Avoid Confusing the Cause and Effect of a Hacked WordPress Website by Having It Properly Cleaned

A recent review for the WordPress plugin Protect uploads claimed the plugin was a virus and recently had malicious code added to it: Do not download. The plugin has been changed not too long ago and it now infects your …

New WordPress Plugin Vulnerability Data Sources Are Just Copies of Existing Inaccurate Sources

Last week, we wrote about confusion over whether a claimed vulnerability in a WordPress plugin exists if it hasn’t been mentioned by a particular data source. That was in the context of a developer claiming there wasn’t a vulnerability in …

Wordfence Falsely Claims WordPress Plugin Contains a “Critical” Vulnerability Because It Confused it With Another Plugin

Recently, we have covered multiple instances where the WordPress security provider Wordfence was falsely claiming that WordPress plugins contain “critical” vulnerabilities, despite there being no vulnerability. That is despite them marketing one of their services, Wordfence Intelligence, partly based on …

Two of the Most Popular WordPress Plugins Contain Vulnerabilities and Were Closed Since Last Week

When WordPress plugins are closed on the WordPress Plugin Directory, unfortunately, those using the plugin and others are not informed of what caused the closure. So while the people running the directory would know if the plugins contain vulnerabilities, everyone else is …

What Causes WordPress Plugins to Have Arbitrary File Upload Vulnerabilities and How They Can Be Avoided

When it comes to vulnerabilities in WordPress plugins, one of the most serious types is an arbitrary file upload vulnerability. That type of vulnerability would allow anyone to upload any type of file to the website. Hackers usually exploit that …

Security Issue Remains in 200,000+ Install WordPress Plugin Over Two Years After Vulnerabilities Were “Fixed”

In August 2020, NinTechNet, the developers of the WordPress plugin NinjaFirewall, disclosed vulnerabilities that had been in the plugin CMP – Coming Soon & Maintenance Plugin. That plugin had 100,000+ installs at the time and is now up to 200,000+ …

If WPScan Isn’t Reporting a Vulnerability in a WordPress Plugin It Doesn’t Mean It Doesn’t Exist

Recently, WordPress changed their policy on discussing vulnerabilities in plugins on their forum, which is leading to public discussions of the kind that we are frequently party to in private. Among the issues that we have run across are plugin …

How to Avoid Wordfence Premium Price Increase While Getting Better Real-Time Protection for Free

Last week, the WordPress security provider Wordfence announced a significant price increase for their Wordfence Premium service. What they didn’t provide was any explanation of what was causing their cost for the service to increase, which they needed to pass …

Wordfence Isn’t Disclosing They Are Copying (Possibly Inaccurate) Plugin Vulnerability Information From Competitor Patchstack

Less than a month ago, we noted that one provider of data on vulnerabilities in WordPress plugins, Automattic’s WPScan, was copying information from competing providers, including Wordfence, without credit. It turns out that Wordfence is doing the same with another …

Automattic’s WPScan Failed to Catch That WordPress VIP’s Co-Authors Plus Plugin is Still Disclosing Email Addresses

During the summer, WPScan, one arm of Automattic, the company closely associated with WordPress, disclosed a vulnerability in the plugin Co-Authors Plus, which is maintained by another arm of Automattic. WPScan and others in Automattic appear to have failed to look all that …

WordPress Changes Support Forum Policy on Discussing Vulnerabilities, Moderators Still Not Following Their Own Rules

The moderation of the Support Forum for WordPress has long been a mess. That is particularly true when it comes to security. Part of the problem is that it isn’t possible to abide by the rules. There are stated rules …

Wordfence’s Alarmism on Display With “Exploit Attempts”, Which Are Not Really Exploit Attempts

Last week we looked into a false claim made by WordPress security provider Wordfence that a plugin had contained a “critical” security vulnerability. In discussing that, we mentioned someone’s concern related to another situation about Wordfence issuing alarmist warnings: This …

WP File Manager Getting Evidence-Free Blame for Hacked WordPress Websites

Earlier this week we mentioned how GoDaddy’s Sucuri security service isn’t doing basic work to properly clean up hacked WordPress websites. That involved them not trying to figure out how websites are being hacked. They are not alone in that, …

Wordfence Is Failing to Provide Information That Would Help Protect Their Customers Unless Web Hosts Pay Them as Well

Two days ago, we detailed multiple issues with a recently launched service from the WordPress security provider Wordfence, Wordfence Intelligence. There was something we ran across while researching that, which we felt was worth separating out for its own post …

Wordfence Intelligence Vulnerability Data Feed Keeps Looking Worse

Yesterday, we detailed significant discrepancies between the way the WordPress security provider Wordfence marketed their Wordfence Intelligence service and the actual results they are delivering with that. Much of that affects those also relying on their Wordfence Security plugin as …

Sucuri Doesn’t Seem Concerned Their Customers’ Websites Keep Getting Hacked

Last year GoDaddy disclosed a massive security breach of their managed WordPress hosting service, which according to them, impacted 1.2 million of their current and previous customers. They also claimed that customers’ passwords were compromised:

• The original WordPress Admin password …