Awesome Motive Is Claiming That Sucuri Is the Best WordPress Security in 2024 Based on Features It Doesn’t Contain

While doing research for a post, we found that the much maligned Awesome Motive was giving out, no surprise, highly misleading advice to make money for themselves. On one of their websites, they claimed that the Sucuri plugin is the …

Wordfence Is Warning That Vulnerabilities Are Critical When They Are Not

Whether intentionally or not, part of the business model of the developer of the Wordfence Security plugin involves scaring people into buying their services by overstating the risk posed by security issues. The overstated risk was on display in …

Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)

Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is that they are not doing the work that people clearly believe they are doing. That includes not checking if vulnerabilities …

The WordPress Function sanitize_text_field() Function Doesn’t Sanitize User Input for SQL Statements

As we warned our customers about last week, a recent update to a WordPress plugin that extends WooCommerce, with 300,000+ installs, tried to fix a SQL injection vulnerability. The developer failed to accomplish that, in part because they were using …

Google’s Search Results for The Best WordPress Security Plugins in 2024 is as Bad As You Would Expect

Google’s search results have a reputation for being bad these days, and for good reason: they are bad. Take the results we got when doing a search for “best wordpress security plugins 2024”. We got this information directly on the …

Password Strength Doesn’t Matter if a Hacker Knows The Password Because It Was Compromised Through Malware

This past week there was a spate of security stories claiming a high-profile attack had occurred because of a weak password. Take the headline of an Ars Technica story by Dan Goodin, ‘A “ridiculously weak” password causes disaster for Spain’s …

Confusion Over Proper Usage of esc_url_raw() Includes Developers of 1+ and 5+ Million Install WordPress Security Plugins

While working on a security review of a WordPress plugin, we ran across misuse of a WordPress security function, esc_url_raw(). While looking to see if this was a wider issue, we found that a 5+ million install security plugin is …

YouTuber Falsely Claims You Can Easily Prevent WordPress Websites From Getting Hacked With Solid Security

When looking for security advice on WordPress websites, one of the problems you face is the number of affiliate marketers posing as your friend. One recent example of this that we ran across involved a YouTuber, WPress Doctor. They released a …

WordPress Plugin Developer Security Advisory: Brainstorm Force

One of the little understood realities of security issues with WordPress plugins is that the insecurity of them is not evenly spread across those plugins. Instead, many developers are properly securing their plugins and others get them properly secured when …

Effective WordPress Security Plugins Can Not Be Replaced With Something You Can Do Manually

Recently, we looked at one inaccurate recommendation by a major web host, SiteGround, suggesting that you shouldn’t use WordPress security plugins that can actually protect against vulnerabilities. Along those same lines, they have some troubling advice when it comes to …

Wordfence Security Firewall Review: Missing a Lot of Protection that Better Options Offer

Like the developers of lots of WordPress security plugins, the developer of Wordfence Security makes a lot of impressive sounding claims about their plugin and the protection it offers, but notably doesn’t present any evidence to back the claims up. …

WordPress Plugin Developers Still Have to Wait Nearly Two Months for Review When Submitting New Plugin

In September, the WP Tavern covered a backlog for those submitting new WordPress plugins to the WordPress Plugin Directory this way: WordPress’ Plugin Review Team continues to dig out from under a massive backlog that has grown to 1,260 plugins …

Wordfence Premium Adding Firewall Rules for Vulnerabilities in Under 10 Plugins a Month

It’s common for critics of the Wordfence Security plugin to claim it isn’t useful unless you are using the companion Wordfence Premium service because new rules for the firewall are only provided to paying customers for the first 30 days …

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that …

WordPress Stops Disclosing if Plugin Directory Team Works for Automattic After at Least Two Employees Secretly Joined Team

In October 2022, after a very questionable action taken by the team running WordPress’ Plugin Directory that was alleged by some to have been done to the benefit of the for-profit company from the head of WordPress, we noted that …

SiteGround Recommends Against Using WordPress Security Plugins That Actually Protect Against Vulnerabilities

A short time ago, we looked at how a feature of SiteGround’s recently rebranded WordPress plugin, Security Optimizer, didn’t really provide the advanced protection against cross-site scripting (XSS) promised, or any protection for that matter. While looking into their …

Hacker Tries to Exploit Fake Vulnerability 11 Years After It Was Falsely Claimed to Exist

One method we have for monitoring which vulnerabilities in WordPress plugins hackers are trying to exploit is allowing users of our firewall plugin to report hacking attempts blocked by our firewall that we haven’t already logged as being known about. …