16 Aug 2021

Why doesn’t WP Tavern want their readers to have accurate information on the state of WordPress security?

One of the biggest impediments to improving the security of WordPress is the sheer amount of misleading and outright false information that exists out there. Take the most popular security-specific WordPress plugin, Wordfence Security, which, as we noted on Friday, is promoted by its developer and by others with the unqualified claim that it stops websites from being hacked. Not only could it not provide that level of protection, but testing confirms that it actually fails to provide the kind of protection it should be able to, and that other security plugins do provide. If people knew the truth, they could be taking advantage of the additional security that other plugins provide. On the developer’s part, they clearly know that what they are saying isn’t true, and that statement isn’t an aberration, as we have repeatedly seen them telling lies that involve overstated claims about the capabilities of their plugin and services.

You would reasonably expect that journalists covering security would be warning the public about a company like that, but what we have found instead is that those journalists often act more as a PR arm of security companies (often dishonest ones) than as journalists. In some cases that is a rather literal situation, as there are multiple security journalism outlets that are publicly acknowledged to be owned by security companies (and another that is no longer acknowledged to be owned by a security company).

The PR arm element of that brings us to something else that happened on Friday: the website WP Tavern published a post by Sarah Gooding about a “mid-year WordPress security report” coming from the aforementioned Wordfence and another company with a long track record of dishonesty. It seems like a bad idea to run with something based on a report from two companies well known to be dishonest, but the post even lacks a basic journalistic element, any perspective from a source unrelated to the people publishing the report. As such, the post reads like something that could have come from the PR department of the companies. Getting an unaffiliated perspective would have been a very good idea, since the resulting post includes numerous elements that need significant qualification at best or shouldn’t be there at all, and arguably the post shouldn’t exist at all, since the underlying information is so unreliable.

In any case, we tried to provide some balance by leaving a comment on Friday that noted a number of the issues. That comment has not been permitted to be shown, but you can read it below.

One thing that we didn’t note, but that should be noted, comes in connection with the issue of the usage of CVSS severity scores. As we noted recently, while Wordfence continues to use those scores, one of their employees publicly admitted that they are misleading. That seems like the sort of thing that should make journalists avoid sourcing things to them, but considering the PR arm element, that seems unlikely to happen.

Another explanation for the increased number of vulnerabilities is that WPScan is inflating their vulnerability count by including many false reports of vulnerabilities. That seems to be a significant number of their new listings. Even if you want to argue they are vulnerabilities, it isn’t significant when a lot of the increase in vulnerabilities are vulnerabilities that can only be exploited by Administrators. It is hard to argue that things are really getting more secure if the vulnerabilities being identified are not really a threat, if vulnerabilities at all. That is especially true when we are frequently running across more serious vulnerabilities that are not being discovered by someone else first. The Wordfence employee quoted should be aware of all that.

While 86 billion login attempts sounds like a lot, spread across 4+ million websites and across half a year, that works out to slightly over 100 login attempts per day per website. That number also indicates that, contrary to what they are claiming, brute force attacks are not occurring. For a six-character password made up of numbers and letters (upper case and lower case) but no special characters, there are over 56 billion combinations. A brute force attack involves trying all possible combinations, so 86 billion login attempts is not even close to the number you would see if those were occurring regularly.

Based on the number of login attempts, the advice to use strong, secure passwords unique to each account is good advice. The others are probably not necessary in that situation. While extra security isn’t a bad idea, it should be balanced against the problems it can introduce. There have been many security issues, including vulnerabilities, found in plugins that implement brute force protection. Also, it should be noted that security companies can have a bias towards promoting security options they offer over simpler options they cannot monetize, like relying on WordPress’ password strength meter.

From what we have seen, CVSS severity scores are, at least, not a reliable measure of the severity of WordPress plugin vulnerabilities, as the scores are too high. A recent vulnerability that couldn’t be exploited by itself and is not likely to be targeted by hackers was rated as having a score of 9.9 out of 10.

The breakdown of vulnerability exploits looks like it needs a big asterisk, as recent testing we have done has shown that Wordfence’s Web Application Firewall doesn’t provide protection for a couple of types of vulnerabilities that have been widely targeted by hackers (you might want to cover that sort of thing), so the results are going to be significantly skewed by what they do and don’t detect. For example, directory traversal is very easy to detect, which can help to explain its prevalence in their numbers.

Finally, contrary to what the Wordfence employee has been seeing, we haven’t seen a change when it comes to plugins having “capability checks and nonce checks in all the right places along with proper file upload validation measures in place”. It would be great if that were true. In fact, we have more possible vulnerabilities to review than we have time to deal with, and when we check things it is very common to see that capability checks and nonce checks are missing.
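To make the “capability checks and nonce checks in all the right places along with proper file upload validation” point concrete, here is an added illustration (not code from the post or from any plugin it names) of a hypothetical admin-ajax handler written the way we commonly find it, beside the same handler with the checks in place; the `myplugin_*` names and option key are made up.

```php
<?php
// Added illustration for the capability/nonce/upload-validation point above; it is
// not code from the post or from any plugin it names. "myplugin_*" names and the
// option key are hypothetical.

// BEFORE: the pattern described as common. Any logged-in user can call the handler,
// there is no nonce check, and the upload is stored with its original name and type.
// (Hook left commented out so only the secure handler is registered in this file.)
// add_action( 'wp_ajax_myplugin_save', 'myplugin_save_insecure' );
function myplugin_save_insecure() {
    update_option( 'myplugin_setting', wp_unslash( $_POST['setting'] ) );
    if ( ! empty( $_FILES['import']['tmp_name'] ) ) {
        move_uploaded_file( $_FILES['import']['tmp_name'],
            WP_CONTENT_DIR . '/uploads/' . $_FILES['import']['name'] );
    }
    wp_send_json_success();
}

// AFTER: capability check, nonce check, input sanitisation and upload validation,
// all with WordPress core functions. The page that sends the request must include a
// nonce created with wp_create_nonce( 'myplugin_save' ) in the "nonce" field.
add_action( 'wp_ajax_myplugin_save', 'myplugin_save_secure' );
function myplugin_save_secure() {
    // 1. Authorisation: only users who may manage options reach the logic.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection: dies unless a valid nonce for this action is supplied.
    check_ajax_referer( 'myplugin_save', 'nonce' );

    // 3. Sanitise before storing.
    $setting = isset( $_POST['setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting'] ) ) : '';
    update_option( 'myplugin_setting', $setting );

    // 4. Upload validation: wp_handle_upload() checks extension and MIME type
    //    against the allow-list, rejects anything else, and stores the file under
    //    a safe name in the uploads directory.
    if ( ! empty( $_FILES['import']['tmp_name'] ) ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
        $upload = wp_handle_upload( $_FILES['import'], array(
            'test_form' => false,
            'mimes'     => array( 'json' => 'application/json' ),
        ) );
        if ( isset( $upload['error'] ) ) {
            wp_send_json_error( $upload['error'], 400 );
        }
    }
    wp_send_json_success();
}
```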
