The Developer of BulletProof Security Pro Knows it Doesn’t Actually Protect Against Most Zero-Days
On the forum for the WordPress security plugin BulletProof Security Pro, someone asked if the plugin can protect against zero-days:
I’m wondering if BPS Pro can protect us against zero-day vulnerabilities discovered in plugins.
One of your competitors ([Wordfence]) has a strong marketing argument in the fact that it provides real-time firewall rule updates to protect the website of its paying customers against new vulnerabilities (whereas free customers have to wait 30 days to get access to these new rules).
So I have a few questions:
- As a WP security professional, do you get informed in near real time of such vulnerabilities?
- Can you usually quickly create new firewall rules to protect the website of your customers until the plugin releases an update?
- As for ordinary vulnerabilities, is it safe to assume that a serious company will email paid customers?
- What about free plugins from the WP repository? Are we supposed to check the changelog each and every time a plugin got an update released?
Overall, I’m open to any best practice that you might advise me to follow.
That was a thoughtful set of questions, though inaccurate in regards to Wordfence. Wordfence markets their rules as real-time protection, but they are not: a rule has to be written before it provides any protection, so there is always a delay. Notably, they don’t show what their response time is for writing rules for vulnerabilities. In some cases, they don’t write rules at all, and in others the rules are written well after they should have been.
But to get back to BulletProof Security Pro, here was the non-response by the developer:
One strange element of the response is that the supposed proof that no websites have been hacked while using BulletProof Security Pro is a link to reviews for the free BulletProof Security. How would reviews, even of the Pro plugin, prove that no websites had been hacked?
While there, the developer claims that it protects all plugins. The developer knows that isn’t true. We had a strange interaction with them years ago, where they claimed that security plugins shouldn’t even try to protect against vulnerabilities in other plugins. No, really, they said that. But let’s look at another example of that, where the developer was informed that a website was hacked while using BulletProof Security Pro and responded by claiming it must not have been. At the same time, they acknowledged that their plugin wouldn’t protect against the vulnerability that was exploited:
We could create a specific security rule to block this specific attack, which is what the other security plugins have done after the fact. I googled that and see that new WAF security rules were created to block the specific attack string used in this exploit, but the bigger problem is how the Yuzo Related Posts plugin is coded in general.
I considered creating a specific security rule that would block the hack, but have decided that is not really a smart thing to do. Why? Because the Yuzo Related Posts plugin is fundamentally coded incorrectly. This is not an isolated and specific problem with the plugin – the entire plugin itself is a security risk/vulnerability. You should remove it from your website/hosting account.
So the response to knowing that there was an exploited vulnerability that BulletProof Security Pro didn’t protect against was to suggest removing the vulnerable plugin. That doesn’t match with what we quoted earlier:
So there is no need to add anything or do anything additional to the Plugin Firewall on an ongoing basis – it is always On as long as you have it turned On/Activated.
Here is where things get worse. Other WordPress security plugins do protect against vulnerabilities like the one being referenced there without writing a specific rule for the vulnerability.
What seems to be going on there is a developer who believes that their plugin provides bulletproof protection, and who, when confronted with reality, claims that reality isn’t real. The real-world result of this is a plugin that provides significantly less zero-day protection than other options, both free and paid.