Wordfence Employee Admits the Company Knows Wordfence Security Won’t Stop All Hacks as They Continue To Claim Otherwise

What we have been noticing more and more is how much lying is done by the security industry. Considering that trust is an important part of security and you often have to rely on their claims about what protection their products and services might provide, that is a big issue.

One glaring example of this, when it comes to WordPress-related security, is a prominent claim made about the most popular security plugin, Wordfence Security. The second sentence of the description on its page on wordpress.org is:

Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked.

Could a WordPress security plugin stop some hacks? Sure. Can it stop all of them, as this unqualified statement by the makers of the plugin would lead you to believe? No.

People do believe that claim though, as we were recently reminded by a topic on the WordPress Support Forum that we ran across while doing monitoring for our Plugin Vulnerabilities service. The topic is titled “Hacked anyway!” and the message reads:

Well.
I installed Wordfence, and got hacked anyway.
Not sure whether or not to trust it anymore.
A defacement hack by the look of it.
Yet, when I run a full scan, it tells me all is OK.
WTF?
Any suggestions?

The reply from a Wordfence employee reads in part:

Often when we see sites get hacked despite having Wordfence, or we see them getting hacked repeatedly it’s because of a vulnerability on the server.

So they know how they promote the plugin isn’t accurate, but they continue to market it that way anyway. This is far from the only lie that we have seen from the company behind Wordfence Security. We wonder if and when the public will realize that the company behind it isn’t trustworthy.

The other thing worth noting about this situation is that it is also a reminder that Wordfence Security isn’t all that great at detecting that websites are hacked, which is also contrary to what people have been led to believe. If it was better at that, someone could try to make an argument that while the plugin can’t stop a number of types of hack, it could provide effective mitigation against the damage caused by those hacks.

2 thoughts on “Wordfence Employee Admits the Company Knows Wordfence Security Won’t Stop All Hacks as They Continue To Claim Otherwise”

  1. Of course Wordfence can’t sanitise a flawed server environment, but that’s because Wordfence operates on a completely different level.

    Wordfence does very well what Wordfence is supposed to do: protect the CMS from known vulnerabilities. No one ever claimed that Wordfence will sort out the server security, and you clearly can’t distinguish between a server and CMS 🙂

    Wordfence is still the best plugin for WordPress Security. WordPress isn’t a server, mate.

    1. If you read the post you would know that Wordfence claims that the plugin “stops you from getting hacked” without qualification on that claim, we wouldn’t have written this if they correctly qualified the claim with the major limitations, but they don’t. As the post also shows, people believe that it will stop websites from being hacked in general, which isn’t surprising since Wordfence markets it that way, but it didn’t for that person and for plenty of others. In this case it isn’t clear how the website got hacked, so it could have been something that Wordfence Security should have been able to stop.

      As for your other claim that it will “protect the CMS from known vulnerabilities”, you are not providing any evidence to back that up and it is irresponsible of you to make that claim without evidence to support it. We have yet to see Wordfence or anyone else present that type of evidence. If you look at the testing we have done over at our Plugin Vulnerabilities service, what we have found is that either the Wordfence Security plugin didn’t provide protection or the protection was easily bypassed when vulnerabilities in other plugins were exploited, so the burden is even higher before anyone should be making claims about the protection it can provide.
