On multiple occasions the team behind the Wordfence Security plugin has failed to credit us when discussing vulnerabilities we discovered. It turns out we are not alone in that, and unfortunately journalists will cover those vulnerabilities without giving any credit to the other security companies that are actually doing the work to keep ahead of hackers (which is what Wordfence falsely markets its Wordfence Premium service as doing).
Impacted by the campaign is a plugin called Simple 301 Redirects – Addon – Bulk Uploader as well as several plugins made by developer NicDark (now rebranded as “Endreww”). All plugins have updates available resolving the vulnerabilities – but researchers in a Friday post warned that WordPress users should update as soon as possible to avoid attack.
We figured that link would be to the website of NinTechNet, the makers of the Ninja Firewall plugin, considering they discovered those vulnerabilities, but it was instead to Wordfence. Wordfence’s post makes no mention of NinTechNet’s discovery of them, and likely because of that neither does the Threatpost article.
We have notified the author of the Threatpost article, Lindsey O’Donnell, about the lack of credit in her article.
The Threatpost article then includes this claim from a Wordfence employee and the author of their post, Mikey Veenstra:
Veenstra told Threatpost that exploitation began on or around July 31, just as the first disclosure for one of the vulnerabilities was published.
When was NinTechNet’s post on the vulnerability published? The same day, so it seems clear they know who discovered this. In reality though, exploitation had begun before then, and we had already warned our customers and disclosed the vulnerability to them on July 25. Like we said before, Wordfence doesn’t keep ahead of hackers.
When it comes to another of the vulnerabilities, we had written a post 10 days before Wordfence’s post mentioning how their Wordfence Security plugin failed to protect against it. So Threatpost’s coverage of Wordfence’s post doesn’t really make a lot of sense, since Wordfence neither discovered the vulnerabilities nor discovered that they were being exploited.
So why wouldn’t Wordfence credit the discoverer? Well, when it comes to us, they have recently claimed we were doing things irresponsibly (while doing much the same themselves). But NinTechNet hasn’t done things the way we have (and neither were we when Wordfence first started doing this to us), so it seems pretty clear they don’t want people to know that there are other security companies doing the work to keep websites secure, while Wordfence is not.
What also makes it so bad to cover Wordfence, as that journalist did, is that they wait until after vulnerabilities have been widely exploited to warn people about them. Why do that? Well, at the end of the post you get a possible answer: they are promoting their hack cleanup service:
As always, please consider sharing this post with your peers to spread awareness of this malicious activity. Additionally, if you believe your site has fallen victim to these or any other attacks, our site cleaning team is here to help. Thank you for reading.
Spreading awareness of the malicious activity long after it happened, as they did here, doesn’t make a lot of sense, unless you don’t want people to avoid getting hacked, but would instead rather get business cleaning up hacks that could have been avoided. That seems like it would be more worthy of coverage, but when so many security journalists work for security companies, good coverage of what security companies are actually doing is, not surprisingly, in short supply.