Wordfence Intelligence Community Edition Data Falsely Claims That Unfixed Plugin Vulnerability Was Fixed Twice

In what appears to be a significant setback for Wordfence, but promoted as “a gift to the community”, they announced they are now giving away data on vulnerabilities in WordPress plugins they have been trying to sell access to since …

Awesome Motive’s Not So Awesome Five for the Future Sponsorship of Plugin Security Reviewer for WordPress

The website of the WordPress focused company Awesome Motive paints them in an incredibly positive light. For example, one of their five core values is “We Do The Right Thing every time.”, which they explain this way: When it’s right …

Even Wordfence Competitor Has Been Fooled by Untruthful Marketing of Wordfence Premium

We recently tried to add a WordPress firewall plugin named BitFire into our automated testing system of WordPress security plugins, but found that the plugin wasn’t working properly and then an update totally broke it. We also noticed that …

WPScan’s Dedicated Team of Security Experts Are Actually Random Unpaid People on the Internet

Last week we discussed an example of how WordPress security providers often make marketing claims that don’t match up with what they deliver, involving Patchstack, but they are certainly not alone in that. We ran across another example of that involving …

WordPress Deletes Negative Review of Wordfence Security Mentioning “Horrific” Wordfence Response Experience

Recently, we mentioned that the moderation of the WordPress Support Forum seemed to be moving in a better direction, but things still were not in great shape. We noted yet another problem last week. In the latest instance, we noticed …

Severity Scores From NIST’s National Vulnerability Database (NVD) Are Not Reliable

Two weeks ago, we looked at inaccurate information about claimed vulnerabilities in WordPress plugins, where a journalist was citing information from the National Vulnerability Database (NVD): The U.S government National Vulnerability Database (NVD) published warnings of vulnerabilities in five WooCommerce …

Patchstack Didn’t Provide Early Alert and Protection For Vulnerability Likely Being Targeted by Hacker

WordPress security providers often make extraordinary claims about their services, which not only couldn’t be true, but, even to the extent they could deliver something reasonably close to them, they fail to do that. The service Patchstack makes this claim …

WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved

Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a …

Patchstack’s Early Alert For WordPress Plugin Vulnerability is Actually Public Info Copied From Competitor

There is often a wide gap between the claims of WordPress security providers and reality. That has often been the case with Patchstack going back to its precursors, WebARX and ThreatPress. This week Patchstack started promoting that it is providing …

WordPress Security Providers Not Warning About Likely Targeted Unfixed Vulnerability in WordPress Plugin

During the weekend, third-party data we monitor recorded what appeared to be a hacker probing for usage of the WordPress plugin ContentStudio. The requests are looking for the plugin’s readme.txt file: /wp-content/plugins/contentstudio/readme.txt …

WordPress Plugins Failing to Include Needed Capabilities Check for AJAX Accessible Functionality

When reviewing security changes being made in WordPress plugins used by our customers, it isn’t uncommon for us to find that developers have failed to fully fix the vulnerabilities, or as was the case recently with a plugin with 300,000+ …

CVE’s CNA Program Is Causing Them to Fail in Their Stated Mission

The CVE program, which claims to be sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) (we tried to confirm that with CISA, but got no reply), is supposed to provide a unique identifier …

CISA Provides No Explanation for Sponsoring Program That Directs Vulnerability Report Info to Hackers

CVE is a program that is supposed to provide unique identifiers for vulnerabilities and, as we will get to shortly, it also is a path for directing software vulnerability reports away from developers to at least one security company selling …

VulDB’s Alarmism on Display With False Claim of “Critical” Vulnerability in WordPress Plugin Activity Log

Earlier today someone posted on the support forum for the 200,000+ active install WordPress plugin Activity Log with the subject “Critical Exploit: Disable plugin Immediately!” and wrote this: As reposted by CISA and NIST, NVD this plugin has a critical …

Search Engine Journal’s Roger Montti Spreads Patchstack’s Misinformation About the Security of WooCommerce Plugin

A frequent source of news media misinformation on vulnerabilities in WordPress plugins is someone named Roger Montti, who writes for the Search Engine Journal. Why someone that describes themselves as a “search marketer” writing for a news outlet unrelated to …

100,000+ Install WordPress Plugin Custom Permalinks Has Been Phoning Home to Developer for Over Two Years

The 100,000+ active install WordPress plugin Custom Permalinks has been phoning home to the developer with information about the websites it is installed on for over two years, despite it being in violation of the rules for the WordPress Plugin …

WooCommerce Fraud Prevention Plugin’s Functionality Can Be Disabled by Anyone Logged in to WordPress

When it comes to the security of WordPress plugins, those that extend the functionality of the ecommerce plugin WooCommerce would seem likely to be more secure than the average plugin, seeing as security should be important for software on websites handling money …

Cyber Insurance Isn’t the Solution for the Insecurity of WordPress Websites

To get to a better place when it comes to the security of WordPress websites, as well as security more broadly, a critical element would be good security journalism. That isn’t happening. Take this clickbaity headline from The Register two …

Avoid Confusing the Cause and Effect of a Hacked WordPress Website by Having It Properly Cleaned

A recent review for the WordPress plugin Protect uploads claimed the plugin was a virus and recently had malicious code added to it: Do not download. The plugin has been changed not too long ago and it now infects your …