13 Sep

Wordfence Would Rather Promote Their Plugin Than Address Important Issues Putting WordPress Websites at Risk

When it comes to improving the security of WordPress it often times seems that security companies more interested in promoting themselves than actually improving security. One company that comes to mind is Wordfence, so it wasn’t surprising to see when they discussed the recent malicious takeover of the Display Widgets plugin it was devoid of any discussion of the real problems this situation highlighted and that need to be fixed, instead it was largely a rather explicit ad for people being reliant on their plugin, when the average WordPress website shouldn’t even need any security plugin if security was being handled right.

Advertising over Proper Security of WordPress

It only takes getting to third paragraph to get to them promoting their plugin: [Read more]

12 Sep

More of WordPress’ Poor Handling of Plugin Security as Seen Through Malicious Takeover of Display Widgets

Yesterday we looked at what happened when a popular plugin, Display Widgets, was purchased by someone (or someones) with malicious intent and people on the WordPress side of things handle things poorly. In a link included in one of the comments on that post we found another piece of the what happened that makes WordPress’ handling of this seem worse, while also providing yet another reminder of how even basic improvements are not happening to the process of handling vulnerabilities in plugins.

Part of one of the comments reads: [Read more]

11 Sep

Not Everyone Doing Security Vulnerability Testing of WordPress Plugins Knows What They Are Doing

We often say that a lot of the people in the security industry don’t know and or care much about security, and we unfortunately keep coming across examples of that. The latest example involves a really bad vulnerability assessment that we ran across while looking in to what recently happened with the plugin Display Widgets, which involved the new owner of the plugin placing malicious code in to it. While looking into that situation we noticed that the changelog entry for version 2.6.3 of the plugin said:

Fixed a vulnerability highlighted by one of our users. I encourage all my users to upgrade as soon as possible. [Read more]

11 Sep

WordPress’ Poor Handling of Plugin Security Exacerbates Malicious Takeover of Display Widgets

Recently there has been a fair amount of coverage of popular Chrome extensions being modified to include malicious code after the login credentials used to control them in the Chrome Web Store had been compromised through phishing. In the past extensions have been purchased and then malicious code added to them as well. There is no reason that the same thing can’t happen with WordPress plugins and recent similar situation with the plugin Display Widgets shows that the people on the WordPress side of things are not currently up to task of handling this type of situation properly. Unfortunately, this isn’t at all surprising because elements of the failure with this situation are things that we have been seeing and discussing for some time.

What we also found interesting about the situation is that it was made worse by the people on the WordPress side alienating someone who actually did the work they should have done. The cause of that is also something that we have experienced and fixing it was one of things we laid out as something that needed to be worked on being corrected before we would started notifying the Plugin Directory about plugins with publicly known vulnerabilities in the current version of the plugin again. We will discuss that further in a follow up post, but first let’s take a look at what happened with the plugin that lead to malicious code being introduced to many websites. [Read more]