14 Jul 2023

GridPane Heavily Involved in Snicco’s Misinformation Campaign Against Competing WordPress Security Solutions

Recently, we have been seeing a fair number of instances of people trying to be security conscious with their WordPress websites who have been misled by misinformation coming from a newer WordPress security provider named Snicco. The vector for them coming across Snicco has repeatedly been a WordPress-focused web host named GridPane. Here was someone citing GridPane as providing legitimacy to Snicco (and Automattic in turn providing GridPane legitimacy):

However, the thoroughness of Snicco’s posts overall and their demonstrated expertise on the issue (not to mention their close partnership with the Automattic-backed enterprise-level WordPress hosting platform, GridPane) lends them a lot of legitimacy.

In another message from the same person, they referred to GridPane putting out “promotional material” for Snicco:

While there isn’t much information out there about their plugin, GridPane has put out some promotional material on it

The conversation those messages come from, which is fairly long, provides a pretty good picture of how Snicco’s misinformation about competing WordPress security solutions is able to mislead the public.

Reading GridPane’s material on Snicco and Snicco’s own marketing material you get the sense that there isn’t much daylight between the two. And possibly misinformation is going in both directions.

To better understand the problem in all this, let’s look at a recently widely exploited vulnerability.

Snicco and GridPane Wouldn’t Protect You

Recently, a zero-day vulnerability in a WordPress plugin with 200,000+ installs was widely exploited. This was a type of zero-day vulnerability that web application firewalls (WAFs) can’t protect against. That is something the aforementioned Automattic admitted was the case with the WAFs used on at least a couple of their hosting solutions. By comparison, in our testing, two WordPress firewall plugins did protect against this. They were able to do that because they are tightly integrated into WordPress in a way that server-level solutions can’t be.

That reality runs counter to Snicco’s marketing. It also runs against GridPane’s information. In a knowledge base article titled “Do I Need a Security Plugin When Using GridPane’s Security Features?”, they write this:

Do You NEED a Security Plugin?

If you’re using either the 7G WAF/ModSecurity WAF, Fail2Ban, and our additional security measures, then when it comes to most WordPress security plugins, our stance is probably not. The exception to this rule is Fortress (more info below).

That said, there are some additional benefits that a few security plugins can provide (some that aren’t actual security measures). In the following sections we cover some of the benefits as well as some downsides to consider.

They later mention that there are only a few features of security plugins that are not best done at the server level:

What most security plugins offer as features can only be done effectively at the server level. That said, there are some additional benefits that a plugin can offer outside of the GridPane feature set.

They then list six features (four of which Snicco’s plugin provides):

  1. Two-Factor Authentication (2FA)

  2. Upgraded Password Security

  3. Rate Limiting

  4. Secure Session Management

  5. Vulnerability Reporting and Patching

  6. Email Alerts

One notable aspect of those six is that none of them would protect against that widely exploited vulnerability. As we already noted, a zero-day like that can’t be stopped by server-level security, but two firewall plugins did provide protection.

So GridPane is recommending not using solutions that could protect websites against real threats and promoting a solution, Snicco Fortress, that doesn’t.

False Vulnerabilities

On Wednesday, we went into detail on how Snicco has been falsely claiming that competing security plugins have serious vulnerabilities. In that post we noted how other security providers have tried to explain to them that these are not vulnerabilities, but they barreled ahead with the claims anyway. GridPane has embraced those false claims as well:

Through their research and guidance they have helped 24 of the most well-known security plugins patch vulnerabilities in their code – many extremely serious that could have led to a full site takeover. Their security research found DOS vulnerabilities, a complete lack/misunderstanding of encryption, and unjustifiable security shortcuts. Many plugins even copied code from others verbatim, introducing inherent security issues into their codebase, and every plugin evaluated had at least 1 vulnerability, with most having 3 or more.

Recommending 7G Firewall?

An example where the misinformation might be going from GridPane to Snicco is Snicco’s recommendation to use the 7G Firewall:

Tank my site’s performance with a general purpose WAF:

A general-purpose WAF that checks for bad request parameters, SQL injection, or similar offenses is orders of magnitude faster and more effective at the web server level or CDN level.

We recommend the 7G Firewall for NGINX by Jeff Star.

Our limited interaction with the developer of the 7G Firewall suggested that they either don’t really know what they are doing or were intentionally misleading people. That matches up with everything else we have seen from them. That includes falsely marketing another of their solutions as a “strong firewall” and “powerful waf”, which runs counter to testing that shows really poor results versus comparable solutions.

They have marketed the 7G Firewall as a “powerful” and “super strong” firewall, despite it providing a fraction of the protection that firewall plugins provide.

Snicco provides no explanation of why they recommend it, but GridPane has also promoted it for many years, despite the limited protection it offers.

A CEO Snookered or Profiting Off Falsehoods?

In Snicco’s marketing, they include this quote from the CEO of GridPane:

The guys behind Snicco are hands down among the most skilled developers I’ve ever met, and we’ve worked with people in over 100 countries, helping power over 100K websites. These guys know their shit cold. I can’t wait to see what they come up with next, and I look forward to hanging from their coattails for years to come.

Either the CEO has been snookered there or he is in league with misleading people, because if he had talked to someone knowledgeable about security, they would surely have warned him about how much misinformation Snicco is peddling.

GridPane is reselling Snicco’s plugin, which might explain why they are involved in harming the WordPress community by spreading Snicco’s misinformation.

6 thoughts on “GridPane Heavily Involved in Snicco’s Misinformation Campaign Against Competing WordPress Security Solutions”

  1. I’m shocked that GridPane is pushing this plugin so hard. Seems like a big affiliate scheme to me. Starting to lose trust in GridPane.

    • Harold: I’m pushing Fortress because I’ve seen literally everything on the market. And I know exactly how good of a product Calvin has built.

      My company reviewed all 60+ of the vulnerabilities that Calvin disclosed. We did that work in conjunction with Pagely.

      This website is NOT an authoritative source of anything other than mild entertainment for people that actually push WordPress security forward in a meaningful way.

      • As was mentioned in our post, you are also pushing the 7G Firewall, despite the very limited protection it provides versus other options. Unsurprisingly based on that, you haven’t released results of testing showing that it or Snicco Fortress works better than other options. By comparison, we have done plenty of it. Start doing testing and release the results. If you start doing that, we will provide you a free copy of our firewall plugin, which it doesn’t look like you have actually looked at, or you would understand how protection can actually be provided by a firewall plugin.

        Neither GridPane nor Pagely are security providers. Many security providers have tried to explain to Snicco that what they are claiming are vulnerabilities are not. We wrote a whole post about it, which defends competitors of ours. Ignoring people trying to help you understand that what you are saying isn’t true doesn’t make your false claims any more true.

  2. I am the one who posted the support request for All In One Security at wordpress.org. I believe that David provided a pretty thorough counter to Snicco’s own seemingly thorough claims of their plugin vulnerabilities and was excited to see how Snicco would respond. Instead, I got word that they were not interested in corresponding with David’s own claims challenging Snicco’s security expertise. Now, as someone who is not myself a security expert I cannot determine who is right and who is wrong, but Snicco’s unwillingness to engage runs counter to their continued eagerness to go after AIOS. So I have to ask, what is their reluctance to publicly engage with AIOS then on these issues?

    On the last issue regarding “DOS Through IP Spoofing” discussed in that support forum thread, I did carry on a conversation with Snicco in the comment section of their own post about it and their conclusion seemed to be that REMOTE_ADDR is fine, but the other options can leave a site vulnerable. Well, REMOTE_ADDR is the default option and as AIOS support explained the other options are there for situations where a proxy is being used in which REMOTE_ADDR is not detecting the correct IP address. The helper text in the AIOS dashboard also explains the risk very clearly and advises users to seek assistance from their hosting provider before selecting any of the other options. Rather than being unacceptable as Snicco asserts, this seems very fair to me.

    From my own non-expert position, GridPane’s assertion that “we did our best to explain this to people and I’m done trying – by now you’re either in or your out” in the context of the hyperbolic air of Snicco’s detailed analyses (as David pointed out) and their low-rent smears otherwise, doesn’t have the ring of truth to me. It might just be a messaging problem too though, because I’m just not going to react to that in the way that they want me to. While the response from David and team at AIOS has been a lot better in my opinion.

    That is, I am NOT an expert, but a non-response and a larger-than-life air of arrogance regardless is going to give me pause.

    • We haven’t gotten any response from Snicco, but in our recent interaction with the CEO of GridPane, they didn’t seem interested in having an honest discussion about what Snicco is doing, including claiming that Snicco isn’t competing with the providers they are smearing, despite GridPane’s own marketing disagreeing with that.

      It’s unclear what is going on with Snicco, but they have been told by various parties in the security space that they are making misleading claims, and the response to that has been in line with the response you got. In our experience, the security space seems to attract a lot of people that are not able to handle acting in a professional manner, including not being able to handle not being right about things. Those that could truly be called security experts try to be careful about what they say, since they understand that they don’t understand everything. That opens up a lot of room for non-experts to present themselves as the true experts by presenting a level of certainty that doesn’t really exist.

    • I love all the completely passive aggressive jabs and yet we’re the ones with the “low-rent smears.” It’s also interesting how you’re so admittedly “NOT an expert” and yet you’ve so thoroughly ingrained yourself in this conversation.

      There’s not a messaging problem here: you just don’t like what I’m saying. I could manufacture a way to say it more delicately but I would still be saying the same thing.
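As an added illustration of the REMOTE_ADDR point raised in the second comment above (example code written here, not code from AIOS, Snicco or GridPane): an IP-based rate limiter should take the client address from REMOTE_ADDR, which the web server sets from the TCP connection, and only consult a forwarding header when the direct peer is a reverse proxy the site owner has listed. The `$trustedProxies` list and the two sample requests are constructed assumptions.

```php
<?php
// Added example (not from the post, AIOS, Snicco or GridPane).
// $server is a copy of $_SERVER; $trustedProxies is a hypothetical list the
// site owner configures only when the site actually sits behind a proxy.
function resolve_client_ip(array $server, array $trustedProxies = []): ?string
{
    // REMOTE_ADDR comes from the TCP peer and cannot be set by the request,
    // so it is the safe default for any IP-based limit or lockout.
    $remote = $server['REMOTE_ADDR'] ?? null;
    if ($remote === null || filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Only honour a forwarding header when the direct peer is a proxy we run.
    // Otherwise any client could set X-Forwarded-For and be rate-limited (or
    // lock out someone else) under an address of their choosing.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // X-Forwarded-For is "client, proxy1, proxy2": walk from the right and skip
    // our own proxies, so a value prepended by the client is never chosen.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if ($hop === '' || filter_var($hop, FILTER_VALIDATE_IP) === false) {
            continue; // ignore malformed entries
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop; // first address that is not one of our proxies
        }
    }
    // Header empty or every hop was one of our proxies: use the direct peer.
    return $remote;
}

// Constructed request 1: no proxy in front, but the request carries a
// forged header. The header is ignored and the real peer address is used.
$direct = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
var_dump(resolve_client_ip($direct));

// Constructed request 2: the site is behind a trusted reverse proxy at
// 192.0.2.1, which appended the real client address to the header.
$proxied = ['REMOTE_ADDR' => '192.0.2.1',
            'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 192.0.2.1'];
var_dump(resolve_client_ip($proxied, ['192.0.2.1']));
```

With an empty `$trustedProxies` list the function behaves like AIOS’s default REMOTE_ADDR setting; the forwarding header is only consulted once a proxy address has been deliberately configured.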
