Send WordFence A Message!
Sign the Change.org Petition
Update: I sent this article 24 hours before publishing to WordFence for an official comment. As of November 11, 12:00 pm UTC-7 they have yet to respond with a comment.
WordFence is negligently hurting the WordPress community!
WordFence, with over three million downloads from the WordPress plugin repository, is the most popular WordPress security plugin. WordFence is supposed to be protecting your WordPress website, correct? WRONG! WordFence is doing the opposite and hurting the WordPress community. Allow me to explain.
WordFence is giving the hackers everything they need to hack your website! Think of what hackers could obtain if they hacked your website: your members’ personal information, possibly credit card information. Do you have a little league website with the children’s and parents’ information in it?
WordFence is giving the hacker everything needed to possibly obtain this information! How??? I’ll explain in this article. I believe that by the time you finish reading it you will be as frustrated and furious at WordFence as I am. This must STOP…NOW!!!
According to W3Techs, WordPress is by far the most popular CMS in the world: over 60% of websites built on a CMS use WordPress, and over 30% of the world’s websites use WordPress.
With WordPress being as popular as it is, it’s a prime target for hackers. WordPress has a large community of open-source (free) plugins, over fifty-eight thousand [58,000+] in the WordPress.org repository alone. This doesn’t even include 3rd party sellers and markets like Envato/CodeCanyon/Theme Forest.
With WordPress’s large number of free plugins, many of these plugins are created and never updated. These plugins are years old, with the developer never touching the plugin after publishing it to the WordPress repository. Many of these plugins are created by amateurs, students, and hobbyists who may not be educated in security and lack the training to review their code for any type of security problem that a hacker could exploit. These plugins remain in the WordPress repository for anyone to download and use.
Security for WordPress is mandatory. If you have a WordPress website you need to have some type of security plugin, in my opinion. The number one security plugin is WordFence. As of November 2020, it has been downloaded over three million times from the WordPress plugin repository.
WordFence as of November 2020 has two types of plans. Free and Premium. WordFence also offers a service to help disinfect and recover your WordPress website if it has been hacked.
I’ve been developing WordPress websites since 2005. I have fixed countless WordPress sites that have been hacked. Many of the WordPress sites that I fixed were hacked because the owner of the site forgot about the back-end of WordPress and never updated their theme(s) and plugins, or they weren’t even aware that they have a back-end to their WordPress website that needs to be maintained.
Let me give you three examples that I’ve experienced during my WordPress development years.
The first one is a church website.
A small church in the midwest decided to build a website for their congregation. Mainly they wanted a website to post pictures from their events. But once they found out how simple WordPress was, they added their Google Events Calendar and started posting blog posts of each week’s sermons. The church was small and didn’t have a large budget. They turned to their congregation and found a high school student to take on the project. A year after the website was built, the high school student left for college. The pastor and board had no idea that their website needed to be updated daily, weekly, monthly, or even at all! Or that their WordPress website used plugins and themes.
Three years down the line, I received a phone call that their website was not working. I logged into their VPS on GoDaddy, and as soon as I did a simple ls of the main directory I immediately knew they were hacked. There were multiple files that did not belong to WordPress. After examining the site and files, I found they were hacked through a popular image plugin that had not been updated in over three years!
Next, we have a small travel website.
A small family-owned business that offers tours of their small town and surroundings. They called up a local website developer to create a website for them. They had no idea that their website was even on WordPress let alone that you need to update it. The developer did a great job of creating their website. Less than a year later the developer went out of business. Like many developers, this developer never trained the customer on how to use their website and the importance of keeping their WordPress website up-to-date. About two years later my phone started to ring. There was a frantic lady on the line. She was so frantic that her husband took the phone and started to talk to me because she was not able to speak. She was in tears and sobbing. Their website was offline! Their business was offline. Their income was offline!
They were hosting their WordPress website on GoDaddy, and the husband informed me that GoDaddy would not help them. All GoDaddy support said was that their website was most likely hacked and was out of the scope of support that GoDaddy offers.
Their entire business relied on that one WordPress website. I immediately went to work and right off the bat there were the telltale signs of a hack: files that did not belong to WordPress and that had suspicious code in them. It didn’t take long to find that once again it was a photo plugin with a security vulnerability that a hacker was able to exploit. The plugin had never been updated. When I asked the husband and wife when they had last logged into their website, they had no idea they even had the ability to log in to their WordPress site, let alone that their site was built on WordPress.
My last example is a membership website for medical billers.
Their website was developed by a professional WordPress development team. The developers installed a popular membership plugin to manage their members, subscriptions, and payments. Once the website was developed and payment made, the communication between the medical billing business and the developer ended. And again, like many website developers, they never trained the customer on how to use the wp-admin area of their WordPress website.
Ring ring went my telephone, with a frantic and frustrated gentleman on the line. He informed me that their website had been hacked and they were worried that the hacker(s) had been able to steal their members’ credit card and personal information.
This was a larger hack than the previous two examples. The hack exploited a very outdated plugin on the website and was able to take full control of the WordPress site. The hacker locked the owner completely out. The hacker changed the admin’s password. The hacker also did a SQL injection and changed the root MySQL password. The only option was to destroy the VPS that the website was on… It gets worse!
The owner of the site did have backups. The developer of the site had created a script that backed up the website every night and transferred the backup to an Amazon AWS S3 bucket. Yay…right? Wrong!
The developer had created a policy for the bucket to delete the backup files every seven days to save space and money. There were only seven days’ worth of backups in the bucket. By the time I received the phone call, it was nine days after the hack.
These are great stories, but what do they have to do with WordFence? WordFence protects WordPress websites, AND in my opinion does a great job of protecting the WordPress website from hackers. As the saying goes…the proof is in the pudding. With over three million downloads, that says a lot about how effective and trusted WordFence is at protecting WordPress websites.
Let’s talk quickly about the two versions of WordFence. The free version is very close to the paid version. The free version is feature-rich; very few premium features are missing from it. As of November 2020, the premium version for one license is $99.00 for an entire year. There are no monthly plans. It’s just a flat $99.00. WordFence does offer discounts for additional licenses that you can purchase. This is beneficial if you have multiple WordPress websites.
As I said earlier in this article, WordFence also has been working hard creating a division of their business to diagnose and help recover hacked websites. As of November 9, 2020 they charge $490.00 to help clean a WordPress website that has been hacked.
This all sounds fantastic, doesn’t it? WordFence is on my side helping me protect my WordPress website. And they are in some ways. So how are they hurting the WordPress community?
If you are using WordFence you most likely subscribed to their newsletter. Have you read their newsletters/emails? And if you have, have you actually clicked on the link and read the entire blog post? Not just the little snippet in the email.
WordFence is in the business of security. WordFence actively looks out for exploits in WordPress plugins and themes, per their blog posts. When WordFence finds one they try to contact the developer, again per their blog posts. They inform the developer of the exploit and, from many of their blog posts, it sounds like they also help the developer fix it. They’re saints!!!! Right?
That’s where the story diverges. Many of the large tech companies have security teams that search for and patch security holes in their software. Many tech companies, Google for example, will even pay a bounty if you find one and ethically inform them of the vulnerability.
What are these vulnerabilities??? A lot of the time they’re never published, and we are never aware they even existed. And if they are published, the code that caused the security vulnerability is published after… Wait, take a breath. Pause for a second. Remember the word “After”. That simple, little word “After” is going to define why WordFence the company is awful and could be causing severe harm to the WordPress community. Let me finish my sentence now. …the security vulnerability is published after the security flaw is patched and fixed, preventing ANYONE from using that published code to exploit their software.
WordFence is supposed to be protecting WordPress websites. WordFence is doing the opposite. In fact, WordFence is most likely causing damage to WordPress websites by causing hacks!
As I said before, when WordFence finds a security problem they try to contact the developer. According to WordFence’s blog posts, a lot of the time they have already found the problem and they share it with the developer. At the same time, they send an update to their PREMIUM customers’ WordFence plugin. This protects the premium customer from this particular vulnerability.
Once the developer has fixed the vulnerability what does WordFence do???
Do they send an update out to everyone including their basic customers to protect them???
NO, they do not.
Instead of helping the WordPress community, this is where they DANGEROUSLY, negligently, and foolishly expose… one website,… a handful of websites,… hundreds,… thousands,… tens of thousands,… millions of websites?????
WordFence creates a blog post on the entire vulnerability that WordFence found. The blog posts are well written and in great detail. In the blog post, they describe the vulnerability and provide the code that is used to exploit the vulnerability and how it was fixed. WordFence then sends out an email to all their subscribers about the vulnerability and to read their blog post.
Just today, November 9, 2020, I received an email with the subject line
“Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin”
In the VERY first paragraph of the email, it states
“Our Threat Intelligence team discovered several critical privilege escalation vulnerabilities in Ultimate Member, a plugin installed on over 100,000 sites. These flaws made it possible for unauthenticated attackers to gain administrative access to WordPress sites running the plugin.”
Read that carefully. Over 100,000 sites that this vulnerability could affect!!!
When you click on the link to read the blog post it states
We initially reached out to the plugin’s developer on October 23, 2020. After establishing an appropriate communication channel, we provided the full disclosure details on October 26, 2020. The developer provided us with a copy of the first intended patch on October 26, 2020 for us to test. We confirmed the patch fixed one of the vulnerabilities, however, two still remained. On October 29, 2020, the plugin’s developer provided us with an updated copy which fully addressed all vulnerabilities. The plugin’s developer released a patched version of Ultimate Member, 2.1.12, on October 29, 2020.
These are critical and severe vulnerabilities that are easy to exploit. Therefore, we highly recommend updating to the patched version, 2.1.12, immediately.
Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on October 23, 2020. Sites still using the free version of Wordfence will receive the same protection on November 22, 2020.
Let’s break this down. This is where it gets very serious!
These are critical and severe vulnerabilities that are easy to exploit.
Read that again. This is directly from WordFence!
These are critical and severe vulnerabilities that are easy to exploit.
WOW! Critical and severe.
EASY to exploit
WordFence is completely aware that these vulnerabilities are critical, severe, and easy to exploit!
Really, how so???
WordFence in the next paragraph tells you how.
I’ve blocked out the code and descriptions in the image gallery below. I won’t be negligent and responsible for someone’s website being hacked. WordFence provides the code right in their blog post!
Now, let’s read another important line in WordFence’s blog post.
WordFence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on October 23, 2020. Sites still using the free version of Wordfence will receive the same protection on November 22, 2020.
This WordFence post with the vulnerability and the code was posted on November 9, 2020.
WordFence’s premium users are protected.
Let’s do some simple math.
It’s November 9, 2020. The basic customers do not receive the update until…November 16, 2020.
November 16, 2020
minus November 9, 2020
equals 7….SEVEN….SEVEN days!!! That many days during which users are not PROTECTED while WordFence knows full well about the critical, severe and EASY-to-exploit vulnerability….AND PUBLISHES THE VULNERABILITY CODE for hackers to read!
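An added example, not from the original post and not Wordfence’s code: a small Python check that reads the Version line from a plugin’s header, compares it numerically with the patched release named in the quoted advisory (2.1.12), and works out the gaps between the dates Wordfence gives in the quoted post. The plugin header is a constructed sample; the 2.1.9 version in it is made up to show why string comparison gets versions wrong.

```python
"""Plugin-version and disclosure-timeline check (added example).
Dates and the patched version 2.1.12 come from the Wordfence text quoted
above; SAMPLE_HEADER is constructed and not from any real install."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import re

# Constructed sample of the comment block WordPress reads from a plugin's
# main PHP file. 2.1.9 is a made-up pre-patch version.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Ultimate Member
 * Version: 2.1.9
 */
"""

@dataclass(frozen=True)
class Advisory:
    slug: str
    patched_version: str
    premium_rule: date    # firewall rule shipped to premium users
    patch_released: date  # vendor patch available to everyone
    disclosed: date       # public write-up published
    free_rule: date       # firewall rule shipped to free users

# Timeline exactly as stated in the quoted Wordfence post.
ULTIMATE_MEMBER = Advisory("ultimate-member", "2.1.12",
                           premium_rule=date(2020, 10, 23),
                           patch_released=date(2020, 10, 29),
                           disclosed=date(2020, 11, 9),
                           free_rule=date(2020, 11, 22))

def parse_version(text: str) -> tuple[int, ...]:
    """'2.1.12' -> (2, 1, 12). Component-wise integers, because the
    string '2.1.9' sorts after '2.1.12'. Non-numeric tails are dropped."""
    parts: list[int] = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)

def installed_version(header: str) -> str:
    """Pull the value of the 'Version:' header line."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    if not m:
        raise ValueError("no Version: line in plugin header")
    return m.group(1)

def is_vulnerable(header: str, adv: Advisory) -> bool:
    return parse_version(installed_version(header)) < parse_version(adv.patched_version)

def timeline_days(adv: Advisory) -> dict[str, int]:
    """Days between the advisory's milestones."""
    return {"patch_to_disclosure": (adv.disclosed - adv.patch_released).days,
            "disclosure_to_free_rule": (adv.free_rule - adv.disclosed).days,
            "premium_to_free_rule": (adv.free_rule - adv.premium_rule).days}

if __name__ == "__main__":
    print(installed_version(SAMPLE_HEADER), is_vulnerable(SAMPLE_HEADER, ULTIMATE_MEMBER))
    print(timeline_days(ULTIMATE_MEMBER))
```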
When I contacted WordFence today, the Director of Marketing at WordFence, Kathy Zant informed me that most of the time it’s 30 days….THIRTY DAYS!!!
(*Full email chain is at the bottom of this blog post for viewing)
Let’s pause for a second. I’m sure your blood pressure is rising now like mine is.
What about the three examples of sites that I had previously given?
The small business owners who are not aware of the wp-admin area of their WordPress website, unaware that they need to update their plugins and themes, let alone the core of WordPress.
You’re a small business owner. And in today’s email from WordFence this security vulnerability was in a membership plugin. A free membership plugin which, as WordFence stated, is installed on over 100,000 websites.
Possibly little league websites, softball websites, hiking membership websites, clubs, social media sites for their members, sites that may contain CHILDREN’S information or their home addresses because of sports websites…the list goes on and on… In fact, over 100,000 sites, per WordFence.
You’re working on coaching your softball team. That’s your primary responsibility. Teach, train, win games! You are unaware that you need to update this plugin. Maybe you do update your WordPress site, but you only do it monthly. Then again, there are many website owners that don’t even have WordFence and are completely unaware of having to update their plugins and theme(s). They don’t normally keep up with security updates, read blogs, emails from WordFence, etc.
WordFence just gave the hackers EVERYTHING they needed to hack your website. WordFence is supposed to be in the business to stifle hackers… not to help them??? Right??? Then why are they???????????
If I was using this membership plugin on my website and I was hacked, I would be filing a lawsuit against WordFence for negligence. I would even go as far as contacting a prosecutor for criminal negligence.
Let’s not forget about the developer of the Membership Plugin that had the security vulnerability. It happens. It even happens to Google, Facebook, IBM, etc.
WordFence just opened up a possible legal mess for the makers of this membership plugin. Now that WordFence has provided the hackers with the code, the hackers can actively search for WordPress websites that have this plugin installed. Hackers’ fingers are crossed that there is someone that has not updated…What are the chances of that happening???….As WordFence said in their blog post, over 100,000 installs of this plugin. Yea…that’s a pretty safe bet for the hacker.
Your website gets hacked. Your members’ information is stolen. You may get sued by the members. Who are you going to sue? The developer of the plugin, most likely. WordFence just set this developer up for possible lawsuits. If I was the developer I’d be naming WordFence in the lawsuit as well. What a tangled web of legal issues, all because WordFence has to toot their own horn and show off the code that causes the issue.
Whereas Google, Facebook, IBM, etc. patch the vulnerability, and if they do publish it, it’s usually a lengthy time after, when it’s completely patched and…….SAFE TO DO SO! Let’s say that again.
SAFE TO DO SO!!!!
Again, Again, Again, nope, that’s not a typo. One more time….AGAIN, WordFence is in the security business. WordFence has to be AWARE of the severe possibilities of what could happen by publishing this vulnerability code to the world. WordFence states clearly that this vulnerability is EASY to exploit and is critical and severe! Directly from the WordFence blog post:
“These are critical and severe vulnerabilities that are easy to exploit.”
WordFence published the vulnerability knowing that a large part of their customer base may not be and is not protected.
Sites still using the free version of Wordfence will receive the same protection on November 22, 2020.
And they have to know that many users don’t use WordFence and don’t update their website daily, weekly, monthly, or at all!
This is the definition of negligence!
Failure to exercise the care that a reasonably prudent person would exercise in like circumstances
Again, WordFence is completely aware of what they do and acknowledges it by the email that I received from Kathy Zant the DIRECTOR of marketing. Not just any ole employee. The DIRECTOR of MARKETING! This is the response from WordFence’s Director of Marketing Kathy Zant.
(*Full email chain can be viewed at the bottom of this blog post)
Hi David,
The fix for these vulnerabilities has been available to all users of the Ultimate Member plugin for almost two weeks. They can quickly and easily fix their sites by doing one thing: clicking update for Ultimate Member if they have it installed on their site. As a general rule, we do not release firewall rules to users of the free Wordfence plugin for 30 days after our premium customers receive them.
Kind regards,
Kathy Zant
Director of Marketing
If I was a hacker I would be monitoring WordFence’s blog daily….hourly!
WordFence is doing all the work for the hackers.
Why are they doing this?
I have no idea. I can only speculate.
Are they finding an out-of-the-box, unethical way to drum up business for the division of WordFence that cleans and repairs hacked websites? Are they just trying to show off and toot their own horn???
I don’t know. Your guess is as good as mine.
What I do know is that this is the definition of negligence, in my opinion. And, as I said before, if I had a site that was hacked containing any of these plugins that WordFence posts the vulnerability code to, I would be speaking with an attorney and a prosecutor!
This has to stop!!! NOW!!!