27 Aug 2024

Wordfence Security and Solid Security Developers Not Supporting Standard to Avoid Security Problem They Confronted

In a recent post on the WordPress security provider Wordfence’s blog, they claimed their “mission is to Secure the Web.” If you understand their business model, this rings hollow, as what they offer is built around trying to address the after-effects of not securing the web. That very blog post also undermines the claim, as in it they confronted a well-known problem with getting plugins better secured and simply ignored it. They are not alone, as the situation detailed in the blog post also directly involves another security provider, StellarWP, the developer of Solid Security.

The blog post discusses a situation where Wordfence bought a vulnerability in GiveWP, another plugin from StellarWP. Twice in the post, they note that they failed to successfully communicate with StellarWP about it. First, they wrote this:

We contacted the StellarWP team on June 13, 2024. After not receiving a reply, we escalated the issue to the WordPress.org Security Team on July 6, 2024. After that, the developer team released a patch on August 7, 2024.

Then they provided this information in their timeline:

June 13, 2024 – We sent the full disclosure details to the vendor’s known email address.
June 28, 2024 – We did not receive a response from the plugin developer and sent a follow-up contact.
July 6, 2024 – We escalated the vulnerability to the WordPress.org Security Team and sent over the full disclosure details.
August 7, 2024 – The fully patched version of the plugin, 3.14.2, is released.

So either Wordfence didn’t send the email to the right place, StellarWP didn’t properly handle responding, or a combination of both. That problem wasn’t addressed in Wordfence’s post, and it doesn’t appear that StellarWP has taken action to handle things better. There is a fairly easy solution to part of this, which neither of them has embraced.

Wordfence doesn’t say what the “vendor’s known email address” refers to; it could refer to several things. In looking into this, we didn’t find any easy-to-find mention of an email address for contacting either GiveWP or StellarWP about security issues, or even information on how you should contact them about security issues. GiveWP’s website does contain a contact form, which, based on Wordfence’s wording, they didn’t use for some reason. (That would seem like something for journalists to follow up on with them.)

There are better ways to handle this. There is a standard for providing security contact information, security.txt, which has been promoted for use on websites since 2017. It isn’t used on either the GiveWP or StellarWP websites. It is used on Wordfence’s website.

We have recently been promoting using that in WordPress plugins. Before that, we had been pushing for years for WordPress to better handle providing a mechanism to report security issues, but they haven’t seemed all that interested in addressing it. Two other file standards are also available for that: the security.md file used on GitHub and SECURITY-INSIGHTS.yml from the Open Source Software Foundation.

Part of the way we are encouraging WordPress plugin developers to add a security.txt file or one of the alternates is by making the inclusion of one of those a grading criterion of our new Plugin Security Scorecard. Wordfence Security, Solid Security, and GiveWP fail on that front. They fail more generally, as Wordfence Security has an F grade and the other two plugins have a D+.
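The scorecard check described above, as an added example (not code from the original post, from the Plugin Security Scorecard, or from any plugin it names): it looks at a plugin directory for any of the three contact files named in the post, and where the file is a security.txt it validates the RFC 9116 basics (a Contact URI using one of the schemes the RFC names, a single unexpired Expires timestamp, https Canonical/Policy links). The same validator applies to a /.well-known/security.txt downloaded from a vendor’s website. The plugin directories and the two security.txt files are constructed samples with a placeholder .invalid domain, and the assumption that the file sits at the plugin root is ours, not the scorecard’s published rule.

```python
"""Added example: find a security contact file at a WordPress plugin's root and
validate a security.txt against the RFC 9116 basics (Contact, Expires, Canonical, Policy)."""
import os
import re
import tempfile
from datetime import datetime, timezone
from typing import Optional

# Accepted file names: security.txt (RFC 9116), SECURITY.md (GitHub), SECURITY-INSIGHTS.yml (OpenSSF).
CONTACT_FILES = ("security.txt", "SECURITY.md", "SECURITY-INSIGHTS.yml")
# RFC 9116 requires Contact to be a URI; mailto:, https: and tel: are the schemes it names.
CONTACT_RE = re.compile(r"^(mailto:|https://|tel:)\S+$", re.IGNORECASE)

def parse_security_txt(text: str) -> dict:
    """Return {field_name_lowercased: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # RFC 9116 lines are "Field: value"; anything else is ignored
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def validate_security_txt(text: str, now: Optional[datetime] = None) -> list:
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:
        if not CONTACT_RE.match(c):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires is required and must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append(f"security.txt expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    for url in fields.get("canonical", []) + fields.get("policy", []):
        if not url.lower().startswith("https://"):
            problems.append(f"Canonical/Policy should be an https URL: {url}")
    return problems

def find_contact_file(plugin_dir: str) -> Optional[str]:
    """Return the first accepted contact file present at the plugin root, else None."""
    for name in CONTACT_FILES:
        if os.path.isfile(os.path.join(plugin_dir, name)):
            return name
    return None

def check_plugin(plugin_dir: str, now: Optional[datetime] = None) -> dict:
    """Scorecard-style result for one plugin directory: file found plus any problems."""
    found = find_contact_file(plugin_dir)
    result = {"contact_file": found, "problems": []}
    if found is None:
        result["problems"].append("no security.txt, SECURITY.md or SECURITY-INSIGHTS.yml at plugin root")
    elif found == "security.txt":  # the other two formats are only checked for presence here
        with open(os.path.join(plugin_dir, found), encoding="utf-8") as fh:
            result["problems"] = validate_security_txt(fh.read(), now)
    return result

# Constructed samples using a placeholder .invalid domain, not any real vendor's file.
GOOD_SECURITY_TXT = """# well-formed: required fields present, https links, expiry in the future
Contact: mailto:security@example-plugin-vendor.invalid
Contact: https://example-plugin-vendor.invalid/security-report
Expires: 2030-01-01T00:00:00Z
Policy: https://example-plugin-vendor.invalid/security-policy
"""
BAD_SECURITY_TXT = """Expires: 2020-01-01T00:00:00Z
Policy: http://example-plugin-vendor.invalid/policy
"""

def demo() -> dict:
    """Create throwaway plugin directories for both samples and one with no file at all."""
    clock = datetime(2024, 8, 27, tzinfo=timezone.utc)  # the post's date, used as a fixed 'now'
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, body in (("good-plugin", GOOD_SECURITY_TXT), ("bad-plugin", BAD_SECURITY_TXT)):
            os.makedirs(os.path.join(tmp, label))
            with open(os.path.join(tmp, label, "security.txt"), "w", encoding="utf-8") as fh:
                fh.write(body)
            out[label] = check_plugin(os.path.join(tmp, label), clock)
        os.makedirs(os.path.join(tmp, "no-file-plugin"))
        out["no-file-plugin"] = check_plugin(os.path.join(tmp, "no-file-plugin"), clock)
    return out
```

Running demo() reports the good sample as passing, the bad sample with three problems (no Contact, an expired Expires, and an http Policy link), and the empty directory as having no contact file at all. A presence-only pass for SECURITY.md and SECURITY-INSIGHTS.yml is deliberate: those formats carry free text or YAML, so the one thing a scorecard-style check can verify cheaply is that they exist.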

Security providers should be modeling best security practices and working to address the problems they confront. Hopefully, both StellarWP and Wordfence will come around to those conclusions. In the meantime, we would recommend relying on security providers that are handling things better than they are. A good starting point in determining how security providers are handling security would be to check whether plugins from them are free of issues raised by our Plugin Security Scorecard.


Plugin Security Scorecard Grade for GiveWP: D+ (checked on August 19, 2024)

Plugin Security Scorecard Grade for Solid Security: F (checked on June 14, 2025)

Plugin Security Scorecard Grade for Wordfence Security: F (checked on June 12, 2025)
