16 Nov 2022

CISA Provides No Explanation for Sponsoring Program That Directs Vulnerability Report Info to Hackers

CVE is a program that is supposed to provide unique identifiers for vulnerabilities and as we will get to shortly, it also is a path for directing software vulnerability reports away from developers to at least one security company selling non-public information on vulnerabilities to any hackers willing to pay them.

The footer of the website for the CVE program claims that it is sponsored by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA): [Read more]

7 Nov 2022

Wordfence Falsely Claims WordPress Plugin Contains a “Critical” Vulnerability Because It Confused it With Another Plugin

Recently, we have covered multiple instances where the WordPress security provider Wordfence was falsely claiming that WordPress plugins contain “critical” vulnerabilities, despite there being no vulnerability. That is despite them marketing one of their services, Wordfence Intelligence, partly based on providing high-quality data of that type:

Wordfence Intelligence includes a comprehensive and extremely current vulnerability database for WordPress that contains nearly 7,000 unique vulnerability records. This database is actively maintained by some of the top WordPress vulnerability researchers in the industry. [Read more]

2 Nov 2022

How to Avoid Wordfence Premium Price Increase While Getting Better Real-Time Protection for Free

Last week, the WordPress security provider Wordfence announced a significant price increase for their Wordfence Premium service. What they didn’t provide was any explanation of what increase in their cost of providing the service they needed to pass on to customers. Instead, they said this:

It has been over 6 years since we last raised our prices. Since then our team has more than doubled in size and we have introduced significant improvements to the core Wordfence product, launched a range of free and paid products, and introduced new services that include 24 hour incident response. [Read more]

1 Nov 2022

Wordfence Isn’t Disclosing They Are Copying (Possibly Inaccurate) Plugin Vulnerability Information From Competitor Patchstack

Less than a month ago, we noted that one provider of data on vulnerabilities in WordPress plugins, Automattic’s WPScan, was copying information from competing providers, including Wordfence, without credit. It turns out that Wordfence is doing the same with another competitor.

Yesterday a topic was started on the support forum for a plugin about a warning of a vulnerability from the Wordfence Security plugin. The users of Wordfence Security were not given helpful information on the claimed issue by Wordfence, as can be seen by this comment from one of them: [Read more]

28 Oct 2022

Wordfence’s Alarmism on Display With “Exploit Attempts”, Which Are Not Really Exploit Attempts

Last week we looked into a false claim made by WordPress security provider Wordfence that a plugin had contained a “critical” security vulnerability. In discussing that, we mentioned someone’s concern related to another situation about Wordfence issuing alarmist warnings:

This is demonstrably alarmist, and poor advice considering that they have conceded to several different people that it is not a critical issue. So of course this damages Wordfence’s reputation for me. How do I know that they are not issuing alarmist warnings about other issues? [Read more]

26 Oct 2022

Wordfence Is Failing to Provide Information That Would Help Protect Their Customers Unless Web Hosts Pay Them as Well

Two days ago, we detailed multiple issues with a recently launched service from the WordPress security provider Wordfence, Wordfence Intelligence. There was something we ran across while researching that, which we felt was worth separating out for its own post because it seems so problematic. One promoted reason to sign up for that service is so that web hosts can get information on servers in their infrastructure that are launching attacks. Here is how Wordfence describes that:

Compromised Host Identification
Many cloud hosting providers and security operations teams do not have access to the operating system of servers they are responsible for securing. Wordfence defends over 4 million websites globally. We have excellent visibility on which servers are infected for a hosting provider, cloud provider, or geographic area, which helps indicate when these servers may be launching attacks against other web services. If you are a network defender responsible for securing a large network, we can help you identify which hosts on your network are compromised and need to be mitigated. Securing these infected hosts helps reduce attacks across the global Internet and helps keep the online community safer. [Read more]

25 Oct 2022

Wordfence Intelligence Vulnerability Data Feed Keeps Looking Worse

Yesterday, we detailed significant discrepancies between the way the WordPress security provider Wordfence marketed their Wordfence Intelligence service and the actual results they are delivering with it. Much of that also affects those relying on their Wordfence Security plugin. One aspect that affects users of their plugin, as well as other plugin developers, is Wordfence’s information on vulnerabilities in WordPress plugins. As of yesterday, they marketed that part of Wordfence Intelligence this way:

Vulnerability Detection at Scale [Read more]

24 Oct 2022

Wordfence Intelligence Doesn’t Deliver on Its Promises

In August, the WordPress security provider Wordfence announced a new service named Wordfence Intelligence with a lot of lofty claims about the service and what they were already providing. What was lacking was evidence that it delivers on the promises being made. That should be a big concern with any security service, considering the really poor results that the security industry has been providing for the billions of dollars it is being paid. Wordfence also has a history of making easily checked false claims, so evidence is even more important in their case. In some instances, their employees have admitted the claims are not true, while the company continues to make them. In looking over some of the underlying data connected with the service, we have found that what they are promising doesn’t come close to matching what they actually deliver.

Bad Plugin Vulnerability Data

You can get a good sense of the strong claims they make about what they are delivering with just a couple of sentences of the marketing of the service: [Read more]

13 Oct 2022

Wordfence is Claiming That WordPress Plugin Has Vulnerability Despite Having No Idea if That is True

In our monitoring of the WordPress Support Forum for topics possibly discussing WordPress plugin vulnerabilities, we have recently been seeing a lot of topics involving vague claims coming from the WordPress security provider Wordfence, through their Wordfence Security plugin, that other WordPress plugins contain vulnerabilities. Here is one such message from Wordfence, mentioned in a topic:

The Plugin “WP Affiliate Platform” has a security vulnerability.
Type: Plugin Vulnerable
Critical
Details:
Plugin Name: WP Affiliate Platform
Current Plugin Version: 6.3.8 [Read more]