Akamai Warns Their Web Application Firewall (WAF) Doesn’t Protect WordPress and WooCommerce Websites
So often, what passes for security journalism misses the important details in claims made by security providers that are the sole source for stories. Take, for instance, a recent story that popped up in a Google News alert we have set up to notify us of stories about WordPress plugin vulnerabilities. That story, by Roger Montti at the Search Engine Journal, claimed that the ecommerce platforms WordPress and WooCommerce were being targeted by a hacking campaign (no explanation was provided for classifying WordPress and WooCommerce as separate platforms). Nothing in the story suggests what would have made this hacking campaign noteworthy, but it did mention a recommendation that is noteworthy. It said that using a web application firewall (WAF) is recommended to protect against this hacking campaign, but the sole source for the story, Akamai, itself said those don’t work against attacks:
Generally, these attacks cannot be detected by popular methods of web security, such as web application firewalls (WAFs), and are executed on the client side.
Akamai provides a WAF, so it seems notable they are warning that their own security solution doesn’t work well. That isn’t all that surprising considering they don’t even know how the websites were hacked:
it is unclear how these sites are being breached
Akamai’s information came from their Akamai Security Intelligence Group, which doesn’t seem to be living up to the name if they don’t know how websites are being hacked, despite that being a critical detail if you are going to be providing security solutions that provide protection against actual threats. Those issues run counter to an Akamai press release that marketed their WAF as getting “particularly high marks for attack detection, attack response, and internal threat intelligence”.
Akamai isn’t the only big-name WAF provider to recently admit that their solution isn’t working and that they don’t know how the attacks getting by it work, and somehow have a journalist ignore that.
That is all an important reminder of the importance of using WordPress security solutions that are tested against real threats and shown to provide protection. Our testing has shown most don’t provide protection against threats they could fairly easily provide protection against. The Certified WP Security program allows reputable providers to get a certification that they are really providing what they claim to offer.