Currently, in our dataset of vulnerabilities in WordPress plugins, there are plugins with at least 8.16 million active installs that are still available through the WordPress Plugin Directory despite the plugins being known to contain security vulnerabilities. That is a Continue reading WordPress Plugin Returns to Plugin Directory Without Vulnerability Being Resolved
During the weekend, third-party data we monitor recorded what appeared to be a hacker probing for usage of the WordPress plugin ContentStudio. The requests are looking for the plugin’s readme.txt file: /wp-content/plugins/contentstudio/readme.txt [Read more] ShareTweetSharePostSharePin It!
Wordfence 7.8.0 is out! A huge thanks to our quality assurance team, our team of developers and our ops team for planning, implementing and releasing Wordfence 7.8.0. This release has several fixes to make Wordfence even more robust, and includes Continue reading Wordfence 7.8.0 Is Out! Here Is What Is Included
CVE is a program that is supposed to provide unique identifiers for vulnerabilities and as we will get to shortly, it also is a path for directing software vulnerability reports away from developers to at least one security company selling Continue reading CISA Provides No Explanation for Sponsoring Program That Directs Vulnerability Report Info to Hackers
When setting up a WordPress website, it is easy to focus on the look and feel of the website, while overlooking the important aspect of security. This makes sense, because the security of a website is largely invisible until something Continue reading Not Just for the Government: Using the NIST Framework to Secure WordPress
Recently, we have covered multiple instances where the WordPress security provider Wordfence was falsely claiming that WordPress plugins contain “critical” vulnerabilities, despite there being no vulnerability. That is despite them marketing one of their services, Wordfence Intelligence, partly based on Continue reading Wordfence Falsely Claims WordPress Plugin Contains a “Critical” Vulnerability Because It Confused it With Another Plugin
Last week, the WordPress security provider Wordfence announced a significant price increase for their Wordfence Premium service. What they didn’t provide was any explanation of what was causing their cost for the service to increase, which they needed to pass Continue reading How to Avoid Wordfence Premium Price Increase While Getting Better Real-Time Protection for Free
Less than a month ago, we noted that one provider of data on vulnerabilities in WordPress plugins, Automattic’s WPScan, was copying information from competing providers, including Wordfence, without credit. It turns out that Wordfence is doing the same with another Continue reading Wordfence Isn’t Disclosing They Are Copying (Possibly Inaccurate) Plugin Vulnerability Information From Competitor Patchstack
Last week we looked into a false claim made by WordPress security provider Wordfence that a plugin had contained a “critical” security vulnerability. In discussing that, we mentioned someone’s concern related to another situation about Wordfence issuing alarmist warnings: This Continue reading Wordfence’s Alarmism on Display With “Exploit Atttempts”, Which Are Not Really Exploit Attempts
It has been over 6 years since we last raised our prices. Since then our team has more than doubled in size and we have introduced significant improvements to the core Wordfence product, launched a range of free and paid Continue reading Wordfence Premium Price Increase Coming in December – The First Since 2016
Two days ago, we detailed multiple issues with a recently launched service from the WordPress security provider Wordfence, Wordfence Intelligence. There was something we ran across while researching that, which we felt was worth separating out for its own post Continue reading Wordfence Is Failing to Provide Information That Would Help Protect Their Customers Unless Web Hosts Pay Them as Well
While performing routine security research, one of our threat analysts discovered the latest version of a Command and Control (C2) script, which is referred to as F-Automatical within the script’s code and was commonly known as FoxAuto in older versions. Continue reading What Does The Fox Hack? Breaking Down the Anonymous Fox F-Automatical Script
Yesterday, we detailed significant discrepancies between the way the WordPress security provider Wordfence marketed their Wordfence Intelligence service and the actual results they are delivering with that. Much of that affects those also relying on their Wordfence Security plugin as Continue reading Wordfence Intelligence Vulnerability Data Feed Keeps Looking Worse
In August, the WordPress security provider Wordfence announced a new service named Wordfence Intelligence with a lot of lofty claims about the service and what they were already providing. What was lacking is evidence that it delivers on the promises Continue reading Wordfence Intelligence Doesn’t Deliver on Its Promises
The Wordfence Threat Intelligence team has been monitoring exploit attempts targeting two zero-day vulnerabilities in Microsoft Exchange Server tracked as CVE-2022-41040 and CVE-2022-41082, collectively known as ProxyNotShell. These vulnerabilities are actively being exploited in the wild. At the time of Continue reading Two Weeks of Monitoring ProxyNotShell (CVE-2022-41040 & CVE-2022-41082) Threat Activity
In our monitoring of the WordPress Support Forum for discussions possibly discussing WordPress plugin vulnerabilities, we have recently been seeing a lot of topics involving vague claims coming from the WordPress security provider Wordfence, through their Wordfence Security plugin, that Continue reading Wordfence is Claiming That WordPress Plugin Has Vulnerability Despite Having No Idea if That is True
The WordPress security provider Wordfence claims to engage in responsible disclosure of vulnerabilities: Wordfence has been performing successful vulnerability research and responsible disclosure for over a decade. [Read more] ShareTweetSharePostSharePin It!
Companies operating in the WordPress space have to deal with a problematic situation. While WordPress is promoted as an open source community, the head of WordPress, Matt Mullenweg, uses his various entities to exert control and influence over the community Continue reading Automattic’s Idea of Coopetition Involves Copying Data From Competitors Without Credit
October is National Cyber Security Awareness Month in the U.S., and this year’s theme is “See Yourself in Cyber.” What is really being said by this theme is that we all have a role to play in cyber security, whether Continue reading National Cyber Security Awareness Month: You Could Be the Biggest Threat to Your WordPress Site
Wordfence 7.7.0 has just been released and as usual, it includes several awesome enhancements and updates for our security conscious WordPress publishers and e-commerce websites. This post goes into a little more detail on each change we’ve included. We don’t Continue reading Wordfence 7.7.0 Is Out! Here Are The Changes