Despite Having “Impeccable” WordPress Plugin Vulnerability Data, Wordfence Deletes False Claim of Unfixed Vulnerability in Gutenberg

Recently the CEO of Wordfence, Mark Maunder, responded to us noting that Wordfence’s data on WordPress plugin vulnerabilities is “often quite inaccurate and not a reliable source” by saying that their “data is impeccable.” To claim that their data is

Hacker Targeted WordPress Plugin Returns to Plugin Directory Without Update For Exploitable Vulnerability

For years, the handling of security of the WordPress Plugin Directory has been rather poor, caused by a multitude of issues. In addition to the problems with their handling of security, there hasn’t been a willingness to work with the

Elementor Issues Second Fix for Authenticated Arbitrary File Upload Vulnerability

Yesterday, we covered a security fix issued for the 5+ million install WordPress plugin Elementor for an authenticated arbitrary file upload vulnerability. That happened in version 3.18.1. Today, a second fix was released in the next version, 3.18.2. The changelog acknowledges

The X-XSS-Protection Security Header Won’t Provide Protection Against XSS Attacks on Your WordPress Website

Last week, we looked at the so-called Advanced XSS Protection offered by a 1+ million install WordPress plugin, which turned out to not provide protection, advanced or otherwise. That involved, in part, the security header X-XSS-Protection, which it seems worth going

Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability

Recently there have been conversations popping up over a claim made by the WordPress security provider Wordfence that the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations, where

WordPress Security Optimizer Firewall Review: It Doesn’t Actually Contain One

Recently SiteGround rebranded their SiteGround Security plugin as Security Optimizer. Along with that new name came new marketing. While the new marketing text for it on the WordPress Plugin Directory doesn’t mention that it contains a firewall, it wouldn’t be

Wordfence’s “Highly Credentialed and Industry-Leading Vulnerability Researchers and Analysts” Don’t Understand Local File Inclusion

Last week we noted how the WordPress security provider Wordfence was criticizing another provider of WordPress plugin vulnerability data for doing something they also do. That situation involved them mislabeling a security issue as a vulnerability in the very popular

Security Provider CloudFlare Providing Service for Phishing Campaign Targeting WordPress Websites

A recent phishing campaign is targeting administrators of WordPress websites, trying to get them to install malicious code on their websites. The phishing campaign was reported to be using the domain name en-gb-wordpress.org. The domain name servers for that belong to

Wordfence Premium Added “Real-Time Firewall Protection” for Plugin Vulnerability Over Two Months After It Was Disclosed

In the middle of August, we publicly warned that the WordPress plugin WooODT Lite contained an authenticated option update vulnerability, which would allow logged-in attackers to change arbitrary WordPress options (settings). The possibility of the vulnerability was flagged by proactive
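To make the vulnerability class concrete, here is an added illustration of an authenticated option update vulnerability in a WordPress AJAX handler, with a hardened version beside it. This is example code written for this page, not code from WooODT Lite or any other plugin; the hook names, option names, nonce action and capability are hypothetical.

```php
<?php
// Added illustration (not WooODT Lite's code): an AJAX handler that lets any
// logged-in user update arbitrary WordPress options, beside a hardened version.
// Hook names, option allowlist and nonce action are hypothetical.

// VULNERABLE: the wp_ajax_ hook is reachable by every logged-in user, and the
// handler performs no capability check, no nonce check, and takes the option
// name straight from the request.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_vulnerable' );
function example_save_setting_vulnerable() {
    $name  = isset( $_POST['option'] ) ? wp_unslash( $_POST['option'] ) : '';
    $value = isset( $_POST['value'] )  ? wp_unslash( $_POST['value'] )  : '';
    update_option( $name, $value ); // e.g. option=users_can_register&value=1
    wp_send_json_success();
}

// HARDENED: require the manage_options capability, verify a nonce, and accept
// only option names from a fixed allowlist, each with its own sanitiser.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_delivery_cutoff' => 'absint',
    'example_notice_text'     => 'sanitize_text_field',
);

add_action( 'wp_ajax_example_save_setting_safe', 'example_save_setting_hardened' );
function example_save_setting_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_save_setting', 'nonce' );

    $name = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! array_key_exists( $name, EXAMPLE_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $sanitize = EXAMPLE_ALLOWED_OPTIONS[ $name ];
    $value    = $sanitize( isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '' );

    update_option( $name, $value );
    wp_send_json_success();
}
```

The impact of the vulnerable form is why this class matters: a subscriber-level account can set `users_can_register` to 1 and `default_role` to `administrator`, then register a new administrator account. The hardened form closes all three gaps at once; a capability check alone is not enough, since without the nonce a logged-in administrator can still be driven to the endpoint via cross-site request forgery.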

Disabled Protection in WordPress Firewall Plugin With Only 10+ Installs Provides 5th Best Zero-Day Protection

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities

Latest Release of Contact Form 7 Didn’t Actually Fix Authenticated (Editor+) Arbitrary File Upload Vulnerability

Recently, the WordPress security provider Wordfence was criticizing another provider, Patchstack, for incentivizing low quality claims of vulnerabilities in WordPress plugins: “There are an extremely high number of low risk and low quality vulnerabilities being submitted to databases like Patchstack,”

Developer of Solid Security Thinks That Their Plugin Shouldn’t Be Easier To Secure Than Chrome Web Browser

This week we have covered plenty of questionable behavior by the developer of the 900,000+ install WordPress security plugin Solid Security. From focusing their plugin on a non-existent threat to responding to the plugin failing to prevent an infection by

Siteground’s Security Plugin’s Advanced XSS Protection Isn’t Protection, Advanced or Otherwise

SiteGround recently rebranded their SiteGround Security plugin for WordPress to Security Optimizer. That plugin has 1+ million installs according to WordPress.org stats. Like a lot of security plugins, the developer makes strong claims about what it offers. They start their

Developer Responds to Solid Security Pro Not Preventing Infection by Claiming It is Focused on Malware Prevention

A recent negative review of the WordPress security plugin Solid Security claimed that the reviewer was using the Pro version and “my website was infected while this plugin was installed, so it was not really helpful to prevent the infection.”

Solid Security Firewall Review: It Doesn’t Contain One and Doesn’t Prevent Exploitation of Plugin Vulnerabilities

Recently, the iThemes Security plugin was rebranded as Solid Security. Alongside that came new misleading marketing about what protection it offers. Among those is the claim that “Solid Security shields your site from cyberattacks and prevents security vulnerabilities.” They also