PluginVulnerabilities

@PluginVulnerabilities@lemmy.world


PluginVulnerabilities,

You couldn’t even be bothered to get Wordfence’s name right, but is there anything you are claiming is inaccurate in the post or is this just an ad hominem attack because you can’t handle them being legitimately criticized?

PluginVulnerabilities,

You were criticizing us for what you claimed is a “poorly written article and poorly made site”, so getting things wrong yourself stands out.

We don’t have any axe to grind. We do have to deal with the results of Wordfence making false claims about vulnerabilities. As was the case with what led to us finding a serious vulnerability, after they falsely claimed there had been a vulnerability in a plugin that one of our customers started using. A lot of other people do as well, like when an unfixed vulnerability was widely exploited months after they claimed it had been fixed.

What are you claiming is misleading and also disingenuous?

PluginVulnerabilities,

You are engaged in ad hominem attacks and then appear to be getting angry that someone else responds in the same way. Please grow up.

It wasn’t a revenge piece and the crux of the article you are referencing, but Wordfence literally claimed that wordpress.org was their website. They said “The information cited in the blog post was directly taken from our website” and then listed their website as wordpress.org. It obviously isn’t true that it is their website, but it is what they claimed.

We didn’t plagiarize or steal anything. We were quoting Wordfence to point out that things they were saying were not true.

If you are claiming that someone isn’t telling the truth, to be fair, you would want to quote what they actually said instead of engaging in ad hominem attacks on them. That is what we did. For example, we quoted a two-sentence description for what they claimed was a vulnerability and then explained why it wasn’t true. We clearly were not plagiarizing them, since we were quoting them. We also were not stealing anything, as we were noting their information was wrong. It seems like you can’t handle someone pointing out that Wordfence says things that are not true. That seems to be a common problem with their fanboys.

Wordfence filed DMCA takedown requests that were not legitimate. They claimed, for example, that we quoted them “without authorization and without citing the original source”. We cited the original source (it’s how they knew what we were quoting in the first place) and you don’t need authorization to quote someone.

PluginVulnerabilities,

The plugins that provided protection are:

  • NinjaFirewall
  • Plugin Vulnerabilities Firewall
  • Wordfence Security

All of them provided protection without a rule written for the specific vulnerability being exploited, so they will protect against similar vulnerabilities in the future as well.

PluginVulnerabilities,

The issue described as “identifying a way for logged-in users to execute any shortcode” has been a publicly known issue for many years. It’s odd that WordPress finally decided it was something that shouldn’t be allowed. It also looks like there are plugins with tens of thousands of installs that now have what WordPress considers a vulnerability, as they also allow some variation of that as well.

eckleburg, to wordpress

Hi,

I don’t know whether it is down to itself or to our host: we are recording well over 1000 attacks a month on our website. Without, it would already have been taken over several times.

Do you know what could be causing this? Is that normal?

@wordpress

PluginVulnerabilities,

Among the problems with Wordfence Security is that the developer tries to scare people by emphasizing the number of attacks, but failing to note when they know they would have failed even without the plugin. Almost all attacks fail on their own, because of things like attempts to exploit vulnerabilities that don’t exist on the website or trying to log in with usernames/passwords that are not used. It’s unlikely that your website would have been taken over multiple times without that plugin. In fact, in our testing, it continues to provide significantly less protection than other firewall plugins against real threats.

Avoiding security solutions that engage in FUD like Wordfence Security does seems like a good idea.
