12 Dec 2022

How to Check if WordPress Plugins Are Secure

When it comes to determining if a WordPress plugin is secure or not, there is a lot of bad advice out there, much of it coming from security companies you should be able to trust to give good advice. For example, a plugin not having been updated for a certain period of time doesn’t mean it isn’t secure, as someone recently suggested might be the case with a plugin:

Please, can you update the plugin and check is all good? my site is hacked may is cause your plugin don’t update for 2 years. [Read more]

9 Dec 2022

Awesome Motive’s Not So Awesome Five for the Future Sponsorship of Plugin Security Reviewer for WordPress

The website of the WordPress focused company Awesome Motive paints them in an incredibly positive light. For example, one of their five core values is “We Do The Right Thing every time.”, which they explain this way:

When it’s right for the people, the company, and you’re proud of the decision, then it’s the right thing. Sometimes doing the right thing is hard, but doing it over is harder. This is why we must always do the right thing, every time. [Read more]

8 Dec 2022

Even Wordfence Competitor Has Been Fooled by Untruthful Marketing of Wordfence Premium

We recently tried to add a WordPress firewall plugin named BitFire into our automated testing system of WordPress security plugins, but found that the plugin wasn’t working properly and then an update totally broke it. We also noticed that the plugin’s marketing contained rather inaccurate information, which is, unfortunately, not a unique situation for a WordPress security provider. But it turns out that some of the inaccurate information makes it sound like a competitor of theirs provides much better results than they do. Here is how they talked up the Wordfence Premium service from Wordfence while saying why you shouldn’t use it:

If you use WordFence, you should only use the paid version. WordFence has a team monitoring emerging WordPress vulnerabilities and writing custom rules to block specific exploits. They are very good at it and run a great blog on their work. Paying customers receive these virtual patches as soon as they are available. Free customers receive the patches 30 days later. If your website is vulnerable, it is almost guaranteed to be hacked before the patch is available to free customers. Don’t leave your site at risk. [Read more]

7 Dec 2022

Patchstack Isn’t Verifying Vulnerability Info Being Copied From WPScan’s Inaccurate Data

Yesterday, we noted that the WordPress security provider WPScan isn’t verifying claimed vulnerabilities being added to their data set, despite claiming to do just that. That came in the context of them claiming that there was a vulnerability in a plugin, where what they claimed was at issue wasn’t really a vulnerability, but there really was a more serious vulnerability. That wasn’t a one-off issue.

WPScan recently claimed that the plugin Popup Maker had contained an admin+ stored cross-site scripting vulnerability, which they described this way: [Read more]

6 Dec 2022

WPScan’s Dedicated Team of Security Experts Are Actually Random Unpaid People on the Internet

Last week we discussed an example, involving Patchstack, of how WordPress security providers often make marketing claims that don’t match up with what they deliver, but they are certainly not alone in that. We ran across another example of that involving WPScan and a claimed vulnerability in a plugin used by at least one of our customers.

WPScan markets their service with a claim that they have a “dedicated team of WordPress security experts” and that they are “continually monitoring the web for new vulnerabilities”, but if you look at their blog, they tell a different story. At the end of September, they wrote a post titled “Writing Good Submissions”. In that, they partially gave away what they are really doing, which is getting other people to do their work for them: [Read more]

5 Dec 2022

WordPress Deletes Negative Review of Wordfence Security Mentioning “Horrific” Wordfence Response Experience

Recently, we mentioned that the moderation of the WordPress Support Forum seemed to be moving in a better direction, but things still were not in great shape. We noted yet another problem last week. In the latest instance, we noticed they removed a negative review of a company that the moderators have frequently promoted.

One of the problems with the reviews of WordPress plugins on the WordPress website, which fall under the support forum moderators’ purview, is that they often are not reviews of plugins at all, but of paid services connected with them. That often is rather unhelpful. For example, many five-star reviews of a security plugin touting how responsive the paid support is don’t help to determine if the security plugin actually provides the protection it claims to. The justification given for allowing this is: [Read more]

2 Dec 2022

Severity Scores From NIST’s National Vulnerability Database (NVD) Are Not Reliable

Two weeks ago, we looked at inaccurate information about claimed vulnerabilities in WordPress plugins, where a journalist was citing information from the National Vulnerability Database (NVD):

The U.S. government National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce WordPress plugins affecting over 135,000 installations. [Read more]

29 Nov 2022

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a big problem. But what causes it?

Part of the problem is that plugins with known vulnerabilities get pulled from the Plugin Directory, but get returned without the vulnerabilities actually being fixed. That is the case with the plugin previously known as WooCommerce Fraud Prevention Plugin and now renamed Fraud Prevention For Woocommerce. [Read more]

28 Nov 2022

Patchstack’s Early Alert For WordPress Plugin Vulnerability is Actually Public Info Copied From Competitor

There is often a wide gap between the claims of WordPress security providers and reality. That has often been the case with Patchstack going back to its precursors, WebARX and ThreatPress.

This week Patchstack started promoting that it is providing “early alerts and protection” for vulnerabilities to their customers: [Read more]

28 Nov 2022

WordPress Security Providers Not Warning About Likely Targeted Unfixed Vulnerability in WordPress Plugin

During the weekend, third-party data we monitor recorded what appeared to be a hacker probing for usage of the WordPress plugin ContentStudio. The requests were looking for the plugin’s readme.txt file:

/wp-content/plugins/contentstudio/readme.txt [Read more]