via pluginvulnerabilities.com => original post link
When it comes to the WordPress Plugin Directory, security isn’t being handled well. Earlier this week we noted how a plugin was allowed back in to that despite not having come close to properly resolving a serious security vulnerability that hackers were likely targeting. That is the kind of thing that would likely lead to more in the WordPress community looking for security plugins to help protect them. In looking into how some popular WordPress security plugins are being marketed in WordPress’ plugin directory recently, we saw that developers are often making efficacy claims that are far from reality. They are making those without presenting any evidence to back them up. That seems like something that WordPress could better handle, by requiring evidence to back up any efficacy claims being made about those plugins on the plugin directory.
One of the plugins that we looked at, which is being marketed outside of what it delivers, is the web host SiteGround’s security plugin. SiteGround recently rebranded that from SiteGround Security to Security Optimizer. As we documented recently, that has what they call Advanced XSS Protection, which doesn’t offer protection, much less advanced protection. Something else we noticed while looking into that plugin is that they have that plugin tagged on the plugin directory as a web application firewall (WAF): [Read more]