21 Sep

Threatpost Fails to Properly Vet Sources, Leading to Spreading Inaccurate Information about Vulnerability Created by Duplicator

On Monday we discussed how the security company Sucuri showed that they lack an even basic understanding of security through a post they had written about a vulnerability created by the WordPress plugin Duplicator, which they clearly didn’t understand. What we also noted is that while their lack of security knowledge isn’t some new development, it is something that doesn’t appear to be well known. Part of the reason for that is that security journalists don’t seem to be interested in doing actual journalism and instead often act as stenographers for terrible security companies, so instead of shedding light on the bad practices of Sucuri and other similar companies (there are lots of them), they are often promoting them. Shortly after we posted that, a Google alert notified us of an article by Threatpost discussing the vulnerability, which was sourced to none other than Sucuri. That article is titled “Old WordPress Plugin Being Exploited in RCE Attacks”.

What seems to be the most problematic with the Threatpost’s article is this claim, which is repeated from Sucuri: [Read more]

17 Sep

Sucuri Doesn’t Understand the Recently Disclosed Vulnerability Created by Duplicator (or Security in General)

The reputation of security companies is often very different than the reality. One company that seems to have a good reputation is Sucuri. That is despite everything we have seen over many years indicating they really lack even a basic understanding of security (we wish that were a gross exaggeration). We once again were reminded of that by something that popped up in the monitoring we do to keep track of vulnerabilities in WordPress plugins, which involved a repost of a recent Sucuri blog post.

The Sucuri blog post is titled “Outdated Duplicator Plugin RCE Abused”. [Read more]

07 Sep

Wordfence Security Doesn’t Protect Against Exploited Vulnerability (or Finding a Balance When it Comes To Detailing Vulnerabilities)

One of the ways we work to make sure we have the best information on vulnerabilities in WordPress plugins for our customers is to monitor the WordPress Support Forum. Through that we came across a couple of threads yesterday that involved exploitation of a vulnerability connected to the plugin Duplicator (and yet another example of the incredibly bad handling of the discussion of security by the moderators of that forum and inability for them to be willing to have a discussion to avoid those problems going forward). In looking closer at the information put out about that we noticed a couple of issues that we thought worth bringing more attention to.

Making it Easier for Hackers to Exploit Vulnerabilities

One issue that we evaluate on an ongoing basis is how we handle disclosure of vulnerabilities, since there isn’t an obvious balance to be struck. On the one hand, more information can make it easier for hackers to exploit vulnerabilities. On the other, we have often found that vulnerabilities are disclosed with a claim that they have been fixed when they only partially been fixed or not fixed at all. In those instances the more information provided makes it easier to determine that there is still an issue and work to get it fixed, before hackers figure that out and take advantage of it. [Read more]

01 Dec

What Happened With WordPress Plugin Vulnerabilities in November 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during November (and what you have been missing out on if you haven’t signed up yet): [Read more]