6G Firewall Rules in All-In-One Security (AIOS) WordPress Plugin Don’t Provide Effective Protection

In version 5 of the WordPress security plugin All-In-One Security (AIOS) an update was made to its firewall functionality, which implemented “6G firewall rules in the new PHP-based firewall.” Someone posted on the support forum for the plugin requesting to…

iThemes Security (Solid Security) and iThemes Security Pro Won’t Protect Against Zero-Days Contrary to Their Marketing

A zero-day is a vulnerability being exploited before the developer is aware of it. One of the implications of that is that keeping software up to date won’t protect against it. So for WordPress websites, a WordPress security plugin can…

Patchstack’s “Early Warning” About Vulnerability Isn’t Early and Fails to Warn It Isn’t Fixed

As we have noted in the past, the WordPress security provider Patchstack is falsely claiming to know about hundreds of zero-day vulnerabilities and claiming to be providing “early warnings” to their customers on vulnerabilities that were already public before they…

Latest WooCommerce Version Fixes Security Bypass Utilized by Widely Exploited Vulnerability

In March, the details of a vulnerability that had been fixed in a WordPress plugin that extends the functionality of the plugin WooCommerce were disclosed. The exploitability of it should have been limited, as it required having access to a…

WordPress Firewall Plugins Are Barely Improving the Zero-Day Protection They Offer

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities…

Security Review of Brand New WordPress Plugins Still Failing at Basic Level

When new WordPress plugins are submitted to the WordPress Plugin Directory, they are supposed to go through a review first, which includes checking the security of the plugin: “You will get an automated email telling you about the submission immediately.”…

Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are

Recently, Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin. That being, as they put it, an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent…

WordPress Firewall Plugins Lack Protection Against Arbitrary User Deletion Vulnerabilities

Last week, we ran across a vulnerability in a WordPress plugin that would allow an attacker to delete all the website’s WordPress user accounts, which would be nasty if exploited by an attacker. The ability to easily exploit the vulnerability…

Akamai Warns Their Web Application Firewall (WAF) Doesn’t Protect WordPress and WooCommerce Websites

So often, what passes for security journalism misses the important details in claims made by security providers that are the sole source for stories. Take, for instance, a recent story that popped up in a Google News alert we have to…

WooCommerce Security Issue Plays Critical Role in Exploiting Serious Vulnerabilities in Other Plugins

In March, the details of a vulnerability that had been fixed in a WordPress plugin that extends the functionality of the plugin WooCommerce were disclosed. The exploitability of it should have been limited, as it required having access to a…

Vulnerability Assessments and Penetration Testing Are Not Essential for Addressing Security Risks on WordPress Websites

A recent SecurityWeek headline claimed that a Ferrari website was put at risk by a WordPress plugin: “WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers”. While a WordPress plugin was involved, it shouldn’t have been the focus of the headline.…

Akamai SIG’s Advanced Custom Fields (ACF) Attack Claim Confuses Script Kiddie With Attacker

In the past couple of days there have been scary-sounding claims from journalists related to a recently fixed reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Advanced Custom Fields (ACF), which we had detailed on May 4 after…

Wordfence Security Returns to Third Place in May Test of WordPress Security Plugins’ Zero-Day Protection

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated it, we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started…

Not Really a WordPress Plugin Vulnerability, Week of April 28

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic…

WordPress Plugin Developer Security Advisory: Elementor

One of the little-understood realities of security issues with WordPress plugins is that the insecurity is not evenly spread across those plugins. Instead, many developers are properly securing their plugins and others get them properly secured when…

Bleeping Computer’s Bill Toulas Falsely Blames WordPress Plugin When Sucuri Fails to Protect Their Customers

As we have noted in the past, the GoDaddy-owned security provider Sucuri keeps writing blog posts about what has happened to their customers’ websites after they have been hacked. They seem uninterested in how those websites were hacked, despite…

Wordfence Security Improperly Blocks WordPress Users From Uploading Files

When considering WordPress firewall plugins, it is important to consider not only the protection they can provide, but also whether they cause unnecessary problems. On both counts, the most popular security-only WordPress plugin, Wordfence Security, does worse than other options.…

iThemes (SolidWP) and Patchstack Requiring Their Customers and Plugin Developers to Fix Their Inaccurate Data

Recently, iThemes (which is being rebranded as SolidWP) and their partner, Patchstack, have been incorrectly claiming that a 100,000+ install WordPress plugin, Download Manager, contained an unfixed vulnerability. The problem stems in part from confusion with a claim that vulnerability…

Hacker Targeting Unfixed WordPress Plugin Vulnerability That CVE and Others Claim Has Been Fixed

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Earlier this month, we noted that the hacker was targeting a plugin that had an unfixed known…

Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory

A week ago, we wrote about how a WordPress plugin being targeted by a hacker had remained in the WordPress Plugin Directory despite having an unfixed vulnerability that hackers would target. We had noted that the WordPress security provider Wordfence…