1 Nov 2022

Automattic’s WPScan Failed to Catch That WordPress VIP’s Co-Authors Plus Plugin is Still Disclosing Email Addresses

During the summer, WPScan, one arm of Automattic, the company closely associated with WordPress, disclosed a vulnerability in the plugin Co-Authors Plus, which is maintained by another arm of Automattic. WPScan and others in Automattic appear to have failed to look all that closely at the issue, as the plugin still has a closely related vulnerability.

According to the documentation for the plugin, it is maintained by WordPress VIP: [Read more]

31 Oct 2022

WordPress Changes Support Forum Policy on Discussing Vulnerabilities, Moderators Still Not Following Their Own Rules

The moderation of the Support Forum for WordPress has long been a mess. That is particularly true when it comes to security. Part of the problem is that it isn’t possible to abide by the rules. There are stated rules and then there are unstated rules, both of which the moderators sometimes enforce and sometimes don’t. So you can end up getting in trouble while abiding by what appears to be the rules. Making things more problematic, the moderators don’t even always tell people what they are supposed to have done wrong. The moderators seem to be able to do whatever they want and they have in the past changed the rules when it was pointed out they were violating them.

Last month, the Support team’s meeting summary noted a change in the handling of discussions of plugin vulnerabilities: [Read more]

31 Oct 2022

NinjaFirewall vs Wordfence Security

Last week, we compared the WordPress firewall plugins BBQ Firewall and Wordfence Security, after noticing that Google’s Search console showed that a lot of people were coming to our website looking for that comparison, despite us not having one. The results also showed a lot of people looking for a comparison of NinjaFirewall to Wordfence Security, but the top result for that search is a page comparing Wordfence Security to Security Ninja, which is unrelated to NinjaFirewall. So it seems like a comparison between the two would be useful to provide.

The most important thing to know about WordPress firewall plugins is the amount of protection they offer against real threats, but we are somehow the only ones that do testing that would measure that. A lot of the threats that WordPress security plugins claim to protect against are not really threats. What is a real threat is vulnerabilities in other plugins being exploited, and that is something that firewall plugins can provide protection against. The developers of NinjaFirewall and Wordfence Security both provide protection against those, but how much? [Read more]

28 Oct 2022

Wordfence’s Alarmism on Display With “Exploit Attempts”, Which Are Not Really Exploit Attempts

Last week we looked into a false claim made by WordPress security provider Wordfence that a plugin had contained a “critical” security vulnerability. In discussing that, we mentioned someone’s concern related to another situation about Wordfence issuing alarmist warnings:

This is demonstrably alarmist, and poor advice considering that they have conceded to several different people that it is not a critical issue. So of course this damages Wordfence’s reputation for me. How do I know that they are not issuing alarmist warnings about other issues? [Read more]

27 Oct 2022

WP File Manager Getting Evidence Free Blame for Hacked WordPress Websites

Earlier this week we mentioned how GoDaddy’s Sucuri security service isn’t doing basic work to properly clean up hacked WordPress websites. That involved them not trying to figure out how websites are being hacked. They are not alone in that, but others take that even further by blaming something for the hack without actually knowing if that is true, as they didn’t try to figure out the source. One recent example of that involves a thread on Reddit, which had 88 upvotes, where someone, claiming to work for a web host, blamed websites being hacked on a WordPress plugin named WP File Manager. By comparison, someone asking for evidence to support the claim was downvoted. While you can point the finger at Redditors for that mess, the claims made are worth breaking down, as they show how things can go wrong when dealing with hacked websites and how those that have the misfortune of having their website hacked can get a better outcome.

Confusion Over Outdated Software

One of the mistakes the poster makes is a failure to understand the implications of outdated software. They start their post this way: [Read more]

26 Oct 2022

Wordfence Is Failing to Provide Information That Would Help Protect Their Customers Unless Web Hosts Pay Them as Well

Two days ago, we detailed multiple issues with a recently launched service from the WordPress security provider Wordfence, Wordfence Intelligence. There was something we ran across while researching that, which we felt was worth separating out for its own post because it seems so problematic. One promoted reason to sign up for that service is so that web hosts can get information on servers in their infrastructure that are launching attacks. Here is how Wordfence describes that:

Compromised Host Identification
Many cloud hosting providers and security operations teams do not have access to the operating system of servers they are responsible for securing. Wordfence defends over 4 million websites globally. We have excellent visibility on which servers are infected for a hosting provider, cloud provider, or geographic area, which helps indicate when these servers may be launching attacks against other web services. If you are a network defender responsible for securing a large network, we can help you identify which hosts on your network are compromised and need to be mitigated. Securing these infected hosts helps reduce attacks across the global Internet and helps keep the online community safer. [Read more]

25 Oct 2022

Wordfence Intelligence Vulnerability Data Feed Keeps Looking Worse

Yesterday, we detailed significant discrepancies between the way the WordPress security provider Wordfence marketed their Wordfence Intelligence service and the actual results they are delivering with it. Much of that also affects those relying on their Wordfence Security plugin. One aspect that affects users of their plugin, as well as other plugin developers, is Wordfence’s information on vulnerabilities in WordPress plugins. As of yesterday, they marketed that part of Wordfence Intelligence this way:

Vulnerability Detection at Scale [Read more]

25 Oct 2022

Sucuri Doesn’t Seem Concerned Their Customers’ Websites Keep Getting Hacked

Last year GoDaddy disclosed a massive security breach of their managed WordPress hosting service, which according to them, impacted 1.2 million of their current and previous customers. They also claimed that customers’ passwords were compromised:

• The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords. [Read more]

24 Oct 2022

BBQ Firewall vs Wordfence Security

Looking at Google’s Search Console stats for our website showed that a lot of people were coming to our website searching on “BBQ Firewall vs Wordfence”, despite us not having a page comparing the two WordPress security plugins. It doesn’t look like anyone else has done a comparison, so it seems like that would be useful to provide.

The most important thing to know about WordPress firewall plugins is the amount of protection they offer against real threats, but we are somehow the only ones that do testing that would measure that. A lot of the threats that WordPress security plugins claim to protect against are not really threats. What is a real threat is vulnerabilities in other plugins being exploited, and that is something that firewall plugins can provide protection against. The developers of BBQ Firewall and Wordfence Security make it sound like they provide strong protection against those vulnerabilities, but in reality they don’t do a very good job. [Read more]

24 Oct 2022

Wordfence Intelligence Doesn’t Deliver on Its Promises

In August, the WordPress security provider Wordfence announced a new service named Wordfence Intelligence with a lot of lofty claims about the service and what they were already providing. What was lacking is evidence that it delivers on the promises being made. That should be a big concern for any security service, considering the really poor results that the security industry has been providing for the billions of dollars they are being paid, but Wordfence has a history of making easily checked false claims, so evidence is even more important. In some instances, their employees have admitted the claims are not true, while the company continues to make those claims. In looking over some of the underlying data connected with that service, we have found that what they are promising doesn’t come close to matching with what they actually deliver.

Bad Plugin Vulnerability Data

You can get a good sense of the strong claims they make about what they are delivering with just a couple of sentences of the marketing of the service: [Read more]