
How to Replace Overpriced and Ineffective WPScan Based Penetration Testing of WordPress Websites With Cheaper and Better Automated Testing

Last week Bloomberg’s Katrina Manson covered a recommendation from the US Cybersecurity and Infrastructure Security Agency that urged companies to automate threat testing. The story touched on one of the realities of the poor state of security that doesn’t get …

Wordfence and Security Journalists Are Again Creating FUD About the Security of WordPress Websites

Last week numerous news outlets ran scary sounding stories about a claimed security issue in a WordPress plugin. Here are some of the headlines of stories that were included in Google News: WordPress zero-day vulnerability compromised more than 280000 websites: …

Unlike WP Sec, Our Service Actually Determines if Your Site is Using a Known Vulnerable WordPress Plugin

One of the things we do to be able to provide customers of our service with the best information about known vulnerabilities in WordPress plugins is monitoring the WordPress Support Forum for possibly relevant topics. Along with the information …

7G Firewall Tested: It Doesn’t Provide “Powerful” or “Super Strong” Protection

Yesterday, we compared the claims the developer of WordPress security plugin BBQ Firewall makes about its protection to the reality of the very limited protection it provides. The developer of the plugin is also the developer of a set of …

The BBQ Firewall Plugin for WordPress Isn’t a “Powerful WAF”

One of the most recent reviews for the BBQ firewall plugin for WordPress is titled “Not a real firewall..” and the author makes this claim: I had the PRO version and it doesn’t stop the real hacks.

Cloudflare Isn’t Adding New Firewall Rules to Protect Against Vulnerabilities in WordPress Plugins

It isn’t hard to find people citing the Cloudflare service as a good security solution for WordPress websites. What is lacking is any of those people citing evidence that Cloudflare provides effective protection for WordPress websites. If it was an …

Hackers Probably Already Targeting Vulnerability Wordfence Disclosed Despite Fix Not Being Generally Available

Earlier today, Wordfence released an odd post on their blog. In the post they disclosed an incredibly easy to exploit vulnerability in a WordPress plugin named Jupiter X Core, which allows anyone logged in to WordPress to change their …

WordPress Support Forum Moderator Falsely Claims That There Are Not Plugins With Known Unfixed Vulnerabilities in WordPress Plugin Directory

One of the ways we are able to provide our customers with better information on vulnerabilities in WordPress plugins than our competitors is by monitoring the WordPress Support Forum for topics related to that. In addition to information useful for …

Developers of 1+ Million Install WordPress Security Plugin All In One WP Security & Firewall Not Disclosing Change in Ownership

The latest version of the WordPress security plugin All In One WP Security & Firewall fixed a minor security vulnerability. While there is an extensive changelog for that version, there doesn’t appear to be any mention of that. Take a …

A Month Later, WordPress Still Hasn’t Taken Action for Websites With Backdoored Plugin They Distributed

On February 28, we publicly warned that the WordPress plugin Mistape had what appeared to be a backdoor added in its latest release. Part of the code would contact the developer’s website and let them know if the plugin was …

WPScan Issues Two CVE IDs for Same Vulnerability While Failing to Warn for 7 Months That It Was Unfixed

On August 9, 2021, a security update was released for the WordPress plugin Favicon by RealFaviconGenerator, which has 200,000+ installs. The changelog for that was: Fix XSS security issue, reported by WPSpan.com. See https://wpscan.com/vulnerability/ed9d26be-cc96-4274-a05b-0b7ad9d8cfd9?fbclid=IwAR2aRMXRjbGm9ppoI9tM-OHm26Q0ax4yt0MkcP5sp0-pz9D4eVIEHQwvG1Y

Patchstack, cPanel, and Plesk Falsely Claimed Fixed Vulnerability in WordPress Plugin Hadn’t Been Fixed

Among the many problems caused by the WordPress security industry is plugin developers having to deal with false claims that plugins are vulnerable. An example of that involved not just a WordPress security player, but two major names in the …

GoDaddy (Through Sucuri) Spreads Misinformation About Recently Fixed Vulnerabilities in All in One SEO

A month ago, GoDaddy was in the news after announcing a data breach of information for customers using their managed WordPress hosting service. What was lacking in the coverage of that is that GoDaddy owns a major web security provider, …

Our Firewall Plugin Provides What Malcare Claims Isn’t Available in a WordPress Security Plugin

Malcare is like a lot of providers in the WordPress security space: they make extraordinary claims that don’t really make a lot of sense if you have a basic grasp of security. Either the people behind those providers don’t understand …