This article gets technical. But I had to write it so I didn’t have to continually repeat the same points during internet discussions of a new WordPress security plugin. First, the background:
The New WordPress Security Plugin
Recently a slick marketing campaign has effectively promoted a new WordPress security plugin. A video promoting the plugin demonstrates a successful attack on a WordPress site. The voiceover claims that two popular security plugins Sucuri and WordFence do not effectively defend against this one particular attack type.
But the promoted product does. According to the promoters. So if you buy this one plugin (which I’ll name later in the article) then you can be assured of security for your WordPress site.
Not So Fast!
Like any good ad campaign this one speaks to its audience in the language they understand. However, the campaign targets non-experts while covering a subject that requires expert knowledge. This allows the omission of valuable context. The omissions, combined with misdirections and other FUD tactics, add up to outright deceit.
The campaign is deceitful.
What’s The Real Story?
Is it possible that Sucuri or WordFence could miss a vulnerability in a popular plugin? Sure it is.
Is it possible that a new entry to the WordPress security plugin market could defeat this vulnerability? Sure.
Do these facts say anything about the value of any of these plugins? Possibly. But only in a very limited sense.
We have to consider a few things:
- The vendor of the new plugin doesn’t reveal any details about the vulnerability.
- The vendor of the new plugin has no history of contribution within the WordPress community.
- The vendor doesn’t specialise commercially in WordPress products.
- The source code of the plugin hasn’t been released under the GPL license.
- Since the video’s release, WordFence and Sucuri most probably now provide protection against the vulnerability. It’s very unlikely that they don’t. But the original video is still in circulation.
So the claims in the video aren’t outright false. But they are still deceitful.
Vulnerabilities are discovered within any set of web technologies all the time. And every week new vulnerabilities are discovered by all vendors of defensive products who then update their products. I would be very surprised if the Big Scary Vulnerability shown in the video wasn’t fixed within a couple of days of the ad being launched.
WordPress Security Plugins And Community Contribution
Sucuri and WordFence compete. One of the domains of their competition is in their community contribution. They each have public blogs and newsletters. Every serious WordPress consultant consumes from at least one of these channels.
The new product is called ‘wp siteguardian’. If you search for it on Google you’ll find a very slick advertising page that tells a brilliant story, complete with misdirection on the nature of security, WordPress security, and the WordPress security plugin market.
What you won’t find is any substantial information on security. The kind of information that other players in the market provide plentifully and for free.
You also won’t find any real attempt at customer education. Something that WordFence and Sucuri offer for free and in great quantity.
Consider: when WordFence have discovered new, high-impact vulnerabilities they have alerted the community.
What they haven’t done is hide the details of the vulnerability while using them to scare the crap out of people until they open their wallets. Unlike WP Site Guardian.
WP Site Guardian have displayed no affinity with the WordPress community. That doesn’t mean that their product doesn’t work. But having shallow roots makes for poor positioning. Especially in terms of technical expertise. And WordPress security requires technical expertise.
And You Won’t Find The Source Code
WP Site Guardian has not opened their code. Moreover, the vendor has stated in Facebook discussions that he has no intention to do so. He has stated that the code is not covered by the GPL.
That is to say: WP Site Guardian most probably violates the license of WordPress by failing to cover their own WordPress Security Plugin under the GPL. In doing so, they both hide the quality of their own code while violating the rights of their own customers.
Any complete conversation around this is nuanced and should be conducted in detail. The opinion of Matt Mullenweg, the Lead Developer of the WordPress Foundation and original developer of WordPress itself, is that all themes and plugins are covered by the GPL.
Customer rights aside, refusing to apply the GPL to WordPress derivative works makes them less secure.
The Worst Thing About The Advertising Of The New Security Plugin
The target audience of the advertising campaign has a problem. They aren’t in a position to navigate the advertised claims. They don’t know the context. They don’t understand the threat model.
And that’s fine. Consumers shouldn’t be obliged to learn the fine details. That task is for expert consultants.
After purchasing the WP Site Guardian the customer will feel like they have “purchased security”.
But they haven’t. And they can’t. Because “buying security” is impossible. Genuine security for WordPress requires expert knowledge. And an application of the Defense In Depth principle.
WordPress consumers deserve better.