22 Mar

Does Wordfence Threat Analyst Really Not Know About All The Vulnerable Plugins Still in The WordPress Plugin Directory?

When it comes to trying to improve security surrounding WordPress two of the big problems are inaccurate information being spread by security companies and journalists, and often they are combined. As an example of that, an article popped up the other day for the Google News alert we have set to keep track of coverage of plugin vulnerabilities (which we previously mentioned in the context of another inaccurate claim, that 90 percent of websites hacked last year were running WordPress). Part of that article, which quotes someone from the company behind the most popular WordPress security plugin, Wordfence Security is as follows:

All new plugins are checked by WordPress before being added to the public repository, but the same doesn’t apply to updates.

“The members of the plugin team work hard to keep the repository clean, but realistically they’re a team of volunteers, and sometimes the heavy lifting has to be done reactively instead of proactively,” says Veenstra.

“We see this in cases where a bad actor buys ownership of a plugin with a good reputation and install base, only to inject malicious code as a new update. The team is responsive when issues are reported, but doesn’t always catch problems before they arise.”

There are several big issues with that.

Let’s start with the claim that new plugins are reviewed for security, here is what we wrote on Tuesday of last week:

As we have mentioned repeatedly in the past, while brand new WordPress plugins are supposed to go through a security review before being allowed in the Plugin Directory, that either isn’t happening or it isn’t very good, as we keep finding brand new plugins that contain vulnerabilities that the possibility of is flagged by our Plugin Security Checker, an automated tool for checking for the possibilities of some security issues in WordPress plugins. We have offered the team the running the Plugin Directory free access to the more advanced mode of that tool to assist them in avoiding that happening (or help in creating similar functionality in their own workflow), but we have had no interest from them. They unfortunately seem more interested in covering up the problems they are having (and in some cases causing) instead of working with others like us to get them fixed.

It is hard to square the claim that the “plugin team work hard to keep the repository clean” considering things like that they so far have not done anything about the vulnerabilities they know still exist in a plugin that was widely exploited this week and that there are currently plugins with 4.50+ millions active installs that have publicly disclosed vulnerabilities that are still in the Plugin Directory. You would think that is something the Wordfence employee being quoted there should know that since they are a “threat analyst”.

So why are there plugins used by so many websites that are still there despite being known to be vulnerable? The answer to that gets to why security surrounding WordPress is so poor, since making sure those plugins are removed until fixed is such a low hanging fruit and yet it isn’t being done. In fact the only ones that we can tell have ever been focused on making sure they were removed was us and we suspended notifying the Plugin Directory team about those in June of 2017 due to a continued refusal of people on the WordPress team to stop making security worse. Since then they haven’t agreed to clean up their act and they haven’t shown any interest in taking over doing that. It seems like a good question for a journalist to ask why the Wordfence doesn’t do anything about that either and doesn’t seem concerned about their customers being exposed to those publicly known vulnerable plugins.

As to the claim the team is made up of volunteers, that isn’t all that accurate considering that one of the six members of the team is paid to be the WordPress security lead by GoDaddy and two work directory for Matt Mullenweg. What the team could use is more members, but they claim they can’t:

At this time, we are not accepting new reviewers due to technical issues. While the new directory platform has solved most issues, we have no way to give people the right amount of limited access to emails via SupportPress. To that end, we are in the process of moving to a new system, however we do not have an ETA.

Much of the work that should be being done, like keeping track of unfixed vulnerabilities wouldn’t even require the access mentioned there, so the given explanation is hard to understand. From what we have seen it seems more likely that it is that they don’t want people that don’t share some of their strange beliefs, which have been unnecessarily putting WordPress websites at risk.

What is unfortunate is that these are things that could be resolved. If WordPress simply agreed to clean up their problems we would go back to making sure plugins with unfixed vulnerabilities are not remaining in the Plugin Directory and we could even today help them to actually implement the security reviews that are supposed to be happening now.

In the meantime, if you sign up for our service you would immediately be alerted if you are using one of those publicly known vulnerable plugins still in the Plugin Directory.