WordPress.org Support Forum Disappearing Our Replies

As part of the work we do for our Plugin Vulnerabilities service we monitor the WordPress.org support forum for threads about security issues in plugins, to help make sure that we can provide the best data on plugin vulnerabilities to our customers. That also causes us to run across an assortment of related topics. When we can provide some insight we also will reply to threads we run acrros. In the past few days we have been finding some of our recent replies have started to disappear (if you were to go to the relevant threads you wouldn’t even known they had been there) without explanation. We really don’t know why that might be, the more concerning possibility is that they didn’t like that in one thread we had corrected some inaccurate information in regards to the state of handling of plugin vulnerabilities by the Plugin Directory, but since there is no explanation we have no idea what the cause iss. These disappearance don’t just impact us, it has also caused others to be left without useful information.

Take for instances a thread we responded to yesterday. Someone started a thread looking for help identifying an arbitrary file upload vulnerability in some software running on their website. Seeing as arbitrary file upload vulnerabilities are probably the most serious vulnerability out there in plugins, since it is the most likely to be exploited of commonly found vulnerabilities, we thought it would be a good idea to see if we could find any in the plugins they indicated they were using since we would want to make sure that is in the data our Plugin Vulnerabilities service. In checking over the plugins we couldn’t find any of that type of vulnerability.

While we were already looking over things we thought we might as well see if we could take a look at the Suffusion theme they were using as well. The theme used to be available on the wordpress.org Theme Directory, but was removed a month ago. Since it still remains in the underlying repository we were able to get a copy of the last version, 4.4.9, of that and found that was in all likely hood the source of the issue the original poster was having, as the AJAX accessible function suffusion_admin_upload_file() in the theme allows anyone logged to upload files through the WordPress function wp_handle_upload(). That function only allows certain types of files to be uploaded, so it wouldn’t be an arbitrary file upload vulnerability, but the logging included with their post showed that files that were uploaded are types that are allowed by that. Notably the logging included with the post did not show any .php files being uploaded, which is what an arbitrary file upload vulnerability would normally be used to upload. The request for doing the uploads through theme would be handled through a POST request to /wp-admin/admin-ajax.php, several of which are shown in the logging that was included in the post.

We posted reply explaining that and it then quickly disappeared. In the meantime the only other person that responded was a forum moderator, who was sending the original poster off in the wrong direction by telling them to contact their web host about server issues. None of the evidence provided looks to match a server issue to us, so we are not sure why they would suggest that. Making the whole thing more aggravating, after we had already posted what the actual cause was (and then having it disappear) the forum moderator posted that beyond what they told the person about focusing on a server issue, “There is little else anyone can say.”, which clearly isn’t true.

Posted in WordPress | Tagged | Leave a comment

A Good Example of What is Wrong With The Management of the WordPress.org Plugin Directory

Through the work we do for our Plugin Vulnerabilities service we spend a lot of time on the Plugin Directory, dealing with issues in plugins on it (mostly security issues), and interacting with the people running it. Our experience is that things are not really handled well by the people running it. Something we ran across today seems like a good example of the poor state of the people managing it, which we thought would be good to share to help expose the bad state of things.

Since we have several plugins in the Plugin Directory, prior to the release of a new version of WordPress we get an email asking us to test our plugins with compatibility with the new version of WordPress and then update them to indicate they are compatible with the new version. Here is the email we got prior to 4.5 (the plugin listed as only being tested up to 3.6 is due to the fact that the plugin’s functionality was integrated into the next version of WordPress):

Hello, WhiteFirDesign!

WordPress 4.5 is scheduled to be released on April 12. Are your plugins ready?

After testing your plugins and ensuring compatibility, it only takes a few moments to change the readme “Tested up to:” value to 4.5. This information provides peace of mind to users and helps encourage them to update to the latest version.

Here are the current “tested” values for each of your plugins:

* https://wordpress.org/plugins/automatic-plugin-updates/ (tested up to 4.5)
* https://wordpress.org/plugins/https-updates/ (tested up to 3.6)
* https://wordpress.org/plugins/no-longer-in-directory/ (tested up to 4.4)
* https://wordpress.org/plugins/plugin-vulnerabilities/ (tested up to 4.5)

For each plugin that is compatible, you don’t need to release a new version — just change the stable version’s readme value.

Looking to get more familiar with 4.5? Check out this roundup post on the core development blog: https://make.wordpress.org/core/2016/03/30/wordpress-4-5-field-guide/

Thank you for all you do for the WordPress community, and we hope you will enjoy 4.5 as much as we do.
WordPress core contributors

So clearly the Plugin Directory wants people to be testing their plugins for compatibility and then updating the compatibility information.

Based on that you would think that the person described as the “WordPress.org Tech Dude”, who is involved in managing the Plugin Directory, would be setting an example by making sure to do that, but as we noticed today that isn’t the case. For one of their plugins PHP Code Widget, which has 100,000+ active installs, it is still only listed as being compatible up to WordPress 4.4. WordPress 4.5 was released in April and WordPress 4.6 getting closer to release, with the third beta released a week ago.

It isn’t a situation where the plugin is no longer supported, hasn’t been tested, or the developer just forgot to update the compatibility. As a couple of forum threads show, the developer is instead just refusing to update the compatibility listing. If that sounds strange to you, you are no alone, but that is inline with the type of attitude we have seen when dealing with those people.

Posted in WordPress Plugins | Tagged | Leave a comment

Sucuri Security Doesn’t Like the Truth To Be Exposed

When it comes to bad security companies Sucuri Security is certainly up their for a variety things we have seen them do over the years. In just a few of those cases we have written up blog post about those. The company clearly don’t like that we exposed some of their bad practices, as something we just ran across today shows. Someone had posted a review for one of their WordPress plugins, which linked to several of our posts. The review has now been edited, but from the Google cached version you can see what was there and response from Sucuri’s CEO:

sucuri-security-innacurate-claims

The part relevant to our previous posts was (our emphasis added):

Those articles have absolutely nothing to do with the issue you experienced or this ability of this plugin, they are inflammatory and now you’re crossing into the line of social harassment unnecessarily. It’s a shame, seeing your social presence that you’d stoop so low. They are also inaccurate and completely out of context.

So what were these articles they claim are inaccurate and inflammatory.

The third article linked to discussed the poor state of Sucuri’s scanner several years ago, which was accurate then and based on what we have seen more recently the scanner still seems to be quite poor.

The second article discussed an attempt by Sucuri to astroturf a comment on that third article, which they admitted to in the comments of the second article. That comment came from the same person now claiming that the articles are inaccurate, but in his attempt at astroturfing he didn’t actually point out any real inaccuracy in the third article (if any of are articles actually contained inaccuracies we would want to correct them as soon as possible).

The first article discussed how Sucuri uses bad data to try scare people into using their service, so that would make them, not us, the inaccurate ones and probably inflammatory as well.

Posted in Bad Security, Sucuri Security | Tagged | Leave a comment

Your Website Probably Wasn’t Hacked Through A Backdoor

When it comes to dealing with hacked websites our experience is that information coming from web hosts often isn’t great. When you consider how terrible many security companies dealing with websites are, it isn’t very surprising that companies that don’t claim that expertise would be bad as well.

Last week over on the blog for our Plugin Vulnerabilities service we discussed one issue that comes up from time to time, which is web hosts claiming that the source of a hack is whatever software that happens to be located where a hacker placed a malicious file. Often times the hacker just randomly place their malicious files, making the location of the file a weak piece of evidence as to the source of the hack in most cases.

Another recent example of this involved someone who contacted about a website that was hacked, cleaned, and then was getting re-infected everyday. In that situation our first question is always if the person that cleaned up the website determine how it was hacked. Seeing as someone doing a cleanup should attempt to determine how a website was hacked, that will tell you if the person doing the cleanup was doing things properly (the response almost always indicates they haven’t). It also important since the re-hacking could indicate that the security vulnerability that allowed the website has not been fixed and knowing what was believed was the cause would provide a better understanding of the situation.

In this case they said that there web host had been hacked through a backdoor (apparently the person that did the cleanup did not determine how the website was hacked). For those not familiar a backdoor would be code that allows a hacker remote access to the website internals. In most cases a backdoor could not be source of a hack since the backdoor would have to have gotten on the website. Usually the hacker will exploit a vulnerability to allow them to place a backdoor on a website and then use the backdoor to perform further actions on the website, so the backdoor isn’t the source of the hacking, only a result of it.

The main exception to this is that occasionally a malicious individual will be able to plant a backdoor into non-malicious code, say sneaking it in to an otherwise legitimate WordPress plugin in the Plugin Directory. That is by no means a common occurrence though.

If your web host or someone else is telling you your website was hacked through a backdoor, you should ask them how it got there to understand if they are correct about the source of if they failed to understand the actual source.

Posted in Website Hacked | Leave a comment

Trend Micro Running Outdated and Insecure Version of WordPress on Their Blog

When it comes to the problems with cyber security one of the issues we see is that the wrong people are often getting the blame for its poor state.

WordPress frequently gets unfairly criticized in a security context, while in a lot of ways they are really at the forefront of improving security of web software. Take for example the automatic background updates feature that was released back in WordPress 3.7, which allows for security fixes to be applied million of websites quickly without requiring any user interaction.

On the other side are security companies that seem to in a lot of cases care little for security and in some cases seem to peddling false hoods to increase their profits. One such recent example where a security company didn’t seem care about security was with Trend Micro, which had a password manager included with their antivirus software that had incredibly severe security issues.

When bring these to two examples up because they come to together with something we noticed recently. Trend Micro’s blog recently is running an outdated and insecure version of WordPress:

The Trend Micro blog is running WordPress 4.5

WordPress 4.5.1 was released on April 26 and 4.5.2, which fixed two security issue, was released on May 6.

Seeing as those versions would normally have been applied automatically within hours of their release due to the automatic background updates feature, either Trend Micro unwisely disabled that feature or some bug is stopping that from happening in their case. If it is the later then Trend Micro could actually help to improve the security of WordPress websites by working the WordPress developers to resolve that, so that others impacted by the issue could also start getting updates.

Looking at the source code of the blog homepage’s you can see that at least one of their plugins is also not up to date:

<!– This site is optimized with the Yoast SEO plugin v3.2.3 – https://yoast.com/wordpress/plugins/seo/ –>

The latest version of the Yoast SEO plugin is 3.2.5 and that version fixed a very low severity security issue (the current version of that plugin has at least one other security issue that is fairly obvious if look into the vulnerability that was fixed).

Posted in Bad Security, Outdated Web Software | Tagged | 3 Comments

It Looks Like SiteLock is Scamming People

Over the past couple of years we have run across a lot of bad stuff involving the security company SiteLock, from not doing basic security checks to not doing basic parts of hack cleanups to breaking websites they are supposed to be cleaning to labeling a website that is very dangerous for visitors as being “secure”. Unfortunately those kinds of things are really par for the course when it comes to security companies (it is a really sleazy industry in general). But recently we have started to see and hear more that indicates that SiteLock has gone past that and moved to more egregiously cheating their customers. Making this more of  a problem, is that they now have partnerships with many web hosts, which gives them additional legitimacy that they shouldn’t have considering the multitude of problems we have see involving them.

One of the issues that we see coming up a lot involves SiteLock charging a monthly fee to protect websites and then when the website gets hacked they want a much larger amount to clean up the website. If the website is getting hacked then the protection being paid for doesn’t seem to be actually happening or isn’t very good. There also seems to be an incentive for the protection they provide to not actually protect, since they can actually make even more money if it doesn’t work.

The other that comes up is fairly frequently is them contacting people claiming that a website has been hacked and that they can clean it, without SiteLock actually checking to see if the website is actually hacked. One example of that we were contacted about involved a website that had been actually hacked, for which the person who took over resolving that decided to start fresh, only reusing the domain name. So the website would have been clean at the point that SiteLock contacted them, which didn’t stop SiteLock from charging them for a cleanup:

When the site was hacked, the domain was blacklisted by every major blacklister, however,since I built the new site from scratch, it was clean when it went live. In spite of that, Sitelock contacted me the day after bringing the new site live that they were in the process of cleaning malware from the site and to contact them as it was going to involve manual removal and additional costs above what the plan that came with WordPress covers. They offered me two options, 300 to clean the site and submit to the blacklisters for review or 299 (in three installments) to clean the site and provide manual removal coverage for three months, after which I could continue with the scan and removal tool and add manual removal coverage for 49.00 per month from then on.

Beyond the fact that SiteLock was charging them for an unneeded cleanup, a website shouldn’t need continuing removals of malicious code. If that is the case, that would usually indicate that the original hack cleanup wasn’t done properly and the hacker could get back in, in that case the person who did the original hack cleanup should go back in and get the issue fixed for free (we certainly would want to do that for a client).

What SiteLock then did for that monthly fee doesn’t sound great either:

I have not been able to make it even a week (in two months) without Sitelock sending me some scary critical security warning email concerning the site. One of them said that they were cleaning malware, which I had a hard time believing since I had really good passwords, 2 step verification and login limiting onthe site. It turned out, the “malware” was a file that was created when I installed the Ithemes security plugin.All the other warnings were the result of them constantly not being able to connect and access the files in ordder to scan, which I don’t understand since I had not changed the passwords and each time, the problem ended up being resolved without a clear explanation as to how or why it happened in the first place.

Based on what we are seeing we have some recommendations if you are contacted by SiteLock or if your web hosts is recommending using them:

Get a Second Opinion

Based on what we are seeing it sounds like SiteLock sometimes is claiming that websites have been hacked that haven’t actually been hacked, so it would be a good idea to get a second opinion as to whether you have been hacked when you are contacted by them.

This is a good idea in other instances as well, since we sometimes see web hosts claiming a website has been hacked due to issues that were caused by something that was actually unrelated to a hack or them not double checking results of antivirus scanners (which can produce some bad false positives).

We are happy to do a free check to see if a website is actually hacked (we always will do that before taking on the clean up of a hacked website), so we are happy provide you with a second opinion from.

Hire Someone Who Properly Cleans Up Hacked Websites

If your website has in fact been hacked it is important to make sure you are hire someone that does a proper hack cleanup. You don’t want to be like many of our clients who hire to us to re-clean their hacked website after the first company they hired didn’t do those things.

The three main components of a proper hack cleanup are:

  • Cleaning up the malicious code and other material added by the hacker.
  • Securing the website (that often means getting the software on the website up to date).
  • Attempting to determine how the website was hacked.

While determining how the website was hacked is often not possible to do due largely to web hosts failure to store log files on a long term basis (something that we found SiteLock had not rectified with at least one of their hosting partners), we have found going through the process is important to get a hacked website fully cleaned. If the source of hack hasn’t been determined then that increases the chances that the security issue hasn’t been resolved and that the website will get hacked again.

We would recommend asking the companies what there hack cleanup service involves and if they don’t mention that they do those things, then you probably should look elsewhere.

Securing Your Website

One really important thing to understand it isn’t naturally for websites to get hacked. For that to happen something must have gone wrong. So the solution to keeping your website secure is to make sure you are taking the proper security measures with your website, instead of going with a security product or service that doesn’t do those things and instead make bold claims that it will keep you secure some other way.

It also important to understand that the chances of a website being hacked are pretty small, so when you see people saying that they use a service and haven’t been hacked, it is entirely possible that the service had nothing to do with them not being hacked.

Posted in Bad Security, Website Security | Tagged | 3 Comments

SiteGuarding.com’s WordPress Security Plugin Touts Its Use For Those That Pirate Software, While Charging For Its Services

When it comes to security plugins for WordPress, we don’t think to highly of most of them. But we have continued to be surprised how low things can go with them. Take for example the WP Antivirus Site Protection (by SiteGuarding.com) plugin, which on it’s description page on the Plugin Directory it states near the top:

This plugin will be especially useful for everybody who downloads WP themes and plugins from torrents and websites with free stuff instead of purchase the original copies from the developers. You will be shocked, how many free gifts they have inside 🙂

Their touting its use for those that pirate WordPress themes and plugins is kind of incredible on its own (note the lack of past tense in terms of downloading that software or lack of suggestion not to do that). But more incredible is the fact that at the same time the plugin is really just a connection for a mostly paid service, so they think you should pay them, but are okay with people not paying the developers of software.

What makes that dichotomy more striking is the comments from the developer on some of the negative reviews of the plugins.

One review reads:

If your website contains a file larger than 25MB, the plugin will abort and ask you to upgrade rather than just skipping it and warning you. The plugin is just a leadgen ploy. Uninstalled. Further more, of all the wordpress hacks I’ve ever seen, files affected are NEVER large or over a few kb.

That seems like reasonable complaint, which gets this response from the developer:

free version has limits. if you are not ready to pay for the security enjoy and live with the viruses.

As part of their response to another review the developer wrote in part:

If you installed it again. It means plugin is good, you just dont want to pay for good plugins and services and want everything for free.

It is also worth noting that there are a lot of rather fake looking reviews for the plugin.

Posted in Bad Security, WordPress Plugins | Tagged , | 1 Comment

The Fact That Wordfence Couldn’t Clean Up a Hacked Website Doesn’t Stop People From Suggesting That It Will Clean It

When it comes to improving the security of websites one of the biggest problems we see if the shear amount of bad information, including lots of bad advice, that is being put out there. We frequently see people suggesting using the Wordfence plugin for WordPress, which we have hard time believing somebody who is knowledgable about security would recommend due to a number of issues. Those issues include the fact that broad based security plugins like that are not all that useful against real threats, that more than a few security vulnerabilities have been found in the Wordfence plugin itself, that the developers don’t seem to have a good grasp of security, and that the plugin produces some really bad false positives. Usually you have no way of knowing if somebody giving out that advice has a different opinion in regards to those types of things or they are giving advice without really being informed about the situation. In some cases you can see that advice is being handed out uniformed, though.

As part of keeping track of security issues in WordPress plugins for our Plugin Vulnerabilities service, we monitor the wordpress.org forum for threads related to plugin vulnerabilities. In addition to helping to find some more vulnerabilities to include in our data, we run across threads about other security issues related to WordPress and WordPress plugins. In one of those we saw when the use of Wordfence being suggested as a solution, when that clearly wasn’t helpful advice.

The original poster in the thread described the problem they were having cleaning up a hacked website. After trying numerous things, including reverting to a backup copy, malicious files were continuing to be added to the website. At the end of the post they mentioned that they have three WordPress security plugins installed, but that they hadn’t been any help:

Protections plugins I’m currently using (and which can’t find anything wrong with the website)

Despite that one those plugins was Wordfence, the second and third responses suggested that Wordfence could deal with the issue:

Yes, those are not default files. WordFence is the best for scanning once you are already infected.

and

I had the same issue, so far WordFence has done a great job. Two days and no wp-checking.php has showed up. Yet!

In this type of situation what we would recommend, and did later in the thread, is to see if you can determine if the hacker still has some sort of access to the website, which is allowing them to continue to modify the website, and if that is the case, close off that access.

Incidentally, one of the other plugins they were using, AntiVirus, was one that we found was flagging a fresh install of WordPress as having virus back in 2012.

Posted in Bad Security, WordPress Plugins | Tagged | Leave a comment

Google Needs to Improve the Review Process for Websites Labeled “This site may be hacked”

Early last year Google changed some of the underlying technology used in their process of of handling websites they suspect of being hacked (which leads to a “This site may be hacked” message being added to listings for the websites on Google’s search results). More than a year later we are still finding that the review process for getting the”This site may be hacked” message removed after cleaning up such a website is in poor shape and likely lead leading to a lot of confusion for people trying to navigate it if they don’t deal with it’s problems on regular basis (like we do). While we think that what Google is doing by warning about these situations is a good thing, the current state of the review process is not acceptable.

To give you an idea of what are people are dealing with lets take a look at what we just dealt with while getting Google to clear a website we had cleaned up.

Once you have cleaned a website with the “This site may be hacked” message, you need to add the website to Google’s Search Console and then you can request a review in the Security Issues section of that. That section will also give you information on what Google detected:

security-issues-page-1

 

In this case Google detected that spam pages were being added to the website, which they refer to as an URL injection.

Before requesting a review last Monday, we doubled checked that the spam pages no longer existed using the Fetch as Google tool in the Search Console, which allows you to see that what is served when a page is requested by Google. The URL they listed on the Security Issues page was “Not found” when we used the tool, indicating that the spam page was no longer being served to Google.

On Tuesday a message was left in Google’s Search Console for the non-www version of the website’s domain indicating that hacked content had been detected:

seach-console-message-non-www

Considering that Google was already listing the website as having a security issue for several days you might think this was a new detection, but it wasn’t. In the security issues section it still listed the old last detected date:

security-issues-page-2

Using the Fetch as Google tool in the Search Console we requested the URL again and it was still “Not found”:

fetch-as-google-4-19-2016

Then on Wednesday the same message was left for the www version of the domain:

seach-console-message-www

Again the last detected date in the Security Issues section hadn’t been changed and the using the Fetch as Google too the URL was still “Not found”:

fetch-as-google-4-20-2016

Then on Saturday the Security Issues page indicated that URL injection had been detected as of that day:

security-issues-page-3

We again used the Fetch as Google tool and it was still “Not found”:

fetch-as-google-4-23-2016

At this point we also checked the website over to make sure the malicious code hadn’t returned and it hadn’t.

Then this morning the warning was gone from the search results and the Security Issues page was clear:

security-issues-page-4

Considering that nothing changed between Saturday and today, that detection on Saturday would seem to be some kind of a mistake. Seeing at the page wasn’t even being found this doesn’t seem like an understandable false positive, but something seriously wrong with their system. If you weren’t aware of that how problematic the process is, you might have been very concerned upon seeing the new false detection.

The fact that it took them a week to finally clear the website also doesn’t seem to be an acceptable in this case.

 

Posted in Bad Security, Google | Tagged | 1 Comment

iThemes Security Plugin Has “One-Click Secure” Button That Does Nothing Except Claim The Website Has Been “Secured”

We are frequently asked what about various broad based WordPress security plugins and which ones should be used. Our answer to the second part of that is none of them. These plugins generally provide little protection against actual threats and have been found to have security vulnerabilities themselves fairly often. That second part might sound odd, you would think that someone developing a security related plugin would be very careful about the security of their plugin, but people that actually know about security would be unlikely to be involved in developing one of these due to the first part of that, that they don’t provide much protection against actual threats.

So what you are left with is products generally developed by people that don’t have much concern for real security and in a lot of cases seem to be mainly interested in making money by taking advantage of the public that understandably lacks strong security knowledge. That results in lots of plugins and related services that end up scaring people based on bad or false information and that collect information from users under false pretense.

If you are looking for some particular security feature you would be better off finding a plugin that doesn’t also include a kitchen sink of other features with it, since that reduces amount of code that could be harboring security vulnerabilities. The important things you need to do to keep your website secure are listed here.

The iThemes Security Plugin And Trust

That all brings us to something we just ran across with one of those plugins, iThemes Security (formerly Better WP Security), which is listed as having 700,000+ active installs.

One important element of any security product is trust, since the average user can’t verify that a product does what it says, they are trusting the developers in a major way. Any abuse of that trust should be a major red flag. That trust is something the developers of the iThemes Security plugin don’t seem to care about.

When you install and activate the iThemes Security plugin a notice is displayed at the top of the page with a button to “Secure Your Site Now”:

ithemes-security-1

Clicking on that brings up this page:

ithemes-security-2

The most important part of that would seem to be the section Titled “Secure Your Site”:

Use the button below to enable default settings. This feature will enable all settings that cannot conflict with other plugins or themes.

When you click on the One-Click Secure button, you get a message that it is “Working…” for a moment:

ithemes-security-4

Then it will tell you that “Site Secured. Check the dashboard for further suggestions on securing your site.”:

ithemes-security-5

Based on that you would think that the website has been secured in some way after doing that. It turns out that nothing actually has happened, something we found about when ran across a post on a thread on the WordPress.org support forum for the plugin that stated

Please note that since the 5.2.0 release (5.2.1 included) clicking on the One-Click Secure button in the First Important Steps modal window will not do anything despite the fact that it still reports:

Site Secured. Check the dashboard for further suggestions on securing your site.

which is also kind of lame as there is no longer a Security Status section on the Dashboard page …

Note this is not a bug, since iThemes knowingly removed the code that was normally executed behind this button …

If you want to see that for yourself you can see the changes made in version 5.2.o here (doing a search on the page for “Register one-click settings” will take you to parts of the page where that is shown). What makes this even more incredible is how long ago this happened, version 5.2.0 was release on January 18 and the post pointing that out is now two months old, and yet it is still that way now.

When they don’t care about misleading people with something that visible, then you have to wonder what else they might be misleading people about. We already spotted one other thing, but you will have to wait for a future post to hear about that.

Posted in Bad Security, WordPress Plugins | Tagged | Leave a comment