Wordfence – Page 3

Demystifying the WordPress Vulnerability Landscape: 2023 Mid-Year Wordfence Intelligence WordPress Vulnerability Review Leveraging ChatGPT

Posted on 7 August 2023 by

In the first 6 months of 2023, our team has already added 2,471[1] individual vulnerability records to the Wordfence Intelligence WordPress Vulnerability Database. These vulnerabilities affected 1,680[2] WordPress software components. This means we have already surpassed the total number of Continue reading Demystifying the WordPress Vulnerability Landscape: 2023 Mid-Year Wordfence Intelligence WordPress Vulnerability Review Leveraging ChatGPT→

Wordfence Has Also Been Falsely Claiming That WordPress Plugins Contain Vulnerabilities

Posted on 27 July 2023 by

Yesterday and today we have been documenting an absolute mess in the WordPress security space. The developer of the Freemius library, which is widely used in WordPress plugins, was warned by us in February of last year of a security Continue reading Wordfence Has Also Been Falsely Claiming That WordPress Plugins Contain Vulnerabilities→

Wordfence Doesn’t Admit That WordPress Had Already Provided Protection for “Massive Exploit Campaign” Before Them

Posted on 19 July 2023 by

Where WordPress firewall plugins are really useful is for providing protection before a vulnerability is known about, as at that point they can offer protection that other solutions can’t. That was on display with a recent widely exploited zero-day that Continue reading Wordfence Doesn’t Admit That WordPress Had Already Provided Protection for “Massive Exploit Campaign” Before Them→

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Posted on 30 June 2023 by

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping Continue reading NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day→

Inaccurate Claims About Security Impact of Changing WordPress Database Prefix Highlighted With Exploited Zero Day

Posted on 29 June 2023 by

A basic rule of security is that if you know a lot, you don’t know much. Those knowledgeable about security try to be careful about what they say, as they realize they might not know everything. A lot of WordPress Continue reading Inaccurate Claims About Security Impact of Changing WordPress Database Prefix Highlighted With Exploited Zero Day→

Wordfence 7.10.0 Released!

Posted on 21 June 2023 by

Wordfence remains the number one security plugin of choice for website owners serious about protecting their investment and their customers. Our Threat Intelligence team and engineering team stay abreast of the newest threats and ensure that Wordfence is able to Continue reading Wordfence 7.10.0 Released!→

Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are

Posted on 9 June 2023 by

Recently Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin. That being, as they put it, an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent Continue reading Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are→

Wordfence Security Returns to Third Place in May Test of WordPress Security Plugins’ Zero-Day Protection

Posted on 1 May 2023 by

While developing our WordPress firewall plugin, we created regression testing software to make sure that, as we updated that; we didn’t break existing protection, which is something at least one other developer hasn’t done. What we realized once we started Continue reading Wordfence Security Returns to Third Place in May Test of WordPress Security Plugins’ Zero-Day Protection→

Not Really a WordPress Plugin Vulnerability, Week of April 28

Posted on 28 April 2023 by

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of April 28→

Wordfence Security Improperly Blocks WordPress Users From Uploading Files

Posted on 25 April 2023 by

When considering WordPress firewall plugins, it is important to consider not only the protection they can provide, but also whether they cause unnecessary problems. On both counts, the most popular security-only WordPress plugin, Wordfence Security, does worse than other options. Continue reading Wordfence Security Improperly Blocks WordPress Users From Uploading Files→

Hacker Targeting Unfixed WordPress Plugin Vulnerability That CVE and Others Claim Has Been Fixed

Posted on 20 April 2023 by

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Earlier this month, we noted that the hacker was targeting a plugin that had an unfixed known Continue reading Hacker Targeting Unfixed WordPress Plugin Vulnerability That CVE and Others Claim Has Been Fixed→

Post Action Report: Bad Firewall Rule Released to WPEngine Customers Wednesday

Posted on 14 April 2023 by

On Wednesday afternoon a small percentage of WPEngine websites using a paid version of Wordfence experienced a 500 Internal Server Error or white screen on their sites due to an erroneous firewall rule that we released. If you have experienced Continue reading Post Action Report: Bad Firewall Rule Released to WPEngine Customers Wednesday→

Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory

Posted on 10 April 2023 by

A week ago, we wrote about how a WordPress plugin being targeted by a hacker had remained in the WordPress Plugin Directory despite having an unfixed vulnerability that hackers would target. We had noted that the WordPress security provider Wordfence Continue reading Wordfence’s Idea of Responsible Disclosure Involves Leaving Very Vulnerable Plugins in WordPress Plugin Directory→

WordPress Plugin With Unfixed Vulnerability Targeted by Hacker Remains in Plugin Directory

Posted on 3 April 2023 by

For some time, we have been seeing a hacker probing for the usage of various WordPress plugins with known vulnerabilities across numerous websites. Many of those vulnerabilities have been SQL injection vulnerabilities. Over the weekend we saw them looking for Continue reading WordPress Plugin With Unfixed Vulnerability Targeted by Hacker Remains in Plugin Directory→

Patchstack is Falsely Claiming a “High Severity” Vulnerability Exists in a WP Plugin Based on Inaccurately Copied Info From Wordfence

Posted on 15 March 2023 by

Providing accurate information on vulnerabilities in WordPress plugins can require a lot of work, but doing the work avoids causing false alarms for users of plugins and for the developers of them. Unfortunately, security companies can cut corners, claim to Continue reading Patchstack is Falsely Claiming a “High Severity” Vulnerability Exists in a WP Plugin Based on Inaccurately Copied Info From Wordfence→

Wordfence’s Solution to Their Firewall Incorrectly Blocking Legitimate Request is to Disable Needed Protection

Posted on 14 March 2023 by

In our testing, the most popular security-only WordPress security plugin Wordfence Security fails to provide as much protection as other much less popular security plugins. Making the situation worse is that it introduces a significant performance penalty over security plugins Continue reading Wordfence’s Solution to Their Firewall Incorrectly Blocking Legitimate Request is to Disable Needed Protection→

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

Posted on 13 March 2023 by

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, Continue reading Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability→

Wordfence Intelligence: Because Community Created Vulnerabilities Are Community Property

Posted on 7 March 2023 by

Last year in August, at Black Hat 2022 in Las Vegas, we launched Wordfence Intelligence, a product designed to provide large enterprise customers with rich IP threat data, malware signatures, malware hashes, and vulnerability data to help keep enterprise customers and Continue reading Wordfence Intelligence: Because Community Created Vulnerabilities Are Community Property→

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Posted on 6 March 2023 by

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things Continue reading Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It→

Wordfence WooCommerce 2FA: Set Up This New Feature To Protect Your Customers

Posted on 1 March 2023 by

On February 15, we made the exciting announcement that the latest release of Wordfence, version 7.9.0, includes a new feature: WooCommerce 2FA (two-factor authentication) for customer level users. What does this mean for you as an e-commerce store operator? And Continue reading Wordfence WooCommerce 2FA: Set Up This New Feature To Protect Your Customers→