Developer of Solid Security Thinks That Their Plugin Shouldn’t Be Easier to Secure Than Chrome Web Browser
This week we have covered plenty of questionable behavior by the developer of the 900,000+ install WordPress security plugin Solid Security, from focusing the plugin on a non-existent threat to responding to the plugin's failure to prevent an infection by saying that the plugin is focused on preventing infections, not detecting them. That same response contained another strange idea. Replying to a complaint about a security issue in the plugin, the developer wrote this: “While that’s never ideal I believe the speed at which we resolved it is important context to this conversation. Even Chrome experiences security vulnerabilities, but it’s always about the response to these things.”
It’s hard to believe that the developer of a security plugin wouldn’t understand that securing a web browser, which has to safely process arbitrary untrusted content from every website a user visits, is in no way comparable in complexity to securing a WordPress plugin. It would seem the developer doesn’t have a basic grasp of security.
Another problem with this is that the developer still doesn’t believe they should be proactive about security, even after a zero-day in one of their plugins was widely exploited last year. If you only respond when others find that your software is insecure, instead of proactively addressing its security, you are going to keep having problems like that, since the people with the most incentive to find vulnerabilities in your software are the hackers looking to exploit them.
The final problem worth noting with this is that it really wasn’t a security issue to begin with. Solid Security implemented something that isn’t really security, and didn’t implement it correctly. In fairness, the developer repeatedly claims that other WordPress plugins contain vulnerabilities that they don’t actually have, so calling this a vulnerability would be in line with their own inaccurate standard.