The company behind the Wordfence Security plugin is not by any means an honest company from what we have seen from over the years, so it wasn’t surprising for us torun across them advertising their payed service in a dishonest way. Yesterday we had noted that they appear to have left the public in the dark about an unfixed vulnerability in a WordPress plugin that was being exploited. After viewing Wordfence’s website while looking over that post we started getting re-targeted ads for their Wordfence Premium service and a lot of them.
We often find that the information provided about vulnerabilities in WordPress plugins presented by security companies and developers of the plugins is not telling the full story. Take a vulnerability that Wordfence disclosed yesterday. They don’t provide any explanation of how they came across it:
In our previous post we mentioned how Wordfence was lying about us related to a vulnerability in the plugin Related Posts (Yuzo Related Posts), but they also got something else wrong that is worth noting. One section of their post titled “is_admin() Strikes Again”. In that they write this:
When we announced a protest of the continued inappropriate behavior of the WordPress Support Forum moderators, one of the changes we suggested to resolve that was:
When it comes to trying to improve security surrounding WordPress two of the big problems are inaccurate information being spread by security companies and journalists, and often they are combined. As an example of that, an article popped up the other day for the Google News alert we have set to keep track of coverage of plugin vulnerabilities (which we previously mentioned in the context of another inaccurate claim, that 90 percent of websites hacked last year were running WordPress). Part of that article, which quotes someone from the company behind the most popular WordPress security plugin, Wordfence Security is as follows:
Over at our main business we have a steady stream of people contacting us to ask if we offer a service that will stop their websites from being hacked, a not insignificant number of them mention that they are currently using a service that claimed to do that and there website got hacked anyway. That second item obviously tells you that these service don’t necessarily work, but what seems more relevant to the poor state of security is that even when one of these doesn’t work these people are often sure that they can and do work, just the one they used didn’t. That probably goes a long way to explaining why the complete lack of evidence that these services are effective at all hasn’t been an impediment to people using them. The problem with that is not only do they end up not working well or at all, but the money spent on them could have been spent on services that actually improve security of these websites (and everyone else’s website if there services is anything like ours), but are not sold on false promises.
When it comes to protecting WordPress websites against vulnerabilities in plugins we provide a level of protection that others don’t for the simple reason that we do the work they don’t (but that they absolutely should be doing). The result can be seen with the plugin WP GDPR Compliance, which had multiple vulnerabilities fixed in version 1.4.3.
When it comes to explaining how so much money is spent on security while the results of that spending don’t seem to be appearing, a lot of the explanation seems like it can be found in the almost complete lack of evidence that those products and services marketed as providing protection provide effective protection. Considering that those are often promoted with extraordinary claims of their capabilities that seems to indicate those claims are baseless or that the developers actually know that they are false since if they actually had evidence to support them it seems unlikely they wouldn’t present that.