Bad False Positives from Wordfence Security and Quttera Web Malware Scanner WordPress Plugins

We often have people contact us that believe that a claim that their website has been hacked is false because they ran a scanner over and it didn’t find anything. We are not really sure why they don’t ask for the evidence behind the claim and try to see if they can confirm if that is accurate or not instead of running a scanner over the website, but considering they are not doing that it might not be surprising that they are instead doing something that is likely to not produce great results.

One problem is that the even if the scanner is effective at what is attempting to scan for, it may not be able to detect the type of issue that lead to claim that the website is hacked. Let’s say a web host detects a malicious file on the website, well that probably would be be something that a scan of the website’s pages from the outside would never detect.

Another problem is lack of evidence that various scanners are actually effective at what they are attempting to scan for and from our own experience, plenty of evidence that they are not effective. One area where we have seen evidence of that going back many years is with really bad false positives that indicate that these scanners are incredibly crude, so crude in fact that if we weren’t well aware of how bad the security industry is, we would have a hard time believing that they were even occurring. Below are a couple of them in WordPress plugins that we recently ran across that show the current poor state of such tools.

Quttera Web Malware Scanner

The first comes from the plugin Quttera Web Malware Scanner, which has 10,000+ active install according to wordpress.org. In recent thread on the support forum for that someone mentioned getting a false positive for what is quite common code. The plugin will warn when matching “RewriteRule ^(.*)$ h” in a .htaccess file, which would match when do some fairly common rewriting of URLs. Just doing that rewriting is not in any way malicious. The developer’s explanation for that wasn’t that this was a mistake, but that:

We mark it as suspicious because there are multiple malware instances utilizing this technique to steal/redirect traffic from infected websites.

Simply because malware uses common coding isn’t a good reason to flag any usage of it and that will necessarily cause the results of a scanner to be of limited use.

Making it seem like the developer really doesn’t know what they are doing in general, the description for that detection is “Detected suspicious JavaScript redirection”, which makes no sense considering that type of code has nothing to do with JavaScript.

Wordfence Security

The second instance of this involves a much more popular plugin Wordfence Security, which has 2+ million active installs according to wordpress.org, that we have frequently seen people believe is much more capable than it really is (sometimes they ignored evidence right before their eyes to continue to believe that).

A thread on the support forum of the plugin Ultimate Member was recently started with:

Wordfence seems to think there is a malware URL somewhere in the file class-um-mobile-detect.php:

* File contains suspected malware URL: wp-content/plugins/ultimate-member/includes/lib/mobiledetect/class-um-mobile-detect.php

but on comparison, the file’s contents are exactly the same as the latest file offered on https://ultimatemember.com

Can someone comment?

In follow to a question by the developer of the mentioned plugin, the original poster wrote:

I’m using 2.0.23 but as I’ve said the file in question is identical to the one found in the latest version. So as I thought it is a false positive. Maybe Wordfence doubled up on UM after the latest malware exploit.

In reality it was just that Wordfence’s scanner incredibly crude as hinted at by another reply in the thread:

It is caused by the URL: “http://www.vonino.eu/tablets” which was reported to contain malware.

In my file, it’s only mentioned in a comment so I guess it’s safe.

What that is referring to is the following line in the file /wp-content/plugins/ultimate-member/includes/lib/mobiledetect/class-um-mobile-detect.php:

340
// Vonino Tablets - http://www.vonino.eu/tablets

Currently the domain vonino.eu is being flagged by Google as malicious:

That doesn’t in any way make a file that includes the domain in a commented out line in the code, which can’t run, in any way malicious. If the developer’s of Wordfence Security cared at all they could easily avoid that false positive, but considering they can get away with much worse it isn’t surprising they wouldn’t care about that. That also leaves more responsible plugin developers to have to deal with the fallout from those false claims.

Wordfence Employee Ridiculously Claims You Can Make Sites “invincible against all the attack methods that are associated with WordPress sites”

While we have seen the bad side of the security industry for a long time, certain things continue to be surprising to us despite having seen them many times before. One of those is sheer amount of lying that goes on (that is on top of the amount of the massive amount false and misleading claims that are not clearly lies), despite trust being an important part of security. One area we frequently see that with is claims that products and services can provide a level protection that they can’t possibly provide.

When it comes to WordPress security plugins two are tied for the most popular in terms of active installations according to WordPress.org. One of them, Limit Login Attempts, is focused on a threat that isn’t of real concern and the current version contains a security we discovered and disclosed through our Plugin Vulnerabilities service last week (that security plugins frequently are found to have security vulnerabilities is a good indication of the poor state of the security industry). The other, Wordfence Security, owes at least some of its popularity and maybe a lot of it to marketing it with the unqualified claim that it “stops you from getting hacked”:

The WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, WordFence Firewall stops you from getting hacked.

That claim used to be the second sentence of description of the plugin on the page for it on the Plugin Directory and more recently has been found in the answer to the second FAQ question on that page.

The reality is that security plugins can’t possibly stop a lot of hacks, Wordfence intentionally leaves websites not using their service as well as the plugin vulnerable to being hacked, and in testing over at our Plugin Vulnerabilities service we found that the plugin provided no protection or the protection was easily bypassed when attempting to exploit real vulnerabilities in other plugins.

Once again in our monitoring of the WordPress.org Support Forum to keep track of information vulnerabilities in WordPress plugins for our Plugin Vulnerabilities service we ran across a Wordfence employee admitting that the plugin doesn’t do what they claim. This time it had the added element that even while admitting to that, they were still claiming a level of protection that is contradicted by what they were responding to.

The Wordfence employee wrote this:

Sorry we didn’t get back to you sooner! Unfortunately, there are many attack vectors associated with WordPress sites that lie outside of your WordPress installation like insecure servers, insecure passwords, encryption flaws, shared hosting, and many others; all these things combined make your site vulnerable to attacks. Wordfence helps protect and secure the WordPress installation side of your site and it does quite an excellent job at that. No security plugin can help protect your site against every vulnerability that lives there out in the wild, we can only help mitigate the risks associated with a vast majority of them. I recommend taking some time to go through these articles that will help you better understand WordPress security and how you can make your site invincible against all the attack methods that are associated with WordPress sites.

One of the problems with that is that the failure of Wordfence Security in this instance related to the WordPress installation:

I found this morning that someone from India logged into my WordPress admin panel on Jan. 11th using by login.
I am surprised that Wordfence did not stop this since it had been blocking the ip address range this login occurred from.

That seems like something it should have been able to protect against if it truly “does quite an excellent job at” security of the “WordPress installation side of your site”.

Something else that stood out in the Wordfence employee’s statement is this:

go through these articles that will help you better understand WordPress security and how you can make your site invincible against all the attack methods that are associated with WordPress sites

Below that were links to several pages on Wordfence’s website. Nobody that knows and or cares much about WordPress security would possibly make a claim of invincibility like that, but Wordfence seems to have no qualms about telling lies to public to promote themselves. That unfortunately comes at the expense of the security of websites since people are being mislead about the security Wordfence can provide versus other solutions like our Plugin Vulnerabilities service, which provides real protection that Wordfence doesn’t provide, and our service helps to actually make the WordPress ecosystem more secure even for those not using it.

Wordfence Employee Admits the Company Knows Wordfence Security Won’t Stop All Hacks as They Continue To Claim Otherwise

What we have been noticing more and more is how much lying is done by the security industry. Considering that trust is an important part of security and you often have to rely on their claims about what protection their products and services might provide, that is a big issue.

One glaring example of this when it comes to WordPress related security, is a prominent claim made about the most popular security plugin, Wordfence Security. The second sentence of the description on its page on wordpress.org is:

Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked.

Could a WordPress security plugin stop some hacks? Sure. Can it stop all them, as this unqualified statement by the makers of the plugin would lead to you believe? No.

People do believe that claim though, as we were recently reminded by a topic on the WordPress Support Forum that we ran across while doing monitoring for our Plugin Vulnerabilities service. The topic is titled “Hacked anyway!” and the message reads:

Well.
I installed Wordfence, and got hacked anyway.
Not sure whether or not to trust it anymore.
A defacement hack by the look of it.
Yet, when I run a full scan, it tells me all is OK.
WTF?
Any suggetions?

The reply from a Wordfence employee reads in part:

Often when we see sites get hacked despite having Wordfence, or we see them getting hacked repeatedly it’s because of a vulnerability on the server.

So they know how they promote the plugin isn’t accurate, but they continue to market it that way anyway. This is far from the only lie that we have seen from the company behind Wordfence Security. We wonder if and when the public will realize that the company behind it isn’t trustworthy?

The other thing worth noting about this situation is that it is also a reminder that Wordfence Security isn’t all that great at detecting that websites are hacked, which is also contrary to what people have been lead to believe. If it was better at that, someone could try to make an argument that while the plugin can’t stop a number of types of hack, it could provide effective mitigation against the damage caused by those hacks.