13 Aug

Wordfence Security Plugin Failed to Protect Against Exploitation of 301 Redirects – Addon – Bulk CSV Uploader Vulnerability

Over at our main business today we have been dealing with a website that was hacked due to the now-fixed vulnerability in the plugin 301 Redirects – Addon – Bulk CSV Uploader, which started getting widely exploited to redirect websites shortly after it was fully disclosed by the discoverer on Saturday (in this case the redirect was to tomorrowwillbehotmaybe.com). Simply keeping plugins up to date at all times would have avoided websites getting hacked, as the vulnerability was fixed on Thursday. If you were a customer of our service you would have been warned of the high likelihood of that vulnerability being exploited on Monday of last week (we knew about the vulnerability because the discoverer had obliquely disclosed it some time before Monday).

What wouldn’t protect you is the Wordfence Security plugin, as the website we have been dealing with is using that. The plugin is clearly active on the website as it locked us out of trying to login after we were provided incorrect login details for WordPress on the website.

That isn’t what you would expect to have happen if you believed how that plugin is marketed, as this is one of the FAQs on its page on the Plugin Directory (emphasis ours):

How does Wordfence Security protect sites from attackers?

The WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. Wordfence Scan leverages the same proprietary feed, alerting you quickly about security issues or if your site is compromised. The Live Traffic view gives you real-time visibility into traffic and hack attempts on your website. A deep set of additional tools round out the most comprehensive WordPress security solution available.

It obviously didn’t stop that website from being hacked and that can be said about many other vulnerabilities that have been widely exploited.

What seems to make that all worse is that they actually promote the popularity of their plugin as a reason you should hire them to clean up a hacked website, say, after their plugin failed to protect against a hack despite being marketed as being able to:

But cleaning up a hacked website can be difficult if you have never done it before. As the creators of the most popular WordPress security plugin, we have the most expertise in the industry.

Having the most popular security plugin doesn’t mean they have the most expertise, and they don’t have the most expertise. What seems more likely to explain the popularity is that they are willing to mislead the public about what the plugin is and isn’t capable of, which no security company should do, but they are not alone in that among WordPress security plugins.