From dealing with a lot of hacked websites we see the damage the security industry often causes. One of the problems we have run into over and over is that people are not interested in doing the basics of security and instead try to rely on security products and services to protect them. Doing that has led to websites being hacked that shouldn’t have been, and that even includes the website of a security company. It isn’t hard to understand why this happens, since these security products and services are often promoted as being a magic bullet, while in reality some are somewhat useful and others are of little to no use.
In some cases security companies are explicitly promoting using their products instead of doing the basics, even when the basics would have provided better results. Case in point: a post by the WordPress-focused security company Wordfence today.
They claim that websites are being infected with a particular malware through two vectors:
So far the Wordfence Security Services Team has seen two infection vectors (methods of infection). The first is websites that are infected because they left the searchreplacedb2.php script lying around. This is a relatively uncommon infection vector. We wrote about this risk a few weeks ago.
The second vector is by far the most common. The attackers are exploiting a vulnerability in the WordPress ‘Newspaper’ theme. This vulnerability allows them to inject malicious code into the WordPress ‘wp_options’ table which then redirects your traffic to malicious websites or ad campaigns. Our Security Services Team has seen several other themes that are based on the Newspaper WordPress theme that suffer from the same vulnerability.
What isn’t noted in their post is that, according to the discoverer of the vulnerability in the theme, the vulnerability was fixed four days after the developer was notified, and the fix was put out in April of last year. Why not note that? Well, one reason might be the next paragraph in their post:
Wordfence released a Premium firewall rule about 40 days ago which prevents these attackers from exploiting the Newspaper theme. Even if you had a vulnerable theme, you would have been protected. About 10 days ago, that rule became available to our free customers too.
So simply keeping the theme up to date would have protected those using it long before Wordfence ever got around to protecting against the vulnerability. Wordfence didn’t mention the importance of keeping software updated in those parts of the post, but surely they would do that in a section titled “What to Do To Protect Yourself”, since updating the theme would in fact be the best protection against the vulnerability in the older version being exploited. It turns out that isn’t the case:
What to Do To Protect Yourself
As always we recommend running Wordfence Premium. In this case, our Premium customers have been protected for over 40 days from TrafficTrade by a Premium firewall rule that was deployed by our team in real-time.
The firewall rule became available to our free community users about 10 days ago. Both Wordfence free and Premium are now protecting your sites from these attacks.
Because this infection is so widespread, we have released additional detection in the Wordfence malware scan to detect a newer variant of TrafficTrade. We are seeing attackers modify your wp_options table to inject the malicious code into that table. A Wordfence scan will now detect this.
This new feature is immediately available for free and Premium Wordfence customers with Wordfence version 6.3.16 which was released this morning. Simply install Wordfence or update to 6.3.16 and run a scan.
We mentioned earlier that security companies promote their products as being magic bullets; Wordfence is a perfect example. They promote their plugin with the blanket claim that its “Web Application Firewall stops you from getting hacked” despite the obvious counterexample here: they only started protecting against the theme vulnerability more than a year after it was disclosed.
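As an added example (not code from the original post or from Wordfence), the kind of basic check an administrator can run over wp_options rows to spot injected redirect code of the sort described above, independent of any security plugin. The option names, patterns and sample rows are constructed assumptions, not indicators taken from the page.

```python
import re

# Patterns that have no business inside ordinary WordPress option values:
# inline or remote script tags, hidden iframes, obfuscated PHP and JS redirects.
SUSPICIOUS = [
    re.compile(r"<script\b[^>]*>", re.I),
    re.compile(r"<iframe\b[^>]*\bsrc\s*=", re.I),
    re.compile(r"\beval\s*\(\s*base64_decode\s*\(", re.I),
    re.compile(r"\b(?:window|document)\.location(?:\.href)?\s*=", re.I),
]

# Options that must hold the site's own URL and nothing else.
URL_OPTIONS = {"siteurl", "home"}


def scan_options(rows, site_host):
    """Return [(option_name, reason)] for rows that look tampered with.

    rows: iterable of (option_name, option_value) pairs, e.g. the result of
          SELECT option_name, option_value FROM wp_options;
    site_host: the hostname the site is supposed to live on.
    """
    findings = []
    for name, value in rows:
        value = value or ""
        if name in URL_OPTIONS:
            m = re.match(r"https?://([^/\s]+)", value)
            if not m or m.group(1).lower() != site_host.lower():
                findings.append((name, "site URL points off-site: %r" % value))
            continue
        for pat in SUSPICIOUS:
            if pat.search(value):
                findings.append((name, "matches %s" % pat.pattern))
                break
    return findings


# Constructed sample rows (assumed names and values, not real data).
SAMPLE_ROWS = [
    ("siteurl", "https://example.com"),
    ("home", "https://example.com"),
    ("blogname", "Example Blog"),
    ("theme_settings", '<script src="https://attacker-controlled.example/t.js"></script>'),
    ("widget_text", "<script>window.location='https://attacker-controlled.example/'</script>"),
]

if __name__ == "__main__":
    for name, reason in scan_options(SAMPLE_ROWS, "example.com"):
        print("%-16s %s" % (name, reason))
```

A hit is a prompt to restore the row from a known-good backup and to update the theme or plugin that allowed the write, not just to delete the value.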