11 Oct 2022

Automattic’s Idea of Coopetition Involves Copying Data From Competitors Without Credit

Companies operating in the WordPress space have to deal with a problematic situation. While WordPress is promoted as an open source community, the head of WordPress, Matt Mullenweg, uses his various entities to exert control and influence over the community to the benefit of his business interests. One of those entities is the news outlet the WP Tavern, which, when covering him, doesn’t disclose that it is owned by him and that its writers work for him. That lack of disclosure occurred again with a recent story about one of his employees causing WordPress to hide information useful to competing companies.

In the story, it also wasn’t disclosed that one of the quoted sources, Josepha Haden Chomphosy, is an employee of Matt Mullenweg’s company Automattic, instead incompletely describing her as “WordPress Executive Director”. She was quoted saying that there should be a focus on a coopetition mindset in terms of data access: [Read more]

10 Oct 2022

WordPress, Automattic’s WPScan, Patchstack, and CVE Make Mess of Unfixed Vulnerability in WordPress Plugin

The two most recent support forum topics for the 30,000+ install WordPress plugin Kraken.io Image Optimizer are about a claimed security vulnerability in the latest version of the plugin:

[Read more]

7 Oct 2022

Automattic Employees Don’t Appear to Understand What Security Is

The WordPress community is in the midst of a controversy involving a strange, largely unexplained situation. A chart that used to be shown on the Advanced View page for plugins in WordPress’ plugin directory was removed. This is an example of that chart:

[Read more]

7 Oct 2022

All In One WP Security & Firewall Only WordPress Firewall Plugin to Increase Protection in Our Testing This Month

One of the ways we measure how much protection WordPress security plugins provide against the real threat of vulnerabilities in other WordPress plugins is to run the software we designed to make sure that our own firewall plugin’s protection isn’t broken when we make changes, but against the other plugins. Since May we have been doing a monthly run of that and logging the results, so that we can monitor changes in the results for the other plugins.

Until this month, there have been only two changes. One was that the amount of protection changed for plugins when we added tests for more exploit attempt variants, with most plugins not providing protection against the new tests. The other was that we detected that Shield Security’s protection became entirely broken. That first occurred in the June test and hasn’t been fixed yet. [Read more]

6 Oct 2022

Security Journalist Blames WordPress for Poor Security Handling Unrelated to WordPress

A week ago, we highlighted a key detail of a recent hacking of the news outlet Fast Company, which other news outlets covering it were failing to discuss: the hacker of Fast Company’s WordPress website claimed they gained access because the website’s Administrator account had the password “pizza123”. That is an important detail, as it provides a reminder that a basic security practice, using strong passwords in that case, clearly isn’t always being done. That isn’t a lone example, as what we often see in our work with hacked websites, as well as in coverage of other hacking incidents, is that many of these hacks involve failures to do the basics.

The security industry, though, continues to push more complicated security solutions before focusing on making sure that the basics are being done. As we will touch on in a few moments, that can actually create serious security risks that wouldn’t otherwise exist. [Read more]

5 Oct 2022

Automattic Employee Introduced Serious Exploitable Vulnerability Into WordPress’ Own Plugin

As detailed in a more technical post, proactive monitoring we do caught a serious vulnerability, of a type highly likely to be exploited, being introduced into a WordPress plugin this week. By the install count of the plugin, this wouldn’t be all that notable, as the plugin only has 200+ installs. But the plugin, Create Block Theme, comes directly from WordPress:

[Read more]

4 Oct 2022

WordPress is Obfuscating the Connection Between the WordPress Plugin Directory and Automattic

An odd controversy has recently taken up the spotlight in the WordPress plugin developer community, the removal of the Active Install Growth chart from the Advanced View page for plugins in the WordPress Plugin Directory. That chart showed the growth of installs of a plugin over time. This is what that looked like:

[Read more]

3 Oct 2022

WP Hive’s Memory Usage Measurement Math Doesn’t Add Up

In the past, we have looked at the performance impact and memory usage increase caused by WordPress firewall plugins that provide real protection. We recently ran across a website called WP Hive that provides claimed measurements of the performance impact and memory usage caused by plugins. We were interested in seeing how the results compared to our testing. What we found was that the results don’t add up.

As an example of that, look at the memory usage results for one of the plugins we have tested, Wordfence Security: [Read more]

30 Sep 2022

WP Cerber Competitors Automattic and Patchstack Also Spread False Claim of Vulnerability in the Plugin

Earlier in the week, we detailed what looks to be going on with the closure of the popular WordPress security plugin WP Cerber on WordPress’ plugin directory. What seems like it could have started the closure was a claim made by a competing plugin, Wordfence, of a vulnerability in the plugin.

Here is how Wordfence described the issue: [Read more]

29 Sep 2022

The Simple Way to Avoid Your WordPress Website From Being Hacked Like Fast Company’s Was

The news outlet Fast Company has been in the news for the past couple of days over obscene push notifications sent out through Apple News and an apparently related hacking of their WordPress powered website. The hacker posted on Fast Company’s website a claimed explanation of how they were able to hack Fast Company’s WordPress installation and take further actions from there. While we can’t independently verify the claims, they read like something written by someone who is knowledgeable and would match up with what they were able to accomplish. Two things stood out for us in that: the hacker gained access to WordPress through an easily avoided security failure, and once the hack occurred it doesn’t appear that someone with expertise was brought in to address it.

Avoid Using a Weak Password

News reports we have looked at have obscured a key point: how the hacker claims to have got in through a weak password. Here is how Engadget explained it: [Read more]