3 Jan 2024

Wordfence Premium Adding Firewall Rules for Vulnerabilities in Under 10 Plugins a Month

It’s common for critics of the Wordfence Security plugin to claim it isn’t useful unless you are using the companion Wordfence Premium service because new rules for the firewall are only provided to paying customers for the first 30 days after they are created, so free users won’t be protected against getting hacked. Like so much security advice, that isn’t backed with evidence supporting it. There turn out to be multiple serious problems with that claim.

One problem being that the plugin provides a fair amount of protection through what we refer to as general protection, which doesn’t require a rule written for a specific vulnerability. It doesn’t provide as much as the best WordPress firewall plugins do, though. [Read more]

5 Dec 2023

Wordfence Premium Added “Real-Time Firewall Protection” for Plugin Vulnerability Over Two Months After It Was Disclosed

In the middle of August, we publicly warned that the WordPress plugin WooODT Lite contained an authenticated option update vulnerability, which would allow logged-in attackers to change arbitrary WordPress options (settings). The possibility of the vulnerability was flagged by the proactive monitoring we do to try to catch serious vulnerabilities as they are introduced into plugins. It wasn’t a new issue, though. It had been in the plugin’s code for 13 months.

Based on earlier testing, two WordPress security plugins could have protected against common exploitation of that type of vulnerability even before we had warned about it. Those were our own Plugin Vulnerabilities Firewall and NinjaFirewall. [Read more]

19 Jul 2023

Wordfence Doesn’t Admit That WordPress Had Already Provided Protection for “Massive Exploit Campaign” Before Them

Where WordPress firewall plugins are really useful is for providing protection before a vulnerability is known about, as at that point they can offer protection that other solutions can’t. That was on display with a recent widely exploited zero-day that web application firewalls (WAFs) didn’t protect against, but two firewall plugins did.

Notably, though, the most popular WordPress firewall plugin, Wordfence Security, didn’t provide protection in that situation. That is a recurring situation. That isn’t surprising considering that the business model associated with the plugin is based on selling firewall rules for vulnerabilities once they are already known about (and, more troublingly, selling hack cleanups despite claiming their firewall “stops you from getting hacked”). If they provided the type of protection the two best firewall plugins do, it would largely remove the need for those rules. Incredibly, they refer to their belated rule-based protection in their Wordfence Premium service as being “real-time” protection. [Read more]

30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website. [Read more]

13 Mar 2023

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts, and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, all of which claim to have teams of experts reviewing vulnerabilities in WordPress plugins, claiming that the vulnerability had been fixed three months before that. The moderators of the WordPress Support Forum made the situation worse by deleting an early indication of the problem, in the form of a message complaining about a website being hacked because of the plugin.

The developer of the plugin promptly fixed the vulnerability once we advised them that it still existed. They then went further than other plugin developers usually do when a plugin has had an exploited vulnerability and got a security review done to ensure the plugin was now properly secured. [Read more]

6 Mar 2023

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things they said in their post that are rather problematic.

One of them was that they were claiming to have responsibly disclosed the vulnerability, while also contradicting that. According to their post, the day before they notified the developer of the plugin about the vulnerability, they were already selling access to information about exploiting the vulnerability through their Wordfence Premium service. That isn’t responsible disclosure and any hacker willing to pay for the service could have started exploiting this before the developer was even notified about it. Wordfence’s paying customers would have been protected from it at the time, but others would not without having some other security in place. [Read more]

8 Feb 2023

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability, discovered by Lana Codes, involved the plugin’s functionality to email a one-time password for logging in to WordPress. The problem with the functionality is that it didn’t just email the password; it also sent it back as part of the response to the request to have it emailed. So an attacker could submit the request to have that emailed for a WordPress user’s account, get the password that was only supposed to be emailed, and then log in to that account.

Trying to prevent an information disclosure issue like this would be difficult for a WordPress security plugin without being aware of the particular vulnerability, as it would have to realize that something that shouldn’t be disclosed is being disclosed. So it would be unlikely that a security plugin would provide protection. Our own firewall plugin, Plugin Vulnerabilities Firewall, doesn’t have protection against such a situation, but we are always looking to see how we might be able to expand its protection, so we were curious to see if any other plugins provided protection. [Read more]

11 Jan 2023

Wordfence Sold Non-Public Information on Unfixed Vulnerability in Competing Security Plugins to Hackers

On Reddit this week, a hacker suggested that the website of the WordPress security provider Wordfence is a good place to get information on hacking WordPress websites. A recent blog post on their website highlights how they are helping hackers while also trying to profit off of those hacks.

With a vulnerability found by a competitor, Patchstack, Wordfence explained how to exploit the vulnerability. Their explanation for doing that seems to lack a good reason for doing it: [Read more]

2 Jan 2023

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Privilege Escalation Vulnerability in Targeted Plugin

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

8 Dec 2022

Even Wordfence Competitor Has Been Fooled by Untruthful Marketing of Wordfence Premium

We recently tried to add a WordPress firewall plugin named BitFire into our automated testing system for WordPress security plugins, but found that the plugin wasn’t working properly, and then an update totally broke it. We also noticed that the plugin’s marketing contained rather inaccurate information, which is, unfortunately, not a unique situation for a WordPress security provider. But it turns out that some of the inaccurate information makes it sound like a competitor of theirs provides much better results than they do. Here is how they talked up the Wordfence Premium service from Wordfence while saying why you shouldn’t use it:

If you use WordFence, you should only use the paid version. WordFence has a team monitoring emerging WordPress vulnerabilities and writing custom rules to block specific exploits. They are very good at it and run a great blog on their work. Paying customers receive these virtual patches as soon as they are available. Free customers receive the patches 30 days later. If your website is vulnerable, it is almost guaranteed to be hacked before the patch is available to free customers. Don’t leave your site at risk. [Read more]