Login

Tag Archives: Mikey Veenstra

26 Aug 2019

Wordfence Keeps Hiding That Other Security Companies Are Actually Doing the Work to Keep Ahead of Hackers

On multiple occasions the team behind the Wordfence Security plugin have failed to credit us when discussing vulnerabilities we discovered. We are not alone in that it turns out and unfortunately journalists will cover them and not give any credit to other security companies that are actually doing the work to keep ahead hackers (which is how Wordfence falsely markets their Wordfence Premium service of doing).

Here is part of an article the Threatpost (which is itself secretly owned by a security company) from Friday that showed up in a Google alert we have: [Read more]

22 Mar 2019

Does Wordfence Threat Analyst Really Not Know About All The Vulnerable Plugins Still in The WordPress Plugin Directory?

When it comes to trying to improve security surrounding WordPress two of the big problems are inaccurate information being spread by security companies and journalists, and often they are combined. As an example of that, an article popped up the other day for the Google News alert we have set to keep track of coverage of plugin vulnerabilities (which we previously mentioned in the context of another inaccurate claim, that 90 percent of websites hacked last year were running WordPress). Part of that article, which quotes someone from the company behind the most popular WordPress security plugin, Wordfence Security is as follows:

All new plugins are checked by WordPress before being added to the public repository, but the same doesn’t apply to updates. [Read more]

9 Nov 2018

Wordfence Security and Wordfence Premium Fail To Protect Websites, But Defiant Is Happy to Lie and Tell You Otherwise

Over at our main business we have a steady stream of people contacting us to ask if we offer a service that will stop their websites from being hacked, a not insignificant number of them mention that they are currently using a service that claimed to do that and there website got hacked anyway. That second item obviously tells you that these service don’t necessarily work, but what seems more relevant to the poor state of security is that even when one of these doesn’t work these people are often sure that they can and do work, just the one they used didn’t. That probably goes a long way to explaining why the complete lack of evidence that these services are effective at all hasn’t been an impediment to people using them. The problem with that is not only do they end up not working well or at all, but the money spent on them could have been spent on services that actually improve security of these websites (and everyone else’s website if there services is anything like ours), but are not sold on false promises.

Seeing as there are lots of people that still haven’t gotten the message about these services should be avoided if there isn’t evidence that shows effectiveness, we thought it would be worth emphasizing and expanding on something we mentioned in a post yesterday where websites could have been protected by doing one of the basics of security, keeping WordPress plugins up to date, while a security service failed to protect them while being promoted as being able to do that. [Read more]

8 Nov 2018

Unlike Wordfence and Other Security Providers We Warned About WP GDPR Compliance Before Websites Started to Get Hacked

When it comes to protecting WordPress websites against vulnerabilities in plugins we provide a level of protection that others don’t for the simple reason that we do the work they don’t (but that they absolutely should be doing). The result can be seen with the plugin WP GDPR Compliance, which had multiple vulnerabilities fixed in version 1.4.3.

We had been warning our customers of one of those before you could even normally upgrade to that version of the plugin as the plugin was closed at the time (we warned our customers that it was at high likelihood of exploitation). At that time we could have help our customers to upgrade to 1.4.3 and then shortly after we started warning them the plugin was re-opened and they could upgrade normally. That all occurred yesterday. [Read more]