If you follow the news, what seems pretty clear is that cybersecurity is not in good shape these days. Whether it’s major credit card breaches at retailers or hacks of high profile organizations, clearly something is very wrong. It seems unlikely that this is due to a lack of spending on security products and services, considering that estimates of yearly spending on cybersecurity are in the tens of billions of dollars and expected to continue to rise. Instead, part of the explanation is that much of that money is being spent on products and services from companies that know little and/or care little about security.
To give you one example, anti-virus software from the well known companies Kaspersky Lab, Norton, McAfee, Sophos, and Trend Micro was all found by Google researcher Tavis Ormandy to have had exploitable vulnerabilities. When you have to be concerned that security products are increasing your security risk, that indicates something is quite wrong. But what is more striking about those vulnerabilities is the ease of exploiting some of them and that they were due in part to the companies doing dumb things. For example, in the case of Norton, quite a few of their products, including enterprise products, were subject to a remote code execution vulnerability that could be exploited by sending an email (it wouldn’t have had to be opened), which was due in part to running code at a higher privilege level than would have been needed.
As we have ramped up our Plugin Vulnerabilities service for keeping track of vulnerabilities in WordPress plugins, we have run across more of what WordPress security companies are up to, and what we have seen is that they are not the exception when it comes to the poor state of security companies. One such example is Wordfence, where we have frequently seen things that showed they either didn’t know or didn’t care much about security.
What we have wondered for some time, though, is whether it is more that they don’t know about security or that they just don’t care about it. To see why that is, take their involvement in the widespread claim that brute force attacks against WordPress admin passwords are occurring, despite the fact that the evidence from Wordfence and other security companies actually shows that they are not. Did Wordfence have no clue what they were talking about, or did they know they were telling people a falsehood to help push their product and service? Those wouldn’t be needed if people knew what the malicious login attempts falsely being labeled as part of brute force attacks were most likely part of: dictionary attacks, which can be protected against by simply using a strong password. We really were not sure.
In another example, Wordfence made a bold claim about being able to protect against stored XSS attacks, which we found to be false with some simple testing. In that case it could have been that they were saying something they knew wasn’t true, or it could have been that they understand so little about this type of vulnerability that they didn’t understand what an incredible claim they were making and that they needed to be very careful about making it without being sure about the claim.
We think the latest false information put forward by them makes it pretty likely that they are lacking a basic understanding of security, which is frightening since so much of the WordPress community is relying on them for information and protection.
In a post about what they say are the most attacked plugin vulnerabilities (worth mentioning here is that we recently found that Wordfence seems to be oblivious to the vulnerabilities in plugins that are actually the biggest threat), they made a claim that both we and they found surprising: that many of the vulnerabilities being targeted were local file inclusion (LFI) vulnerabilities:
The large number of local file inclusion vulnerabilities that are being exploited is surprising. I should also note that many of these LFI’s were discovered by Larry Cashdollar who I had the pleasure of seeing speak at Defcon in Las Vegas 2 weeks ago. So I suspect that many of these are being used in an attack script of some kind which may explain their prevalence in the attacks we’re seeing.
The clustering of LFI’s together and Shell exploits together in the list order is odd, but I don’t have a theory to explain that and there is no error in the data that accounts for that. It appears to be coincidence.
Considering that everything we know from monitoring plugin vulnerabilities and dealing with lots of hacked websites is that this type of vulnerability is rarely targeted, this seemed odd. But a quick look at the data they presented showed a simple explanation: local file inclusion vulnerabilities were not actually being targeted. Instead, what was being targeted were what we refer to as arbitrary file viewing vulnerabilities (they are also often referred to as arbitrary file download or directory traversal vulnerabilities), which are very different.
Before we get into what each of those types of vulnerabilities is, it is worth mentioning that Wordfence really had to go out of their way to get this wrong, as can easily be seen by the fact that the first five vulnerabilities they listed as being local file inclusion vulnerabilities are actually listed in the linked advisories as being the following types of vulnerabilities:
- Arbitrary File Download
- File Disclosure Download
- Arbitrary File Download
- Arbitrary File Download
- Arbitrary File Download
Not one of those is listed as a local file inclusion vulnerability, so Wordfence must have thought they were all wrong.
A local file inclusion (LFI) vulnerability allows an attacker to include a file that exists on the file system of the server the website is on (a remote file inclusion (RFI) vulnerability allows the same with a file that exists somewhere else). For this type of vulnerability to be useful to a hacker, they either need to be able to place a file on the website or there needs to be a file whose inclusion in this way causes a security issue. Since those do not appear to be readily available in most cases, it follows that this type of vulnerability is not often being exploited.
An arbitrary file viewing vulnerability allows viewing the contents of a file that exists on the website. With WordPress websites we frequently see attempts to exploit this type of vulnerability to view the contents of the wp-config.php file. If successful, that would provide the attacker with the database credentials associated with the website. For that to be useful the attacker would need to be able to connect to the database, and their ability to do that varies greatly depending on the hosting setup. While we see many attempts to exploit this type of vulnerability, we see it being the cause of a website being hacked much less often than arbitrary file upload vulnerabilities, which we also see many exploit attempts against.
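To make the distinction drawn in the two paragraphs above concrete, here is an added PHP example (not code from this post, from Wordfence, or from any of the plugins in the advisories) showing the two vulnerable handler shapes side by side with hardened versions. Function names, parameter names and the directory names are hypothetical.

```php
<?php
// Added example. The two handlers below are the patterns the post distinguishes:
// one sends a file's bytes to the client, the other executes a file as PHP.

// Arbitrary file viewing / download: whatever path is reached is read and
// returned. A "../" in $name walks out of the intended directory, which is how
// a request ends up returning wp-config.php and its database credentials.
function vulnerable_download(string $name): void {
    readfile(__DIR__ . '/downloads/' . $name);
}

// Local file inclusion: the chosen file is executed, not displayed. That only
// helps an attacker if they can already place a file on the server or a file
// whose execution is harmful already exists, which is why it is rarely targeted.
function vulnerable_include(string $name): void {
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened download: strip any directory part, resolve the real path, and
// require that it still sits inside the intended directory before serving it.
function safe_download(string $name): bool {
    $base = realpath(__DIR__ . '/downloads');
    $path = $base === false ? false : realpath($base . '/' . basename($name));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return false;
    }
    readfile($path);
    return true;
}

// Hardened include: never build the path from input; map the request onto a
// fixed allowlist of templates and refuse anything that is not in it.
function safe_include(string $name): bool {
    $templates = ['list' => 'list.php', 'grid' => 'grid.php'];
    if (!isset($templates[$name])) {
        return false;
    }
    include __DIR__ . '/templates/' . $templates[$name];
    return true;
}
```

A cleanup that finds the first handler on a site should be looking for exposed credentials and what they were used for; one that finds the second should be looking for how a file came to be on the server in the first place.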
While Wordfence’s lack of understanding of what each of these vulnerabilities is would likely have some impact on protecting against them, it would have an even bigger impact on their properly doing hack cleanups (which they also offer), since understanding what security vulnerabilities have existed on the website greatly helps in determining the source of the hack and the impact the exploitation of a vulnerability could have had.
If you care about security, we would recommend you help us get the truth about Wordfence out to a wider audience so that together we can lessen the damage they are doing to the security of so many websites.
A Better Alternative to Wordfence
If you have a WordPress website that needs to be cleaned up from a hack, we provide a cleanup service performed by someone who actually understands website security generally and WordPress security specifically (which is something Wordfence has shown in spades that they don't have).
Hello,
I appreciate your passion towards this topic, but these posts are becoming repetitive. We get you guys don’t like WordFence. I think some of the issues you guys have is the terminology they use which may very well be for marketing purposes. Who knows, maybe talking to them instead of bashing them would actually improve things? From a consumer’s point of view do they really give a crap if it’s an arbitrary file download or a local file include? Nope. Do they care if WordFence can’t stop either, yes; I’d say that’s important. But 80% of this post was nit-picking the terminology. It sounds more like complaining than a legitimate threat at this point. If you could focus on technical faults in their product I think that would be more constructive.
If the public doesn’t care what each type of vulnerability is, then it doesn’t make much sense for Wordfence to use the wrong one for “marketing purposes”. It seems instead that they don’t have a basic understanding of security, which is important to highlight, as we did in this post. Considering that, it really is incumbent on Wordfence to show that their lack of security knowledge doesn’t bleed over into them not being able to protect websites, instead of us needing to show that it does.
It sounds like you are looking for a different type of content than we offer on this blog. There are plenty of sources out there that discuss security in a more superficial manner where the details are not as important, so we will leave that to them and continue to delve into the details, since we feel they actually do matter and others are not already focusing on them.
It really seems that you can’t do anything else, just bashing Wordfence. I know only one thing: before using Wordfence, my WP sites got hacked every now and then (a few times per year). After adding the Wordfence plugin none of my sites got hacked anymore.
The download count on the WP Plugins library speaks volumes about how they are handling security. If they would be so ignorant as you describe them to be, they would have disappeared long ago.
There are other things: they are a company, and they always let you know, they aren’t doing all this stuff from the goodness of their heart. They are doing it for a profit. WordPress (mainly) is not for the pro developer, it is used by many (many) people who know nuts about web development or security terminology. They are good computer users, create great stuff, write good articles, but they are not security experts or developers at all. They won’t understand what LFI or CSRF is and they don’t have the time to read about them.
So what can a security professional do about this? Write an article with terminology that can be somehow understood by most of these people and kindly direct them to either update their software or, in Wordfence’s case, buy their product. They provided both solutions, starting with the free one.
What if you stopped attacking each other and worked on solutions to get rid of more security issues as they are making our lives miserable, and there is no day without a handful of these popping up.
/DISCLAIMER: I don’t work for Wordfence, I’m just a happy user of the free version of their product./
Your own experience shows how security products and services can be popular even if the developers don’t know what they are doing. You are attributing your websites not being hacked to Wordfence, but you don’t seem to even know how they were being hacked, so you wouldn’t know if Wordfence actually did anything or if it was just coincidence that they stopped getting hacked after installing it. Remember, correlation is not causation. From plenty of experience we can say that people often even attribute protection to products and services that could not have possibly provided it.
It is also worth noting that Wordfence actually admits to knowingly leaving people using their free plugin vulnerable to being hacked, while at the same time claiming, without any qualifications, that their plugin “stops you from getting hacked”. When a company is willing to lie so blatantly then it isn’t surprising that their plugin is very popular (and more popular than plugins that are honestly promoted).
We actually do a lot of work to fix security issues when it comes to WordPress. Wordfence makes it harder to do that because they push fake threats, which make it harder to get real issues focused on, and they claim to do some of the work we do, while not doing it, so they get credit and business based on work they don’t do. If more people were using our service instead of theirs then we could be doing even more.