Lawrence Abrams

19 Jul 2023

Wordfence Doesn’t Admit That WordPress Had Already Provided Protection for “Massive Exploit Campaign” Before Them

Where WordPress firewall plugins are really useful is for providing protection before a vulnerability is known about, as at that point they can offer protection that other solutions can’t. That was on display with a recent widely exploited zero-day that web application firewalls (WAFs) didn’t protect against, but two firewall plugins did.

Notably, though, the most popular WordPress firewall plugin Wordfence Security didn’t provide protection in that situation. That is a reoccurring situation. That isn’t surprising considering that the business model associated with the plugin is based on selling firewall rules for vulnerabilities once they are already known about (and more troublingly selling hack cleanups despite claiming their firewall “stops you from getting hacked”). If they provided the type of protection the two best firewall plugins do, it would largely remove the need for those rules. Incredibly, they refer to their belated rule based protection in their Wordfence Premium service as being “real-time” protection. [Read more]

11 Apr 2019

Why Are Journalist Spreading Wordfence’s (aka Defiant’s) Lies About Us?

Here’s a timeline of the recent situation with the WordPress plugin Related Posts (Yuzo Related Posts):

March 30 – The plugin was closed on the WordPress Plugin Directory.
March 30 – We notice the closure and find that the plugin contains an exploitable vulnerability.
March 30 – We put out post warning about that vulnerability and pointed out the problem with closing plugins with undisclosed vulnerabilities.
March 30 – We notify the developer of the plugin about the vulnerability through the WordPress Support Forum.
April 2 – Developer submits new version of plugin that appears to be intended to fix a different vulnerability and seemingly unintentionally fixes another one.
Approximately April 9 or 10 – Vulnerability we warned about is widely exploited.

Yet here was Lawrence Abrams at the Bleeping Computer yesterday: [Read more]

7 Nov 2018

RIPS Technologies and BleepingComputer Creator Claim That Plugin’s Functionality Not Working When Disabled is WordPress “Design Flaw”

We generally avoid security journalism as it frequently involves widely misleading to flat-out falsehoods, one example of that being something we discussed just a couple of weeks ago. One of the security journalism outlets we mentioned in that post was the BleepingComputer, so when a Google news alert let us know of another story related to the security of WordPress plugins from them it wasn’t surprising that it might not be totally accurate. The title of the story is WordPress Design Flaw + WooCommerce Vulnerability Leads to Site Takeover, though there doesn’t appear to be a design flaw in WordPress or a site takeover that actually occurred.

The “design flaw” is first described as one with the “WordPress permission system” and then as: [Read more]

Plugin Vulnerabilities

A service to protect your site against vulnerabilities in WordPress plugins.

Tag Archives: Lawrence Abrams

Wordfence Doesn’t Admit That WordPress Had Already Provided Protection for “Massive Exploit Campaign” Before Them

RIPS Technologies and BleepingComputer Creator Claim That Plugin’s Functionality Not Working When Disabled is WordPress “Design Flaw”