16 Nov

No Ninja Forms, Wordfence Security is Not Trustworthy and Blacklisting IP Addresses Doesn’t Provide Effective Protection

When it comes to choosing security products and services what is lacking is nearly any evidence that they are effective, while at the same time there is plenty that shows that many of them are not. For example, over at our main business we regularly have people asking if we offer one that will really protect their website from being hacked after the one they were using didn’t prevent their website from being hacked. So why would people being using those if there isn’t evidence that they work? One of the reasons we have heard from people we have dealt with that have had their websites hacked is that they are using products and services based on recommendation of others. Since those are not going to be based on evidence, since there is a dearth of that, not surprisingly a lot of that advice is quite bad. Take as an example of that bad advice, the most recent post on the blog of the Ninja Forms plugin, which is used on 1+ million websites. We ran across that while looking if they had released a post on the vulnerability fixed a couple of days ago, when were detailing that.

Right off the bat the post, 5 WordPress Security Plugins to Keep You Safe, puts forward the proposition that the Wordfence Security plugin is trustworthy, which seems to be disputed by reality. The post claims the Wordfence Security plugin is “one of the most trusted security plugins for WordPress”. They provide no evidence that it is trusted at all, much less one of the most trusted. Maybe by that they mean that it is tied for most popular and therefore it is trusted due to that, but that doesn’t mean it actually works at all or should be trusted (the security plugin it is tied for most popular with currently contains a vulnerability and is not needed). Near the end of their discussion of the plugin they again refer to it as “trustworthy”.

Considering that the company behind the plugin, Defiant and their employees, lie all the time, trustworthy isn’t a word we would use with their plugin. From claiming that the plugin provides data that it doesn’t, to having promoted it with an unqualified claim that “stops you from getting hacked” despite their employees knowing that isn’t true, to just last week lying that their related paid service, Wordfence Premium, had you “covered” with a vulnerability, when in fact it didn’t. We could go on from there, but that seems like more serious lies then should possibly be coming from a security company.

The post also mentions this about their plugin and Wordfence Premium service:

In addition to keeping you safe at the source, Wordfence also keeps an up to date list of black listed IP addresses that will be halted before they ever reach your site. For free users this list is automatically updated every 30 days, but there is a premium version that updates immediately.

As we just mentioned their Wordfence Premium service failed to protect websites using it just last week even with that IP address blacklisting in place. That isn’t surprising since what we have seen is that hackers have access to and use numerous IP addresses (some use a different IP address for each request they send to a website), so IP address blacklisting would likely have serious limits at best, but you need to be able to detect that malicious activity is coming from an IP address to blacklist them and for that you would have to be keeping up with the threats out there and Wordfence doesn’t do a good job (hence the website being hacked last week), so it likely to be even worse. Data that is 30 days out of date is likely going to be even less useful.

The problems go on from there, as for example, the post touts the second plugin listed as “a great tool to prevent brute force attacks on your site”, which are not actually even happening.

What helps to explain the quality of the advice is the author of the post “is an English teacher and content writer for WP Ninjas”, which isn’t exactly an indication of someone that has much security experience. Unfortunately many people feel they should be handing out security advice without have the necessary expertise to do that or relying on evidence based advice from others to come up with recommendations.

What we would advise when looking for a broad based security product or service is evidence, preferably from independent testing, that it works because otherwise you are likely not going to be using something that really works. When it comes to products and services that provide something specific functionality, you should look for evidence that what that provides is actually something you need.