16 Jan 2024

Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)

Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is that they are not doing the work people clearly believe they are doing. That includes not checking whether vulnerabilities have actually been fixed, or whether they even existed, before widely making claims about supposed vulnerabilities. We will get into more detail about that in a few moments, but first we will look at a couple of other recent examples, which show that this wasn’t a one-off fluke.

We should note at the outset that the CEO of Wordfence, Mark Maunder, recently claimed their “data is impeccable” when we brought up the well-known problems with it. [Read more]

15 Dec 2023

Wordfence Call CSRF Vulnerabilities “Low Risk” While Criticizing Competitor After Previously Calling Them “High Severity”

Recently, the CEO of the WordPress security provider Wordfence, Mark Maunder, was criticizing a competitor over a bug bounty program that caused cross-site request forgery (CSRF) vulnerabilities to be found, while he was promoting Wordfence’s own bug bounty program. He said that an “extremely high number of low risk and low quality vulnerabilities [are] being submitted to databases like Patchstack” and specifically cited CSRF vulnerabilities as an example of that: “vulnerabilities that involve a Cross-Site Request Forgery are an example of this.” In what shouldn’t be surprising to others in the WordPress security space who have had the misfortune of running across this guy, he was criticizing someone else for something his own company has done.

It’s absolutely true that CSRF is a low-risk issue. CSRF involves causing someone else to take an action they are allowed to take, but didn’t intend to. For example, if a plugin has a reset capability for its settings that lacks CSRF protection, getting someone to click a link you generated while they are logged in to WordPress could cause the settings to be reset. While it is possible that this could be used in targeted attacks, we are not aware of anyone even claiming that it is being used on a wider scale. Considering how often there are false claims about types of attacks happening, that strongly suggests this isn’t something that is happening at any scale. [Read more]
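To make the settings-reset case concrete, here is an added example written for this page (it is not code from Wordfence, Patchstack, or any real plugin). It shows a reset handler in the unprotected form described above and the same handler bound to a WordPress nonce, which is what makes a link generated by an attacker fail. The plugin names `example_*`, the option `example_settings_options` and the nonce action `example_reset_settings` are made up for the illustration; the WordPress functions (`current_user_can`, `check_admin_referer`, `wp_nonce_url`, `delete_option`) are the real core API.

```php
<?php
// Added example for this page, not code from any real plugin.
// All names prefixed "example_" are hypothetical.

// --- Vulnerable form: capability check only, no CSRF protection. ---
// A request to /wp-admin/?example_action=reset from a browser holding an
// administrator's logged-in cookies resets the options. An attacker only needs
// the admin to load a page they control containing, for instance,
//   <img src="https://victim.example/wp-admin/?example_action=reset">
// because the browser attaches the admin's cookies to that request.
function example_reset_settings_vulnerable() {
    if ( ! isset( $_GET['example_action'] ) || 'reset' !== $_GET['example_action'] ) {
        return;
    }
    // This answers "is this user allowed to do this?", not
    // "did this user actually intend this request?".
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    delete_option( 'example_settings_options' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings&reset=1' ) );
    exit;
}

// --- Hardened form: capability check plus a nonce tied to this action and user. ---
function example_reset_settings_hardened() {
    if ( ! isset( $_GET['example_action'] ) || 'reset' !== $_GET['example_action'] ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // check_admin_referer() verifies $_GET['_wpnonce'] against the action name
    // 'example_reset_settings' for the current user and stops with an error if
    // it is missing or invalid. A page on another site cannot read or forge the
    // nonce, so a cross-site link or image request fails here.
    check_admin_referer( 'example_reset_settings' );

    delete_option( 'example_settings_options' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-settings&reset=1' ) );
    exit;
}

// Only the hardened handler is hooked; the vulnerable one is left unhooked
// so the two can be compared without installing a hole.
add_action( 'admin_init', 'example_reset_settings_hardened' );
// add_action( 'admin_init', 'example_reset_settings_vulnerable' );

// The legitimate "Reset settings" link must carry the nonce. wp_nonce_url()
// appends _wpnonce=... generated for the same action name used in the check.
function example_render_reset_link() {
    $url = wp_nonce_url( admin_url( '?example_action=reset' ), 'example_reset_settings' );
    echo '<a href="' . esc_url( $url ) . '">Reset settings</a>';
}
```

The nonce is the only thing separating the two handlers: both require an administrator, but only the second requires that the request originated from a page WordPress itself rendered for that administrator. A POST form using `wp_nonce_field()` with the same action name works the same way for actions that change state.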

6 Nov 2023

Wordfence’s False Claim of Vulnerability in WordPress Plugin Everest Backup Leads to Serious Real Vulnerability

Recently the CEO of Wordfence, Mark Maunder, claimed that their data on vulnerabilities in WordPress plugins is “impeccable”. That is disputed by, among other things, Wordfence’s attempts to cover up mention of the problems with that very data. It’s unclear if the CEO is unaware of what is going on with the employees of his company or he is, as he often does, lying in a way that makes Wordfence sound like it is doing amazing things it isn’t doing. Whatever the case, another recent instance of their inaccuracy led to finding a real vulnerability in the plugin Everest Backup.

We recently reviewed a claim by Wordfence from earlier this year of a vulnerability in the plugin, where what was claimed to be a vulnerability was still possible in the version that was supposed to fix it. We were reviewing that because one of our customers started using the plugin. What we found was that the plugin actually still is rather insecure, but not in the way that Wordfence had claimed. Considering the potential security risk posed by backup plugins, you would hope they are thoroughly checked for security issues, but this plugin clearly hasn’t been. [Read more]

29 Jun 2023

Inaccurate Claims About Security Impact of Changing WordPress Database Prefix Highlighted With Exploited Zero Day

A basic rule of security is that if you know a lot, you know how much you don’t know. Those knowledgeable about security try to be careful about what they say, as they realize they might not know everything. A lot of WordPress security providers don’t have much knowledge and therefore don’t understand how little they know, leading to unqualified and inaccurate security advice that gets repeated widely without much pushback.

One example of that is with claims that changing the WordPress database prefix has no impact on security. Here was how a new entrant in the WordPress security space, Snicco, put that, while criticizing other security providers: [Read more]

16 Aug 2021

Wordfence Security Performance Penalty Much Higher Than Other WordPress Firewall Plugins

As part of developing our upcoming WordPress firewall plugin, we have tested out WordPress security plugins against real vulnerabilities in other plugins to see what, if any, protection they offer. The results so far have been bad, but not surprising based on previous testing we did in 2016, as back then and now we found that most plugins provided no protection. In the testing now, only 2 plugins, in addition to ours, have provided much protection. Those being NinjaFirewall and Wordfence Security.

Having the capability to protect against vulnerabilities is the most important aspect of a firewall plugin, but it isn’t the only one. With one of the other plugins, Wordfence Security, it isn’t hard to find claims that it creates performance problems. Take this recent topic in the plugin’s support forum on wordpress.org: [Read more]

9 Nov 2018

Wordfence Security and Wordfence Premium Fail To Protect Websites, But Defiant Is Happy to Lie and Tell You Otherwise

Over at our main business we have a steady stream of people contacting us to ask if we offer a service that will stop their websites from being hacked. A not insignificant number of them mention that they are currently using a service that claimed to do that, and their website got hacked anyway. That second item obviously tells you that these services don’t necessarily work, but what seems more relevant to the poor state of security is that even when one of these doesn’t work, these people are often sure that such services can and do work, just not the one they used. That probably goes a long way toward explaining why the complete lack of evidence that these services are effective at all hasn’t been an impediment to people using them. The problem with that is not only that they end up not working well or at all, but that the money spent on them could have been spent on services that actually improve the security of these websites (and everyone else’s website, if their service is anything like ours) and are not sold on false promises.

Seeing as there are lots of people who still haven’t gotten the message that these services should be avoided if there isn’t evidence showing effectiveness, we thought it would be worth emphasizing and expanding on something we mentioned in a post yesterday: websites could have been protected by doing one of the basics of security, keeping WordPress plugins up to date, while a security service that was promoted as being able to protect them failed to do so. [Read more]