Dealing with the security of WordPress plugins, we see a lot of the bad parts of the WordPress business space. Plugin developers making extraordinary claims about their handling of security, while not even doing the basics isn’t uncommon. Much worse are security providers, who, for example, frequently are lying about what their products and service actually deliver (sometimes while lying about what other providers are offering). One of those providers, Wordfence, has taken things to a new low. They have filed bad faith DMCA takedown requests with Google to get accurate, but critical information about them removed from Google’s search results. Which we know about because they came after us.

A DMCA takedown request is legitimately used to deal with copyright infringement. It also is frequently abused to try to silence criticism, as is the case here.

One of Wordfence’s takedown claims states that “information cited in the blog post was directly taken from our website“, but the website is the website of WordPress, wordpress.org:

So Wordfence is claiming to own the WordPress website. It doesn’t actually own that.

The other takedown claims at least cite their website as the source.

The description for all the takedown claims made at the time were, in full, this:

‘The information cited in the blog post was directly taken from our website without authorization and without citing the original source.

You don’t need to get authorization to cite information from someone’s website. The second claim that we didn’t cite the original source isn’t true (and doesn’t even make sense in the context of the posts they filed against).

Looking at the posts they are trying to keep people from seeing makes it clear what is going on. They are trying to cover up coverage of falsehoods they are putting out.

One of the posts is titled “Not Really a WordPress Plugin Vulnerability, Week of April 28“, which mentions a claim they made about a supposed vulnerability in a WordPress plugin. We quoted two sentences of description of the supposed vulnerability. The sentences are in a quote block and right before that, we wrote:

Wordfence claimed that the change fixed a vulnerability:

So we did, in fact, cite the original source.

After that, we explained in detail why the claim of a vulnerability isn’t true, which is why we were quoting them first.

In another instance, things are even more ridiculous, as we quoted a single sentence in an over 800 word post. The title of the post gives you a good idea why they wouldn’t like people to be able to see that, “Wordfence Intelligence Vulnerability Database is Still Falsely Claiming Vulnerabilities Have Been Fixed“. Again, the quoted text was in a quote block and this was what preceded that:

Wordfence parroted that claim and wrote this:

So, again, we did in fact cite the original source. It doesn’t make sense that we wouldn’t cite the original source, since the post was in large part about how Wordfence was providing inaccurate information.

If our posts were inaccurate in any way, Wordfence could have contacted us and we would have corrected them, but they haven’t done that, instead they took the action they did instead.

It Happened Again

On Tuesday, we wrote a post after seeing that again Wordfence (and possibly WordPress) had mishandled vulnerabilities in a plugin.

By the next day, they already have filed a DMCA takedown for that with this claim:

Text from our wordfence intelligence page “database is actively maintained by some of the top WordPress vulnerability researchers in the industry.” and an unauthorized screenshot of the page on our site for posts like dislike vulnerability

Yes, they are claiming copyright infringement for quoting less than a sentence and an “unauthorized screenshot“. The quote is simply showing how they are marketing themselves, which is contradicted by the actual results, as explained by the post. The screenshot show them providing inaccurate information. They subsequently changed the information included in the screenshotted, though in a way that still isn’t accurate. You can see how the screenshotted page looked as of Tuesday here and how it looked as of yesterday here. No wonder we provided a screenshot in the post.

It isn’t hyperbole to say that what they are trying to do there is to make journalism illegal.