Stop helping hackers!
WordFence Is Negligently Hurting the WordPress Community!
WordFence is supposed to be protecting WordPress websites. WordFence is doing the opposite. In fact, WordFence is most likely causing damage to WordPress websites by causing hacks!
WordFence is giving everything the hacker needs to possibly obtain this information! How??? I’ll explain in the article. I believe by the time that you finish reading this article you will be as frustrated and furious as I am at WordFence. This must STOP…NOW!!!
Many large tech companies have security teams that search for and patch security holes in their software. Many, like Google, will even pay a bounty if you find one and ethically inform them of the vulnerability.
What are these vulnerabilities??? A lot of times they’re never published, and we are never aware they even existed. And if they are published, the code that caused the security vulnerability is published after… Wait, take a breath. Pause for a second. Remember the word “After”. That simple, little word “After” is going to define why WordFence the company is awful and could be causing severe harm to the WordPress community. Let me finish my sentence now. …the security vulnerability is published after the security flaw is patched and fixed, preventing ANYONE from using that published code to exploit their software.
As I said before, when WordFence finds a security problem they try to contact the developer. According to WordFence’s blog posts, a lot of the time they have already found the problem and they share it with the developer. At the same time, they send an update to the WordFence plugin of their PREMIUM customers. This protects the premium customer from this particular vulnerability.
Once the developer has fixed the vulnerability what does WordFence do???
Do they send an update out to everyone including their basic customers to protect them???
NO, they do not.
Instead of helping the WordPress community, this is where they DANGEROUSLY, negligently, and foolishly expose… one website? A handful of websites? Hundreds? Thousands? Tens of thousands? Millions of websites?????????????????
WordFence creates a blog post on the entire vulnerability that WordFence found. The blog posts are well written and in great detail. In the blog post, they describe the vulnerability and provide the code that is used to exploit the vulnerability and how it was fixed. WordFence then sends out an email to all their subscribers about the vulnerability and to read their blog post.
Just today, November 9, 2020, I received an email with the subject line
“Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin”
WordFence Email Subject Line Screen Capture – “Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin”
In the VERY first paragraph of the email, it states
“Our Threat Intelligence team discovered several critical privilege escalation vulnerabilities in Ultimate Member, a plugin installed on over 100,000 sites. These flaws made it possible for unauthenticated attackers to gain administrative access to WordPress sites running the plugin.”
WordFence Email Body Stating The Ultimate Member Plugin Is Installed on Over 100,000 Sites!
Read that carefully. Over 100,000 sites that this vulnerability could affect!!!
When you click on the link to read the blog post it states
We initially reached out to the plugin’s developer on October 23, 2020. After establishing an appropriate communication channel, we provided the full disclosure details on October 26, 2020. The developer provided us with a copy of the first intended patch on October 26, 2020 for us to test. We confirmed the patch fixed one of the vulnerabilities, however, two still remained. On October 29, 2020, the plugin’s developer provided us with an updated copy which fully addressed all vulnerabilities. The plugin’s developer released a patched version of Ultimate Member, 2.1.12, on October 29, 2020.
These are critical and severe vulnerabilities that are easy to exploit. Therefore, we highly recommend updating to the patched version, 2.1.12, immediately.
Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on October 23, 2020. Sites still using the free version of Wordfence will receive the same protection on November 22, 2020.
WordFence Blog Post (Partial) – November 9, 2020
Let’s break this down. This is where it gets very serious!
These are critical and severe vulnerabilities that are easy to exploit.
Read that again. This is directly from WordFence!
These are critical and severe vulnerabilities that are easy to exploit.
WOW! Critical and severe.
EASY to exploit
WordFence is completely aware that these vulnerabilities are critical, severe, and easy to exploit!
Really, how so???
WordFence in the next paragraph tells you how.
I’ve blocked out the code and descriptions in the image gallery below. I won’t be negligent and responsible for someone’s website being hacked. WordFence provides the code right in their blog post!
Now, let’s read another important line in WordFence’s blog post.
WordFence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on October 23, 2020. Sites still using the free version of Wordfence will receive the same protection on November 22, 2020.
This WordFence post with the vulnerability and the code was posted on November 9, 2020.
WordFence’s premium users are protected.
Let’s do some simple math.
It’s November 9, 2020. The basic customers do not receive the update until…November 16, 2020.
November 16, 2020 minus November 9, 2020 equals 7… SEVEN… SEVEN days away!!! That many users are not PROTECTED while WordFence knows about the critical, severe, and EASY-to-exploit vulnerability… AND PUBLISHES THE VULNERABILITY CODE for hackers to read!
When I contacted WordFence today, the Director of Marketing at WordFence, Kathy Zant informed me that most of the time it’s 30 days….THIRTY DAYS!!!
(*Full email chain is at the bottom of this blog post for viewing)
Email from WordFence Director of Marketing Kathy Zant
Let’s pause for a second. I’m sure your blood pressure is rising now like mine is.
What about the three examples of sites that I had previously given?
The small business owners who are not aware of the wp-admin area of their WordPress website. Unaware that they need to update their plugins and themes, let alone the WordPress core.
You’re a small business owner. And in today’s email from WordFence, this security vulnerability was in a membership plugin. A free membership plugin that, as WordFence stated, is installed on over 100,000 websites.
Possibly little league websites, softball websites, hiking membership websites, clubs, social media sites for their members, sites that may contain CHILDREN’S information or their home addresses due to sports websites… the list goes on and on… In fact, over 100,000 of them per WordFence.
You’re working on coaching your softball team. That’s your primary responsibility. Teach, train, win games! You are unaware that you need to update this plugin. Maybe you do update your WordPress site, but you only do it monthly. Then again, there are many website owners that don’t even have WordFence and again are completely unaware of having to update their plugins and theme(s). They don’t normally keep up with security updates, read blogs, emails from WordFence, etc.
WordFence just gave the hackers EVERYTHING they needed to hack your website. WordFence is supposed to be in the business to stifle hackers… not to help them??? Right??? Then why are they???????????
If I was using this membership plugin on my website and I was hacked, I would be filing a lawsuit against WordFence for negligence. I would even go as far as contacting a prosecutor for criminal negligence.
Let’s not forget about the developer of the Membership Plugin that had the security vulnerability. It happens. It even happens to Google, Facebook, IBM, etc.
WordFence just opened up a possible legal mess for the makers of this membership plugin. Now that WordFence has provided the hackers with the code, the hackers can actively search for WordPress websites that have this plugin installed. Hackers’ fingers are crossed that there is someone that has not updated… What are the chances of that happening???… As WordFence said in their blog post, over 100,000 installs of this plugin. Yea… that’s a pretty safe bet for the hacker.
Your website gets hacked. Your members’ information is stolen. You may get sued by the members. Who are you going to sue? The developer of the plugin most likely. WordFence just set this developer up for possible lawsuits. If I was the developer I’d be naming WordFence in the lawsuit as well. What a tangled web of legal issues, all because WordFence has to toot their own horn and show off the code that causes the issue.
Whereas Google, Facebook, IBM, etc. patch the vulnerability. And if they do publish the vulnerability it’s usually a lengthy time after, and it’s completely patched and……. SAFE TO DO SO! Let’s say that again.
SAFE TO DO SO!!!!
Again, Again, Again, nope, that’s not a typo. One more time…. AGAIN, WordFence is in the security business. WordFence has to be AWARE of the severe possibilities of what could happen by publishing this vulnerability code to the world. WordFence states clearly that this vulnerability is EASY to exploit and is critical and severe! Directly from WordFence’s blog post:
“These are critical and severe vulnerabilities that are easy to exploit.”
WordFence published the vulnerability knowing that a large part of their customer base may not be and is not protected.
Sites still using the free version of Wordfence will receive the same protection on November 22, 2020.
And they have to know that many users don’t use WordFence and don’t update their website daily, weekly, monthly, or at all!
This is the definition of negligence!
Directly from Merriam-Webster Dictionary:
Failure to exercise the care that a reasonably prudent person would exercise in like circumstances
Again, WordFence is completely aware of what they do and acknowledges it in the email that I received from Kathy Zant, the DIRECTOR of Marketing. Not just any ol’ employee. The DIRECTOR of MARKETING! This is the response from WordFence’s Director of Marketing Kathy Zant.
(*Full email chain can be viewed at the bottom of this blog post)
The fix for these vulnerabilities has been available to all users of the Ultimate Member plugin for almost two weeks. They can quickly and easily fix their sites by doing one thing: clicking update for Ultimate Member if they have it installed on their site.
As a general rule, we do not release firewall rules to users of the free Wordfence plugin for 30 days after our premium customers receive them.
Director of Marketing
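As an added, defender-side example that is not part of the original post and is not Wordfence’s or Ultimate Member’s own tooling: given each site’s plugin inventory as printed by `wp plugin list --format=json`, the Python below reports which sites still run an Ultimate Member build older than the patched 2.1.12 release named above, so an administrator responsible for several small sites can see who still needs that one “click update”. It assumes the plugin’s wordpress.org slug is `ultimate-member` (the post never states it) and the inventories are constructed samples, not real sites.

```python
"""Flag WordPress sites still running an Ultimate Member build older than 2.1.12.

Added example; not code from the original post, from Wordfence, or from the
Ultimate Member project. Assumptions (not stated on the page): the plugin's
wordpress.org slug is "ultimate-member", and each site's inventory is the
JSON that `wp plugin list --format=json` prints (fields: name, status,
update, version). The inventories below are constructed samples.
"""
import json
import re
from typing import Dict, List, Tuple

PATCHED_VERSION = "2.1.12"       # patched release named in the quoted Wordfence post
PLUGIN_SLUG = "ultimate-member"  # assumed wordpress.org slug

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '2.1.9' into a key that orders numerically, not as a string.

    Comparing version strings as text puts '2.1.9' after '2.1.12', which
    would hide exactly the sites this check exists to find. A pre-release
    suffix such as '2.1.12-beta1' orders below the bare release.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))  # pad so '2.2' and '2.2.0.0' compare equal
    return (numbers, 1 if m.group(2) == "" else 0)


def is_vulnerable(installed: str, patched: str = PATCHED_VERSION) -> bool:
    """True when the installed build is older than the patched release."""
    return parse_version(installed) < parse_version(patched)


def triage(inventories: Dict[str, str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Bucket sites by whether they still carry a pre-2.1.12 Ultimate Member.

    inventories maps a site label to the JSON text `wp plugin list
    --format=json` printed on that site. Each entry in a bucket is
    (site, installed version, plugin status). An inactive copy is still
    reported: its files are still on disk, and only an update or a delete
    removes them.
    """
    result: Dict[str, List[Tuple[str, str, str]]] = {
        "vulnerable": [], "patched": [], "not_installed": []
    }
    for site, raw in inventories.items():
        plugins = json.loads(raw)
        match = next((p for p in plugins if p.get("name") == PLUGIN_SLUG), None)
        if match is None:
            result["not_installed"].append((site, "", ""))
            continue
        entry = (site, match["version"], match.get("status", "unknown"))
        bucket = "vulnerable" if is_vulnerable(match["version"]) else "patched"
        result[bucket].append(entry)
    return result


# Constructed sample inventories in the shape `wp plugin list --format=json`
# produces. Site names and versions are made up for the example.
SAMPLE_INVENTORIES = {
    "club-site": json.dumps([
        {"name": "ultimate-member", "status": "active", "update": "available", "version": "2.1.9"},
        {"name": "akismet", "status": "active", "update": "none", "version": "4.1.7"},
    ]),
    "league-site": json.dumps([
        {"name": "ultimate-member", "status": "active", "update": "none", "version": "2.1.12"},
    ]),
    "bakery-site": json.dumps([
        {"name": "akismet", "status": "inactive", "update": "none", "version": "4.1.7"},
    ]),
    "hiking-site": json.dumps([
        {"name": "ultimate-member", "status": "inactive", "update": "available", "version": "2.1.10"},
    ]),
}

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORIES)
    for site, version, status in report["vulnerable"]:
        print(f"UPDATE NEEDED  {site}: {PLUGIN_SLUG} {version} ({status}) < {PATCHED_VERSION}")
    for site, version, status in report["patched"]:
        print(f"ok             {site}: {PLUGIN_SLUG} {version} ({status})")
    for site, _, _ in report["not_installed"]:
        print(f"not installed  {site}")
```

The numeric version key is the part worth keeping: a naive string comparison treats `2.1.9` as newer than `2.1.12` and would report the club site as patched. To run it against real sites, replace `SAMPLE_INVENTORIES` with the output of `wp plugin list --format=json` collected from each installation.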
If I was a hacker I would be monitoring WordFence’s blog daily….hourly!
WordFence is doing all the work for the hackers.
Why are they doing this?
I have no idea. I can only speculate.
Are they finding an out-of-the-box, unethical way to drum up business for the divisions of WordFence that clean and repair websites that are hacked? Are they just trying to show off and toot their own horn???
I don’t know. Your guess is as good as mine.
What I do know is that this is the definition of negligence in my opinion. And, as I said before, if I had a site that was hacked containing any of these plugins that WordFence posts the vulnerability code to, I would be speaking with an attorney and a prosecutor!
This has to stop!!! NOW!!!
Full detailed article https://bitsvital.link/wfstop