29 Sep 2021

The BBQ Firewall Plugin for WordPress Isn’t a “Strong Firewall”

A clear takeaway from our testing of whether WordPress security plugins can protect against vulnerabilities in other plugins is that the developers of these plugins are making inaccurate, to highly inaccurate, claims about the protection they can provide. One of those plugins, which we took a closer look at while addressing a question from someone, is the plugin BBQ Firewall. That plugin has 100,000+ installs, according to the wordpress.org stats.

In one of the most recent topics on the support forum for it, the developer claimed it is a “strong firewall”: [Read more]

28 Sep 2021

Mika Epstein and Samuel “Otto” Woods Block 30,000+ WordPress Websites From Getting Critical Security Update

What continues to be one of the worst aspects of dealing with the security of WordPress plugins is that it would be so easy to get to a much better situation, if not for the people that Matt Mullenweg, the head of WordPress, has empowered to run the WordPress Plugin Directory. There are easy changes that could be made, but they don’t happen because of those people. One of those changes has been impacting 30,000+ websites using the plugin WP DSGVO Tools (GDPR).

A Recipe for Bad Results

You can tell that something is very amiss with the team running that directory when you see that the team is claimed to have only four people. By comparison, the team running the theme directory has 10 people listed as Team Representatives and Theme Moderators (presumably there are more people below that level). The theme directory is listed as currently having nearly 9,000 themes, while the plugin directory is listed as having about 59,000 plugins, so you would expect the plugin team to be larger, not smaller. It isn’t for lack of interest; instead, they claim they can’t add more members: [Read more]

24 Sep 2021

Five of the 100 Most Popular WordPress Plugins Are Insecurely Using the extract() Function

Last week we noted that the most popular WordPress security plugin, Jetpack, was insecurely using PHP’s extract() function. It turns out that it isn’t alone among the most popular WordPress plugins, as running the 100 most popular plugins in the WordPress Plugin Directory through our Plugin Security Checker identified four more plugins that are similarly insecure. Jetpack is the most popular with 5+ million installs according to WordPress’ stats, but the others also have large install counts:

As we noted in the previous post, the documentation for the extract() function has this warning: [Read more]

17 Sep 2021

Poor Coding of Wordfence Security Plugin Includes Failing to Properly Uninstall

While developing our upcoming WordPress firewall plugin, we have done a fair amount of comparison to the two existing firewall plugins that provide a reasonable measure of protection. With both of them, we have come away with a poor impression of the quality of their development. That comes through in their failing to provide the level of protection they should. With Wordfence Security, it also could be causing a significant unnecessary performance penalty on websites running it.

One way we are trying to better understand where other firewall plugins are not delivering the results they could be is to look at the reviews of them on the WordPress Plugin Directory. One recent review of Wordfence Security shows that the developer of the plugin doesn’t have a good grasp of the basics of developing a WordPress plugin, despite the plugin having 4+ million installs according to WordPress’ stats. Here is the whole review: [Read more]

17 Sep 2021

WordPress Plugin Directory Team Again Allows Incredibly Insecure Plugin into Directory Despite Doing “Security Review”

Last week we noted that despite every new WordPress plugin added to the WordPress Plugin Directory supposedly having gone through a manual review first, including a security review, plugins that should never be approved are being approved. A possible explanation for that is that there is a fabulist running the team handling the directory, Mika Epstein, who claims to be doing reviews they are not doing. Fairly prominently on the WordPress website, they claim to have reviewed 46,800 plugins, despite it being hard to believe that is possible to do as a part-time volunteer:

[Read more]

16 Sep 2021

The Most Popular WordPress Security Plugin is Insecurely Using the extract() Function

Last month we noted that one of the largest companies in the WordPress ecosystem, Automattic, had a security team that didn’t seem to have a good grasp of a security issue they were publicly discussing. It turns out the situation is worse than we originally knew.

On the blog of Automattic’s Jetpack service, one of their security employees wrote a post seemingly oblivious to the fact that the code he was discussing was doing something the PHP documentation explicitly notes you shouldn’t do. Specifically, the documentation for the extract() function has this warning: [Read more]

10 Sep 2021

Does a Fabulist Explain Why The Security Reviews of New WordPress Plugins Are Not Happening?

On August 13th, WP Tavern, which is owned by WordPress and Automattic head Matt Mullenweg, published a post written by Sarah Gooding that presented an inaccurate view of the state of the security of WordPress plugins. The post was about a report based in part on data from a security company named WPScan, which has been inflating the number of vulnerabilities in WordPress plugins it claims to be aware of. The story didn’t address that inflation, but instead put forward this claim to explain what is actually being caused, at least largely, by that inflation:

Both Wordfence and WPScan claim that the greater number of vulnerabilities reported this year is indicative of the growth of the WordPress ecosystem and a maturing, healthy interest in security. Themes and plugins aren’t getting more insecure over time but rather there are more people interested in discovering and reporting vulnerabilities. [Read more]

3 Sep 2021

Wordfence and Saturday Drive Provide Hackers With Critical Info to Exploit Unfixed Vulnerability in Ninja Forms

When we discover vulnerabilities, we have always warned our customers only at the same time we publicly disclosed them, since doing otherwise would give hackers access to information that the public doesn’t have. Other companies are okay with giving hackers a possible leg up and possibly profiting from it, one of them being the developers of the Wordfence Security plugin.

As a practical example of what that means, currently hackers can exploit an unfixed authenticated information disclosure vulnerability in the plugin Ninja Forms, which has 1+ million installs, because of Wordfence. Making things easier for hackers, the developer of Ninja Forms, Saturday Drive, has disclosed even more information on the vulnerability in a form easily accessible to hackers but unlikely to be noticed by the public, and has yet to provide users of the plugin with a fix. [Read more]

27 Aug 2021

Wordfence’s Explanation for Misusing the Term Brute Force Attack is Something

While working on another blog post explaining how Wordfence inflates the number of “attacks” that their plugin blocks, we ran across a rather stunning explanation as to why they are misleading people about the type of attacks occurring against WordPress admin passwords.

Attempts by attackers to log in to WordPress are not something that the administrator of the average WordPress website needs to worry about. All they need to do is use a strong and unique password, and then they can move on to other things. That is bad for the security industry, as WordPress already provides a password strength meter. That might explain why they mislead people about what is happening, telling them that brute force attacks are happening and then recommending plugins and other solutions that would be needed if those were really occurring (so this isn’t a semantics issue). Not only does that waste time and create unnecessary fear, it has led to websites becoming vulnerable, as plugins to handle brute force attacks can and have introduced security vulnerabilities on websites. This is the security industry at its worst, but they are able to get away with it. [Read more]

20 Aug 2021

Wordfence Security Doesn’t Protect Against a “Vast Variety of Attacks”

As we noted in a post a week ago, the most popular WordPress security-only plugin, Wordfence Security, is being promoted with greatly overstated claims of what it delivers. That isn’t good for the security state of WordPress, as instead of security plugins competing on actually providing better results than others, they are competing on who is best at lying to people about what they are capable of. Already, in working on our upcoming WordPress firewall plugin, we have been able to easily surpass what Wordfence Security and other plugins provide, despite that plugin and others having been around for many years, because those plugins are not competing to provide better results. That isn’t a boast, but a lament, as that shouldn’t be something we should already be able to say.

In trying to explain what our plugin is capable of, it seems helpful to understand how other plugins are being inaccurately promoted. One instance of that we recently ran across with Wordfence Security seems like a good example of that type of thing. [Read more]