20 Sep 2022

How to Replace Overpriced and Ineffective WPScan Based Penetration Testing of WordPress Websites With Cheaper and Better Automated Testing

Last week Bloomberg’s Katrina Manson covered a recommendation from the US Cybersecurity and Infrastructure Security Agency that urged companies to automate threat testing. The story touched on one of the realities of the poor state of security that doesn’t get much attention: the current method of threat testing is both much more expensive than it needs to be and not very effective. The story mentioned the chief information security officer of a company that changed course after a ransomware attack two years ago, who found that the change had this impact:

the price was cheaper than employing so-called penetration testers, who do similar work but less regularly and effectively [Read more]

19 Sep 2022

Wordfence and Security Journalists Are Again Creating FUD About the Security of WordPress Websites

Last week numerous news outlets ran scary sounding stories about a claimed security issue in a WordPress plugin. Here are some of the headlines of stories that were included in Google News:

  • WordPress zero-day vulnerability compromised more than 280000 websites: Researchers
  • 280000 WordPress sites hacked by exploitation of CVE-2022-3180 – Web Hosting
  • Shocking Cyberattack by Hackers on 280000 WordPress Sites
  • Shocking cyberattack! 280000 WordPress sites attacked by hackers
  • Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability
  • Zero-day in WPGateway WordPress plugin actively exploited in attacks
  • WordPress Plugin Vulnerability Abused in Zero-Day Exploit
  • WordPress zero-day vulnerability leads to 4.6 million attempted attacks on websites
  • WordPress plugin vulnerability leaves sites open to total takeover
  • Over 280000 WordPress sites may have been hijacked by zero-day hiding in popular plugin

The last one of those was from a TechRadar story written by Sead Fadilpašić. The sub-headline of the story was: [Read more]

12 Sep 2022

Unlike WP Sec, Our Service Actually Determines if Your Site is Using a Known Vulnerable WordPress Plugin

One of the things we do to be able to provide customers of our service with the best information about known vulnerabilities in WordPress plugins is to monitor the WordPress Support Forum for possibly relevant topics. Along with the information we are looking for, we often see people who have gotten incomplete and/or inaccurate information from other security providers that are cutting corners. One recent example involved a service named WP Sec. A user of the service wrote this to the developer of a plugin:

It says that the plugin has a security problem.
Did you know it? [Read more]

8 Sep 2022

Here Is the Incredibly Insecure Exploited Code in a Plugin From the Developer of iThemes Security

Two days ago the developer of the iThemes Security plugin, which is one of the most popular WordPress security plugins, disclosed that another of their plugins, BackupBuddy, had a zero-day vulnerability. A zero-day vulnerability is one that is being exploited before the developer is aware of it. That seems like a big story, but when the vulnerability was covered by the WP Tavern, there was no mention of iThemes Security and no question raised about what that says about the state of WordPress security plugins.

iThemes’ post also makes this strange claim: [Read more]

8 Aug 2022

Cloudways is Still Storing Non-Hashed Passwords

Last November GoDaddy, which heavily markets itself to the WordPress community, disclosed a massive breach of the data of customers using its managed WordPress hosting service. A stunning element of that was that they were still storing customers’ passwords in non-hashed form, despite that having been a big security no-no for easily over a decade. If they hadn’t been improperly storing those passwords, the damage from the breach would have been more limited. It turns out that another web host marketing itself to the WordPress community is still doing that now.

Cloudways is heavily marketing itself in the WordPress community. That includes through Post Status (alongside two GoDaddy entities, GoDaddy Pro and Pagely): [Read more]

17 Jun 2022

Clearing Up Some Claims Made About the Remote Code Execution (RCE) Vulnerability Fixed in Ninja Forms

Two days ago, WPScan described a vulnerability fixed in the WordPress plugin Ninja Forms the day before this way:

The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have been exploiting such issue since June 9th, 2022 [Read more]

9 Jun 2022

7G Firewall Tested: It Doesn’t Provide “Powerful” or “Super Strong” Protection

Yesterday, we compared the claims the developer of the WordPress security plugin BBQ Firewall makes about its protection to the reality of the very limited protection it provides. The developer of the plugin is also the developer of a set of .htaccess rewrite rules they refer to as the 7G Firewall. As with the BBQ Firewall, the developer claims it is a strong and powerful firewall (emphasis in the original):

7G is a lightweight (only 12KB) strong firewall that provides site security and peace of mind. [Read more]