These Jetpack Security Features Won’t Protect Against the Unfixed SQL Injection Vulnerability They Disclosed
Yesterday, we wrote about how Automattic’s Jetpack has been telling people an authenticated SQL injection vulnerability had been fixed in a WordPress plugin, while the vulnerability still exists. In their post, they recommended that people update the plugin despite that not addressing the issue, but also to have an “established security solution” on their website:
We strongly recommend that you update affected plugins to their respective latest version, and have an established security solution on your site, such as Jetpack Security.
Considering the rather poor state of the security industry, using a security solution because it has been around for a while isn’t actually good advice. That can be highlighted by the previous employer of the author of Jetpack’s post, Sucuri. Here were a couple of recent reviews of that service:
Failed to catch malware and the things they deleted immediately propagated again. They sent us a message saying ‘All Clear’ while I was still looking at issues. Very expensive considering you’ll need to purchase someone else’s service to do their job. Rude support.
We chose the service Sucuri regarding a malware problem on the site – result? They crashed the production site twice without even a single notification beforehand… not able to reproduce, lost time and money. It's a fake service, no idea what they are doing, we have a contract with a 6-hour fix time – 4 weeks without result. IT IS JUST A FAKE SERVICE
That Jetpack hired this person despite their having worked for Sucuri isn’t reassuring.
What you would actually want to look for is a service that provides protection against real threats and evidence of the effectiveness of that protection. That’s where Jetpack’s post takes an odd turn at the end. The final paragraph of the post ends this way:
We recommend that you have a security plan for your site that includes malicious file scanning and backups. Jetpack Security is one great WordPress security option to ensure your site and visitors are safe.
Neither of those things would protect websites from what the unfixed authenticated SQL injection vulnerability in the plugin can be used to do, which is to allow an attacker to read data stored in WordPress’ database. Scanning for malicious files and making backups won’t stop a hacker from exploiting the vulnerability, and neither will undo the impact, since the data has already been read. Making sure the vulnerability didn’t exist or stopping attacks would protect websites. Jetpack at least failed on the first front here.
Jetpack’s explanation of what could happen through this vulnerability is another example of why using an established security solution isn’t a good way to choose what to use (and a good indication that avoiding hiring Sucuri employees wouldn’t be a good idea). They wrote this:
Since shortcodes can be rendered by any logged-in users, like subscribers, this enables low-privileged attackers to leak sensitive information from the database, like usernames and hashed passwords.
The first parts of that are correct, but WordPress usernames are not considered a secret, much less sensitive. Access to hashed passwords isn’t a big risk unless a weak password is used, which would be a problem even without the SQL injection vulnerability. Those are things that someone working in WordPress security should know, and even more so someone who is being allowed to write about it for a security provider.
Previously we quoted the end of Jetpack’s final paragraph. Here was the first part of it that we left out:
At Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities.
As already noted, they failed to even make sure the vulnerability they disclosed had been fully fixed, which is partially caused by not doing the work they should have done. Jetpack gets its plugin vulnerability data from another Automattic brand, WPScan, which has a long-established record of inaccurately claiming that vulnerabilities have been fixed when they haven’t, because they don’t do the needed work. And as we already noted, the two features they cited of their solution wouldn’t protect you against this vulnerability either.