19 Oct

You Shouldn’t Assume That Wordfence Security or Other Security Tools Actually Provide Effective Protection

When it comes to explaining how so much money is spent on security while the results of that spending don’t seem to be appearing, much of the explanation can be found in the almost complete lack of evidence that the products and services marketed as providing protection actually provide effective protection. Considering that those products are often promoted with extraordinary claims about their capabilities, this suggests either that the claims are baseless or that the developers know they are false, since if they had evidence to support them it seems unlikely they wouldn’t present it.

Everything we have seen over the years indicates that there really is a lack of effectiveness, combined with some mix of developers not understanding that their products are not effective and developers not caring, since they can make a lot of money selling something that doesn’t have to work well (if at all). Certainly one of those applies to the company behind the plugin tied for most popular WordPress security plugin, Wordfence Security (the reality behind the other plugin also shows that popularity does not equate to good security). For example, they previously very prominently claimed that their plugin “stops you from getting hacked” without any qualification (and still make that claim less prominently), despite it simply being false.

Earlier this week Janek Vind put out a report claiming to have found a “WordPress username disclosure protection partial bypass” vulnerability in Wordfence Security, explained as follows:


Let’s try the well known WordPress username disclosure method with activated Wordfence:


Result: “Oops! That page can’t be found.”

Now let’s try a modified query:


Result: “Author: root”

This method can disclose only one username – from the author of the last post.

That wouldn’t be the first time that the protection claimed by that plugin was found to be bypassable. We have found that with much more serious issues in the past, both a persistent cross-site scripting (XSS) vulnerability and an arbitrary file upload vulnerability. Both of those are the kinds of vulnerabilities that hackers would be interested in exploiting; with the latter, it isn’t a question of whether hackers will try to exploit it if they are aware of it, but just how soon they will.

What seems more important about this, though, is that WordPress usernames are not intended to be private. Maybe the developers of the Wordfence Security plugin don’t really understand the WordPress security model, which would be a problem, or, if they really believe that usernames being disclosed is a problem, they should be pushing for WordPress to change how it does things instead of requiring people to use a plugin to provide something that should be integrated into WordPress (if that were the case, it wouldn’t be the first time).

If you are looking for a security product or service that will provide protection, we would recommend finding one that provides evidence, preferably from independent testing, that it is effective. Though from what we have seen, you are unlikely to find that, or one that could actually provide that protection.