Login

Tag Archives: Really Simple Security

25 Apr 2025

Developers of Popular WordPress Security Plugins Make False Claim About Who Created Another Popular Plugin

Recently there was a change made with the WordPress Plugin Directory that should shed more light on who is actually behind WordPress plugins. There are problems with that, which led us to noticing a clearly wrong claim made about who is the creator of a WordPress plugin with 300,000 installs.

With the even more popular Really Simple Security plugin, which has 4+ million installs, the plugin is listed on the plugin directory as being by Really Simple Plugins: [Read more]

23 Apr 2025

Developer of Really Simple Security WordPress Plugin Failed to Fully Address CSRF Vulnerability

In January, the developers of the 4+ million install WordPress plugin Really Simple Security vaguely disclosed they had attempted to fix a vulnerability in the plugin. That was done through one of the changelog entries for version 9.2.0, “Fix: Added nonce check to certificate re-check button.” That is a reference to addressing a cross-site request forgery (CSRF) vulnerability. Checking on that months later, we found that the fix had been incomplete and that competing vulnerability data sources had failed to properly vet this and claimed that the issue was fully addressed. That includes the data source used by Really Simple Security, so their own users have not been warned the plugin is still vulnerable.

Looking at the changes made in that version, the changelog references a change made in the file /class-admin.php. That file is run during admin_init, which makes it accessible to anyone: [Read more]

21 Nov 2024

WordPress All-In-One Security and 2FA Plugins Can Get Your Website Hacked

A major source of security vulnerabilities in WordPress websites is insecure WordPress plugins. In response to that, far too many WordPress security providers push installing more plugins instead of taking steps to actually fix the insecurity of plugins. You will often see them pushing all-in-one security plugins and plugins to add two-factor authentication (2FA) despite the lack of protection they often offer and the security issues they can introduce. A prime offender in doing that is Wordfence. In the face of that leading to a serious problem recently, they didn’t change course. Instead, they used it to market themselves. Before we get in to that, we will take a step back to our warnings last year about a popular security plugin.

Back in 2017, we did a security review of a plugin named Really Simple SSL and found no issues with what checking on at that time. Last year the plugin was radically changed to move away from a focus on providing really simple SSL, to being an all-in one security plugin. Alongside that, the developer showed a clear lack of concern for security. As we wrote about in July of last year, they were falsely claiming that plugins contained vulnerabilities because they were using a known unreliable source for vulnerability data. They didn’t address that by moving to a reliable source and in January we noted a much more concerning situation, where they were falsely claiming unfixed vulnerabilities had been fixed. [Read more]

18 Nov 2024

Wordfence and “Security News” Outlets Falsely Claim 4 Million WordPress Websites Were Affected by Vulnerability

For reasons we have never understood, various websites portraying them as security news outlets are treated a reliable news outlets, despite not really being news outlets. They are also included in Google News, despite a long history of publishing misleading to outright false claims related to WordPress security. One of those is the Bleeping Computer. In the latest incident related to WordPress, one of their writers, Bill Toulas, wrote a post a titled “Security plugin flaw in millions of WordPress sites gives admin access.” At the end of his post, he gave a more specific figure for the number of websites impacted, 3.5 million:

As of yesterday, the WordPress.org stats site, which monitors installs of the free version of the plugin, showed approximately 450,000 downloads, leaving 3,500,000 sites potentially exposed to the flaw. [Read more]