WPML and On The Go Systems Have A Stellar Product And Team!

Posted on July 31, 2017 (updated August 1, 2017). Categories: cyber security, Uncategorized, wordpress security

WPML, owned by On The Go Systems, is stellar, beyond stellar. They deeply care about security and will help all customers, including current paying customers and those who are no longer paying, when a severe threat emerges. Did we work with them to improve their security? Yes, we did, but that isn’t the point. The point is how they handled the security issues and how amazing they are with their customers.


On The Go Systems makes many WordPress plugins, and while we haven’t reviewed them all, we can say that security is a high priority for them, which says a lot about a company. They care about providing a good experience to their users, both in usability and in security.

We asked Amir Helzer, the owner of On The Go Systems, for his view on customer usability and security, and this is a direct quote from him:

“We treat security as an ongoing effort. Ryan helped boost the security of our plugins and helped keep them secure. We started with an initial review which uncovered a number of issues to handle. Then, we kept working with Ryan to maintain the security of our plugins as we released new versions and as WordPress updated the general security advice for the entire project. The cost of the security review was little compared to the damage that we avoided to ourselves and our clients, if we had left security exploits in our products.”
We love helping companies, but most importantly we love protecting users from being hacked, and we were able to help both On The Go Systems and their users. Companies like On The Go Systems remind us that some companies truly do want to protect their users, and it is heart-warming to find them.

We highly recommend On The Go Systems WordPress plugins for your plugin needs, and hope other companies will follow their lead in the effort to secure GPL code.

In conclusion, bravo to everyone who works at On The Go Systems for always being On The Go to secure your code.

Who We Helped With WordPress Security And Who We Are Part One

Posted on July 21, 2017. Categories: Uncategorized

We have been involved in the WordPress community and helping with security for five or six years, but many people still haven’t heard our name. So, let’s help catch you up to speed on who we are, what we do, and who we’ve helped.

We have published a list of some of the companies we’ve helped in the WordPress community, because we want you, the reader, to understand our goal. Unfortunately, a lot of the companies wanted to credit the person who reported the bug and not our company.

What is our goal in the WordPress security space and with all code?
Our goal is to create a more secure world of code. We want websites to be more secure, we want cars to be more secure, and we want drones to be more secure. Yes, we’ve done research and communicated with teams on all those topics. Our end goal is to help people be more secure.

The problem we have with making people more secure is that a lot of developers ignore help, even when you offer it to them for free. That is what happened with the WordPress plugin Redirect Editor, which was pulled from the repo about 9 months ago and still has not received an update, so we offer a free version of Redirect Editor with a ton of security fixes that you can download.

The history of the security community is long and tedious, but in short, companies caused chaos for researchers, so the companies with a lot of money coined a term called responsible disclosure. What does responsible disclosure mean? To most companies it means: tell us about our issues, we won’t fix them, and don’t you dare tell anyone else. There are some great companies that are the exception to that, but our experience over the last six years has been extremely negative. Companies can yell at us, but our goal is and always will be to help users not get hacked by criminals.

Why is that our goal?
Without a safer web, we won’t ever be able to move forward and do more innovative things; we will continue to run into sites or servers covered in pictures of dead bodies, which is something we’ve dealt with. Without safer code, all of this will continue to happen.

When it comes to the open source community, the reason code isn’t more secure from the get-go is, as in other industries, lack of knowledge on the subject, but most importantly there is no budget for security. The majority of WordPress plugin developers make products that leave your site at risk of being hacked, and for all those owners of hacked WordPress sites wondering how this happened, it’s because you took something for free that generally has limited security added to it.

There are some projects that are quite the exception to this rule, but they almost always have a profit model, as Genesis does, which is one reason we like it.

Why did we create a more secure shop of code?

This is simple: our goal is to take the products that were made and make them more secure to use on websites. We cannot do major overhauls on products for free very often, because our time is valuable, and we know that you also value your time and want to stay as secure as you can.

This is why we have the more secure shop, with plugins whose originals you can indeed get for free, but in our professional opinion the free versions are not as secure as ours, nor is it likely that they will get continued security updates from a company dedicated to security.

We helped Cookies For Comments sanitize its cookie key before using it, in version 0.5.5. We strongly appreciate the dedication Donncha shows to the security of his products.

We helped W3 Total Cache fix a potential log injection and CSRF issue. The W3 Total Cache team is always working on making their product better, which is something we appreciate.

We helped make the most downloaded plugin on WordPress, Wordfence, more secure, as is noted in version 5.2.5.

We helped Vladimir from ManageWP fix an XSS issue in his plugin Friendly SEO images in version 3.0.5.

We’ve reported a lot of plugins to WordPress Security.

We helped the great team at WPML with their security over multiple security audits in multiple plugins, for which we were hired to help improve their product security. It was indeed a treat to work with a GPL team who cared so much about security, and we may write blog posts about their awesome products in the future. This is a team that is indeed an exception to the rule and truly cares about security. WPML is a lot like Genesis in the sense that both have a profit model, so their products are far more secure, unlike the majority of companies who either do not have a profit model or have one and don’t want to address security.

We helped make WP Book more secure.

We helped make WP-Post Ratings more secure.

We helped make the great team at MailPoet more secure and were thanked in their changelog.

We helped make Shortcodes Ultimate more secure, and these are just a few of the plugins that we’ve helped.

Genesis Framework & Child Themes Are The Best We’ve Ever Seen

Posted on July 14, 2017. Categories: Uncategorized

We love, absolutely love, the Genesis Framework and their Genesis child themes. We did a code review for someone a while back and were unable to find a single mistake in the Genesis Framework. This says a lot, because on average we find 150 vulnerabilities in software.

We believe it is good to praise those who do an impeccable job in security and are focused on usability and security. Genesis falls under both those categories and we look forward to them continuing their incredible work.

What Genesis child theme do we use?

While there are a lot of them, we liked the design and usability of Centric. It allows for so much customization that we can’t say enough about it. We certainly believe that if you are looking for a good, solid framework you can use on multiple sites, Genesis is what you are looking for.

We have had customers who did not want to use Genesis and downloaded other software instead, which falls below sub-par, and they are so upset because they paid a fortune for it. The reason for this is that people don’t know how customizable Genesis makes their software.

We will only recommend products that we trust, because we are doing our best to make more secure software for plugins and themes in our more secure shop. Unlike other companies, if we make a mistake, we will own up to it, but what many don’t know is that we are writing multiple patches for every piece of more secure software we release.

To conclude our post, we look forward to the Genesis team keeping up their good work.

SiteOrigin Widgets Bundle Vulnerabilities — download our cure for you

Posted on July 12, 2017. Categories: cyber security, Uncategorized, wordpress security

SiteOrigin Widgets Bundle is used by over one million sites and is the newest WordPress plugin that we have fixed and have for sale, because SiteOrigin Widgets Bundle has some vulnerabilities that cannot be ignored and definitely would not be ignored if a criminal wanted to get into your site.

SiteOrigin has a lot of vulnerabilities, and we’ve patched the most severe one today. Based on our code review, this vulnerability would allow attackers to inject malicious code into the website, deface the site and cause other damage to it. This bug, among a few other bugs, is patched.

What does this mean to me?
It means that, per our code review, anyone could negatively impact your website’s brand and cause you a headache and a half due to this vulnerability. We patched the most severe vulnerability that we found and have made it available to you, which is far more secure than the free version of SiteOrigin Widgets Bundle.