Recently the CEO of Wordfence, Mark Maunder, claimed that their data on vulnerabilities in WordPress plugins is “impeccable”. That is disputed by, among other things, Wordfence’s attempts to cover up mention of the problems with that very data. It’s unclear if the CEO is unaware of what is going on with the employees of his company or he is, as he often does, lying in a way that makes Wordfence sound like it is doing amazing things it isn’t doing. Whatever the case, another recent instance of their inaccuracy led to finding a real vulnerability in the plugin Everest Backup.

We recently reviewed a claim by Wordfence from earlier this year of a vulnerability in the plugin, where what was claimed to be a vulnerability was still possible in the version that was supposed to fix it. We were reviewing that because one of our customers started using the plugin. What we found was that the plugin actually still is rather insecure, but not in the way that Wordfence had claimed. Considering the potential security risk posed by backup plugins, you would hope they are thoroughly checked for security issues, but this plugin clearly hasn’t been. [Read more]