29 Apr 2019

Security Journalists' Odd Treatment of Proof of Concepts for WordPress Plugin Vulnerabilities

We think that good security journalism is something that could greatly help to improve the poor state of not just the security surrounding WordPress plugins, but security in general. Unfortunately, what we have found is that security journalists almost uniformly seem to do a very bad job. As a less serious example of that, recently we have seen odd responses from security journalists to us including proof of concepts with vulnerabilities we are disclosing.

Some of that seems like it could be originating with the security company behind the Wordfence Security plugin, Defiant, who make claims like this (while waiting until after vulnerabilities are widely exploited to warn people that they are using plugins likely to be exploited, which is too late): [Read more]

11 Apr 2019

Why Are Journalists Spreading Wordfence’s (aka Defiant’s) Lies About Us?

Here’s a timeline of the recent situation with the WordPress plugin Related Posts (Yuzo Related Posts):

Yet here was Lawrence Abrams at the Bleeping Computer yesterday: [Read more]

19 Nov 2018

The Data in the WPScan Vulnerability Database Is Definitely Not Confirmed/Validated

Among the many lies told by the company behind the very popular WordPress security plugin Wordfence Security, Defiant, one that really stands out to us personally is a lie they told that relates to something that, as far as we are aware, we uniquely do when it comes to collecting data on vulnerabilities in WordPress plugins. In response to a complaint about the data they use in trying to tell people if an update to a plugin is a security update, they claimed to rely on “confirmed/validated” data for that. In truth their source, the WPScan Vulnerability Database, explicitly notes that they haven’t verified the vulnerabilities in their data set. As far as we are aware we are the only ones that actually do the work it takes to confirm and validate vulnerabilities, which provides our customers with higher quality data and doesn’t leave them unaware that vulnerabilities haven’t actually been fixed. We recently ran across an instance where the WPScan Vulnerability Database clearly didn’t do that work, where we had at first thought that maybe we had missed something that we should have noticed.

Back on October 29 we wrote a post detailing an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin AMP for WP – Accelerated Mobile Pages, which had been fixed, but the plugin was closed on the Plugin Directory, so it wouldn’t have been easy to update to a fixed version (though we were available to help our customer do that). Then on November 5 we noted that hackers look to have already started probing for usage of the plugin, which was a concern since the plugin still had not been restored to the Plugin Directory. [Read more]

16 Nov 2018

No Ninja Forms, Wordfence Security is Not Trustworthy and Blacklisting IP Addresses Doesn’t Provide Effective Protection

When it comes to choosing security products and services, what is lacking is nearly any evidence that they are effective, while at the same time there is plenty that shows that many of them are not. For example, over at our main business we regularly have people asking if we offer one that will really protect their website from being hacked after the one they were using didn’t prevent their website from being hacked. So why would people be using those if there isn’t evidence that they work? One of the reasons we have heard from people we have dealt with that have had their websites hacked is that they are using products and services based on the recommendation of others. Since those recommendations are not going to be based on evidence, since there is a dearth of that, not surprisingly a lot of that advice is quite bad. Take as an example of that bad advice the most recent post on the blog of the Ninja Forms plugin, which is used on 1+ million websites. We ran across that while looking to see if they had released a post on the vulnerability fixed a couple of days ago, when we were detailing that.

Right off the bat the post, 5 WordPress Security Plugins to Keep You Safe, puts forward the proposition that the Wordfence Security plugin is trustworthy, which seems to be disputed by reality. The post claims the Wordfence Security plugin is “one of the most trusted security plugins for WordPress”. They provide no evidence that it is trusted at all, much less one of the most trusted. Maybe by that they mean that it is tied for most popular and therefore it is trusted due to that, but that doesn’t mean it actually works at all or should be trusted (the security plugin it is tied for most popular with currently contains a vulnerability and is not needed). Near the end of their discussion of the plugin they again refer to it as “trustworthy”. [Read more]

9 Nov 2018

Wordfence Security and Wordfence Premium Fail To Protect Websites, But Defiant Is Happy to Lie and Tell You Otherwise

Over at our main business we have a steady stream of people contacting us to ask if we offer a service that will stop their websites from being hacked, and a not insignificant number of them mention that they are currently using a service that claimed to do that and their website got hacked anyway. That second item obviously tells you that these services don’t necessarily work, but what seems more relevant to the poor state of security is that even when one of these doesn’t work these people are often sure that they can and do work, just that the one they used didn’t. That probably goes a long way to explaining why the complete lack of evidence that these services are effective at all hasn’t been an impediment to people using them. The problem with that is not only do they end up not working well or at all, but the money spent on them could have been spent on services that actually improve the security of these websites (and everyone else’s website if their service is anything like ours), but are not sold on false promises.

Seeing as there are lots of people that still haven’t gotten the message that these services should be avoided if there isn’t evidence that shows effectiveness, we thought it would be worth emphasizing and expanding on something we mentioned in a post yesterday, where websites could have been protected by doing one of the basics of security, keeping WordPress plugins up to date, while a security service failed to protect them while being promoted as being able to do that. [Read more]

24 Sep 2018

ZDNet’s Zero Day Blog Claims to Have Revealed Something That We Had Already Discussed Well Beforehand

When it comes to actually trying to improve the poor state of web security, one of the big impediments is security journalists, who often act not as journalists, but as stenographers repeating claims made by security companies with little concern for their accuracy or actual significance. A case in point comes from a post from ZDNet’s Zero Day blog (which at least in the past was run by people that didn’t even understand what a zero-day is), titled “Thousands of WordPress sites backdoored with malicious code”, which we were notified of due to a Google alert we have set related to WordPress plugin vulnerabilities.

It is not clear exactly how many websites are running WordPress, but one figure put out by Forbes was 75 million, so thousands of websites running it being hacked seems less than significant. In fact there doesn’t really seem to be anything significant about what is being described in the post. The problem with covering things like that is that it gives an inaccurate picture of the security of WordPress, since certainly many more than thousands of websites not running WordPress are also hacked each month, and this can cause people to choose less secure software to use on their website because of skewed coverage. There are also plenty of issues surrounding the security of WordPress that could be covered instead of this type of thing, but journalists don’t seem to be interested in covering more significant issues. [Read more]