15 Dec 2017

When a WordPress Plugin Security Checker is Really Just a Site Search

One of the many problems we see in the security industry is that tools and services are often promoted as doing more than they really can, which makes it hard to determine what, if anything, they can do to help protect websites and how they truly compare to other options. The public often takes those claims at face value, which leads to people using things that provide little to no value over other options that offer better protection but are not promoted inaccurately.

The security industry surrounding WordPress does that type of thing in spades. Take the most popular WordPress security plugin, which is promoted with the unqualified claim that it “stops you from getting hacked”, despite the developers being well aware that is far from the truth. Another example involves something we came across while looking around to see what is out there that offers functionality similar to our recently introduced tool for doing limited automated security checks of WordPress plugins, so that we can make improvements. So far, though, much of what we have found has been rather lackluster.

When doing a Google search for “wordpress plugin security checker” one of the first page results is the WordPress Plugin Security Checker on the website wpwss.com:

At the top it states:

Check to see if the WordPress Plugin you are about to install is safe.

No details are given as to what it actually does. It could be that it checks the plugin against known vulnerabilities, or it could be that it checks the plugin’s code for security issues. Or maybe it does both, as our tool does.

When we entered the name of some plugins we got a strange result, like this one:

That result will make more sense in a moment, but as we were trying to figure out what was going on, we then noticed that well below the search box was the following:

Terms of use

WPWSS are part of CiroQu Ltd based in the United Kingdom.

  1. The WordPress Plugin Security Checker is provided to help WordPress users evaluate WordPress Plugins before they install on their website. By using this facility you agree to these terms:
  2. The results displayed provide the information we think that you will need to make your own conclusions. We do not provide an exhaustive investigation. There may be problems that our research has not uncovered. You should therefore not rely on our results but use your own judgment as to whether a plugin is appropriate. We hope that our assessments will help you in that process.
  3. Accordingly, we make absolutely no guarantees. If we are wrong in our assessment you accept that you are not able to sue us for that reason.
  4. If you object to any of our assessments, for example if you are a developer of a plugin we have listed then please contact us. We do not guarantee to change or remove anything merely on request.

Our results are provided as an aid to plugin selection and should be considered as such.

There is a lot of text there, but the closest you get to an explanation of what is being checked for is a mention of “our research” and “our assessments”.

Clicking the first item listed after “Did you mean” got us some results, but nothing that made much sense in the context of checking this plugin for security issues:

Looking over that website we found that those results were blog posts on the website, and then we found what was really going on. Pulling up a web browser’s developer console, we could see that when you type something into that search box an AJAX request is sent to WordPress with the action set to “ajaxsearchpro_search”. Ajax Search Pro is a plugin that provides AJAX-based searching of a website, so this page really just searches the website to see if it has any content related to the plugin.
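The check described above, looking at what a page’s AJAX requests actually invoke, can be made repeatable. The following is an added example, not code from the original post or from the wpwss.com site: a small JavaScript helper that parses a captured WordPress admin-ajax request and reports which `action` it carries, plus an `installXhrMonitor` function that hooks `XMLHttpRequest` when pasted into a browser developer console so each such request is classified as it happens. The `admin-ajax.php` endpoint and the `action` parameter are standard WordPress behaviour; the sample host, search phrase and the field names other than `action` are assumptions constructed for the example, and only the action name `ajaxsearchpro_search` comes from the post.

```javascript
// Added example: identify what a WordPress page's AJAX requests actually do.
// Not code from the original post. Works as a pure function under Node and as
// a live monitor when pasted into a browser developer console.

// WordPress front-end AJAX calls go to admin-ajax.php and name the server-side
// handler in an "action" parameter (query string or form-encoded body).
const WP_AJAX_ENDPOINT = /\/wp-admin\/admin-ajax\.php(\?|$)/;

// Action name observed in the post, mapped to the plugin that handles it.
// Only this entry is from the post; any further entries would be assumptions.
const KNOWN_ACTIONS = {
  ajaxsearchpro_search: "Ajax Search Pro: site content search",
};

// Parse one captured request. Returns null for non-admin-ajax URLs; otherwise
// the action name, a description of its handler, and every submitted field.
function parseWpAjaxRequest(url, body) {
  if (!WP_AJAX_ENDPOINT.test(url)) return null;
  const params = new URLSearchParams(url.split("?")[1] || "");
  // A form-encoded POST body carries the action too; body fields win on conflict.
  if (typeof body === "string" && body.length > 0) {
    for (const [key, value] of new URLSearchParams(body)) params.set(key, value);
  }
  const action = params.get("action");
  let handler = "no action parameter";
  if (action !== null) handler = KNOWN_ACTIONS[action] || "unrecognised action";
  return { action, handler, fields: Object.fromEntries(params) };
}

// Hook XMLHttpRequest so every admin-ajax request the page makes is reported
// through onRequest. Returns false outside a browser (for example under Node).
function installXhrMonitor(onRequest) {
  if (typeof XMLHttpRequest === "undefined") return false;
  const origOpen = XMLHttpRequest.prototype.open;
  const origSend = XMLHttpRequest.prototype.send;
  XMLHttpRequest.prototype.open = function (method, url, ...rest) {
    this.__wpMonitorUrl = String(url); // remember the target for send()
    return origOpen.call(this, method, url, ...rest);
  };
  XMLHttpRequest.prototype.send = function (body) {
    const info = parseWpAjaxRequest(this.__wpMonitorUrl || "", body);
    if (info) onRequest(info);
    return origSend.call(this, body);
  };
  return true;
}

// Constructed sample of the kind of request the post describes. The host, the
// search phrase and the "aspp" field name are made up for this example.
const SAMPLE_REQUEST = {
  url: "https://example.invalid/wp-admin/admin-ajax.php",
  body: "action=ajaxsearchpro_search&aspp=akismet",
};

// In a browser: start monitoring. Under Node: classify the constructed sample.
if (!installXhrMonitor((info) => console.log("admin-ajax call:", info))) {
  console.log(parseWpAjaxRequest(SAMPLE_REQUEST.url, SAMPLE_REQUEST.body));
}
```

Pasted into the console before using the search box, the monitor prints each admin-ajax call with its action and fields, which is enough to tell a site search from an actual plugin analysis. Plugins that use `fetch()` rather than `XMLHttpRequest` would need an equivalent wrapper around `window.fetch`; the parsing function is the same.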

At best that would produce information on known vulnerabilities, but even that would require the company to be blogging about lots of them to be of much value. The website looks like it hasn’t been updated since 2015, so the information the page could provide would be limited.

Even for what it is doing it doesn’t work too well: if you do a search for Akismet, for which a blog post showed up in the prior search, it comes up empty:
