We were recently looking back at some of our messages on the WordPress Support Forum in relation to some posts we have been writing related to the terrible moderation of that forum. In one of the topics we had started, there were a few things that we noticed that we thought were worth discussing as they relate to other things we have been looking at recently.

Eight months ago we had created a topic on the forum of a plugin, letting people know that there were some unfixed minor security issues in the plugin:

This plugin was recently selected by our customers to have a security review done by us. While there were no issues that were likely to lead to the average website being hacked found, we did find a couple of security issues with the plugin. We notified the developer of those, but as of yet they have not been resolved. Seeing as the plugin hasn’t been updated in 10 months, they might not be resolved any time soon.

After a moderator told us that we should email the Plugin Directory about this, we explained that the issues didn’t rise to the level that they would take action and therefore there wasn’t a use for doing that. In a reply to that, the head of the Plugin Directory responded:

I’m not sure what the issue is here, but we have always read, reviewed, and replied to your very welcome reports of plugin issues.

We clearly have a different view of what should be the focus of the people running the Plugin Directory, as we have never notified them in hopes they would do any of those things, but to take the action only they can take, removing the plugin until it is fixed (though we would expect they would we read and review the details of the issue before doing that). As removing unfixed plugins prevents anyone else from starting to use a known vulnerable plugin.

Due to WordPress’ continued poor handling of security we suspended notifying of them of vulnerable plugins in the Plugin Directory back in June, which has lead to there currently being plugins with over 2.3 million active installations that are known to be vulnerable that have remained in the Plugin Directory (if you were using our service and one of those plugins you would already been notified that your website contains a vulnerable plugin).

The most recent reply in the topic gets to something we have recently been thinking about more, which is when information about security issues, whether confirmed or possible, in plugins are being inaccurately cited. That is a concern with our new tool for check possible security issue in plugins, as based on past experience, we could easily see misuse of the results and we don’t want plugin developers having to deal with more inaccurate information on the security of their plugins.

Here is all but the last sentence of the reply (we will get to that sentence in a moment):

I can verify that there are serious problems with this plug-in. My hosting provider recently suspended my account temporarily because I was generating spam. We traced the problem to this particular plug-in.

We had not claimed there were serious problems with the plugin and the issues we found don’t seem like they could have lead to the issue this person had (or really had any chance of being exploited on the average website). Based on our past experience we would guess that the hacker just happened to place the malicious code in a file in the plugin’s directory, as we mentioned recently web hosts often incorrectly claim that wherever they find a malicious file is the source of the hack.

Unsupported Belief of Protection Provided by Wordfence

The final sentence of the reply is:

This problem occurred despite the fact that I had WordFence premium installed on the site.

It easy to understand why this person would have assumed that the Wordfence Premium paid service should have protected them, since Wordfence claims that just their free plugin Wordfence Security “stops you from getting hacked”. Until a week ago that claim was the second sentence in the description of the plugin in the Plugin Directory and it now exist in a FAQ answer on the page:

How does Wordfence Security protect sites from attackers?

The WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, WordFence Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly in the event your site is compromised. The Live Traffic view gives you real-time visibility into traffic and hack attempts on your website. A deep set of additional tools round out the most comprehensive WordPress security solution available.

That unqualified claim is a lie and Wordfence knows it (and the lie is something the public does believe, contrary to people trying to excuse Wordfence’s behavior will tell you). The reality is that a WordPress plugin cannot stop certain types of hacks from happening, including server level breaches and compromise of FTP logins. That the most popular WordPress security plugin has been prominently promoted with a blatant lie, is a good indication how bad things are currently when it comes to the WordPress security industry. Though it certainly isn’t alone, as the second most popular uses a false claim to collect users’ email addresses and one of the developers of third most popular thinks it is normal for security plugins to be insecure.

Considering that trust is an important part of security, any dishonesty from a security company seems like it should be something that leads to people avoiding doing business with them. So far it hasn’t though, but if it did, it would impact many more companies than just Wordfence.

The Wordfence plugin and service can’t stop a lot of hacks for basic technical reasons, but even for the types of things that they should be able to protect against they don’t present evidence, much less evidence from independent testing, that they are effective against those hacks. The testing we have done in the past showed their plugin either didn’t protect against threats or the protection was easily evaded (that was one of the best results among the plugins we tested). So results from independent testing really are necessary before any claims are made as to the protection it provides (whether coming from Wordfence or from others).

We have had plenty of people come to us after using services that claimed to protect websites that failed to do that and everything we have seen about those services is that the claims being made are unlikely to match what the companies have the capability to provide. So you really should avoid any service that makes claims like that unless they are presenting evidence from independent testing that they are effective at protecting websites. We have yet to see any that provide that, which also probably is a good indication of those services limited ability to provide protection, as either the providers don’t know if they effective or not, or they know they are not.

You Can See What We Are Doing

With our service we don’t claim that we are going to stop your website from being hacked, only that we will help to protect you from security vulnerabilities in WordPress plugins. Being honest isn’t great for business, since so many security companies have no qualms about outright lying, but we actually care about security and being honest.

With our service you don’t have to guess if we are really providing you with anything of value as we currently put out a monthly post detailing most of what we have done during the month. That way people can compare what we are doing versus other providers, and we even sometimes provide public comparisons. We don’t just do that type of comparison for marketing purposes, but so that we can make sure that we are providing the best service possible.

One of the areas that we provide you better protection than services that make overstated claims about what they provides is that instead of simply trying to stop a vulnerability from being exploited we proactively monitor changes made to plugins to try to catch serious vulnerabilities as they are added to plugins (something we could expand to less serious issues if we had more customers) and we provide the ability for paying customers to suggest/vote for plugins to get reviews, so you can get a determination if a plugin is secure or not (and hopefully we can then work with the developers to fix any issues), before a hacker might start exploiting it. We also continue look at ways to improve the detection of vulnerabilities, including our recently introduced tool for doing some limited automated security checks of plugins and our plugin for making it easier to confirm the existence of the very serious PHP object injection vulnerabilities, which has been cited in the discovery of a couple of those vulnerabilities by others.