17 Sep

Sucuri Doesn’t Understand the Recently Disclosed Vulnerability Created by Duplicator (or Security in General)

The reputation of security companies is often very different than the reality. One company that seems to have a good reputation is Sucuri. That is despite everything we have seen over many years indicating they really lack even a basic understanding of security (we wish that were a gross exaggeration). We once again were reminded […]

14 Sep

Astra Falsely Claims That Minor Vulnerabilities in Contact Form 7 Lead To Websites Being Hacked

If you are looking for information on vulnerabilities in WordPress plugins a common suggestion is to do a search for them, like this recent one from a moderator from the WordPress Support Forum: Do a search for any known vulnerabilities in the plugin. If any exist for old plugins, they should be well known by […]

07 Sep

Wordfence Security Doesn’t Protect Against Exploited Vulnerability (or Finding a Balance When it Comes To Detailing Vulnerabilities)

One of the ways we work to make sure we have the best information on vulnerabilities in WordPress plugins for our customers is to monitor the WordPress Support Forum. Through that we came across a couple of threads yesterday that involved exploitation of a vulnerability connected to the plugin Duplicator (and yet another example of the […]

05 Sep

Hackers Will Try To Exploit Vulnerabilities in WordPress Plugins in Ways That Will Never Succeed

One of the things we find rather telling about the security industry is that they seem to find various statistics valuable, but ones they seem to be totally uninterested in are any that would actually show that their products and services are actually effective at protecting websites (despite that seeming like it should be a prerequisite […]

04 Sep

Phishing Email Claiming to Be Related to WordPress Database Upgrades Being Sent Out

We have an email address we use to handle all communications related to notifying the developers of WordPress plugins about security issues in their plugins (whether those are ones that we have found or ones that others have disclosed before they have been fixed). The email address isn’t publicly disclosed, so it shouldn’t receive email […]

24 Aug

Sucuri’s Post With FUD Claim of Massive Infection Really Shows That They Are Failing Their Customers

It has taken us a long time to fully grasp the level of dishonesty in the security industry, since it is so rampant that it is hard to believe how bad things truly are, even seeing examples every day. That there is almost any dishonesty should be surprising since trust is so important when it comes […]

24 Aug

RIPS CodeRisk Doesn’t Look To Produce All That Reliable Risk Scores for WordPress Plugins

While so much of the security industry seems to have no interest in providing accurate information about security, for those that do care, if our experience is any indication, it is difficult to find a way to present information in a way that provides the proper concern without creating unnecessary fear due to misinterpretations of […]

28 Jun

Other Data Sources on WordPress Plugin Vulnerabilities Belatedly Add Vulnerability While Falsely Claiming It Has Been Fixed

When it comes to the problems with the security industry one of the fundamental issues is the abundance of false and misleading claims about the capabilities of products and services. The breadth of that is on display in how often that occurs with our little piece of the industry, data on vulnerabilities in WordPress plugins, […]

04 Jun

Trying To Determine If WordPress Plugins Are Being Exploited Is Harder When Hackers Do Odd Things

One of the things that we do to make sure our customers are getting the best protection against vulnerabilities in WordPress plugins is to do monitoring to try to spot when hackers are looking to exploit vulnerabilities in those plugins. In doing that we have found that other security companies that make extraordinary claims about […]