WordPress Plugin Developers Still Have to Wait Nearly Two Months for Review When Submitting New Plugin

In September, the WP Tavern covered a backlog for those submitting new WordPress plugins to the WordPress Plugin Directory this way: WordPress’ Plugin Review Team continues to dig out from under a massive backlog that has grown to 1,260 plugins

Wordfence Premium Adding Firewall Rules for Vulnerabilities in Under 10 Plugins a Month

It’s common for critics of the Wordfence Security plugin to claim it isn’t useful unless you are using the companion Wordfence Premium service because new rules for the firewall are only provided to paying customers for the first 30 days

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that

WordPress Stops Disclosing if Plugin Directory Team Works for Automattic After at Least Two Employees Secretly Joined Team

In October 2022, after a very questionable action taken by the team running WordPress’ Plugin Directory that was alleged by some to have been done to the benefit of the for-profit company from the head of WordPress, we noted that

SiteGround Recommends Against Using WordPress Security Plugins That Actually Protect Against Vulnerabilities

A short time ago, we looked at how a feature of SiteGround’s recently rebranded WordPress plugin, Security Optimizer, didn’t really provide the advanced protection against cross-site scripting (XSS) promised, or any protection for that matter. While looking into their

Hacker Tries to Exploit Fake Vulnerability 11 Years After It Was Falsely Claimed to Exist

One method we have for monitoring what vulnerabilities in WordPress plugins hackers are trying to exploit is allowing users of our firewall plugin to report hacking attempts blocked by our firewall that we haven’t already logged as being known about.

SiteGround’s Response to Their WordPress Plugins’ Tracking in Violation of WordPress Guidelines is to Continue Doing It

Last Friday, we noted that a major web host, SiteGround, was using their two 1+ million install WordPress plugins to collect data on websites using them in violation of the guidelines of the WordPress Plugin Directory by doing that without

Many Reputable WordPress Security Plugins Won’t Protect Your Website From a Vulnerable Plugin

There is lots of advice out there on dealing with the security risk posed by WordPress plugins, much of it written by people who likely don’t have your best interest at heart when providing it. Take one example we

NinjaFirewall’s Rule For Vulnerability Doesn’t Really Add Much Protection

We recently looked at yet another example of the limited value that rules written for specific WordPress plugin vulnerabilities offered with the Wordfence Security plugin. But what about the other firewall plugin that has rules being written for it, NinjaFirewall?

SiteGround’s 1+ Million Install WordPress Plugins Also Contain Apparently Inadvertent Tracking

On Friday, we noted the web host SiteGround’s 1+ million install WordPress plugins, Security Optimizer and Speed Optimizer, are collecting a lot of website data from those installing the plugin without consent. That is in violation of the guidelines of

Developer of 1+ Million Install Security WordPress Plugin Lacks Conceptual or Practical Understanding of WordPress Security

Two weeks ago we looked at how a feature of web host SiteGround’s recently rebranded WordPress plugin, Security Optimizer, didn’t really provide the advanced protection against cross-site scripting (XSS) promised, or any protection for that matter. Their response to that

Two 1+ Million WordPress Plugins From SiteGround, Sponsor of Plugin Review Team Rep, Collecting Website Data Without Consent

Guideline 7 of the WordPress Plugin Directory’s Detailed Plugin Guidelines, “Plugins may not track users without their consent”, states that an example of a violation would be “Automated collection of user data without explicit confirmation from the user.” That is

Wordfence Call CSRF Vulnerabilities “Low Risk” While Criticizing Competitor After Previously Calling Them “High Severity”

Recently, the CEO of the WordPress security provider Wordfence, Mark Maunder, was criticizing a competitor over a bug bounty program that caused cross-site request forgery (CSRF) vulnerabilities to be found, while he was promoting Wordfence’s own bug bounty program. He

NinTechNet’s Website Security Scanner Isn’t a Good Option for Testing the Security Provided by WordPress Firewall Plugins

When it comes to testing the protection offered by WordPress security plugins, we seem to be alone in doing that, which isn’t good. We had someone contact us not that long ago who was complaining about the accuracy of

SiteGround Labels Their WordPress Security Plugin as Web Application Firewall (WAF) Despite Not Having One

When it comes to the WordPress Plugin Directory, security isn’t being handled well. Earlier this week we noted how a plugin was allowed back into that despite not having come close to properly resolving a serious security vulnerability that

WordPress Plugin Developers Continue to Make Additional Attempts to Fix Vulnerabilities Without Disclosing It

Last month we wrote about how one of our competitors in providing data on vulnerabilities in WordPress plugins was copying inaccurate data from another provider. That involved a vulnerability in a plugin named Auto Affiliate Links, which hadn’t been fully

How WordPress Firewall Plugins Could Have Stopped Recently Fixed Vulnerability in Elementor

Last week, we took a look at the first and second attempts to fix an authenticated arbitrary file upload vulnerability in the 5+ million install WordPress plugin Elementor. With a situation like that, one of the questions for security providers

Wordfence Security Still More Than Doubles Peak Memory Usage Over WordPress By Itself

In October 2021, we found that the Wordfence Security plugin for WordPress more than doubled the peak memory usage over WordPress by itself. That compared to a minimal memory increase by the two WordPress firewall plugins that provided more protection

Despite Having “Impeccable” WordPress Plugin Vulnerability Data, Wordfence Deletes False Claim of Unfixed Vulnerability in Gutenberg

Recently the CEO of Wordfence, Mark Maunder, responded to us noting that Wordfence’s data on WordPress plugin vulnerabilities is “often quite inaccurate and not a reliable source” by saying that their “data is impeccable.” To claim that their data is