iThemes Security

26 Sep 2023

Sucuri Security and Solid Security Plugins Won’t Stop Websites From Being Hacked

While looking into some information for a post we were preparing recently, we ran across a promoted testimonial for a security provider named MalCare, coming from the person behind WPCrafter, which is marketed as WordPress tutorials for non-techies. The testimonial begins:

I had been running iThemes, WordFence & Sucuri, but they kept getting hacked. [Read more]

26 Jul 2023

StellarWP Hasn’t Fixed Vulnerable Plugin Their Own Security Plugin Has Warned About Since Last Week

Earlier today, we looked at a mess created by the developer of a popular library in WordPress plugins, Freemius, and WordPress security provider, Patchstack. Another company playing a supporting role in what was discussed is StellarWP (which is part of Liquid Web). On their homepage, StellarWP makes this strong claim:

The most trusted plugins and people in WordPress. [Read more]

30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website. [Read more]

22 Jun 2023

iThemes Security (Solid Security) and iThemes Security Pro Won’t Protect Against Zero-Days Contrary to Their Marketing

A zero-day is a vulnerability being exploited before the developer is aware of it. One of the implications of that is that keeping software up to date won’t protect against it. So for WordPress websites, a WordPress security plugin can possibly provide protection beyond doing security basics like updating software. That is, if the plugin actually provides that type of protection. iThemes Security (which is being rebranded to Solid Security) is marketed as being just such a plugin. Here is how the developer starts marketing the plugin on the WordPress Plugin Directory (emphasis theirs):

The Best WordPress Security Plugin to Secure & Protect WordPress [Read more]

24 Apr 2023

iThemes (SolidWP) and Patchstack Requiring Their Customers and Plugin Developers to Fix Their Inaccurate Data

Recently, iThemes (which is being rebranded as SolidWP) and their partner, Patchstack, have been incorrectly labeling that a 100,000+ install WordPress plugin, Download Manager, contained an unfixed vulnerability. The problem stems in part to confusion with a claim that vulnerability had been in Download Manager Pro and also from Patchstack’s data not properly listing which versions of a plugin are vulnerable (this isn’t the first time recently there has been this combinations of problems). Incredibly, once this was brought to iThemes attention by one of their customers, their response was not for them to fix this, but to tell the customer that the plugin developer had to get in touch with Patchstack to address this:

Since the one you’re using is the free version (3.2.70), but it is still being flagged as vulnerable by the Site Scanner, I recommend reaching out to the plugin developers for the possibility of updating the reflected information on Patchstack. [Read more]

13 Mar 2023

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, who all claim to have teams of experts reviewing vulnerabilities in WordPress plugins, claiming that the vulnerability had been fixed three months before that. The moderators of the WordPress Support Forum made the situation worse by deleting an early indication of the problem in the form a message complaining about a website being hacked because of the plugin.

The developer of the plugin promptly fixed the vulnerability once we advised them that it still existed. They then went further than other plugin developers usually do when a plugin has had an exploited vulnerability and got a security review done to ensure the plugin was now properly secured. [Read more]

6 Mar 2023

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things they said in their post that are rather problematic.

One of them was that they were claiming to have responsibly disclosed the vulnerability, while also contradicting that. According to their post, the day before they notified the developer of the plugin about the vulnerability, they were already selling access to information about exploiting the vulnerability through their Wordfence Premium service. That isn’t responsible disclosure and any hacker willing to pay for the service could have started exploiting this before the developer was even notified about it. Wordfence’s paying customers would have been protected from it at the time, but others would not without having some other security in place. [Read more]

8 Feb 2023

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability discovered by Lana Codes involved the plugin’s functionality to email a one-time password for logging in to WordPress. The problem with the functionality is that it didn’t just email the password, it also sent it back as part of the response from the request to have it emailed. So an attacker could submit the request to have that emailed for a WordPress user’s account, get the password that was only supposed to be emailed, and then log in to that account.

Trying to prevent an information disclosure issue like this would be difficult for a WordPress security plugin without being aware of the particular vulnerability, as it would have to realize that something that shouldn’t be disclosed is being disclosed, so it would be unlikely that a security plugin would provide protection. Our own firewall plugin, Plugin Vulnerabilities Firewall, doesn’t have protection against such a situation, but we are always looking to see how we might be able to expand its protection, so we were curious to see if any other plugins provided protection. [Read more]

26 Oct 2022

Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced in to a WordPress plugin that comes directly from WordPress. It turned out that vulnerability had been introduced in to it by an employee of the company closely associated with WordPress, Automattic. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files and then from there they could do whatever else they want, as that would give them the ability to run arbitrary code on the website. That is a type of scenario WordPress security plugins could and should have a capability to protect against.

Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of review of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario. [Read more]

13 Sep 2022

Only Six WordPress Security Plugins Protected Against Exploitation of Zero-Day Vulnerability in BackupBuddy

Last week the developer of one of the most popular WordPress security plugins, iThemes Security, disclosed that another of their plugins, BackupBuddy, had recently had a zero-day vulnerability. That is a vulnerability being exploited by a hacker before the developer is aware of it. One of the implications of that is that keeping a website’s plugins up to date won’t always protect websites from being hacked through vulnerabilities in them. So this is the type of situation where a security plugin, like iThemes Security, could provide protection beyond keeping plugins up to date. If any security plugins should be able to do that, it should be iThemes Security if you believe their marketing, as they claim it is the best: