09 Nov

Wordfence Security and Wordfence Premium Fail To Protect Websites, But Defiant Is Happy to Lie and Tell You Otherwise

Over at our main business we have a steady stream of people contacting us to ask if we offer a service that will stop their websites from being hacked, a not insignificant number of them mention that they are currently using a service that claimed to do that and there website got hacked anyway. That second item obviously tells you that these service don’t necessarily work, but what seems more relevant to the poor state of security is that even when one of these doesn’t work these people are often sure that they can and do work, just the one they used didn’t. That probably goes a long way to explaining why the complete lack of evidence that these services are effective at all hasn’t been an impediment to people using them. The problem with that is not only do they end up not working well or at all, but the money spent on them could have been spent on services that actually improve security of these websites (and everyone else’s website if there services is anything like ours), but are not sold on false promises.

Seeing as there are lots of people that still haven’t gotten the message about these services should be avoided if there isn’t evidence that shows effectiveness, we thought it would be worth emphasizing and expanding on something we mentioned in a post yesterday where websites could have been protected by doing one of the basics of security, keeping WordPress plugins up to date, while a security service failed to protect them while being promoted as being able to do that.

Defiant Against the Truth?

The current state of the security rewards unscrupulous companies and individuals that have no qualms about misleading and outright lying to the public to sell their products and services. In the WordPress security field there are plenty of companies and individuals that would fit that bill, but probably the most prominent WordPress focused one would be the company and people behind the Wordfence Security plugin. Nearly two years ago we ran across the head of that company, Defiant, making this claim on a Reddit thread:

I’d say about 2 years ago I would not have been comfortable running WordPress even with Wordfence on a mission critical site where data theft is a disaster.

Today that has changed and there is one thing that changed it: Our firewall. Back when I wrote and launched the code for Wordfence myself (in 2011) we didn’t even have a firewall. We launched a full blown firewall some time ago and it’s now evolved to the point where I’m completely confident that if you install our firewall and are running WordPress, you are going to be much more secure than if you’re running an alternative product, even if that alternative CMS is behind a firewall.

We then responded pointing out that the real world results did not match their claimed belief in what they provide:

We have been testing security plugins against real plugin vulnerabilities over at our Plugin Vulnerabilities service and the results have not been good when it comes to your plugin or any other security plugin.

The latest test involved a vulnerability in the plugin Delete All Comments that was discovered by the makers of NinjaFirewall while they were cleaning up a hacked website. This vulnerability hasn’t been fixed, so keeping plugins up to date won’t protect against it and therefore a security plugin could provide some real value. Unfortunately, none of the 15 plugins we tested, including Wordfence, prevented it from being exploited.

In the other three tests we found that your plugin provided no protection or was the protection was easily bypassed. Most of the tested plugins have provided no protection in any of the test and in only one test did a plugin, NinjaFirewall, provide protection that wasn’t easily bypassed. The protection it provided came with the tradeoff that Editor-level and below users are unable to upload media.

We also did two previous one off test with your plugin and it didn’t prevent exploitation in either case.

You might think that would cause that person to get to work improving their offering, but that person being who they are, just lied through their teeth. Somehow our specific testing was knocked down to “generalizations”:

Lots of generalizations in the above post. If you have any other specific issues/exploits/bypasses that are current, I’d love to hear about them. As you can see, the team responds very quickly.

The lies were turned up with a popular plugin with a widely exploited vulnerability that they only became aware days after wide exploitation had happened, but to hear them the story was very different:

We developed a firewall rule for that exploit and released it into production on December 16th, the moment we heard about it from our users. That’s a screenshot from our internal Slack. It’s a fun read – shows what a great place Wordfence is to work.

The rule is now in production for Wordfence Premium. It will only be available in the free Threat Defense Feed 30 days after release, so around Jan 15th.

FYI, that plugin was pulled from the repository and is no longer available. It wasn’t very popular when it was in the repo.

We deploy rules for vulnerabilities and their exploits the moment we hear about them or see them exploited in the wild. That just wasn’t a widely exploited vulnerability or a popular plugin. In the case of the vulnerability above, we heard about it because you were making some noise about it. Our users alerted us.

As one example of how ridiculous that was the plugin was actually popular by their own metrics:

As of a month ago, it had 30,000+ active installs according to wordpress.org. That seems to be popular to us. It also does to WordPress, as the Popular section the of Plugin Directory currently includes plugins with as little as 10,000+ active installs. In November of last year you also considered that be enough to be popular. In your post New Vulnerabilities in 6 Popular WordPress Plugins, one of those 6 popular plugins had 30,000+ active installs. In fact one of the popular plugins only had 2,000+ active installs. So either you have radically changed your view of what is popular in 13 months or your view changes to fit the narrative you want to present at the moment.

In are later testing either their protection against that vulnerability it didn’t work or it didn’t actually exist, at least if you were not paying for their Wordfence Premium service.

Two Years Later Things Haven’t Changed

Yesterday as a vulnerability in the plugin WP GDPR Compliance started being exploited, another Defiant employee made this claim:

So was that true?

In another thread on Reddit someone that was hacked due to this vulnerability described the result of that:

Over the last few hours we have had a slew of registrations using the email address trollherten@mail.com which show up with Administrator access. This was across 3 sites for the same client. This email address has shown up on cleantalkrecently as well.
Has anyone else experienced this or know of a security issue? These sites do share a few plugins:
Feed them social
Gravity forms
Really simple SSL
WidgetKit
WP GDPR Compliance
The core, themes and plugins are all up to date. Anyone else having this issue?

In response someone asked if anyone impacted was using Wordfence:

Anybody with wordfence installed and its firewall configured get p0wned?

The original poster responded that they were using Worfence Premium and it didn’t protect them:

Yo. WordFence Premium and Firewall enabled.

So what happened? It is quite simple, Defiant only even claims to have added protection after the widespread exploitation happened (whether their protection is effective is an open question without independent testing), which is too late:

Leaving Wordfence Security Users To Be Hacked

Coming back to head of Defiant, he had the following response to someone that was using Wordfence and got hacked due to this vulnerability:

How releasing protection after websites have already been hacked is supposed to mitigate against that is a mystery to us.

It gets worse though, if you look at the post cited in the tweet it reads (emphasis ours):

At this time, the Wordfence Threat Intelligence team has released a new firewall rule preventing exploitation of this flaw for all premium users. Users of the free version of Wordfence will receive the new rule following a thirty-day delay, but as always they can protect themselves by updating their site’s plugins.

Considering that the vulnerability was already widely exploited before they even had protection in place, the free protection after thirty days seems worse than useless, since people will hear that Wordfence Security provides protection against numerous vulnerabilities, but could easily be unaware that they are not protected when it actually matters. At that point Wordfence is there to sell them a clean up service, which they shouldn’t have needed if they were doing the basics.

Updating Provides Better Protection

The last part of that previous quote seems to be the most important element of this since while website using Wordfence Security and Wordfence Premium would have been hacked, websites that simply had plugins update automatically would have been protected since the vulnerability was fixed before the exploitation started. We used to provide a plugin that did just that, but WordPress removed that as part of their efforts against improving security.

In this instance using our service could have provided even better protection since we started warning our customers that the plugin was vulnerable before the new version was easily upgraded to (since the new version had been released, but the plugin was closed on the Plugin Directory) and could have help them to upgrade to that version. Or once it was easily upgraded, they would have already known that there was a vulnerability that had been fixed that had a high likelihood of exploitation.

Leave a Reply

Your email address will not be published. Required fields are marked *