ManageWP Shows Lack of Concern for Security by Running Insecure Version of WordPress

When it comes to the security of websites, what we see over and over is that the basics are not even being handled by people who shouldn’t have a problem doing it. If you are running a WordPress website, then part of Security 101 is keeping WordPress up to date, as it prevents your website from being hacked through a known vulnerability in an older version of WordPress. Unfortunately, that isn’t being done in many cases, as can be seen in the fact that only 40 percent of WordPress websites were running the latest series of WordPress in the data set we looked at in March.

You would think that providing better management tools would help this situation, though the example of one of the providers of such a tool would say otherwise. ManageWP describes its services as providing you the ability to “Manage all your WordPress sites from one place – including updates, backups, security and more.” You would certainly expect they would be keeping the WordPress installation powering their website up to date, but they’re not:

[Screenshot: ManageWP is Running WordPress 3.5.2]

WordPress 3.5.2 is over ten months out of date, and there have been two subsequent releases with security updates (3.6.1 and 3.8.2).

ManageWP’s failure to handle a basic security task is in sharp contrast to their claims of security. For example, they claim:

Securing ManageWP and the sites we interact with has always been our highest priority. We use state-of-the-art encryption and security standards that go above and beyond what WordPress, itself, offers, to ensure that your sites are protected.

On another page they make a series of claims about their security:

How ManageWP Is Secure

  • We have a full-time security specialist
  • We regularly perform penetration testing
  • No credit card information stored
  • No WordPress passwords stored
  • OpenSSL encryption
  • ManageWP is built on top of WordPress
  • Account password encryption
  • White hat reward program

If you are a security specialist who fails to make sure such a basic security measure is taken, then you probably should find another profession.

Another bad sign for their concern for security is their integration of Sucuri.net’s deeply flawed malware scanning into their service.


2 thoughts on “ManageWP Shows Lack of Concern for Security by Running Insecure Version of WordPress”

  1. Thank you for this analysis.

    However, it is inaccurate on several levels. The version number reported trivially by the browser is in no way representative of the actual version and state of the code that runs on the server. In fact, a security aware company might purposefully alter this information to confuse potential attackers.

    ManageWP is indeed very security aware. We stand by our promise and go above and beyond industry standards in security. We did not have a single security incident in the three years that the service has been running, serving over 200,000 websites.

    Among other things, this is also thanks to a public white hat security reward program at https://managewp.com/white-hat-reward so if you feel like you’d be able to contribute to the security of the service we invite you to do so, in the way it was meant.

    Finally, I do not want to speak for sucuri.net, but I am afraid that your observation about their flawed malware scanning, even if it was true, does not imply in any way, anything about the security of our own service.

    In addition, my suggestion to the author would be to try and gain publicity by contributing good things to the world, in the same way you claim to do pro bono work. ManageWP is a fruit of labor of many years of passionate work of a bunch of people, and while I do not mind doing what I did just here (taking time to explain why a superficial “security” analysis is, well, superficial), I’d rather be spending my time with family or improving our product.

    Best regards,
    Vladimir Prelovac
    Founder, ManageWP

    1. It is unfortunate that you are continuing to try to mislead the public about your security. While it is true that it is trivial to alter the WordPress version number reported, in the case of your website you have actually removed it from the obvious places instead of altering it. In that case our tool does not rely on the reported version number, so another method was used to determine the version and that is reliable even if you were to alter the version number. We also double checked that the version number it reported was accurate because we wouldn’t want to make false claims, as you do about your security. It is telling that your response doesn’t actually dispute that you are not keeping WordPress up to date, which is our central claim.

      A security aware company would not alter or hide the WordPress version number since that doesn’t provide any actual security, as we discussed a number of years ago, instead they would keep the software up to date, which you are not doing.

      As for the rest of your message, we feel it is important to let the public know when companies are trying to mislead them about their security practices. Not only do your misleading security claims give your customers a false sense of security, but they also make it harder for the public to trust companies that don’t lie about their security.
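The post states that WordPress 3.5.2 is two security releases behind (3.6.1 and 3.8.2), and the comment thread above argues over whether the version a site reports to browsers reflects the code actually running. The check below is an added example, not code from the post or from ManageWP: it reads `$wp_version` from `wp-includes/version.php`, the file WordPress itself loads, so stripping or altering the generator tag makes no difference to the result, and compares that value numerically against the latest release and the security releases the post names. The sample `version.php` content is constructed for the example; `audit_install` and its `wp_root` argument are assumptions about how a site owner would point the check at a real installation.

```python
"""Audit an installed WordPress core's real version against the latest release.

Added example (not the post's or ManageWP's code). Reads $wp_version from
wp-includes/version.php, which WordPress loads on every request, instead of the
<meta name="generator"> tag or readme.html, which a site can remove or alter
without changing the code that actually runs.
"""
import re
from pathlib import Path

# Constructed sample of wp-includes/version.php (the real file has this shape).
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 *
 * @global string $wp_version
 */
$wp_version = '3.5.2';

$wp_db_version = 22441;
"""

# Matches the assignment line; MULTILINE so ^ anchors at each line start.
VERSION_RE = re.compile(r"^\$wp_version\s*=\s*'([^']+)'\s*;", re.MULTILINE)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '3.8.2' (or '3.6', or '3.9-alpha-1234') into a 3-tuple of ints.

    Numeric tuples compare correctly where plain strings do not
    ('3.10' must rank above '3.9.1').
    """
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    parts += [0] * (3 - len(parts))  # pad '3.6' to (3, 6, 0)
    return tuple(parts[:3])


def installed_version(version_php: str) -> str:
    """Extract $wp_version from the contents of wp-includes/version.php."""
    match = VERSION_RE.search(version_php)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def audit(version_php: str, latest: str, security_releases: list[str]) -> dict:
    """Compare the installed core version with the latest known release.

    `latest` and `security_releases` come from the caller (a trusted source such
    as the WordPress release announcements); the usage below hard-codes the
    releases named in the post: 3.8.2 as latest, 3.6.1 and 3.8.2 as security releases.
    """
    installed = installed_version(version_php)
    inst = parse_version(installed)
    missed = [r for r in security_releases if parse_version(r) > inst]
    return {
        "installed": installed,
        "latest": latest,
        "up_to_date": inst >= parse_version(latest),
        "missed_security_releases": missed,
    }


def audit_install(wp_root: str, latest: str, security_releases: list[str]) -> dict:
    """Audit a real install (assumed layout): wp_root holds the wp-includes/ directory."""
    path = Path(wp_root) / "wp-includes" / "version.php"
    return audit(path.read_text(encoding="utf-8"), latest, security_releases)


if __name__ == "__main__":
    # Run against the constructed sample: reports 3.5.2 installed, two security
    # releases missed, not up to date.
    print(audit(SAMPLE_VERSION_PHP, latest="3.8.2", security_releases=["3.6.1", "3.8.2"]))
```

Because the check runs on the server side it is only useful to the site's own operator; it is the self-audit that a "keep WordPress up to date" policy implies, and it is unaffected by whatever version string the public pages advertise.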
