Pluginvulnerabilities.com – WordPress Security Plugin Scope of Protection Against Vulnerabilities


This topic contains 5 replies, has 2 voices, and was last updated by  Chris 5 months ago.

#32733

    AITpro Admin
    Keymaster

    The Pluginvulnerabilities.com folks do not understand basic website security protection concepts or even the difference between “normal/standard” plugin functionality vs hacking attempts/attack vectors. I would have no problem with this Pluginvulnerabilities.com post: https://www.pluginvulnerabilities.com/2017/01/31/developer-of-popular-wordpress-security-plugin-thinks-it-outside-of-scope-for-them-to-protect-against-vulnerabilities/
    or the many other posts Pluginvulnerabilities.com has created claiming that all WordPress Security plugins do not offer any website security protection, IF Pluginvulnerabilities.com added disclaimers to these posts, such as “in my opinion”, “to the best of my knowledge and understanding”, etc., but instead they make completely ridiculous statements and claims as if they really know what they are talking about. That is a disservice to people because they are misleading folks with bad information that is based on a lack of understanding and knowledge about basic website security protection concepts. Also you can clearly see in the Pluginvulnerabilities.com post link above that my words were twisted to prove their ridiculous point. My opinion is that most likely Pluginvulnerabilities.com has no idea how website security protection works or general knowledge of very basic website security concepts, but of course it is possible that they have a hidden agenda/motive for creating posts stating that all WordPress Security plugins do not offer any website security protection.

    This is a basic analogy using an automobile ignition system to clarify the meaning of “the normal/standard functionality of a plugin”.

    Let’s say your car ignition lock is broken and it allows any key to start the engine instead of only allowing the 1 key that should be able to unlock the car ignition and start the engine. The car ignition locking system is analogous to the normal/standard functionality in a plugin. Simply put, the car ignition lock needs to be fixed/replaced. Any security/anti-theft measures that the car has installed will not protect against the car being stolen since the car’s engine was started using the normal/standard procedure of starting the engine using a “valid key” in the ignition system.

    Personally I prefer to ignore idiotic information such as the “information” that is posted on the Pluginvulnerabilities.com site, but when I am asked by a significant number of folks who have read the ridiculous claims made by the Pluginvulnerabilities.com site then it is time for me to create a forum topic so that I do not have to repeatedly explain how ridiculous that information is.

    So let’s use this plugin vulnerability scenario as an example, which is an actual ridiculous post by the Pluginvulnerabilities.com folks that was claiming that no WordPress security plugins could protect against this bug in a plugin’s upload form code:
    A plugin has an upload form that has a coding mistake, which allows an arbitrary file upload vulnerability, which allows a hacker to upload files of any kind to a website. The plugin’s upload form is analogous to a car’s ignition lock. An upload form allows input in the form fields and should have security protection coding created in the form code for the upload form that sanitizes and validates input data so that an arbitrary file upload will not be allowed. Since WordPress security plugins are designed not to interfere with the normal functionality of a plugin, security plugins will not interfere with a plugin upload form. If security plugins did interfere with other plugins’ forms then most likely those other plugins’ forms would no longer work normally.

    Since security plugins are specifically designed not to interfere with what is seen as normal/standard functionality in other plugins then the only way to correct/fix the arbitrary file upload vulnerability in the plugin with that coding mistake would be to fix that coding mistake/the car ignition lock.

    BPS Pro Plugin: BPS Pro does stop this particular type of attack/hack from being successful with AutoRestore|Quarantine (ARQ IDPS). The hacker will successfully be able to exploit the arbitrary file upload vulnerability and upload a hacker file to the website since BPS Pro does not interfere with normal/standard plugin functionality, but ARQ IDPS will immediately Quarantine the uploaded hacker file and stop/prevent the hack from being successful. Additionally, BPS Pro has other security features, such as the BPS Pro Plugin Firewall, which directly protect against other types of plugin vulnerability attacks/hacks from being successful at the time of attack instead of using countermeasure security methods like the automated AutoRestore|Quarantine Intrusion Detection and Prevention System (ARQ IDPS).

    Additional Notes:
    As a website security expert with 10 years of experience, one of the standard things that I always look at is motive, just as a criminal investigator does when investigating a crime. This is an essential aspect of doing forensic website hacking research and investigation. Personally I do not feel like the Pluginvulnerabilities.com site has a hidden agenda to discredit all WordPress security plugins, but these facts do exist about Pluginvulnerabilities.com:

    • Pluginvulnerabilities.com offers website hack repair/cleanup.
    • Pluginvulnerabilities.com offers a free WordPress plugin that displays current and past vulnerability warnings about other plugins. They claim that their plugin offers real website security protection vs all other WordPress security plugins that do not offer any website security protection. Note: Their plugin does not actually contain any website security protection code/features/functionality.
    • Pluginvulnerabilities.com offers a paid service for their free plugin if you want extensive plugin vulnerability data.

    https://affiliates.ait-pro.com/po/
    BulletProof Security Pro has an amazing track record. BPS Pro has been publicly available for 5+ years and is installed on over 30,000 websites worldwide. Not a single one of those 30,000+ websites in 5+ years has been hacked.

    BPS Pro protects your website files and database with multiple overlapping outer and inner layers of website security protection. The most powerful innermost countermeasure website security layer is AutoRestore|Quarantine Intrusion Detection and Prevention System (ARQ IDPS). A brief description of ARQ IDPS is below.

    FTP password hacked, cracked or cross-site infection/injection protection:
    ARQ IDPS is a file monitor that automatically quarantines malicious hacker files and autorestores legitimate website files if they have been altered or tampered with. Quarantined files can be viewed, restored or deleted. ARQ IDPS can monitor and protect any/all website files under your entire Hosting Account.

    ARQ IDPS uses a much more reliable method of checking and monitoring website files instead of scanning files for malicious code. Hacker files that do not contain any malicious code will never be detected by any/all scanners. ARQ IDPS quarantines all hacker files whether or not they contain malicious code.
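
To make the two layers discussed above concrete, here is an added illustrative example in Python. It is not BPS Pro code, not ARQ IDPS, and not any WordPress plugin's code; `validate_upload` stands in for the allow-list check that belongs inside the vulnerable plugin's own upload handler (the "ignition lock" only the plugin author can fix), and `IntegrityMonitor` is a baseline-hash monitor in the spirit of the AutoRestore|Quarantine description: it quarantines any file absent from the baseline and restores any baseline file whose hash changed, without scanning file contents for malicious code. The image-only upload policy, the directory layout and the sample files in `demo()` are all constructed assumptions.

```python
"""Added example (not BPS Pro or any plugin's own code): an upload-handler
allow-list check plus a baseline-hash file integrity monitor."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Layer 1: the check that belongs inside the plugin's upload form handler.
# Assumed policy: only image files, identified by extension AND magic bytes.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def validate_upload(filename: str, content: bytes) -> bool:
    """Accept only an allow-listed extension whose content starts with the
    matching magic bytes. Rejects path components, dotfiles and double
    extensions such as 'x.php.png'."""
    name = os.path.basename(filename)
    if name != filename or name.startswith("."):
        return False
    parts = name.lower().split(".")
    if len(parts) != 2:  # exactly one extension
        return False
    magic = ALLOWED.get("." + parts[1])
    return magic is not None and content.startswith(magic)


# Layer 2: a countermeasure that does not touch the plugin's form at all.
class IntegrityMonitor:
    """Baseline-hash monitor: unknown files are quarantined, altered files
    are restored from a known-good copy. No content scanning is involved."""

    def __init__(self, root, store):
        self.root = Path(root)
        self.backup = Path(store) / "backup"
        self.quarantine = Path(store) / "quarantine"
        self.baseline = {}  # relative path -> sha256 hex digest

    @staticmethod
    def _digest(path: Path) -> str:
        return hashlib.sha256(path.read_bytes()).hexdigest()

    def _files(self):
        # Materialise the listing first so check() can move files safely.
        return [(p.relative_to(self.root).as_posix(), p)
                for p in sorted(self.root.rglob("*")) if p.is_file()]

    def snapshot(self) -> int:
        """Record every file's hash and keep a known-good copy of it."""
        self.baseline.clear()
        for rel, path in self._files():
            self.baseline[rel] = self._digest(path)
            dest = self.backup / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)
        return len(self.baseline)

    def check(self) -> dict:
        """Quarantine files not in the baseline; restore altered or
        deleted baseline files from the backup copy."""
        report = {"quarantined": [], "restored": []}
        present = {}
        for rel, path in self._files():
            present[rel] = path
            if rel not in self.baseline:
                dest = self.quarantine / rel
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(path), str(dest))
                report["quarantined"].append(rel)
            elif self._digest(path) != self.baseline[rel]:
                shutil.copy2(self.backup / rel, path)
                report["restored"].append(rel)
        for rel in self.baseline:
            if rel not in present:  # deleted legitimate file
                (self.root / rel).parent.mkdir(parents=True, exist_ok=True)
                shutil.copy2(self.backup / rel, self.root / rel)
                report["restored"].append(rel)
        return report


def demo() -> dict:
    """Constructed scenario: a vulnerable form lets an unexpected .php file
    land in uploads and a core file is tampered with; the monitor undoes both."""
    tmp = Path(tempfile.mkdtemp())
    site = tmp / "site"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "index.php").write_text("<?php // legitimate\n")
    mon = IntegrityMonitor(site, tmp / "store")
    mon.snapshot()
    # The form accepted the file; no content-scanning signature would fire.
    (site / "wp-content" / "uploads" / "unexpected.php").write_text("<?php echo 1;\n")
    (site / "index.php").write_text("<?php // tampered\n")
    report = mon.check()
    report["index_ok"] = (site / "index.php").read_text() == "<?php // legitimate\n"
    report["unexpected_gone"] = not (site / "wp-content" / "uploads" / "unexpected.php").exists()
    shutil.rmtree(tmp)
    return report


if __name__ == "__main__":
    print(demo())
```

The point of the split is the one the post makes: `validate_upload` only helps if the plugin author puts it in the form handler, because a security plugin that intercepted every other plugin's form would break those forms. The monitor, by contrast, needs no knowledge of the form; it reacts to the outcome (a file that was not in the baseline, or a file whose hash changed), which is why a file with no recognisable malicious content is still caught.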

    #35366

    Chris
    Participant

    [Topic has been merged into this relevant topic]
    Hello!

    I have some issues on my websites so… Here I am for some questions:
    -I’ve seen a review saying that BPS (version 0.54!!) isn’t blocking XSS Hack. Is that still correct? I thought it was covered through htaccess tweaks https://www.pluginvulnerabilities.com/2016/09/12/wordpress-security-plugins-provide-little-to-no-protection-against-recently-discovered-persistent-xss-vulnerability/
    -Is it blocking code injection? SQL injection? Shell command hacking?
    -Is it blocking unwanted robots/crawlers?

    I’ve seen a website encouraging to rename wp-login.php, wp-admin directory as well as changing the wp-login.php?action=register to something else. Can it be done by BPS? Would BPS still work after such a major change? (For instance the wp-admin htaccess will be located in another directory: I feel this might be an issue for BPS)

    Thanks for your support!

    #35369

    AITpro Admin
    Keymaster

    Originally we gave the pluginvulnerabilities.com guy the benefit of the doubt and just assumed he was incompetent regarding anything related to website security, but we now believe that his agenda is simply to get attention and visitor traffic to his websites by writing negative posts about popular WordPress security plugins. You will notice a common theme in all of the pluginvulnerabilities.com guy’s posts, which can be summarized by this statement – All WordPress security plugins do not provide any website security protection and the pluginvulnerabilities.com guy’s plugin is the only WordPress plugin that provides website security protection.

    To answer your questions: BPS free and BPS Pro block all of the things that the pluginvulnerabilities.com guy claims BPS free and BPS Pro do not block.

    BPS free and BPS Pro have real website security protection for the WordPress login page and wp-admin area (requires login authentication to gain access) if you are using the BPS Login Security and Monitoring and JTC-Lite (BPS free)/JTC Anti-Spam|Anti-Hacker (BPS Pro) features. There is no need to hide/rename/move anything since the WordPress login page and wp-admin area are already protected with real website security protection by BPS security features.

    #35370

    Chris
    Participant

    Thanks for your answer.

    Sorry to be so lame, but I’m stressed by this issue on my websites (potentially not a security one but more probably a performance one, but…)

    I used to install crawlprotect and crawltrack but apparently they are discontinued. Can I assume that BPS will do the security job as well as crawlprotect?

    .. Too bad you are not doing the same good job for Joomla 😉

    Have a safe day!

    #35371

    AITpro Admin
    Keymaster

    I found this old CrawlProtect archive on GitHub > https://github.com/ningirsu/crawlprotect. Looks like CrawlProtect was a very basic and simple security script that provided some of the security protection that BPS provides. So to answer your question, BPS provides the same protection that CrawlProtect provided and of course much more security protection than CrawlProtect.

    #35372

    Chris
    Participant

    Perfect then! I just have one more thing to do: buying and installing BPS Pro! 🙂
