1 Dec 2023

Latest Release of Contact Form 7 Didn’t Actually Fix Authenticated (Editor+) Arbitrary File Upload Vulnerability

Recently, the WordPress security provider Wordfence criticized another provider, Patchstack, for incentivizing low-quality claims of vulnerabilities in WordPress plugins:

“There are an extremely high number of low risk and low quality vulnerabilities being submitted to databases like Patchstack,” he said. “Vulnerabilities that involve a Cross-Site Request Forgery are an example of this. The incentives we are seeing out there encourage researchers to generate a high volume of low risk vulnerabilities to get rewarded. These high numbers are then used to market security products.” [Read more]

27 Nov 2023

Patchstack vs Wordfence WordPress Plugin Vulnerability Data: It’s Largely The Same Inaccurate Data

When it comes to protecting WordPress websites from vulnerabilities in WordPress plugins, one piece of the solution is being warned if you are using plugins with known vulnerabilities. Doing that well requires a lot of work. That is something two providers, Patchstack and Wordfence, claim to do. Patchstack markets their data this way:

Hand curated, verified and enriched vulnerability information by Patchstack security experts. [Read more]

20 Nov 2023

WordPress Firewall Plugins Protect Against Vulnerability Without Rule Needed for Wordfence Security To Do That

Last week, we noted that the marketing for the Wordfence Security plugin was promoting its firewall as being the industry leader, despite Wordfence offering nothing whatsoever to support that claim and objective testing showing it to be far from the case. In doing that, we included a screengrab of them making that claim:

[Read more]

17 Nov 2023

Wordfence’s Plugin Vulnerability Data Copied From Competitors Continues to Not Be Impeccable

Recently the CEO of Wordfence, Mark Maunder, made this very strong claim about the quality of their (and, to a lesser degree, competitors’) data on vulnerabilities in WordPress plugins:

Our data is impeccable. Our competitors do a pretty darn good job too. [Read more]

13 Nov 2023

Wordfence Security’s Country Blocking Isn’t an Effective Measure Against Hackers

Last week, we wrote about one feature of the Wordfence Security plugin that doesn’t actually provide the protection Wordfence has convinced people it provides. Another feature brought up to us by the same person asking about that one was country blocking. That blocks requests based on the country their IP addresses appear to come from. Interestingly, Wordfence’s own documentation for the feature can’t even muster an explanation of how that is supposed to protect websites. That isn’t surprising if you look at real world attacker activity.

What looked to be one recent attack on our own website involved a hacker trying to log in to it seven times, using a different IP address each time. Here are the locations of the IP addresses: [Read more]

8 Nov 2023

The Wordfence Security Plugin Isn’t Actually Protecting Against Brute Force Attacks

We recently had a potential customer ask if our firewall plugin protected against brute force attacks, as they believed the Wordfence Security plugin does. They also noted that using something different from what Wordfence Security provides would seem like less protection, even if it was actually better protection. When it comes to brute force attacks, they have hit the nail on the head, as those are not even happening. Wordfence is pretending that something WordPress already provides effective protection against isn’t happening, and that brute force attacks are happening instead, which would require protection WordPress doesn’t have built in.

Here is how Wordfence describes brute force attacks: [Read more]

6 Nov 2023

Wordfence’s False Claim of Vulnerability in WordPress Plugin Everest Backup Leads to Serious Real Vulnerability

Recently the CEO of Wordfence, Mark Maunder, claimed that their data on vulnerabilities in WordPress plugins is “impeccable”. That is disputed by, among other things, Wordfence’s attempts to cover up mention of the problems with that very data. It’s unclear if the CEO is unaware of what is going on with the employees of his company or if he is, as he often does, lying in a way that makes Wordfence sound like it is doing amazing things it isn’t doing. Whatever the case, another recent instance of their inaccuracy led to finding a real vulnerability in the plugin Everest Backup.

We recently reviewed a claim by Wordfence from earlier this year of a vulnerability in the plugin, where what was claimed to be a vulnerability was still possible in the version that was supposed to fix it. We were reviewing that because one of our customers started using the plugin. What we found was that the plugin actually still is rather insecure, but not in the way that Wordfence had claimed. Considering the potential security risk posed by backup plugins, you would hope they are thoroughly checked for security issues, but this plugin clearly hasn’t been. [Read more]

10 Oct 2023

Wordfence Security Increases Protection in October Test of WordPress Security Plugins’ Zero-Day Protection

One method we have for measuring the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software lets us make sure the default protection our plugin offers against zero-days, which are vulnerabilities being exploited before the developer or others know about them, isn’t broken as we make changes to the plugin. Once we started developing it, we realized it could be repurposed to test whether other firewall plugins provide protection in the same situations. In May of last year, we started a monthly run of it against other firewall plugins, so we could get a better understanding of how the WordPress security landscape is changing over time.

This month saw one change: the Wordfence Security plugin increased its protection from 20.90% of the tests to 23.16%. That is notable, as after a year of testing we had barely seen improvements among the plugins tested. [Read more]

5 Oct 2023

The WordPress Function sanitize_text_field() Isn’t Always Enough Security to Protect Against XSS

The Automattic owned WPScan recently claimed a serious persistent cross-site scripting (XSS) vulnerability had existed in a WordPress plugin and had been fixed. Their report lacked the kind of information that would be needed to easily recheck things. What was included didn’t seem promising. For example, they misspelled the word unauthenticated as “Unauthitncated”, which a spellchecker would have caught. Checking over things, we found the vulnerability did exist, but was incompletely fixed and is still exploitable. WPScan claims to have a “dedicated team of WordPress security experts”, so either there is widespread misunderstanding of a basic element of securing a WordPress plugin or they don’t really have that team. Assuming the former, let’s look at what they and the developer got wrong involving usage of the WordPress security function sanitize_text_field().

(Two other providers, Patchstack and Wordfence, who also claim to have experts generating their data, are also claiming this has been fixed despite the incomplete fix.) [Read more]
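The excerpt above does not include the plugin’s code, so the following is an added illustration of the general point in the title, not code from the original post or from the plugin it discusses. sanitize_text_field() is an input sanitizer: it strips HTML tags, but it does not encode quotes or other characters that matter inside an HTML attribute, so a value that passes through it can still break out of a value="..." attribute if it is echoed without output escaping (the job of esc_attr() in WordPress). Because the real function is PHP inside WordPress core, the block below uses a simplified Python stand-in for its behavior (an assumption, labelled as such in the code); the setting name "title", the attacker payload and the two rendering helpers are all constructed for the example.

```python
"""Why sanitize_text_field()-style input sanitizing is not output escaping.

Constructed example (not code from the original post or from the plugin it
discusses). sanitize_model() is a simplified Python stand-in for the
behaviour of WordPress's sanitize_text_field(): it strips HTML tags (and the
contents of script/style blocks), collapses whitespace, trims, and drops
percent-encoded octets. It does NOT encode quotes or other characters that
matter inside an HTML attribute, which is the property demonstrated here.
The setting name "title" and the rendering helpers are hypothetical.
"""
import html
import re
from html.parser import HTMLParser

# Constructed attacker-supplied value. It contains no "<", so a tag-stripping
# sanitizer leaves it untouched; inside value="..." it closes the attribute and
# adds an event handler plus autofocus so the handler fires on page load.
ATTACK_INPUT = '" onfocus="alert(document.domain)" autofocus="'
# Constructed tag-based payload, to show what the sanitizer does catch.
TAG_INPUT = "<script>alert(1)</script>hello"


def sanitize_model(value: str) -> str:
    """Simplified model of sanitize_text_field(); see module docstring."""
    if "<" in value:
        # wp_strip_all_tags(): drop script/style blocks with contents, then tags.
        value = re.sub(r"<(script|style)[^>]*?>.*?</\1>", "", value,
                       flags=re.IGNORECASE | re.DOTALL)
        value = re.sub(r"<[^>]*>", "", value)
    value = re.sub(r"[\r\n\t ]+", " ", value).strip()
    # Remove percent-encoded characters, as the real function does.
    value = re.sub(r"%[a-fA-F0-9]{2}", "", value)
    return value.strip()


def render_unescaped(stored_value: str) -> str:
    """The pattern criticised here: sanitize on save, echo raw on output."""
    clean = sanitize_model(stored_value)
    return f'<input type="text" name="title" value="{clean}">'


def render_escaped(stored_value: str) -> str:
    """Same storage, but escaped for the attribute context on output
    (the role esc_attr() plays in WordPress)."""
    clean = sanitize_model(stored_value)
    return f'<input type="text" name="title" value="{html.escape(clean, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collect the attribute names a browser would see on the <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.names = [name for name, _ in attrs]


def input_attribute_names(markup: str) -> list[str]:
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.names


def is_xss(markup: str) -> bool:
    """True if any on* event-handler attribute ended up on the element."""
    return any(name.startswith("on") for name in input_attribute_names(markup))


if __name__ == "__main__":
    print("sanitized payload :", sanitize_model(ATTACK_INPUT))
    raw = render_unescaped(ATTACK_INPUT)
    safe = render_escaped(ATTACK_INPUT)
    print("raw output        :", raw, "-> XSS:", is_xss(raw))
    print("escaped output    :", safe, "-> XSS:", is_xss(safe))
```

The sanitizer returns the attack string unchanged, and parsing the raw render shows an onfocus handler and autofocus attribute on the element; the escaped render shows only type, name and value. The practical check when reviewing a fix is therefore not whether sanitize_text_field() was added on input, but whether every place the value is output uses the escaping function for that context.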