So often, what passes for security journalism misses the important details in claims made by security providers that are the sole source for stories. Take, for instance, a recent story that popped up a Google News alert we have to alert us to stories about WordPress plugin vulnerabilities. That story, by Roger Montti at the Search Engine Journal, claimed that the ecommerce platforms WordPress and WooCommerce were being targeted by a hacking campaign (no explanation was provided for classifying WordPress and WooCommerce as being separate platforms). Nothing in the story suggests what would have made this hacking campaign noteworthy, but it did mention a recommendation that is noteworthy. It said that it is recommended to use a web application firewall (WAF) to protect against this hacking campaign, but the sole source for their story, Akamai, itself said those don’t work against attacks:

Generally, these attacks cannot be detected by popular methods of web security, such as web application firewalls (WAFs), and are executed on the client side. [Read more]