WordPress Provider EverestThemes Is Offering 24/7 Security Monitoring While Not Securing Their Own Plugin
In our years of dealing with vulnerabilities in WordPress plugins, one disturbing thing that we keep running into is plugin developers who are offering security services while not securing their own plugins. It’s hard to come up with a reasonable explanation of how they would feel comfortable offering security services while not even having made sure that they are handling security well with their own software.
The latest instance of that involves a provider named EverestThemes. They offer a backup plugin that has 4,000+ installs according to WordPress. Because of the security risk posed by the features that backup plugins often have, properly securing them is more important than it is for the average plugin. Unfortunately, the plugin lacks even basic security. We ran across that while looking into a false claim by Wordfence of a vulnerability in the plugin. For over two years the plugin has included a vulnerability that allows an attacker to delete arbitrary files from the website. A hacker could use that to delete the WordPress configuration file and then take control of the website.
That vulnerability and other security issues would have been caught by a professionally done security review of the plugin, so it appears they haven’t gotten one done.
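To illustrate the kind of check such a review would look for, here is an added example of a file-deletion handler that cannot reach files like the WordPress configuration file. It is not code from the EverestThemes plugin; it assumes a hypothetical plugin that stores its archives under a `my-backups` folder inside the uploads directory and uses a nonce action named `my_backups_delete`.

```php
<?php
// Added illustration, not the plugin's own code. Assumes (hypothetically) that
// backup archives live in wp-content/uploads/my-backups/ and are .zip files.

function my_backups_dir(): string {
    $upload = wp_upload_dir();
    return trailingslashit($upload['basedir']) . 'my-backups/';
}

function my_backups_delete(string $requested): bool {
    // Only administrators may delete backups, and only from a nonce-protected request.
    if (!current_user_can('manage_options')) {
        return false;
    }
    check_admin_referer('my_backups_delete');

    // Accept only a bare archive filename: no directory parts, no "../" traversal.
    $name = basename($requested);
    if ($name !== $requested || !preg_match('/^[A-Za-z0-9_-]+\.zip$/', $name)) {
        return false;
    }

    // Resolve symlinks and confirm the final path still lies inside the backup directory,
    // so a request can never resolve to wp-config.php or anything else outside it.
    $dir  = realpath(my_backups_dir());
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($dir === false || $path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    return unlink($path);
}
```

The capability check, the nonce check, the filename allow-list and the `realpath` containment check are each independent; dropping any one of them reopens a way to reach files the handler was never meant to touch.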
While looking into the developer, we found they are offering 24/7 Security Monitoring:
They described that as “Round-the-clock security surveillance to protect your website from malware and virus threats”. It’s unclear what that means, because if they are detecting malware on the website, they haven’t protected the website from malware.
Another feature suggests this doesn’t actually protect the website, as they also provide Hacked Website Repair, which they described this way: “In the event your website is hacked, have no fear we are here! With our Hacked Website Cleanup & Repair service we’ll have your website fixed and running again in no time.”
They provide no evidence that their security monitoring is effective at either detecting or protecting against malware.
The fine print on the service mentions the domain N1tech.org: “*Monthly plan pricing shown above applies to new customers signing up to a minimum term of 6 months as per the N1tech.org terms of service.” It isn’t stated what the connection is between EverestThemes and that domain, but this is what is shown for that address:
While they haven’t gotten a security review of the plugin, they could afford to have over a hundred blog posts created for the plugin’s blog, including one about a vulnerability in another plugin.
If you are looking to improve the security of your WordPress website, getting security reviews of the plugins you use would likely be a better use of your resources than a security service.