2 Nov 2022

How to Avoid Wordfence Premium Price Increase While Getting Better Real-Time Protection for Free

Last week, the WordPress security provider Wordfence announced a significant price increase for their Wordfence Premium service. What they didn’t provide was any explanation of what was causing their cost for the service to increase, which they needed to pass on to customers. Instead, they said this:

It has been over 6 years since we last raised our prices. Since then our team has more than doubled in size and we have introduced significant improvements to the core Wordfence product, launched a range of free and paid products, and introduced new services that include 24 hour incident response. [Read more]

22 Dec 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Possibly Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

24 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

10 Nov 2021

Wordfence Premium Fails to Protect Against Another “Critical” Privilege Escalation Vulnerability

On Monday we noted finding that the Wordfence Security plugin and the Wordfence Premium service failed to provide protection against a “critical” privilege escalation vulnerability, running contrary to Wordfence’s marketing.

In response to that, someone on Reddit said this of Wordfence: [Read more]

8 Nov 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against “Critical” Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

1 Nov 2021

Wordfence Premium’s Protection Far From Real-Time With Exploited Vulnerability in Closed Plugin

The paid Wordfence Premium service connected with the Wordfence Security plugin is promoted with the claim that it provides “real-time protection”:

If your website is mission-critical you can’t afford the downtime, reputation challenges or SEO impact of getting hacked. That’s why so many sites rely on the real-time protection provided by Wordfence Premium. [Read more]

26 Oct 2021

Wordfence Security Fails To Protect Against Exploitation of Vulnerability Through PHP Input Stream

On September 23, exploit code for an arbitrary file upload vulnerability in the WordPress plugin 3DPrint Lite was released. That is a type of vulnerability that is highly likely to be exploited. While reviewing it to see if there was indeed a vulnerability that we should add to the data set for our service, we found a notable element of the underlying code that caused it: there were two ways that the file being uploaded could be sent with the request. Our then upcoming WordPress firewall plugin, Plugin Vulnerabilities Firewall, had protection against common exploitation for only one of them. We then updated our plugin to protect against the other; it turns out that the Wordfence Security plugin hasn’t been.

The vulnerable code in the plugin is in the function p3dlite_handle_upload(), which was made accessible through WordPress’ AJAX functionality to those logged in to WordPress as well as those not logged in: [Read more]

22 Oct 2021

Wordfence Falsely Claimed Their Wordfence Premium Service Provided Rule to Protect Against Vulnerability

Two days ago, the WordPress security company Wordfence put out a blog post about a PHP object injection vulnerability they had found in the plugin Sassy Social Share. (We had detailed that vulnerability for our customers the same day it was fixed in September.) The post heavily markets their Wordfence Premium service: in three separate instances, they claim that they first provided a rule to protect against this vulnerability to customers of their paid Wordfence Premium service, which wasn’t available to those only using their plugin:

Wordfence Premium users received a firewall rule to protect against exploits targeting this vulnerability on August 31, 2021. Sites still using the free version of Wordfence received the same protection on September 30, 2021. [Read more]