9 Dec 2024

Wordfence and “News” Outlets Recommend Updating WordPress Plugin to Version Still Known to be Vulnerable

What we see over and over is that WordPress security providers and supposed journalists are focused on getting themselves attention while failing to provide useful information that would make WordPress websites more secure. A recent example involved (once again) Wordfence. As usual, they were using a vulnerability in a plugin to promote themselves:

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

Twice in their post they told people to update the relevant plugin, Anti-Spam by CleanTalk:

We urge users to update their sites with the latest patched version of Anti-Spam by CleanTalk, version 6.45 at the time of this writing, as soon as possible.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Anti-Spam by CleanTalk as soon as possible considering the critical nature of these vulnerabilities.

In general, that type of thing is unhelpful, since it promotes not keeping plugins up to date at all times. That isn’t bad for Wordfence, since their business is built around WordPress websites remaining insecure and getting hacked. The first thing you see when you visit their website is a message hoping that you will hire them to clean up a hacked website:

That runs against other claims in their post, as they claimed their “mission is to Secure the Web” and:

We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

Those claims run counter to the rest of the story here, as the plugin has been known to be vulnerable since August and it continues to be vulnerable in the version they recommend updating to.

Back in August, we were curious to see if the security reviews being done by CleanTalk were legitimate. Not only did we find that they were not legitimate, but we found that one of the plugins they claimed to have reviewed, their own Anti-Spam by CleanTalk, contained at least one vulnerability based on a failure to implement basic security.

A security provider falsely claiming that they did a security review of their own plugin and claiming that it had “adherence to stringent security standards” is not someone we consider worth praising. Yet Wordfence also was praising CleanTalk:

We would like to commend the CleanTalk team for their prompt response and timely patch.

In between that in their post, they were promoting the use of their paid services, which are failing to warn people that they are still using a known vulnerable plugin.

A search of Google News shows that various “news” outlets covered this:

A closer look showed that all of those outlets simply parroted Wordfence’s claim without reaching out to any other sources. Wordfence is known to not be a reliable source. If they had reached out to us, we could have pointed out that Wordfence was giving out bad advice.

Beyond not using this plugin, considering its obvious security problems, it is a good example of how vetting plugins using our Plugin Security Scorecard can help to avoid insecure plugins. Beyond the tool warning about the known vulnerability, it flags five other issues with the plugin:

Plugin Security Scorecard grade for Anti-Spam by CleanTalk (checked on December 2, 2024): F
