Login

Tag Archives: BitFire

30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website. [Read more]

7 Jun 2023

WordPress Firewall Plugins Lack Protection Against Arbitrary User Deletion Vulnerabilities

Last week, we ran across a vulnerability in a WordPress plugin that would allow an attacker to delete all the website’s WordPress user accounts, which would be nasty if exploited by an attacker. The ability to easily exploit the vulnerability involves, in part, a known bypass of WooCommerce’s security that hasn’t been addressed. The developer of WooCommerce, Automattic, has told us they are “aware of this and working on a fix to mitigate this issue”, though no timeline has been put forward for that (or clear information on how long they have been aware of that).

A way to help prevent this type of vulnerability from being exploited would be to use a WordPress firewall plugin that protects against non-Administrators being able to delete arbitrary WordPress users through a vulnerability like that. That is something we implemented in our own firewall plugin after running across the vulnerability. As part of adding that protection, we updated our regression testing software to make sure that the protection continues to work as we make additional changes to the plugin (the developer of one security plugin doesn’t appear to do that type of regression testing at all). [Read more]

13 Mar 2023

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, who all claim to have teams of experts reviewing vulnerabilities in WordPress plugins, claiming that the vulnerability had been fixed three months before that. The moderators of the WordPress Support Forum made the situation worse by deleting an early indication of the problem in the form a message complaining about a website being hacked because of the plugin.

The developer of the plugin promptly fixed the vulnerability once we advised them that it still existed. They then went further than other plugin developers usually do when a plugin has had an exploited vulnerability and got a security review done to ensure the plugin was now properly secured. [Read more]

6 Mar 2023

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things they said in their post that are rather problematic.

One of them was that they were claiming to have responsibly disclosed the vulnerability, while also contradicting that. According to their post, the day before they notified the developer of the plugin about the vulnerability, they were already selling access to information about exploiting the vulnerability through their Wordfence Premium service. That isn’t responsible disclosure and any hacker willing to pay for the service could have started exploiting this before the developer was even notified about it. Wordfence’s paying customers would have been protected from it at the time, but others would not without having some other security in place. [Read more]

8 Feb 2023

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability discovered by Lana Codes involved the plugin’s functionality to email a one-time password for logging in to WordPress. The problem with the functionality is that it didn’t just email the password, it also sent it back as part of the response from the request to have it emailed. So an attacker could submit the request to have that emailed for a WordPress user’s account, get the password that was only supposed to be emailed, and then log in to that account.

Trying to prevent an information disclosure issue like this would be difficult for a WordPress security plugin without being aware of the particular vulnerability, as it would have to realize that something that shouldn’t be disclosed is being disclosed, so it would be unlikely that a security plugin would provide protection. Our own firewall plugin, Plugin Vulnerabilities Firewall, doesn’t have protection against such a situation, but we are always looking to see how we might be able to expand its protection, so we were curious to see if any other plugins provided protection. [Read more]

1 Feb 2023

Wordfence Security Falls to Fifth Place in February Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated that; we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started developing that is that we could also use that to do automated testing to get a sense of how much protection other WordPress security plugins provided against zero-days, which are vulnerabilities being exploited before the developer knows about them. In May, we started doing a monthly run of that against a wide range of plugins to start tracking how their protection changed over time. So far there haven’t been many notable changes, but this month had a significant change that follows on a change from December.

In December, the Wordfence Security plugin fell to fourth place with the Pareto Security plugin moving above it based on adding more protection. That month we also had tried to add the BitFire plugin to the testing, but the latest version of the plugin broke WordPress. By this month BitFire has gotten in to better shape, so we could include it in the testing. The result of that is that Wordfence Security has fallen yet another spot, as BitFire provided protection against 25.8% of exploit attempts versus only 20.0% for Wordfence. That also put BitFire in third place behind only our plugin and NinjaFirewall. [Read more]

8 Dec 2022

Even Wordfence Competitor Has Been Fooled by Untruthful Marketing of Wordfence Premium

We recently tried to add a WordPress firewall plugin named BitFire in to our automated testing system of WordPress security plugins, but found that the plugin wasn’t working properly and then an update totally broke it. We also noticed that the plugin’s marketing continued rather inaccurate information, which is, unfortunately, not a unique situation from a WordPress security provider. But it turns out that some of the inaccurate information makes it sound like a competitor of theirs provides much better results than they do. Here is how they talked up the Wordfence Premium service from Wordfence while saying why you shouldn’t use it:

If you use WordFence, you should only use the paid version. WordFence has a team monitoring emerging WordPress vulnerabilities and writing custom rules to block specific exploits. They are very good at it and run a great blog on their work. Paying customers receive these virtual patches as soon as they are available. Free customers receive the patches 30 days later. If your website is vulnerable, it is almost guaranteed to be hacked before the patch is available to free customers. Don’t leave your site at risk. [Read more]

2 Dec 2022

Wordfence Security Falls to Fourth Place in December Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated that; we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started developing that is that we could also use that to do automated testing to get a sense of how much protection other WordPress security plugins provided against zero-days, which are vulnerabilities being exploited before the developer knows about them. In May, we started doing a monthly run of that against a wide range of plugins to start tracking how their protection changed over time. So far there haven’t been many notable changes, but this month had a significant change.

Up until this month, the results have been that our plugin has provided the most protection, followed by NinjaFirewall providing protection in about a third of the exploit tests, and Wordfence Security coming third with protection for a fifth of the exploit tests. That seems like a good indication of the poor state of WordPress security plugins and a lack of understanding of how much protection they provide, as NinjaFirewall only has 80,000+ installs, while Wordfence security has 4,000,000+ installs. [Read more]