27 Aug 2019

Our Security Review for WordPress Plugins Would Have Identified the Vulnerability in Bold Page Builder Before It Was Exploited

Last week we discussed how the developers of the Wordfence Security plugin are selling their Wordfence Premium service as being able to do something that it can’t do and that they don’t even try to accomplish. One of the claims about it is this:

Stay a Step Ahead of Attackers with Real-time Threat Intelligence

26 Aug 2019

Wordfence Keeps Hiding That Other Security Companies Are Actually Doing the Work to Keep Ahead of Hackers

On multiple occasions the team behind the Wordfence Security plugin have failed to credit us when discussing vulnerabilities we discovered. It turns out we are not alone in that, and unfortunately journalists will cover them and not give any credit to the other security companies that are actually doing the work to keep ahead of hackers (which is what Wordfence falsely markets their Wordfence Premium service as doing).

Here is part of an article from Threatpost (which is itself secretly owned by a security company) from Friday that showed up in a Google alert we have:

22 Aug 2019

Those Relying on Wordfence Premium Are Not Getting the Protection They Are Paying For

Among the oddities of the security industry is that so often people seem to be skeptical of the wrong things: they are more likely to believe that security companies are lying about things where there isn’t a logical reason to do that, while being overly trusting of extraordinary claims made about security products and services, which often turn out to be false. Last week we touched on the kind of claim that should elicit suspicion, that being the unqualified claim that the Wordfence Security plugin “stops you from getting hacked”. As we found when dealing with a website hacked due to a widely exploited vulnerability, it didn’t protect the website (and that is far from the first time we have seen it fail to stop a hack).

Making such a claim and not actually accomplishing it looks worse when you go to their homepage and see that the first thing shown is an advertisement for them doing hack cleanups:

13 Aug 2019

WordPress Support Forums Moderators Again Delete Messages Pointing Out Their Behavior is Bad for the WordPress Community

Yesterday we noted how a moderator of the WordPress Support Forum was getting in the way of people looking for help dealing with the exploitation of a fixed vulnerability in the plugin Simple 301 Redirects – Addon – Bulk Uploader. Today, when we went back to the topic that was the source of that post, we found that many of the replies on that topic, including almost all of the ones we had quoted, had been removed. In total, only 3 of the previous 11 replies remained. Some of those removed pointed out how what the moderator was doing was bad for the WordPress community. The moderator’s replies were also removed. You can see the replies as they were at the time of the previous post here and what is there at this moment here. That is in line with the kind of inappropriate behavior by those moderators we have seen for years, which led to us starting a protest against it nearly a year ago.

You can get a better understanding of the mess that is moderation and the related poor handling of the Plugin Directory from the message left earlier today by a moderator, Ipstenu (Mika Epstein), who also leads the six person team running the Plugin Directory (with our commentary inserted):

13 Aug 2019

Wordfence Security Plugin Failed to Protect Against Exploitation of 301 Redirects – Addon – Bulk CSV Uploader Vulnerability

Over at our main business today we have been dealing with a website that was hacked due to the now fixed vulnerability in the plugin 301 Redirects – Addon – Bulk CSV Uploader, which started getting widely exploited to redirect websites shortly after it was fully disclosed by the discoverer on Saturday (in this case the redirect was to tomorrowwillbehotmaybe.com). Simply keeping plugins up to date at all times would have avoided websites getting hacked, as it was fixed on Thursday. If you were a customer of our service you would have been warned of the high likelihood of that vulnerability being exploited on Monday of last week (we knew about the vulnerability because the discoverer had obliquely disclosed it some time before Monday).

What wouldn’t protect you is the Wordfence Security plugin, as the website we have been dealing with is using that. The plugin is clearly active on the website, as it locked us out of trying to log in after we were provided incorrect login details for WordPress on the website.

12 Aug 2019

WordPress Support Forum Moderator Gets in Way of Users Dealing With Hack of Simple 301 Redirects – Addon – Bulk Uploader

When vulnerabilities in WordPress plugins get exploited, a lot of those impacted don’t have a good understanding of what is going on. One example we have seen frequently with recent instances of that is that people get confused into believing that the version that fixes the vulnerability instead contains malicious code, when what they are seeing is the result of their website already having been hacked. That seems in part because they don’t understand that the new version doesn’t undo what the hackers have already accomplished. The best approach for people in that situation would be to hire professionals like us to clean the website, since we can help to explain what is actually going on and make sure the issue has been fully resolved. The next best would be for people to discuss it on the support forum for the plugin, but as has happened with the plugin Simple 301 Redirects – Addon – Bulk Uploader, that runs into the problematic moderators of the WordPress Support Forum.

In a recent topic for the plugin someone asked a reasonable set of questions:

12 Aug 2019

Exploitation of Simple 301 Redirects Connected Plugin is Another Reminder of How Our Service Keeps You Ahead of WordPress Plugin Vulnerabilities

When we say that our service provides the best data on vulnerabilities in the WordPress plugins you are using, that isn’t just a marketing slogan. It is based on us continually comparing what we are doing to others and also continually looking at how we can improve. An improvement that is just over a week old has already paid off in terms of our customers being warned well ahead of others about a vulnerability now being exploited in the plugin Simple 301 Redirects – Addon – Bulk CSV Uploader.

Yesterday we had a lot of traffic coming to our website for content we have on a related plugin, Simple 301 Redirects, which would usually indicate something security related is occurring with it. Yet early last year we did a security review of that plugin and only found one minor issue among the things we checked for, so at least at that time it was rather secure. Monitoring we do and other information pointed to what was going on, as we had what looked to be a hacker probing for usage of the plugin Simple 301 Redirects – Addon – Bulk CSV Uploader on our website by requesting this file:

9 Aug 2019

NinjaFirewall WP Edition’s Option Update Protection Is Embarrassingly Easy to Bypass

From what we have seen from testing WordPress security plugins against real vulnerabilities in other WordPress plugins, as well as other things, many of them don’t provide any protection against the types of threats they should be able to protect against. For the few that do provide some protection, it is hard to recommend them because the developers greatly overstate the protection they provide, either because they don’t understand its limitations, because they are lying about the capabilities, or a combination of both. In the real world that has led to websites being unnecessarily hacked.

One example of overstated protection is the plugin NinjaFirewall WP Edition. Nearly three years ago its developers had come across a vulnerability in a plugin and, when disclosing that vulnerability, they made this claim:

31 Jul 2019

There is a CSRF Vulnerability in a WordPress Plugin with 80,000+ Installs Developed by One of The Six People Running the Plugin Directory

A core problem with the handling of security issues with WordPress plugins is the team running the Plugin Directory, who have shown themselves not to be up to the task of handling the role they are in. Part of that involves an inability to work with others to fix the problems the team is causing. That seems in part due to a belief that they have capabilities they don’t. You can get a taste of that from the bio of one of the members, which reads in part:

Fundamentally, I started using WordPress because I was bored at work. So I started messing around on the forums, reading questions, finding the answers by reading the code, and then by answering the questions for others. Do that for a year and you will know everything there is to know about the code.

30 Jul 2019

The Developer of ND Shortcodes (ND Shortcodes For Visual Composer) is Not The Only One to Blame for Websites Being Hacked Due to It

Last Thursday we started warning any customers of our service using the plugin ND Shortcodes (ND Shortcodes For Visual Composer) that there were a couple of vulnerabilities in the plugin. We warned them on the basis of one of them being fixed in a new version with the changelog “Improved nd_options_import_settings_php_function function for security reasons” (the second vulnerability is related to the fixed one). Those not using our service were not so lucky, as the plugin was at the time and remains closed on the WordPress Plugin Directory, so it isn’t possible to update the plugin normally to protect against the fixed vulnerability (we are always available to help our customers update to a new version in a situation like that).

If you were relying on the main competing data source for vulnerabilities in WordPress plugins, the WPScan Vulnerability Database, even now you are not being warned: