16 Dec

No WordPress Security Plugin Prevented Exploitation of Unfixed Arbitrary File Upload Vulnerability in Popular Plugin

When it comes to the chances of vulnerabilities being exploited, the reality is that many types of vulnerabilities are highly unlikely to have anyone even try to exploit them. Unfortunately, far too often we see security companies and the press making a big deal of vulnerabilities that are of little to no threat, while ignoring vulnerabilities and [Read more]

17 Nov

Even Security Plugin Mislabels Vulnerability as Less Concerning Potential Vulnerability

Nearly two years ago we looked over the vulnerabilities that were in our data set at the time to get a better understanding of how often security fixes are left out of the changelog entries for the version of the WordPress plugin that fixed them. We found that nearly 20 percent of the time no [Read more]

14 Nov

Developer Of WordPress Security Plugin Thinks It's Normal For Security Plugins to be Insecure

When it comes to the poor state of security, one of the big problems is that instead of addressing the causes of that poor security, the focus is often on pushing security products, which are often of limited use and, when it comes to WordPress plugins, are known to introduce their own security vulnerabilities. The lack [Read more]

26 Sep

No WordPress Security Plugins Protected Against Recently Disclosed Vulnerability That Exposes WooCommerce Order Data

Recently we started testing to see what protection WordPress security plugins provide against vulnerabilities in other plugins (since plugin vulnerabilities are an actual source of websites being hacked, unlike some other things that these plugins make a big deal of providing protection against). The first vulnerability we tested could be used for serving up malware on [Read more]

22 Sep

Only One WordPress Security Plugin Fully Protected Against a Recently Disclosed Arbitrary File Upload Vulnerability

Last week we did our first test to see what protection WordPress security plugins can provide against the exploitation of vulnerabilities in plugins. The results for a persistent cross-site scripting (XSS) vulnerability were not good, with only 2 of the 11 plugins tested providing any protection, and even the protection in those two [Read more]

12 Sep

WordPress Security Plugins Provide Little to No Protection Against Recently Discovered Persistent XSS Vulnerability

In the past few months we have done several one-off tests of WordPress security plugins to see if they could prevent exploitation of a vulnerability in a plugin. We tested an extraordinary claim by Wordfence that their plugin could prevent persistent cross-site scripting (XSS) and found that it failed both with a vulnerability that [Read more]