16 Nov

No Ninja Forms, Wordfence Security is Not Trustworthy and Blacklisting IP Addresses Doesn’t Provide Effective Protection

When it comes to choosing security products and services what is lacking is nearly any evidence that they are effective, while at the same time there is plenty that shows that many of them are not. For example, over at our main business we regularly have people asking if we offer one that will really [Read more]

15 Nov

Detectify is Eight Months Behind Detecting Vulnerability in WordPress Plugin With 2+ Million Installs

For us, providing the best data on vulnerabilities in WordPress plugins is important. We could easily be doing that even if we were doing much less than we do currently, but even so we continue to work to improve and find ways to gather data on more vulnerabilities. As an example of how [Read more]

14 Nov

The Need and Limits of Warning That Closed WordPress Plugins Contain Security Vulnerabilities

Earlier today we full disclosed that a WordPress theme contains a vulnerability due to its inclusion of the plugin OptionTree, which we had full disclosed contained the same vulnerability last week. That plugin was removed from the Plugin Directory after the disclosure (though strangely that hasn’t happened with a security plugin that has the same [Read more]

09 Nov

Wordfence Security and Wordfence Premium Fail To Protect Websites, But Defiant Is Happy to Lie and Tell You Otherwise

Over at our main business we have a steady stream of people contacting us to ask if we offer a service that will stop their websites from being hacked. A not insignificant number of them mention that they are currently using a service that claimed to do that and their website got hacked anyway. That [Read more]

08 Nov

Unlike Wordfence and Other Security Providers We Warned About WP GDPR Compliance Before Websites Started to Get Hacked

When it comes to protecting WordPress websites against vulnerabilities in plugins we provide a level of protection that others don’t for the simple reason that we do the work they don’t (but that they absolutely should be doing). The result can be seen with the plugin WP GDPR Compliance, which had multiple vulnerabilities fixed in version [Read more]

07 Nov

RIPS Technologies and BleepingComputer Creator Claim That Plugin’s Functionality Not Working When Disabled is WordPress “Design Flaw”

We generally avoid security journalism as it frequently involves anything from widely misleading claims to flat-out falsehoods, one example of that being something we discussed just a couple of weeks ago. One of the security journalism outlets we mentioned in that post was BleepingComputer, so when a Google news alert let us know of another story related [Read more]

05 Nov

More of WordPress Support Forum Moderator Jan Dembowski’s Bizarre Handling of People Trying to Deal With Closed Plugins

In protest of the continued inappropriate behavior by the moderators of the WordPress Support Forum, just over a month ago we started full disclosing vulnerabilities until the moderation is cleaned up. So far it hasn’t caused them to change their behavior (apparently continuing to act inappropriately is the only thing they seem to care about [Read more]

05 Nov

The WordPress Forum Moderators Keep Bizarrely Deleting Replies Just Saying Thank You

Where we first saw indications that something was very amiss with the moderation of the WordPress Support Forum was when a reply from someone just thanking us for answering a question they had was deleted. It didn’t make any sense to delete that and went against what people were being told as to the limited [Read more]

05 Nov

It Looks Like Hackers Have Started Probing For Usage of AMP for WP – Accelerated Mobile Pages

A week ago we put out a Vulnerability Details post with the details of a vulnerability in the plugin AMP for WP – Accelerated Mobile Pages, which had been closed on the Plugin Directory recently, so if you were already a customer of our service and using that plugin you would have been warned about that particular issue, [Read more]

02 Nov

With a Source Like This It is No Wonder Security Journalism Is Making WordPress Websites Less Secure

Recently an instance of security journalism received a significant spotlight and significant pushback. Bloomberg claimed that a malicious chip had been found in servers used by Apple and Amazon, which both Apple and Amazon categorically denied. Either there is a significant cover-up or Bloomberg got things very wrong. The latter possibility wouldn’t surprise us [Read more]