BlogVault – Does your WordPress Security Plugin really secure your site?


This topic contains 0 replies, has 1 voice, and was last updated by  AITpro Admin 1 year, 7 months ago.

  • #31342

    AITpro Admin
    Keymaster

    Regarding the BlogVault Post here: https://blogvault.net/does-wordpress-security-plugin-secure-your-site/

    Over the years people have asked us if the information in the BlogVault post above is valid/correct or just hype that is geared to getting a high ranking Post with popular WordPress security plugins in the Search Engines and obviously of course to sell their BlogVault backup software/service.  Lately the number of people asking us about that BlogVault Post has increased so I assume the BlogVault Post is ranking higher in the Search Engines and more people are finding that BlogVault Post.  Anyway instead of having to explain how ridiculous that BlogVault Post is over and over to people I decided to create this Forum Topic that explains things clearly so that I can just send someone this Forum link.

    Important Note:  I do not mind a competitor competing with BPS or BPS Pro, but spreading bad information irresponsibly in a “fear tactic” type of way to sell a product or service or due to a lack of general knowledge or expertise regarding website security is in my opinion a disservice to people that should be exposed publicly.  So I will take the BlogVault Post and break it down point by point.

    “WordPress Security – Reasons for hacks Almost all the WordPress security plugins focus mainly on login security.”
    Obviously this is invalid.  Even the average person can see that this generalized statement is BS.  This shows a total lack of general knowledge or expertise regarding website security.  Login security is the most important and essential website security measure of them all.

    “But statistics indicate that brute force login attacks make up a very small percentage of attacks.”
    This could not be more invalid.  Brute Force Login attacks make up the largest percentage of website attacks by far.  Probably somewhere between 85-90% of all attacks.

    “The plugins do little to prevent exploits in plugins and themes. To prove our point, we analyzed four different hacks in recent times and tested it with some of the popular security plugins.”
    The hack tests are either skewed or not valid whatsoever.  More on that later.  I will negate all or most of the hack tests performed and explain why they are not valid.

    Remote Code Execution – Timthumb Vulnerability – invalid due to skewed info and lack of general knowledge and expertise
    First off the version of the Timthumb script they are using to test with is an unpatched/vulnerable Timthumb script version.  The Timthumb script was patched/fixed many years before the BlogVault Post was created.  So ask yourself why they are using a very old known vulnerable version of the Timthumb script and also ask yourself why they are stating this: “A vulnerability was found, not too long ago”.  Is that statement designed to make you worry/fearful or is it just a lack of general knowledge or expertise regarding website security and the Timthumb script?  Anyway, what they have done is skewed the test by only testing a rare scenario where Timthumb would be cached in the cache folder and somehow they magically get an encrypted MD5 hash without stating that that would be very difficult to get in the first place since MD5 hashes are completely random intentionally so that no one will know/guess exactly what the MD5 hash is.  So I’m not even going to bother explaining why the rest of the test is BS since even at this point the test is completely skewed and invalid.

    Remote Code Execution via Comments – WP Super Cache vulnerability – invalid due to skewed info and lack of general knowledge and expertise
    Seriously?  Where is all the other information?  A caching plugin should never cache dynamic content such as a Comment Form or Login Form.  So right there that is a bug.  Security plugins cannot do magical things and do not compensate for bugs in other plugins.  Security plugins are intentionally designed to NOT interfere with the normal functionality of other plugins.  Example:  If something is seen as or appears to be the normal functionality of a plugin then security plugins will not interfere with that normal functionality, otherwise security plugins would end up breaking all other WordPress plugins’ normal functionality.  This whole test is ridiculous.  There are plenty of ways to legitimately test Remote Code Execution, but then the results of their test would show that BPS successfully blocks all Remote Code Execution attacks.  BlogVault probably would not want to state that because that would invalidate their ridiculous tests/post.

    WordPress Security – SQL injection –  invalid due to skewed info and lack of general knowledge and expertise
    Invalid since BPS protects against SQL Injection GET Requests and if the BPS POST attack protection code was used in their test then SQL Injection POST Requests would also have been blocked by BPS.  This statement is ridiculous and clearly shows their lack of general knowledge or expertise regarding website security and also just basic general understanding of htaccess code:  “Another key point is that the htaccess restrictions of keywords seems to be extremely strict and can hamper with normal working of the site in many cases.”  The BPS SQL Injection filter uses Regex code to ensure that only SQL Injection attacks are blocked and not any legitimate Queries.

    SQL Injection using HTTP POST requests – Custom Contact Forms plugin vulnerability – invalid due to skewed info and lack of general knowledge and expertise
    Once again security plugins do not do magical things or interfere with the normal functionality of other plugins.  If a plugin has a coding mistake/bug that is allowing something it should not be allowing and that creates a security vulnerability then all security plugins will not be able to do anything about that, otherwise security plugins would end up breaking all other WordPress plugins’ normal functionality.  Note:  If the bug/vulnerability in a plugin matches an attack vector that is protected against by BPS htaccess code then the attack/hack will be blocked/prevented/stopped.  In past years BPS has protected against several plugin security vulnerabilities because the hacker’s attack method is an attack vector that BPS protects against by default.

    Summary
    One of these 2 things is true:

    1. The tests were intentionally skewed to make people worried or fearful that security plugins do not really protect websites.  I assume their goal is to get people to buy their backup software since based on their ridiculous test results someone would not have any real security protection from any WordPress security plugins.

    2. The BlogVault folks probably know how to create a decent backup plugin, but obviously have no idea at all how website security works or how website security plugins work, i.e. a general basic understanding of website security tech or what can or cannot or should and should not be done regarding website security.

    IMPORTANT Note:  If someone believes that only using a backup and restore strategy for website security protection without using a security plugin for real website security protection then take a look at this Blogvault forum topic for why that is a very bad idea:  https://forum.ait-pro.com/forums/topic/blogvault-does-your-backup-plugin-really-secure-your-website/

    Other Related BlogVault Plugin Info:

    BlogVault Security Breach Infects Customers’ Sites With Malware:  February 6, 2017
    https://wptavern.com/blogvault-security-breach-infects-customers-sites-with-malware

    BlogVault, a real-time backup and migration service with a WordPress plugin that’s active on more than 20K sites, announced over the weekend that it suffered a security breach that exposed data. Akshat Choudhary, founder of BlogVault, explains that some customer sites were accessed without authorization and were infected with malware.
