
WordPress Plugin Developers Need to Make Sure Their Nonce Checks Both Work if a Nonce Isn’t Sent or if the Nonce is Wrong

Yesterday, we released the results of a security review we did of a WordPress plugin. What we found while reviewing the changes made to address the problems we had found is a good reminder that security fixes need to be…

Many CVE Records Are Listing the Wrong Versions of Software as Being Affected

A couple of weeks ago, Bleeping Computer ran a story claiming that over 150,000 websites were vulnerable due to a vulnerability that had been in a WordPress plugin. That count was based in part on believing that all previous…

Eight Months In, Really Simple SSL’s Plugin Vulnerability Data is Claiming That Unfixed Vulnerabilities Have Been Fixed

In May of last year, the 5+ million install WordPress plugin Really Simple SSL added a feature for detection of known vulnerabilities in WordPress plugins. That seems to be unrelated to what is supposed to be the focus on the…

Malcare’s Review of Wordfence Recommends Malcare Instead Without Disclosing They Make It

Those looking for useful security advice for WordPress websites are often running across biased information, where the bias isn’t disclosed. While looking for some information for a post we were writing, we ran across what was claimed to be a…

The Security Industry Isn’t All That Interested in Security

Recently, a high-profile security provider now owned by Google, Mandiant, had their Twitter account taken over by a hacker. While this should probably be a big deal, it isn’t all that surprising considering what Mandiant has become high-profile for. They…

Awesome Motive Is Claiming That Sucuri Is the Best WordPress Security in 2024 Based on Features It Doesn’t Contain

While doing research for a post, we found that the much-maligned Awesome Motive was giving out, no surprise, highly misleading advice to make money for themselves. On one of their websites, they claimed that the Sucuri plugin is the…

Wordfence Is Warning That Vulnerabilities Are Critical When They Are Not

Whether intentionally or not, part of the business model of the developer of the Wordfence Security plugin involves scaring people into buying their services by overstating the risk posed by security issues. The overstated risk was on display in…

Wordfence Didn’t Make Sure Vulnerability in WooCommerce Had Been Fixed (Or That It Even Existed)

Late last week, Wordfence created a mess by claiming there was an unfixed vulnerability in WooCommerce. What that situation showed is they are not doing the work that people clearly believe they are doing. That includes not checking if vulnerabilities…

The WordPress Function sanitize_text_field() Doesn’t Sanitize User Input for SQL Statements

As we warned our customers about last week, a recent update to a WordPress plugin that extends WooCommerce, with 300,000+ installs, tried to fix a SQL injection vulnerability. The developer failed to accomplish that, in part because they were using…

Google’s Search Results for The Best WordPress Security Plugins in 2024 Are as Bad As You Would Expect

Google’s search results have a reputation for being bad these days, and for good reason: they are bad. Take the results we got when doing a search for “best wordpress security plugins 2024”. We got this information directly on the…

Password Strength Doesn’t Matter if a Hacker Knows The Password Because It Was Compromised Through Malware

This past week there was a spate of security stories claiming a high-profile attack had occurred because of a weak password. Take the headline of an Ars Technica story by Dan Goodin, ‘A “ridiculously weak” password causes disaster for Spain’s…

Confusion Over Proper Usage of esc_url_raw() Includes Developers of 1+ and 5+ Million Install WordPress Security Plugins

While working on a security review of a WordPress plugin, we ran across misuse of a WordPress security function, esc_url_raw(). While looking to see if this was a wider issue, we found that a 5+ million install security plugin is…

YouTuber Falsely Claims You Can Easily Prevent WordPress Websites From Getting Hacked With Solid Security

When looking for security advice on WordPress websites, one of the problems you face is the number of affiliate marketers posing as your friend. One recent example we ran across of this involved a YouTuber, WPress Doctor. They released a…

Effective WordPress Security Plugins Cannot Be Replaced With Something You Can Do Manually

Recently, we looked at one inaccurate recommendation by a major web host, SiteGround, suggesting that you shouldn’t use WordPress security plugins that can actually protect against vulnerabilities. Along those same lines, they have some troubling advice when it comes to…

Wordfence Security Firewall Review: Missing a Lot of Protection that Better Options Offer

Like the developers of lots of WordPress security plugins, the developer of Wordfence Security makes a lot of impressive-sounding claims about their plugin and the protection it offers, but notably doesn’t present any evidence to back the claims up.