In addition to the service we provide, which we will get into in a bit, we play a critical role in protecting the WordPress ecosystem from plugin vulnerabilities.
That role starts with our monitoring for vulnerabilities in the current version of plugins that hackers look to have discovered and are already exploiting. As we started ramping that up we were surprised how many of these vulnerabilities had been out there for a long time. As just one example, we found that hackers look to have been aware of an arbitrary file upload vulnerability in one plugin, a type of vulnerability that is almost guaranteed to be exploited, for more than a year without it being fixed and with the plugin remaining in the Plugin Directory. A week and a half after we notified the developer of that vulnerability, it was finally fixed.
If you are considering or using other WordPress security services that claim to protect your WordPress websites, consider the fact that they have been completely unaware of these vulnerabilities even as they were being exploited for months or more. If you were to trust their marketing materials, that would be a surprise. Take Wordfence for example: with their paid service they claim to provide “Protection from the latest threats” through their “unmatched access to information about how hackers compromise sites”, but we found they are not catching these vulnerabilities.
With those vulnerabilities and vulnerabilities being disclosed by others, we make sure the developers of the plugins are aware of them so they can fix them, and in some cases we even assist them in doing that. When developers don’t take action to fix the vulnerability, we then report the vulnerabilities to the Plugin Directory, which will remove the plugin pending a fix. That often gets the developer to fix the vulnerability rather quickly.
Another step that we take, which it looks like no one else does, is that we test out each disclosed vulnerability that is claimed to have been fixed to make sure it has actually been fixed. In many cases the vulnerabilities have not actually been fixed (in some cases they have remained unfixed for years). We then get in touch with the developer and/or the Plugin Directory to help get the vulnerability properly fixed.
We also use information we glean from those vulnerabilities to discover other plugins that contain the same type of vulnerabilities, as part of our own search for vulnerabilities.
Providing You The Best Plugin Vulnerability Protection
While you have other options (though almost all of the other options use the same data source), we believe that the Plugin Vulnerabilities service provides you the best protection from vulnerabilities in WordPress plugins for a number of reasons:
On a daily basis we monitor vulnerability disclosures on a variety of vulnerability aggregation websites and security researchers’ websites, as well as plugin exploitation attempts on live websites, so we are adding more vulnerabilities and adding them faster. You can see what vulnerabilities we have added recently in our monthly service update posts.
We Test the Vulnerabilities
Adding more vulnerability data and doing it faster isn’t much good if the data is of low quality. We don’t just assume that reports of a vulnerability are accurate; we test out each purported vulnerability to determine that it actually existed, that it has actually been fixed, and which versions are vulnerable. What that means for you is that you only get alerted if the version you are using is actually vulnerable (you can see what vulnerabilities have existed in other versions of your installed plugins on our plugin’s page), and we make sure you are aware that you are vulnerable when a vulnerability isn’t actually fixed (which isn’t the case with other similar services).
We Help Get Vulnerabilities Fixed
While notifying you that one of your plugins has a vulnerability is useful, if there isn’t a fix available then you only have the option of hoping the vulnerability isn’t exploited or of removing the plugin (and losing its functionality). For that reason, upon finding a vulnerability that hasn’t been fixed we immediately attempt to notify the developer of the plugin of the issue and offer to help them get it fixed. If we cannot get a hold of them, or if the discoverer has already attempted to notify them, we will contact the WordPress.org Plugin Directory about the issue, which in most cases leads to them pulling the plugin, and that in turn often leads to the plugin being quickly fixed.
We Help You Understand The Risk Vulnerabilities Pose
When it comes to security vulnerabilities, far too often security companies unintentionally or intentionally portray a vulnerability as being a much larger threat than it really is. To help you understand the risk vulnerabilities pose, we include an estimate of how likely each vulnerability is to be exploited with the data presented to you on vulnerabilities in the plugins you use.
Let’s say you have a question about a vulnerability that is or was in one of your installed plugins. Now you don’t have to hope you will get an accurate answer in a forum. When you contact us you will get a response from someone who is knowledgeable about the vulnerability and who will help you understand what is going on and what can be done to resolve any issues.
You have the option of having your installed plugins checked for known vulnerabilities every hour, every 12 hours, or every day.