jefromcanada (@jefromcanada) [Resolved]

    Wordfence is one plugin that no WordPress site should be without. But I have a question stemming from a recent scan I did on my site. While the scan is running, I see warnings about deprecated functions. I am assuming these are generated by Wordfence itself (as its PHP code is being executed). So my question has to do with whether Wordfence does some initial "sanity checks" against core WordPress files that it relies on to run its scan. After all, if Wordfence is running deprecated code, shouldn't it be aware of this and do something to avoid this happening?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @jefromcanada, thanks for your question and I’m pleased you’re enjoying Wordfence.

    The deprecation messages originate from WordPress core functions that we use. This has been a known issue on their end with PHP8+, and you may see them resolved as part of the WordPress 6.2 release.

    Thanks,
    Peter.

    Thread Starter jefromcanada

    (@jefromcanada)

    Thanks for that reply. But my question goes deeper than that. If Wordfence is designed to find CHANGES that have been made to WordPress core files, shouldn't your program try to ELIMINATE any dependence on core functions within WordPress? So, for example, if you are calling core functions within WordPress, what happens if those core functions are among those that have been compromised? Just as the best Windows anti-malware products are those that can work from a clean boot and not be affected by a compromised operating system, shouldn't your product be designed to have no dependency on WordPress functionality beyond the actual installation and activation?

    Plugin Support wfpeter

    (@wfpeter)

    Thanks @jefromcanada, I’m certainly able to clarify that for you.

    Our WAF doesn't rely on WordPress core code because it has to run before WordPress loads. The scanner, however, is a different story. Ultimately, there's no meaningful difference between an attacker who can hijack WordPress core functionality and an attacker who can hijack the functionality of any plugin, including Wordfence. If an attacker has gained code execution at the same level as WordPress core, they can make any plugin act however they want. For us to overcome this type of issue, Wordfence would need to run as root, which would significantly reduce its adoption, requiring a higher technical barrier to entry alongside a higher trust level than certain hosting platforms provide.

    For this reason, providing great security to millions of people is a higher focus for us than providing almost-perfect security to a few thousand with limited platform options. The fact alone that our scanner detects millions of malicious files every day is a good indicator that what we’re doing is highly useful.

    Thanks again,
    Peter.
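
The "clean boot" idea raised in this thread, an integrity check that does not execute inside the PHP runtime an attacker may already control, is what an out-of-band file check looks like in practice. The following is an added example written for this page; it is not Wordfence's scanner code, not the forum poster's, and not WordPress's own tooling (the real equivalent is `wp core verify-checksums`, which compares core files against WordPress.org checksums). It hashes a web root against a manifest captured from a known-clean copy and is meant to be run from cron or an SSH session as a separate process, so a tampered wp-includes/functions.php cannot influence the check. The directory layout, file contents and the "backdoor" text are constructed for the demo. Note that this only moves the trust boundary to the OS account running the script; as Peter says above, an attacker with the same privileges as the checker can still defeat it.

```python
"""Out-of-band integrity check of a web root against a trusted manifest.

Added example: runs outside the site's PHP process so that a compromised
WordPress core function cannot lie to the checker. The sample tree built in
demo() is constructed for illustration and is not a real WordPress install.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB chunks so large assets do not load into RAM


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of one file, streamed."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root; keys are POSIX-style relative paths."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify(root: Path, trusted: dict) -> dict:
    """Compare the live tree with a manifest taken from a clean install.

    Returns sorted lists of modified, missing and unexpected paths. Reporting
    unexpected files matters: a dropped webshell has no manifest entry, so a
    loop that only re-hashes known files would never see it.
    """
    current = build_manifest(root)
    modified = sorted(p for p, digest in trusted.items()
                      if p in current and current[p] != digest)
    missing = sorted(p for p in trusted if p not in current)
    unexpected = sorted(p for p in current if p not in trusted)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Build a constructed mini site, snapshot it, tamper with it, re-check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-admin").mkdir()
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "functions.php").write_text("<?php function wp_clean() {}\n")
        (root / "wp-admin" / "admin.php").write_text("<?php // admin\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")

        trusted = build_manifest(root)  # snapshot taken while the tree is clean

        # Simulated compromise (constructed): append to a core file, drop a new
        # file into wp-admin, and delete a file the manifest expects.
        with (root / "wp-includes" / "functions.php").open("a") as f:
            f.write("eval(base64_decode($_POST['c']));\n")
        (root / "wp-admin" / "x.php").write_text("<?php system($_GET['cmd']);\n")
        (root / "index.php").unlink()

        return verify(root, trusted)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For a real deployment the manifest would be generated from a pristine download of the same WordPress version (or taken from the WordPress.org checksum API) and stored, together with this script, outside the web root and outside the web server's writable paths; otherwise the attacker who edited functions.php can just as easily edit the manifest.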


The topic ‘A general question about methodology’ is closed to new replies.