11 Sep

Wordfence Security and Wordfence Premium Failed to Protect Against Widely Exploited Vulnerability

A month ago we noted an instance of us running across the Wordfence Security plugin, despite being marketed with the claim that it “stops you from getting hacked”, failing to protect against exploitation of a vulnerability in a WordPress plugin that was being widely exploited. That has happened again. In a post earlier today we mentioned a topic on the WordPress Support Forum discussing websites being exploited due an already fixed arbitrary file viewing vulnerability in the plugin Advanced Access Manager, which we had warned customers of our service about the same day it was fixed. In that topic there was a claim that the Wordfence Security plugin failed to protect against that:

It happened to me. I cleaned up but it came again one day later, even websites with last version of WP, with Wordfence, Block Bad Queries, etc.
Does somene knows where it comes from ? Is it an injection ? [Read more]

22 Aug

Those Relying on Wordfence Premium Are Not Getting the Protection They Are Paying For

Among the oddities of the security industry is that so often people seem to be skeptical of the wrong things, as they are more likely to believe that security companies are lying about things where there isn’t a logical reason to do that, while being overly trusting about extraordinary claims being made about security products and services, which often turn out to be false. Last week we touched on the kind of claim that should elicit suspicion, that being that unqualified claim that the Wordfence Security plugin “stops you from getting hacked”. As we found when dealing with a website hacked due to a widely exploited vulnerability it didn’t protect the website (that is far from the first time we have seen it fail to stop a hack).

Making such a claim and not actually accomplishing that looks worse when you go to their homepage and see the first thing shown is an advertisement for them doing hack cleanups: [Read more]

31 May

Wordfence Premium Is Not Real-Time Protection

The company behind the Wordfence Security plugin is not by any means an honest company from what we have seen from over the years, so it wasn’t surprising for us torun across them advertising their payed service in a dishonest way. Yesterday we had noted that they appear to have left the public in the dark about an unfixed vulnerability in a WordPress plugin that was being exploited. After viewing Wordfence’s website while looking over that post we started getting re-targeted ads for their Wordfence Premium service and a lot of them.

By a lot, on just one page in one instance we served up five unique ads (plus multiple copies of the unique ads). What seems clearly to be key selling point is something that the security industry frequently uses to mislead people, which is promoting services as being “real-time”: [Read more]

16 Nov

No Ninja Forms, Wordfence Security is Not Trustworthy and Blacklisting IP Addresses Doesn’t Provide Effective Protection

When it comes to choosing security products and services what is lacking is nearly any evidence that they are effective, while at the same time there is plenty that shows that many of them are not. For example, over at our main business we regularly have people asking if we offer one that will really protect their website from being hacked after the one they were using didn’t prevent their website from being hacked. So why would people being using those if there isn’t evidence that they work? One of the reasons we have heard from people we have dealt with that have had their websites hacked is that they are using products and services based on recommendation of others. Since those are not going to be based on evidence, since there is a dearth of that, not surprisingly a lot of that advice is quite bad. Take as an example of that bad advice, the most recent post on the blog of the Ninja Forms plugin, which is used on 1+ million websites. We ran across that while looking if they had released a post on the vulnerability fixed a couple of days ago, when were detailing that.

Right off the bat the post, 5 WordPress Security Plugins to Keep You Safe, puts forward the proposition that the Wordfence Security plugin is trustworthy, which seems to be disputed by reality. The post claims the Wordfence Security plugin is “one of the most trusted security plugins for WordPress”. They provide no evidence that it is trusted at all, much less one of the most trusted. Maybe by that they mean that it is tied for most popular and therefore it is trusted due to that, but that doesn’t mean it actually works at all or should be trusted (the security plugin it is tied for most popular with currently contains a vulnerability and is not needed). Near the end of their discussion of the plugin they again refer to it as “trustworthy”. [Read more]

09 Nov

Wordfence Security and Wordfence Premium Fail To Protect Websites, But Defiant Is Happy to Lie and Tell You Otherwise

Over at our main business we have a steady stream of people contacting us to ask if we offer a service that will stop their websites from being hacked, a not insignificant number of them mention that they are currently using a service that claimed to do that and there website got hacked anyway. That second item obviously tells you that these service don’t necessarily work, but what seems more relevant to the poor state of security is that even when one of these doesn’t work these people are often sure that they can and do work, just the one they used didn’t. That probably goes a long way to explaining why the complete lack of evidence that these services are effective at all hasn’t been an impediment to people using them. The problem with that is not only do they end up not working well or at all, but the money spent on them could have been spent on services that actually improve security of these websites (and everyone else’s website if there services is anything like ours), but are not sold on false promises.

Seeing as there are lots of people that still haven’t gotten the message about these services should be avoided if there isn’t evidence that shows effectiveness, we thought it would be worth emphasizing and expanding on something we mentioned in a post yesterday where websites could have been protected by doing one of the basics of security, keeping WordPress plugins up to date, while a security service failed to protect them while being promoted as being able to do that. [Read more]

08 Nov

Unlike Wordfence and Other Security Providers We Warned About WP GDPR Compliance Before Websites Started to Get Hacked

When it comes to protecting WordPress websites against vulnerabilities in plugins we provide a level of protection that others don’t for the simple reason that we do the work they don’t (but that they absolutely should be doing). The result can be seen with the plugin WP GDPR Compliance, which had multiple vulnerabilities fixed in version 1.4.3.

We had been warning our customers of one of those before you could even normally upgrade to that version of the plugin as the plugin was closed at the time (we warned our customers that it was at high likelihood of exploitation). At that time we could have help our customers to upgrade to 1.4.3 and then shortly after we started warning them the plugin was re-opened and they could upgrade normally. That all occurred yesterday. [Read more]

10 Nov

Don’t Assume Wordfence Premium (or Similar Services) Will Protect Your Website

We were recently looking back at some of our messages on the WordPress Support Forum in relation to some posts we have been writing related to the terrible moderation of that forum. In one of the topics we had started, there were a few things that we noticed that we thought were worth discussing as they relate to other things we have been looking at recently.

Eight months ago we had created a topic on the forum of a plugin, letting people know that there were some unfixed minor security issues in the plugin: [Read more]