10 Sep 2019

SiteLock is Making the WPScan Vulnerability Database’s Low Quality Data Worse

One of the things that we believe leads to the poor state of security of WordPress, as well as of security more generally, is the amount of inaccurate and outright false information spread by those involved in security. That also creates unnecessary hassle for others. When it comes to our area of focus, the security of WordPress plugins, that is a constant issue. While we properly vet claimed vulnerabilities before adding them to our data set, if you are getting data elsewhere it likely comes from the WPScan Vulnerability Database, which is a data source where the people behind it don’t seem to be concerned about the accuracy of their data (or other things that seem important for providing what they claim to provide).

If they were even a little concerned about that, it seems hard to believe that what has happened with the plugin WooCommerce PayPal Checkout Payment Gateway would have occurred. They are currently claiming that the plugin, which has 800,000+ installs according to wordpress.org, contains an unfixed vulnerability: [Read more]

5 Sep 2018

Hackers Will Try To Exploit Vulnerabilities in WordPress Plugins in Ways That Will Never Succeed

One of the things we find rather telling about the security industry is that they seem to find various statistics valuable, but the ones they seem to be totally uninterested in are any that would actually show that their products and services are effective at protecting websites (despite that seeming like it should be a prerequisite before using so many of them). One type of statistic that we have seen them focus on instead is supposed measures of how many attacks the average website is facing. Earlier this year one company promoting their service with such a statistic seemed to make the case that these numbers are not really valuable, as they promoted the increase in attacks as being a concern and then, when the number went down, claimed that was also a bad sign:

“A decrease in attacks does not mean that websites are safer. In fact, it may even be the opposite,” says Neill Feather, president of SiteLock. “Hackers are constantly trying new avenues and even leveraging older tactics that continue to be successful. As our research shows, cybercriminals are now able to successfully breach a site with fewer, more targeted attacks. Now more than ever, businesses need to evaluate their current security posture and ensure they have both the right technology and a response plan in place should a hack occur.” [Read more]

1 Sep 2017

SiteLock, Kaspersky Lab, and Wordfence Mislead Public on Threat from Vulnerability in WordPress Plugin

Yesterday over at our main blog we noted how the web security company SiteLock and their web hosting partner 123 Reg, a GoDaddy brand, are making baseless claims as to the likelihood of websites being hacked to try to scare customers into purchasing SiteLock security services. In the meantime they and others in the security industry were also taking a minor security vulnerability discovered by SiteLock in a WordPress plugin that is used with WooCommerce and using misleading information to make it sound like a much bigger threat.

To see what happened let’s start with an article on Threatpost, which is Kaspersky Lab’s news website. The article is titled Reflected XSS Bug Patched in Popular WooCommerce WordPress Plugin. Nowhere in the post is there anything to back up the claim that this plugin is all that popular; instead the article makes a confusing mention of the claimed usage of WooCommerce: [Read more]