24 Jun 2016

Wordfence’s Real-Time Threat Defense Feed Seems To Be Missing Many Plugin Vulnerabilities

Earlier this week we discussed the fact that Wordfence doesn’t actually check plugin vulnerabilities before claiming they are fixed. While writing up that post we noticed a feature of their service that looks like it doesn’t live up to their claims by a mile. Since the average webmaster isn’t going to have the knowledge to see through this, we thought it would be a good idea to make others aware of it.

As part of the marketing material on their homepage they have a section about their Real-Time Threat Defense Feed. The name alone sounds impressive, but their description makes it sound even more impressive: [Read more]

21 Jun 2016

Wordfence Doesn’t Actually Check Plugin Vulnerabilities Before Claiming They Are Fixed

Wordfence is a security company that we don’t think too highly of, due to things like the fact that security vulnerabilities have been found in their security plugin numerous times and their not seeming to have any clue what they are talking about. The problem is that a lot of people who don’t have the security knowledge we have have been tricked into thinking Wordfence has a clue what they are doing. To give you an example of this, let’s look at something we ran across recently.

Before we get into the details you really should read the comments on the blog post we are going to discuss part of in a second. They consist of lots of people thanking Wordfence for the information they provided. What isn’t mentioned in those comments is that Wordfence is telling them things that Wordfence has no idea are actually true. This can be spotted in the part of the post discussing a plugin that they claimed had vulnerabilities that had been fixed: [Read more]

20 Jun 2016

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in WP Fastest Cache

Recently, in discussing Wordfence’s problematic practice of disclosing vulnerabilities while only releasing partial details, in what appears to be an attempt to profit by being the only firewall provider who can protect against them, we mentioned that this practice makes it harder for others to review the vulnerabilities. That is important since we frequently find that vulnerabilities haven’t actually been fixed, have only been partially fixed, or that the disclosure of one vulnerability will point the way to other vulnerabilities. When it comes to Wordfence’s disclosures that concern wasn’t a hypothetical. The first time they did that type of disclosure, with the Yoast SEO plugin, we found two related vulnerabilities that they had missed (which still have yet to be fixed).

Two more recent disclosures by Wordfence made this way involved the WP Fastest Cache plugin. As we discussed in our post looking at the vulnerabilities, both involved a situation where AJAX functions were accessible to any logged-in user instead of just Administrator level users. This was fixed by checking whether the user making the request has the manage_options capability. [Read more]
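As an added illustration of the class of bug described above (this is constructed example code, not code from the original post and not code from the WP Fastest Cache plugin), here is an AJAX handler that is reachable by any logged-in user and changes an admin-level setting, beside a hardened version. The action name, option name and nonce name are hypothetical. The capability check is the fix the post describes; the nonce check goes beyond the post's text and is the standard WordPress mitigation for the cross-site request forgery half of the title.

```php
<?php
// Added example, not from the original post or from WP Fastest Cache.
// 'example_save_cdn', 'example_cdn_url' and the nonce name are hypothetical.

// BEFORE: a wp_ajax_ hook fires for any authenticated user, so registering
// an admin-only operation on it without a capability check exposes it to
// every Subscriber, and to a forged cross-site request from an admin's browser.
add_action( 'wp_ajax_example_save_cdn', 'example_save_cdn_vulnerable' );
function example_save_cdn_vulnerable() {
    // No current_user_can() check and no nonce: any logged-in account can
    // set the option, and the raw value is stored unsanitized.
    update_option( 'example_cdn_url', $_POST['cdn_url'] );
    wp_send_json_success();
}

// AFTER: registered under a separate action name here only so both versions
// can coexist in one file; in a real fix the hardened body replaces the old one.
add_action( 'wp_ajax_example_save_cdn_fixed', 'example_save_cdn_fixed' );
function example_save_cdn_fixed() {
    // The fix the post describes: only users with manage_options
    // (Administrators on a single-site install) may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // CSRF mitigation: the request must carry a nonce tied to this action.
    // check_ajax_referer() terminates the request on a missing or invalid nonce.
    check_ajax_referer( 'example_save_cdn', 'nonce' );

    // Sanitize before storing so a stored value cannot later be echoed as script.
    $cdn_url = isset( $_POST['cdn_url'] )
        ? esc_url_raw( wp_unslash( $_POST['cdn_url'] ) )
        : '';
    update_option( 'example_cdn_url', $cdn_url );
    wp_send_json_success();
}

// The admin-side form or script that issues the request must embed the
// matching nonce, for example with:
// wp_nonce_field( 'example_save_cdn', 'nonce' );
```

The two checks address different things: the capability check decides who is allowed to perform the operation at all, while the nonce check ensures the request was intentionally issued from a page the site generated rather than forged by a third-party site the administrator happened to visit. A handler that only has the first check is still exposed to CSRF, which is why the hardened version carries both.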

10 Jun 2016

Protecting You Against Wordfence’s Bad Practices: Authenticated Remote Code Execution (RCE) Vulnerability in EWWW Image Optimizer

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins with the critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities, to try to limit the damage Wordfence’s practice could cause.

Wordfence describes the vulnerability in EWWW Image Optimizer version 2.8.3 as a “Remote Command Execution vulnerability which an attacker can exploit on multisite WordPress installations to gain complete control of a WordPress site”. [Read more]

1 Jun 2016

How Wordfence Makes A Minor WordPress Plugin Vulnerability Sound Much More Serious

While there are many problems when it comes to website security, unfortunately we often find that security companies still feel the need to embellish minor security issues to make them into much more than they are. This makes it harder to properly address security issues because the public doesn’t have the proper perspective on the threats out there. It also leads to overhyped news articles, since many security journalists simply repeat the claims of security companies without doing any verification.

To show that at work, let’s look at something from a recent post from Wordfence. They disclosed that the plugin Caldera Forms had a vulnerability that allowed “an attacker to gain access to potentially sensitive data that has been captured by a Caldera Form.” No details were provided as to what an attacker would need in order to do that, which is really important. If they had been, it would be clear that this isn’t a threat for most websites using the plugin. [Read more]

26 May 2016

Protecting You Against Wordfence’s Bad Practices: Local File Inclusion Vulnerability in WP Fastest Cache

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins with the critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities, to try to limit the damage Wordfence’s practice could cause.

Wordfence describes the vulnerability in WP Fastest Cache version 0.8.5.7 as “The Local File Inclusion vulnerability allows an attacker to execute code on the target web server or on a site visitor’s browser. This enables the attacker to steal or manipulate data, perform a denial of service attack or enable additional attack types such as Cross Site Scripting.” [Read more]

25 May 2016

Protecting You Against Wordfence’s Bad Practices: Unauthorized Options Update Vulnerability in WP Fastest Cache

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins with the critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities, to try to limit the damage Wordfence’s practice could cause.

Wordfence describes the vulnerability in WP Fastest Cache version 0.8.5.7 as “The Options Update vulnerability allows an attacker to access and make changes to the CDN (Content Delivery Network) options for the website. With this control an attacker can direct all requests for css files, images, videos, etc. to their site, allowing them to serve malicious content to visitors of the vulnerable site.” [Read more]

25 May 2016

Protecting You Against Wordfence’s Bad Practices: Sensitive Data Exposure Vulnerability in Caldera Forms

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins with the critical details needed to double check their work missing, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities, to try to limit the damage Wordfence’s practice could cause.

Wordfence describes the vulnerability in Caldera Forms version 1.3.5.2 as “This vulnerability allows an attacker to gain access to potentially sensitive data that has been captured by a Caldera Form.” [Read more]

25 May 2016

Wordfence’s Bad Security Research Practices Putting WordPress Websites At Risk

When it comes to security companies in general we don’t think too highly of them, and the company Wordfence isn’t an exception. They are not as bad as, say, SiteLock, but we keep bumping into bad stuff involving them. Like a month ago, when we noticed them again falsely flagging plugins for suspected malware due to a quite bad false positive. The latest incident involves their security research, which we have now twice found putting websites at risk, either seemingly because of a lack of expertise or from trying to profit off of exposing vulnerabilities.

Missed Vulnerabilities

This began about three weeks ago when they released partial details of a fairly minor vulnerability in the plugin Yoast SEO. The vulnerability would allow Subscriber level and above users on a website to export the plugin’s settings and some other data. While reviewing this report to add the vulnerability to our data set we noticed several issues. [Read more]

26 Apr 2016

Wordfence’s Bad False Positive for WordPress Plugin Causes Nuisance for Public and Its Developer

One of the major problems with anti-virus software for computers is that the signatures they use to detect malicious code can falsely detect non-malicious code as being the malicious code they are supposed to be identifying. In more serious cases that can cause critical operating system files to be removed and the computer to no longer be functional.

Security products for websites, instead of learning from the mistakes of their computer-based counterparts, have carried on this tradition, causing problems for developers of WordPress plugins. We have personal experience with that through the plugin connected with this service. On several occasions we had people reporting that our plugin contained malicious files; one example is in a review of the plugin. The only thing in the supposedly malicious files was the data on vulnerabilities, like this: [Read more]