20 Nov

CEO of Security Company Alertot Claims the Company Left Websites Running WP GDPR Compliance to Be Hacked

When it comes to the response from the security industry to the exploitation of a vulnerability in the WordPress plugin WP GDPR Compliance things keep getting worse. You would think that telling people to update the plugin after it was already widely exploited instead telling them truth they should be keeping their plugins up to date at all times (which would lessen the need for their services) or lying and telling people that your service covered them when it didn’t, would be bad enough. But while looking into something related to another possibility vulnerability that had been in that plugin we came across as post from the CEO, Claudio Salazar, of a security company we had not heard of before, Alertot, who claimed this about the other serious vulnerability that definitely had had been in the plugin:

[Read more]

09 Nov

Wordfence Security and Wordfence Premium Fail To Protect Websites, But Defiant Is Happy to Lie and Tell You Otherwise

Over at our main business we have a steady stream of people contacting us to ask if we offer a service that will stop their websites from being hacked, a not insignificant number of them mention that they are currently using a service that claimed to do that and there website got hacked anyway. That second item obviously tells you that these service don’t necessarily work, but what seems more relevant to the poor state of security is that even when one of these doesn’t work these people are often sure that they can and do work, just the one they used didn’t. That probably goes a long way to explaining why the complete lack of evidence that these services are effective at all hasn’t been an impediment to people using them. The problem with that is not only do they end up not working well or at all, but the money spent on them could have been spent on services that actually improve security of these websites (and everyone else’s website if there services is anything like ours), but are not sold on false promises.

[Read more]

08 Nov

Unlike Wordfence and Other Security Providers We Warned About WP GDPR Compliance Before Websites Started to Get Hacked

When it comes to protecting WordPress websites against vulnerabilities in plugins we provide a level of protection that others don’t for the simple reason that we do the work they don’t (but that they absolutely should be doing). The result can be seen with the plugin WP GDPR Compliance, which had multiple vulnerabilities fixed in version 1.4.3.

[Read more]

08 Nov

Vulnerability Details: Option Update Vulnerability in WP GDPR Compliance

This post provides the details of a vulnerability in the WordPress plugin WP GDPR Compliance not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]

07 Nov

Vulnerability Details: PHP Object Injection Vulnerability in WP GDPR Compliance

This post provides the details of a vulnerability in the WordPress plugin WP GDPR Compliance not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data set for our service, so its contents are limited to subscribers of our service. If you are not currently a subscriber, you can try out the service to help protect your website for free and then you can view the contents of the post. There are a lot of other reason that you will want to sign up beyond access to posts like this one, including that you would have already been warned about this vulnerability if your website is vulnerable due to it.

[Read more]