11 Sep

Wordfence Security and Wordfence Premium Failed to Protect Against Widely Exploited Vulnerability

A month ago we noted an instance of us running across the Wordfence Security plugin, despite being marketed with the claim that it “stops you from getting hacked”, failing to protect against exploitation of a vulnerability in a WordPress plugin that was being widely exploited. That has happened again. In a post earlier today we mentioned a topic on the WordPress Support Forum discussing websites being exploited due an already fixed arbitrary file viewing vulnerability in the plugin Advanced Access Manager, which we had warned customers of our service about the same day it was fixed. In that topic there was a claim that the Wordfence Security plugin failed to protect against that:

It happened to me. I cleaned up but it came again one day later, even websites with last version of WP, with Wordfence, Block Bad Queries, etc.
Does somene knows where it comes from ? Is it an injection ? [Read more]

09 Aug

NinjaFirewall WP Edition’s Option Update Protection Is Embarrassingly Easy to Bypass

From what we have seen from testing WordPress security plugins against real vulnerabilities in other WordPress plugins as well other things, many of them don’t provide any protection against the types of threats they should be able to protect against. For the few that do provide some protection it is hard to recommend them because the developers greatly overstate the protection they provide, either because they don’t understand the limitations of them, they are lying about the capabilities, or a combination of both. In the real world that has led to websites being unnecessarily hacked.

One example of overstated protection is the plugin NinjaFirewall WP Edition. Nearly three years ago the developers of that had come across a vulnerability in a plugin and when disclosing that vulnerability they made this claim: [Read more]

16 Dec

No WordPress Security Plugin Prevented Exploitation of Unfixed Arbitrary File Upload Vulnerability in Popular Plugin

When it comes to the chances of vulnerabilities being exploited the reality is that many types of vulnerabilities are highly unlikely to have anyone even try to exploit them. Unfortunately far too often we see security companies and the press making a big deal of vulnerabilities that are are of little to no threat, while ignoring vulnerabilities and broader security issues that are leading to websites being hacked (that lead us to providing information on likelihood that a vulnerability is to be exploited to the data for our service). When it comes to types that are likely to be exploited, the arbitrary file upload vulnerability, which allows a hacker to upload files of any kind to a website, is probably the one with the most exploit attempts and also then ends up leading to the most websites being hacked. So if a WordPress security plugin is going to protect against any type of vulnerability this seems like this is the one you would most want it to be able protect against.

Back in September we tested out security plugins against this type of vulnerability and the results were not good. Of the 12 plugins tested only 3 provided any protection. The protections 2 of them provide was easily bypassed for this particular vulnerability and the remaining plugin’s protection also meant that Editor level and below users could not upload files either. [Read more]

28 Sep

The Tradeoff That Comes With a WordPress Security Plugin’s Ability to Prevent a Vulnerability From Being Exploited

We have now done three tests to see what protection WordPress security plugins provide against a real threat to WordPress websites, vulnerabilities in other plugins. We can find little in the way of similar testing having been done in the past, which should be troubling when you consider how often people are recommending these plugins. But it is in line what we find on wider basis when it comes to security products and services, a lack of evidence back claims about them, many of those claims being rather extraordinary to anyone who has a good understanding of security and therefore really need strong evidence to back them.

The results of the test haven’t been good for those claiming that these plugins will protect your website. In the first test, of a persistent cross-site scripting (XSS) vulnerability, only 2 of the 11 plugins tested any protection and that protection was easily bypassed. In the second test, of arbitrary file upload vulnerability, only 3 of the 12 test plugins provide any protection and the protection 2 of the 3 provided was easily bypassed. In the third test, of an information disclosure vulnerability, none of the 12 plugins provided any protection. [Read more]

26 Sep

No WordPress Security Plugins Protected Against Recently Disclosed Vulnerability That Exposes WooCommerce Order Data

Recently we started testing to see what protection WordPress security plugins provide against vulnerabilities in other plugins (since plugins vulnerabilities are an actual source of websites being hacked, unlike some other things that these plugins make a big deal or providing protection against). The first vulnerability we tested could be used for serving up malware on a website and the second could give an attacker control over the website. Both of those are types of vulnerabilities that are the kind that are often thought of when discussing the security of websites, for example the very popular Wordfence plugin is advertised as “protecting your website from hacks and malware”. Not every security issue though falls into those categories. As you can guess from the name, an information disclosure vulnerability involves the disclosure of information that isn’t intended to be public and those can be a serious issue. For example, if you run an eCommerce you wouldn’t want your customers’ details to be accessible by the public.

WooCommerce is an popular eCommerce plugin for WordPress, which has over 1+ million active installs according to wordpress.org (we use it on this website). There are numerous plugins that expand on its functionality. The security of those isn’t always good. Among the issue we have found in some of those plugins this year were two arbitrary file upload vulnerabilities and a vulnerability that allowed changing the price of products. Recently David Peltier discovered that the plugin Order / Coupon / Subscription Export Import Plugin for WooCommerce (BASIC) had an information disclosure vulnerability that allowed anyone to get a copy of the orders made through WooCommerce on the website. Including in that is not only the details of the order, but the customer’s details, including address and email adress. That vulnerability has now been fixed. [Read more]

22 Sep

Only One WordPress Security Plugin Fully Protected Against a Recently Disclosed Arbitrary File Upload Vulnerability

Last week we did our first test to see what protection that WordPress security plugins can provide against the exploitation of the vulnerabilities in plugins. The results for a persistent cross-site scripting (XSS) vulnerability were not good, with only 2 of the 11 plugins tested providing any protection and even the protection in those two was easily bypassed.

Earlier this week we disclosed a set of arbitrary file upload vulnerabilities in four plugins by the same developer. While these vulnerabilities are of the type that are likely to be exploited (you can now know how likely vulnerabilities are to be exploited with our service), after we contacted the developer, they took two weeks to fix one and the other three have yet to be fixed two months later. That shows a couple of the problems with being able to protect against plugin vulnerabilities at this time, one being that vulnerabilities are not fixed in a timely manner and the other being that simply keeping you plugins up to date will not protect you. [Read more]

12 Sep

WordPress Security Plugins Provide Little to No Protection Against Recently Discovered Persistent XSS Vulnerability

In the past few months we have done several one off tests of WordPress security plugins to see if they could prevent exploitation of a vulnerability in a plugin. We tested an extraordinary claim by Wordfence that their plugin could prevent persistent cross-site scripting (XSS) and found that it failed both with a vulnerability that required authentication and one that didn’t. We also tested the iThemes Security security plugin against an arbitrary file upload vulnerability that we have found was being exploited in another plugin by one that plugin’s developers and it also failed to prevent exploitation.

That these plugins failed to prevent these vulnerabilities from being exploited wasn’t all that surprising considering the poor state of the security community overall and in particular the one surrounding WordPress. Whether it is security companies making up threats, not understanding the difference between vulnerabilities, or spreading false information about WordPress installations being vulnerable due to not understanding how WordPress handles security updates, it is clear that there isn’t a good understanding of security by the people and companies in the security community. [Read more]