31 May

Wordfence Premium Is Not Real-Time Protection

The company behind the Wordfence Security plugin is not by any means an honest company, from what we have seen over the years, so it wasn’t surprising for us to run across them advertising their paid service in a dishonest way. Yesterday we noted that they appear to have left the public in the dark about an unfixed vulnerability in a WordPress plugin that was being exploited. After viewing Wordfence’s website while looking over that post, we started getting retargeted ads for their Wordfence Premium service, and a lot of them.

By a lot, we mean that on just one page, in one instance, we were served five unique ads (plus multiple copies of those ads). What clearly seems to be the key selling point is something the security industry frequently uses to mislead people: promoting services as being “real-time”:

Here were three more ads also emphasizing that:

You don’t have to go any farther than the Wordfence post we cited in our previous post to understand why real-time protection isn’t meaningful on its own. Real-time protection just refers to the speed at which updates are propagated to customers; it doesn’t tell you whether they are providing those updates on a timely basis, which matters much more.

In their post they provided this timeline of a vulnerability:

  • May 24 – Vulnerability discovered. Notified developers privately.

  • May 28 – Patch released by developers. Firewall rule released for Premium users.

  • June 27 – Planned date for firewall rule’s release to Free users.

So they knew about the vulnerability for multiple days before they added protection on Tuesday, so not real-time at all. What makes that rather problematic is that, according to a comment on their post, the vulnerability was already being exploited sometime last week. It even seems possible that Wordfence knew it was being exploited, as they don’t explain how they found out about the vulnerability, and it would seem a bit of an odd coincidence that they happened to randomly run across a vulnerability that was being exploited at the same time.

In the real world this leads to their customers getting hacked when they could have avoided being hacked by taking steps that are free, which the people behind Wordfence deal with not by improving what they are doing, but instead by simply lying and claiming they provide protection they didn’t. You would hope that something like that would hurt their business, but unfortunately, with everything going wrong surrounding security, you don’t, say, have security journalists providing critical coverage of that sort of thing. Instead they spend their time spreading these companies’ lies, which might be explained in part by much of the security news industry being done by people who work for security companies (sometimes secretly), so criticizing security companies could hurt their job prospects.

Another misleading claim they make, which makes it seem like maybe they are trying to take advantage of people who have almost no familiarity with WordPress, is that they tout the plugin as having 75 million downloads:

75 million is a figure thrown around as the total number of WordPress websites, so that would seem to be an incredibly high figure, but the actual current number of downloads of the plugin is 120 million. That is possible because the download count of a WordPress plugin includes every time someone updates the plugin, so that figure isn’t all that meaningful. According to wordpress.org, the number of active installations is 3+ million, which is impressive, so why mislead people?

We should note that having a lot of installs doesn’t necessarily tell you whether a security plugin is very good (and seems like it could indicate the inverse). With this plugin, it could have to do with things like lying and claiming that it “stops you from getting hacked”, when, as the timeline mentioned before shows, they intentionally leave people who use their plugin but don’t pay for their paid service vulnerable until long after it usually matters. They also sell a hack cleanup service that they promote with the popularity of the plugin, which in turn is promoted with the claim that it would lead to not needing a cleanup service.