24 Oct 2022

Wordfence Intelligence Doesn’t Deliver on Its Promises

In August, the WordPress security provider Wordfence announced a new service named Wordfence Intelligence with a lot of lofty claims about the service and what they were already providing. What was lacking is evidence that it delivers on the promises being made. That should be a big concern for any security service, considering the really poor results that the security industry has been providing for the billions of dollars they are being paid, but Wordfence has a history of making easily checked false claims, so evidence is even more important. In some instances, their employees have admitted the claims are not true, while the company continues to make those claims. In looking over some of the underlying data connected with that service, we have found that what they are promising doesn’t come close to matching with what they actually deliver.

Bad Plugin Vulnerability Data

You can get a good sense of the strong claims they make about what they are delivering with just a couple of sentences of the marketing of the service:

Wordfence Intelligence includes a comprehensive and extremely current vulnerability database for WordPress that contains nearly 7,000 unique vulnerability records. This database is actively maintained by some of the top WordPress vulnerability researchers in the industry.

That sounds impressive, but the reality is very different.

Relying on their data could lead web hosts using the Wordfence Intelligence service to spread false information to their customers.

For example, last week we covered an instance where they were falsely claiming that a WordPress plugin with 300,000+ installs contained a vulnerability in the latest version. Wordfence hasn’t apologized or addressed the situation publicly, so it isn’t entirely clear what caused this. But the likely explanation is they fell for what would have been for “top WordPress vulnerability researchers in the industry” an obvious false report of a vulnerability that had been publicly released. None of the three competing providers of that type of data fell for it, even though two of them frequently run with false claims of vulnerabilities as well.

Two weeks ago we looked at a situation where they were claiming without evidence that the latest version of a plugin contained a vulnerability. When there was pushback on that, they pointed the finger at a competing provider named WPScan, which runs against the claim to actively maintain the database. In the past Wordfence had not created their own data, but relied on WPScan, while falsely claiming to be using “official” data, despite that not even existing.

Missing Plugin Vulnerability Data

In addition to web hosts, this service is marketed to enterprises:

This product is ideal for hosting companies looking to create value-added services for their customers or enterprise defenders who run WordPress at scale.

Enterprises would want to know promptly if WordPress plugins they are using contain known vulnerabilities. If Wordfence’s data was truly “comprehensive and extremely current”, it would deliver that. But it isn’t.

Two weeks ago we wrote about two of Wordfence’s competitors failing to warn about a vulnerability in a WordPress plugin that has 600,000+ active installs and the incomplete fix that had been made to try to address it.

Over the weekend, we detailed for our customers, a much more serious vulnerability in another plugin which also had a failed attempt to fix it.

In both cases, Wordfence had the same information available to them that could have allowed them to be the first to realize there was a vulnerability and that these fixes were incomplete. As they had been warned about elsewhere after that, Wordfence would have had an even easier time of warning about them.

Today we checked if they were warning their customers about either of those vulnerabilities and found that they are not.

Big Numbers, Poor Results

In one of their announcements for Wordfence Intelligence, Wordfence began with this:

Wordfence protects over 4 million websites around the world on 12,000 unique networks, and we block over 1.8 billion attacks targeting those websites every month. For years we have had a relationship with our customers that is a virtuous cycle: We receive attack reports from our customers at a rate of over 700 reports per second, and we distill those attacks into malware signatures, firewall rules, and an IP blocklist, and we give that data back to our customers in the form of a threat intelligence feed.

Claiming to block 1.8 billion attacks a month sounds like a lot if you don’t deal with website security, but it doesn’t amount to much. Spread across 4 million websites, that amounts to only 450 attacks per month per website, or 15 attacks per day in a 30 day month. At 15 attacks per day, it likely means that they are not blocking a lot of the attacks against the websites, since hackers are constantly trying to exploit websites. As they say that involves over 4 million websites, the number of attacks per website would be even lower.

A more important issue with that is one of the things they don’t mention: how many of the attacks would succeed. Hackers are known to, say, try to widely exploit vulnerabilities in WordPress plugins with under a hundred installs, and to do those attacks in a way that would never succeed. Blocking a lot of attacks that wouldn’t succeed isn’t really meaningful. It is hard to believe that Wordfence could be unaware of this, especially with the claims they make about their expertise.

What is even more important for the Wordfence Intelligence service is something else they didn’t mention. They are blocking attacks that they are already aware of. What that means in practical terms is that the information generated from that is of little value. If there is a known vulnerability in software, the solution is to address the vulnerability, not to try to block IP addresses that are trying to exploit it. Trying to do that instead is likely to lead to websites being hacked, since it does nothing against attempts using an IP address other than the ones they are blocking. Making that a worse idea here, attackers can easily gain access to Wordfence’s IP blocklist, so it isn’t an effective solution.

The results of that have been on display for years, with Wordfence being unaware of numerous zero-day vulnerabilities in WordPress plugins and therefore not providing protection against those or warning about them.

Missing Firewall Rules

One way to understand how little Wordfence actually knows would be to look at the firewall rules they are adding. We have done that and the results are incredibly underwhelming.

Looking at the free version of that data, which is the same data as available with their paid offering, just delayed by a month, we found that they only changed the rules on two days in August. In September, there were only two days with changes made as well.

In August, they only added a firewall rule for one vulnerability in a WordPress plugin.

In September, they only added a firewall rule for two vulnerabilities in WordPress plugins.

That isn’t in line with how many newly disclosed vulnerabilities in WordPress plugins would have needed firewall rules to provide protection, or even close to what would have been needed.

To look at that another way, in June we warned about a serious vulnerability we found in a plugin being targeted by a hacker. That vulnerability seems likely to have been the target of the hacker. That would be exactly the kind of thing that Wordfence should have been aware of if you were to believe the marketing claims of the Wordfence Intelligence service. And yet, their firewall doesn’t protect against that vulnerability even four months later.

Never Heard of Managed WordPress Hosting?

Another strange claim is that hosting providers don’t know what attacks are going on against their customers:

Many hosting providers cannot see attacks targeting their own customers because the data transiting their network is encrypted from browser to customer-managed server. When a host does have access to server logs, the POST body of requests is not available for analysis. Network owners cannot see which servers on their own network are compromised and which are launching attacks targeting the online community because the attacks transiting the owner network are TLS encrypted.

It’s as if Wordfence has never heard of managed WordPress hosting and the popularity of such hosting services. What makes that odder is they seem like an obvious potential customer for such a service. If hosts have customer managed servers, then much of what Wordfence Intelligence is offering wouldn’t even work in that situation. So the entire premise seems odd and not well thought out.

More Issues

There is more that could be discussed, including how they are not using data they collect from customers to help protect them, but instead to try to sell the Wordfence Intelligence service. But we are also interested in questions that others without the same security background might have about the service and the claims being made. If you do have a question that you want covered, leave a comment below or contact us.
