When it comes to protecting WordPress websites against vulnerabilities in plugins we provide a level of protection that others don’t for the simple reason that we do the work they don’t (but that they absolutely should be doing). The result can be seen with the plugin WP GDPR Compliance, which had multiple vulnerabilities fixed in version 1.4.3.
We had been warning our customers about one of those before you could even normally upgrade to that version of the plugin, as the plugin was closed at the time (we warned our customers that it was at high likelihood of exploitation). At that time we could have helped our customers upgrade to 1.4.3, and shortly after we started warning them the plugin was re-opened and they could upgrade normally. That all occurred yesterday.
If you had been using our service, or simply had plugins update automatically (something we suggest doing and even created a plugin to make easy to do), you would have been protected from what looks to be a large scale exploitation of another one of the vulnerabilities that started today. We could have also warned people that were not our customers if WordPress hadn’t gotten in the way of us doing that.
Other providers are now belatedly warning people after their websites likely have already been hacked, which looks to be in large part about promoting themselves to deal with the after effects of that instead of providing a useful resource. In looking over their tweets and posts we haven’t seen any contrition for being late to warn about this and failing their customers, or any mention of what steps they are going to take to prevent that from happening again (considering this is far from the first time, that should have happened long ago for many of them).
What seems to be the worst example of that is with the company behind the plugin Wordfence Security. Here for example is a tweet from one of their employees:
Are you using this plugin to help with GDPR compliance? New exploit found. Over 100,000 installations. If you have Wordfence Premium you are covered! https://t.co/HPVGpgQa2g
— Tim Cantrell (@tcan1337) November 8, 2018
Users of the Wordfence Premium service actually were not covered, because, as a tweet from another employee shows, they added protection after the fact:
We've already begun seeing exploits in the wild of a vulnerability in the WP GDPR Compliance plugin. We've pushed out a new firewall rule to protect our users from these attacks, but it's still important to update any sites running the plugin. https://t.co/6b4Qy65Kcy
— Mikey Veenstra (@heyitsmikeyv) November 8, 2018
It is galling to see members of the security industry mislead people in this way, but that is unfortunately par for the course.
If a Reddit thread is to be believed, at least one user of Wordfence Premium got hacked despite using the service, and there likely are more if other users of their service also used that plugin.
Being late to this isn’t how the Wordfence Premium service is promoted; instead, they promote the Real-Time Threat Defense Feed that is part of it this way:
Wordfence protects over 2 million WordPress websites, giving us unmatched access to information about how hackers compromise sites, where attacks originate from and the malicious code they leave behind. The team in our Forensic Lab are constantly adding updates as they discover new threats. Premium members receive the real-time version of the Threat Defense Feed. Free users receive the community version, which is delayed by 30 days.
In this case, though, they were behind us not because we have more advanced tools, but because we do the basics. From what we have seen it doesn’t appear they do what they claim to be doing there, because they are consistently behind or missing things, even things that they could have known about by just following our blog.
What is also important in that is that they leave people relying on just their plugin, and not their paid service, vulnerable for thirty days (“Free users receive the community version, which is delayed by 30 days.”), which, as this situation shows, is over 30 days after it probably matters. By comparison, before WordPress got in the way, we always warned users of our companion plugin about exploited vulnerabilities even if they didn’t use our service, since we don’t want websites to be hacked. If you look at their post cited in those tweets, there is an unfortunate possible explanation for that at the end of it:
If you believe your site has been impacted by this vulnerability, please do not hesitate to reach out to our site cleaning team to begin the remediation process.
So if they can’t get you to pay for one service maybe they can get you to pay for another (or even both since they didn’t provide protection to those using Wordfence Premium until after the exploitation started).
Make Sure You Keep Your Plugins Up to Date At All Times
Also in Wordfence’s post cited in those tweets, they twice belatedly tell people to update the plugin:
Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible.
It is of critical importance that any site using this plugin performs the update as soon as possible.
What they should have told people is that you need to be keeping all of your plugins up to date at all times, since belatedly updating them after Wordfence warns you about a vulnerability doesn’t work.
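One way to check whether a site still runs a version of WP GDPR Compliance that predates the fixed release named above is to read the version out of each plugin's header block and compare it against the release that fixed the vulnerabilities. The following is an added example written for this post, not code from the plugin or from any vendor mentioned here; it assumes the plugin's directory slug is `wp-gdpr-compliance` and embeds constructed header text in place of real files under wp-content/plugins.

```python
import re
from typing import Dict, List, Optional, Tuple

# Plugins with a release that fixed known vulnerabilities, keyed by directory
# slug. Only WP GDPR Compliance 1.4.3 comes from the post; the slug is assumed.
FIXED_IN: Dict[str, str] = {"wp-gdpr-compliance": "1.4.3"}

# Matches header fields in a plugin main file's docblock, e.g. " * Version: 1.4.2".
HEADER_RE = re.compile(r"^[\s*#/]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def parse_plugin_header(src: str) -> Dict[str, str]:
    """Return the 'Plugin Name' and 'Version' fields of a WordPress plugin header."""
    return dict(HEADER_RE.findall(src))


def version_key(v: str) -> Tuple[int, ...]:
    """Make '1.4.3' or '1.4.3-beta1' comparable; a pre-release sorts below its final."""
    core, _, suffix = v.strip().partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in core.split("."))
    nums += (0,) * (3 - len(nums))          # treat 1.4 as 1.4.0
    return nums + ((0,) if suffix else (1,))


def is_vulnerable(slug: str, installed: str) -> Optional[bool]:
    """True if installed predates the fixed release; None when the slug is not tracked."""
    fixed = FIXED_IN.get(slug)
    return None if fixed is None else version_key(installed) < version_key(fixed)


def audit(plugin_sources: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Given {slug: main-file source}, list (slug, installed, fixed) for outdated plugins."""
    findings = []
    for slug, src in plugin_sources.items():
        hdr = parse_plugin_header(src)
        if "Version" in hdr and is_vulnerable(slug, hdr["Version"]):
            findings.append((slug, hdr["Version"], FIXED_IN[slug]))
    return findings


# Constructed sample headers standing in for wp-content/plugins/<slug>/<slug>.php
SAMPLE_PLUGINS = {
    "wp-gdpr-compliance": "<?php\n/*\nPlugin Name: WP GDPR Compliance\nVersion: 1.4.2\n*/\n",
    "other-plugin": "<?php\n/**\n * Plugin Name: Other Plugin\n * Version: 2.0\n */\n",
}

if __name__ == "__main__":
    for slug, installed, fixed in audit(SAMPLE_PLUGINS):
        print(f"{slug}: installed {installed} < fixed {fixed}, update now")
```

On a real install, feed `audit` the contents of each plugin's main PHP file keyed by its directory name; a plugin that is closed on WordPress.org will still show as outdated until a fixed release can be installed.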
Cleaning Up Hacks
Since we mentioned that they are marketing cleanups, we should mention that if you have been hacked due to this and need someone to clean it up, we provide a better option than other providers, not just because, unlike so many other companies, we properly clean up hacked websites, but also because you get a free lifetime subscription to our service, so you wouldn’t have to be belatedly notified of such a situation in the future.