Wordfence Security Still More Than Doubles Peak Memory Usage Over WordPress By Itself

In October 2021, we found that the Wordfence Security plugin for WordPress more than doubled the peak memory usage over WordPress by itself. That compared to a minimal memory increase by the two WordPress firewall plugins that provided more protection …

Despite Having “Impeccable” WordPress Plugin Vulnerability Data, Wordfence Deletes False Claim of Unfixed Vulnerability in Gutenberg

Recently the CEO of Wordfence, Mark Maunder, responded to us noting that Wordfence’s data on WordPress plugin vulnerabilities is “often quite inaccurate and not a reliable source” by saying that their “data is impeccable.” To claim that their data is …

Hacker Targeted WordPress Plugin Returns to Plugin Directory Without Update For Exploitable Vulnerability

For years, the handling of security of the WordPress Plugin Directory has been rather poor, caused by a multitude of issues. In addition to the problems with their handling of security, there hasn’t been a willingness to work with the …

Elementor Issues Second Fix for Authenticated Arbitrary File Upload Vulnerability

Yesterday, we covered a security fix issued for the 5+ million install WordPress plugin Elementor for an authenticated arbitrary file upload vulnerability. That happened in version 3.18.1. Today, a second fix was released in the next version, 3.18.2. The changelog acknowledges …

The X-XSS-Protection Security Header Won’t Provide Protection Against XSS Attacks on Your WordPress Website

Last week, we looked at so-called Advanced XSS Protection offered by a 1+ million install WordPress plugin, which turned out to not provide protection, advanced or otherwise. That involved, in part, the security header X-XSS-Protection, which it seems worth going …

Contrary to Claims by Patchstack and Wordfence the Gutenberg Plugin Doesn’t Contain an Authenticated XSS Vulnerability

Recently there have been conversations popping up over a claim made by the WordPress security provider Wordfence that the Gutenberg plugin contains an authenticated persistent cross-site scripting (XSS) vulnerability. On Reddit there were a couple of recent conversations, where …

Wordfence’s “Highly Credentialed and Industry-Leading Vulnerability Researchers and Analysts” Don’t Understand Local File Inclusion

Last week we noted how the WordPress security provider Wordfence was criticizing another provider of WordPress plugin vulnerability data for doing something they also do. That situation involved them mislabeling a security issue as a vulnerability in the very popular …

Security Provider CloudFlare Providing Service for Phishing Campaign Targeting WordPress Websites

A recent phishing campaign is targeting administrators of WordPress websites, trying to get them to install malicious code on websites. The phishing campaign was reported to be using the domain name en-gb-wordpress.org. The domain name servers for that belong to …

Wordfence Premium Added “Real-Time Firewall Protection” for Plugin Vulnerability Over Two Months After It Was Disclosed

In the middle of August, we publicly warned that the WordPress plugin WooODT Lite contained an authenticated option update vulnerability, which would allow logged-in attackers to change arbitrary WordPress options (settings). The possibility of the vulnerability was flagged by proactive …

Disabled Protection in WordPress Firewall Plugin With Only 10+ Installs Provides 5th Best Zero-Day Protection

One method we have to measure the protection that WordPress firewall plugins offer is part of the regression testing software for our own firewall plugin. That software allows us to make sure the default protection against zero-days, which are vulnerabilities …

Latest Release of Contact Form 7 Didn’t Actually Fix Authenticated (Editor+) Arbitrary File Upload Vulnerability

Recently, the WordPress security provider Wordfence was criticizing another provider, Patchstack, for incentivizing low quality claims of vulnerabilities in WordPress plugins: “There are an extremely high number of low risk and low quality vulnerabilities being submitted to databases like Patchstack,” …

Developer of Solid Security Thinks That Their Plugin Shouldn’t Be Easier To Secure Than Chrome Web Browser

This week we have covered plenty of questionable behavior by the developer of the 900,000+ install WordPress security plugin Solid Security. From focusing their plugin on a non-existent threat to responding to the plugin failing to prevent an infection by …

Siteground’s Security Plugin’s Advanced XSS Protection Isn’t Protection, Advanced or Otherwise

SiteGround recently rebranded their SiteGround Security plugin for WordPress to Security Optimizer. That plugin has 1+ million installs according to WordPress.org stats. Like a lot of security plugins, the developer makes strong claims about what it offers. They start their …

Developer Responds to Solid Security Pro Not Preventing Infection by Claiming It is Focused on Malware Prevention

A recent negative review of the WordPress security plugin Solid Security claimed that the reviewer was using the Pro version and “my website was infected while this plugin was installed, so it was not really helpful to prevent the infection.” …

900,000+ Install WordPress Security Plugin Solid Security Focused on Non-Existent Threat

Recently the WordPress security plugin iThemes Security, less popular than it used to be but still used on at least 900,000 websites, was rebranded as Solid Security. Alongside that came new marketing for the plugin. The previous marketing was not …

Patchstack’s Plugin Vulnerability Data Continues to Not Be Impeccable Either

There are many sources for data on WordPress plugin vulnerabilities. Or there appears to be. In reality, most sources are simply copying their data from the others. The results of that are often quite poor, which the providers simply deny. …

What Impact Does Two-Factor Authentication (2FA) Have On Hackings Through WordPress Plugin Vulnerabilities?

On the WordPress Support Forum, someone asked not that long ago if two-factor authentication (2FA) would prevent websites from being hacked through security flaws in WordPress plugins. It’s a good question, and another security provider didn’t really answer it. For …

WordPress Firewall Plugins Protect Against Vulnerability Without Rule Needed for Wordfence Security To Do That

Last week, we noted that the marketing for the Wordfence Security plugin was promoting its firewall as being the industry leader, despite that not being supported by them with anything whatsoever and objective testing showing that being far from the …