22 Aug

Those Relying on Wordfence Premium Are Not Getting the Protection They Are Paying For

Among the oddities of the security industry is that so often people seem to be skeptical of the wrong things, as they are more likely to believe that security companies are lying about things where there isn’t a logical reason to do that, while being overly trusting about extraordinary claims being made about security products and services, which often turn out to be false. Last week we touched on the kind of claim that should elicit suspicion, that being that unqualified claim that the Wordfence Security plugin “stops you from getting hacked”. As we found when dealing with a website hacked due to a widely exploited vulnerability it didn’t protect the website (that is far from the first time we have seen it fail to stop a hack).

Making such a claim and not actually accomplishing that looks worse when you go to their homepage and see the first thing shown is an advertisement for them doing hack cleanups:

Just beyond that though they start promoting their Wordfence Premium service with claims like this:

Protect your websites with the best WordPress security available.

On the page for that service they make claims like this:

Stay a Step Ahead of Attackers with Real-time Threat Intelligence

If your website is mission-critical you can’t afford the downtime, reputation challenges or SEO impact of getting hacked. That’s why so many sites rely on the real-time protection provided by Wordfence Premium.

The real-time nature of that is repeated over and over, with this claim about protecting against WordPress plugin vulnerabilities:

Real-time Firewall Rule Updates
The Wordfence firewall leverages firewall rules to identify and block malicious traffic to your website, protecting you from the latest WordPress attacks and security vulnerabilities.

What is completely lacking is any sort of evidence to back the claims up. There is a good reason for that, since they don’t even try to accomplish what they are claiming they do there.

What we have seen for years is that they don’t actually keep ahead of hackers, instead we have seen for years that they are adding protection against vulnerabilities after they have already been widely exploited, which is too late to protect the website from being hacked (which you can then pay them to clean up). Considering that they could have known about the vulnerabilities before then, as we did, there isn’t an excuse for that. While looking into something recently we noticed another aspect of this, it turns they are not even adding protection at all in a lot of instances.

One way to look at that is to look how many rules they have, since many vulnerabilities, including the vulnerability that was exploited on the website we mentioned earlier, require them to write a rule to protect against it. Considering that just last month we added over 100 vulnerabilities to our data set there should be a lot of rules. There are not. In the free version, which is supposed to include everything from the premium older than 30 days, there are currently only 132 rules.

To look at that another way, the free rules were last updated on July 15, so that means that for over a month they didn’t add any new rules, despite plenty of new vulnerabilities being disclosed during that time.

One of the two other features of Wordfence Premium is:

Real-time IP Blacklist
Blocks all requests from IP addresses that are actively attacking WordPress sites protected by Wordfence. Improves protection while improving site performance.

To extent something like that is actually useful it would require that they are able to detect that attempts to exploit vulnerabilities from an IP address, which would require them to keep up with vulnerabilities, so that isn’t going to work all that well.

The final feature definitely doesn’t involve keeping you ahead of hackers:

Real-time Malware Signature Updates
The Wordfence security scanner and firewall rely on thousands of malware signatures to help identify malware on your website and to block malicious uploads.

If you are detecting malware on the website that means it has already been hacked and since they have to right a rule to detect, it means that malware could be sitting on the website for some time before they add a rule.

Reputable Company?

Here is another claim from the page for that service:

Wordfence Premium provides the real-time endpoint protection you need to protect your mission-critical website.

That seems like the sort of claim that should bring some sort of government or legal action against them, seeing as what they are doing seems to be grossly negligent since they don’t even try to accomplish what could be reasonable done (even if they could, the service seems incapable of providing that), but with the current state of security it isn’t likely to even lead to any negative coverage of them by journalists. Making that sort of thing worse people on the WordPress side of things promote the company as being reputable in violation of their own rules.

Those That Can’t Deliver Security Tout Support

What also seems telling on that page is the customer review that they highlight:

Awesome Plugin and Premium Support

WordFence Premium has provided excellent customer service. The plugin is easy to use, and the premium support is friendly and informative. Very happy with their service.

There is no claim that the service provides any protection, but that there is good support. That isn’t the first time we have seen a security company promoting their support, while failing to even attempt to provide security in line with their claims.

Staying Ahead of Hackers When Running a Mission Critical Website

For those running mission critical websites the real way to stay ahead of hackers is to have the security of the software you use reviewed so that security issues are found and fixed before hackers find them, instead of getting hacked due to relying on protection from a company that waits until after hackers have already widely exploited a vulnerability to add protection. When it comes to software that is used by others, you can even help others to get their websites more secure as well.

If you need the plugins you use reviewed we appear to be the only company out there doing security reviews of WordPress plugins.