17 Nov

Wordfence’s Idea of Keeping “site owners safe from exploitation” Actually Puts Them At Risk

When it comes to improving the poor state of security, what can be seen over and over is that the focus needs to be on the basics. Take for instance the widely covered breach of Equifax, which was a situation where simply keeping their software up to date would have prevented the breach from happening. But the security industry isn’t focused on that and doesn’t seem to ever consider that what they are doing is far too often part of the problem, even when it impacts them.

That type of issue applies with WordPress plugins, where many hacks involve exploitation of vulnerabilities that have already been fixed. So what is probably going to provide you better protection then any security product or service would be to simply keep your plugins update at all times (many of the security plugins don’t seem to provide any protection against those vulnerabilities), which can be done with things like our Automatic Plugin Updates plugin. But telling you that doesn’t help the security industry to sell their products and services, so you don’t often here that from them.

As example let’s take a look at a post from yesterday from Wordfence about vulnerabilities in several plugins, which ends:

We encourage you to share these vulnerabilities with the larger WordPress community to help keep site owners safe from exploitation.

If you read through the rest of the post they don’t ever say that you should be keeping your plugins up to date at all times, which is actually the best advice when it comes to the vulnerabilities mentioned there. Instead they tell you the plugins they are mentioning now should be updated “immediately”, which for one of the plugins is well after a hacker had started trying to exploit one of the vulnerabilities that had been in it. The three plugins they mention are far from the only recent updated plugins that had updates that fixed security vulnerabilities, so only mentioning that people should update those isn’t all that helpful.

The rest of the post is like so much from Wordfence, mainly an ad for their services, which seems to be the real reason they want people to share it. As well get to in a moment one of the vulnerabilities in the plugins they mention is an example of the poor quality of what Wordfence paid service provides over doing the basics and the post shows again that Wordfence has very limited security knowledge, despite claims to the contrary.

A Week Behind

A week ago Thursday we discussed the details of a vulnerability that had been fixed in Formidable Forms, after Robert Mathews disclosure that it was being used to exploit vulnerability in another plugin (it is probably worth another post discussing how it was being exploited after it was fixed but before the discoverer had disclosed it). Since it was being exploited, we also added the vulnerability to the free data that comes with the companion plugin for our service, so that anyone that hadn’t updated the plugin already could have been warned about the issue last Thursday if they used our plugin. The update that fixed the vulnerability had been released a couple weeks before all that happened.

According Wordfence’s post they only got around to adding to protection against that to their paid service yesterday:

We released a firewall rule today, protecting Wordfence Premium customers from attempts to exploit this vulnerability.

That paid service is promoted by the claim that Wordfence has “unmatched access to information about how hackers compromise sites”. We would love to hear how Wordfence would try to justify that claim when they are a week behind the information that someone simply following our blog would have. That is far from the first time they have been well behind our blog, in another instances they only became aware of a vulnerability that was already being exploited because we were “making some noise about it” on this blog.

That was not the only thing that points to Wordfence not having the expertise they promote themselves as having (they claim to have a “large team dedicated exclusively to WordPress security”), take their mention of the vulnerability:

  • A preview function allowed unauthenticated users to execute an arbitrary shortcode. Normally, the use of shortcodes is restricted to site authors or administrators, as many of them could be used to exploit a site.

If they had simply read another recent post of ours they would have known that normally any one logged in to WordPress can access shortcodes, not just “site authors or administrators”:

In that access had not been there, then the vulnerability wouldn’t have existed, as those logged in to WordPress are already allowed to execute shortcodes through AJAX.

A Lack of Due Diligence or Worse

For another one of the vulnerabilities mentioned by Wordfence, they either didn’t do any due diligence or they don’t understand an even more basics element of web security:

WPVulnDB also reports that the Duplicator, running on over 1 million active sites, fixed a stored cross site scripting vulnerability affecting versions 1.2.28 and older. This report also included the code changes.

For some reason Wordfence didn’t actually link to the report on the vulnerability or credit the discoverer Ricardo Sanchez (though they managed to link to another page on their own website in that). If you look at that report you would not see any mention that this is a stored (or as we refer to them, persistent) cross-site scripting (XSS) issue, instead it indicates that it is a reflected XSS:

The XSS reflected because the values are not filter correctly:

The security implications of those two types of vulnerabilities are very different, so you would hope anyone in the security industry that provides a service related to dealing with them understands the difference.

It is possible that Wordfence doesn’t understand what they are talking about here (considering they link to changes in the code that don’t show the vulnerability they claimed), but a simpler explanation is that they just repeated the labeling of it by the WPScan Vulnerability Database:

That would be a bad idea as their data is well known to have accuracy issues, one of them lead to Wordfence recently falsely claim that the current version of a plugin contained a vulnerability that had been fixed six years ago. Does Wordfence with their “large team dedicated exclusively to WordPress security” not know this or do they not care enough to make sure they are presenting accurate information to their customers and the wider public?

A Paid Service That Really Helps

While Wordfence just got around to mentioning to people about Duplicator’s vulnerability yesterday we started notifying our customers about the issue last week when it was originally disclosed and before it was fixed. We also notified the developer that this unfixed vulnerability had been disclosed. That type of notification is something that we frequently do (we seem to be about the only ones) and can lead to unfixed vulnerabilities getting fixed within hours, which helps to protect everyone, not just our customers.

That is far from the only thing we do that others don’t, that helps everyone, one of the other things that we do that we have seen no evidence that anyone else does is that we monitor changes being made to plugins in the Plugin Directory to detect serious vulnerabilities.

Help Site Owners by Getting the Word out on Wordfence

This isn’t the first time Wordfence has put out type of post that is less focused on helping protect websites, than on marketing Wordfence. In other cases their posts are worse because they lie about what are security threats against WordPress and lead people believe that WordPress is insecure in ways it isn’t or they focus on making people reliant on them instead of actually improving WordPress, which would lead to  everyone being better protected then they would be by Wordfence.

Even worse they falsely promote their plugin with an unqualified claim that it “stops you from getting hacked”, despite them knowing this isn’t true. If the WordPress community would get involved in warning others about security companies that are so obviously dishonest, we think it would go a long way to helping to protect the public from companies like Wordfence that have shown they don’t have even their own customers best interest at heart, much less that of the larger WordPress community.