In our testing of WordPress firewall plugins, the NinjaFirewall plugin has been the best free option. It turns out it does something else where it isn’t so good. That would be warning about vulnerable plugins. We recently noticed the developer Continue reading NinjaFirewall is Providing Misleading Information on Vulnerable WordPress Plugins
We recently had a strange interaction with the team running the WordPress Plugin Directory over their failure to make sure a likely exploited vulnerability was fixed. It was yet another example of their poor handling of security. That runs counter Continue reading WordPress Plugin Team Appears to Not Understand Proper Use of SQL Escaping Function esc_sql()
For a couple of months now, a phishing email campaign has been sending emails warning of a vulnerability on WordPress websites and telling people to download a plugin for that. That email has this format: Dear user [Read more] ShareTweetSharePostSharePin Continue reading Cloudflare Still Providing DNS Service for WordPress Security Team Impersonation Scam
As we warned our customers on Friday, the latest version of the WordPress plugin Easy Digital Downloads incompletely fixed a vulnerability. That is something we ran across while preparing to see if another security fix made in it fixed a Continue reading Wordfence Claims It Is a Vulnerability For Users With the unfiltered_html Capability to Use Unfiltered HTML
It would be rather notable if the 200,000+ install WordPress plugin from the security provider Cloudflare contained a vulnerability. And that was just the claim made recently by a couple of WordPress security providers. Here was one of them, Patchstack, Continue reading WordPress Security Providers Falsely Claimed Cloudflare’s Plugin Contained Vulnerability
The latest version of WordPress, 6.4.3, has created a lot of headaches for the WordPress community, as installing plugins by uploading most zipped copies of plugins that have been compressed on Macs are not working (and possibly zipped in some Continue reading Bug Introduced in WordPress 6.4.3 Highlights a Problem With Fixing Vulnerabilities That Are Not Really Vulnerabilities
We are currently in the process of reviewing a partially disclosed possible vulnerability in a 200,000+ install WordPress plugin that extends the 5+ million install plugin Elementor. One issue we found with the possible vulnerability is that the developer is Continue reading Elementor is Still Providing Access to Security Nonces to WordPress Users Who Shouldn’t Have Them
Are you concerned a WordPress plugin you use is insecure? Maybe there is a claim that it contains a vulnerability? Let’s walk through some important elements of understanding what you need to know about the possible insecurity and how it Continue reading How To Secure a WordPress Plugin You Use
We recently ran across a WordPress support service that was making some extraordinary claims about their handling of security. They were not close to true, considering we were visiting their website to try to notify them that they had failed Continue reading Cloudflare Only Added One Firewall Rule for a WordPress Plugin Vulnerability Last Year and It Was Eight Months Late
Having accurate data on vulnerabilities in WordPress plugins is important. Lots of people trust one provider of WordPress plugin vulnerability data, Wordfence. It seems like their data should be trusted considering the CEO of Wordfence, Mark Maunder, has claimed their Continue reading Wordfence Claims Unfixed WordPress Plugin Vulnerability Has Been Fixed in Version That Doesn’t Even Exist
Yesterday, the Bleeping Computer ran a story headlined “Hackers target WordPress database plugin active on 1 million sites,” written by Bill Toulas. The plugin being referenced was Better Search Replace, which had a security change in the latest version. There Continue reading Contrary to Bleeping Computer Story, Hackers Don’t Seem to Have Targeted Security Issue in Better Search Replace
One of the tools we have to try to help make WordPress plugins more secure is our Plugin Security Checker, which flags possible security issues in WordPress plugins. From time to time, we spot check the results of plugins from Continue reading Catching a Future Vulnerability in a WordPress Plugin With Our Plugin Security Checker
Recently someone left a message on the support forum of the WordPress plugin WP Child Theme Generator writing about their concern about continuing to use the plugin based on Wordfence claiming it contains a “critical vulnerability:” This critical vulnerability has Continue reading Wordfence is Claiming It Is a Critical Vulnerability for WordPress Administrators to Upload Arbitrary Files
WordPress plugin developers are not always great about actually fixing vulnerabilities in their plugins. That problem is on display with the 300,000+ install plugin PDF Invoices & Packing Slips for WooCommerce. As we warned our customers on January 11, the Continue reading WPScan Still Isn’t Making Sure That “Fixed” WordPress Plugin Vulnerabilities Have Actually Been Fixed
In 2022, the WordPress security plugin All In One WP Security & Firewall was rebranded as All-In-One Security (AIOS). The removal of emphasis on a firewall is probably fitting, as the plugin’s firewall capability is rather limited and the developers Continue reading All-In-One Security (AIOS) Firewall Review: It Doesn’t Deliver Great Results
Patchstack claims there had been an authenticated remote code execution (RCE) vulnerability in the WordPress plugin Dynamic Content for Elementor, which at least one of our customers started using recently. Trying to figure out what is going on there showed Continue reading Trying to Decipher a Vulnerability Claim for a WordPress Plugin
We recently noted that a post that ranks highly when searching Google for the best WordPress security plugins in 2024 is saying that Sucuri Security is the best. It is pretty common to see that listed as the best. The Continue reading Sucurity Security WordPress Plugin Firewall Review: It Doesn’t Actually Contain One
Yesterday, we released the results of a security review we did of a WordPress plugin. What we found while reviewing the changes made to address the problems we had found is a good reminder that security fixes need to be Continue reading WordPress Plugin Developers Need to Make Sure There Nonce Checks Both Work if a Nonce Isn’t Sent or if the Nonce is Wrong
We recently noted that the developer of the 1+ million install WordPress security plugin Security Optimizer, SiteGround, was saying that you shouldn’t use the Wordfence Security plugin and instead use their plugin. They didn’t cite any evidence that their plugin Continue reading Security Optimizer vs Wordfence Security
We recently looked at several of the top results when you search Google for the “best WordPress security plugins 2024.” Several things stood out about those. The most important thing that stood out is that these posts were biased in Continue reading 10 Best WordPress Security Plugins in 2024