletProof Security hasn’t provided any, which is what brought this up in the first place.

      The rest of what you are describing here is largely what our service has been doing for some time, as we “monitor the security flaws of *other* plugins (given there are probably hundreds and hundreds of them with major bugs)” and “provide support to their customer base for those issues as well.” Instead of your second item, “then create exceptions for these issues”, we work with the developers to get the vulnerabilities fixed, which helps everybody, even if they don’t use our service.

      If you want to help us you can sign up for the service and promote it to others.

      Plugins like BulletProof Security actually make what we do harder because they give people a false sense of security and they don’t look for services that will actually provide them protection they are looking for.

  2. Firstly, you’re stating the obvious. And I’m not sure that you actually read or understood my post. Asking me to list what BPS Pro, or any other security plugin does to provide security is outside the scope of what we are discussing, and frankly a waste of time. You can do this yourself by going to their websites.

    > That is part of the reason we started doing testing of security plugins against real vulnerabilities, to show what, if any, protection they provide.
    Your approach seems quite antagonistic. It seems that you started your company to prove a point, not to provide a service. Which is it then…? To make the WP world a better place or to prove a point?

    So can you please point to a security plugin that does include the ability to catch flaws in all other 3rd party plugins which have bugs which compromise what is essentially normal functionality? Or is this just a specific rant about BPS Pro because they questioned you on this? Your service alerts of insecure plugins with known security flaws, but it doesn’t stop them.

    > “A lot of what is portrayed as protecting, including a lot of security hardening, doesn’t actually provide any protection”
    Security theater. This is a big claim and it is one you would need to back up with some proof, especially given that so many people rely on them to protect their websites. Please point me to articles which back these statements. As a typical web dev customer who spends time hardening sites, and promoting a secure WP service, I’m unconvinced about your claims.

    I am well aware of what your plugin provides (As previously stated, I use your plugin) and also your service – and in my opinion it only complements security hardening, since it’s not only plugins that create security holes, and not every exploit will be covered by identifying holes in other people’s software, however important and useful a service that may be.

    You seem to be avoiding the point – if you are so convinced that WP security plugins don’t provide an appropriately useful or proper service then wouldn’t it be better to work with them, and try to cooperate with them for everyone’s benefit, yours as well?

  3. Sorry.. i should amend this to read…

    So can you please point to a security plugin that does catch potential hacking exploits in all other 3rd party plugins which have bugs which compromise what is essentially “normal functionality”? Essentially, as previously stated, to protect against normal functionality it would most likely require writing specific case code.

    (…otherwise you may construe this to mean a service which identifies flaws, such as yours, but not one that blocks the actual attacks from such flaws.)
