As mentioned in our previous post, we have decided to completely remove our plugin vulnerability scanner from Shield.
We’ll clear up exactly why we’re doing this and what your new vulnerability scanning options are.
What’s wrong with the old vulnerability scanner?
It’s very old. It hasn’t been updated since August 2015 (over 9 months ago at the time of writing).
In the beginning, we thought we’d found a great solution. We used the data from another WordPress.org plugin as the source for the vulnerability data. While they wanted to make WordPress more secure, they made it clear they didn’t want anyone else using their data. So, they restructured their plugin to “hide” most of it.
As such, we haven’t been able to update the underlying data for quite a while.
Would you trust your antivirus scanner if it didn’t update its database for >9 months? No, of course you wouldn’t. You wouldn’t dare.
WordPress vulnerabilities are no different. And we’re not prepared to put our name, and our reputation, against flawed data.
What are the options for reliable vulnerability data?
Very few. We’ve had to go commercial to ensure our data is reliable and current.
We have chosen a long-established and reputable vendor that provides vulnerability data for all WordPress assets – plugins, themes, and even WordPress itself.
Not only that, this data is also updated at least once every day! As soon as new vulnerability data is available, we’ll know about it and you’ll get notified if any of your sites are at risk.
Isn’t this a ploy to get Shield Pro customers?
We’ve had this thrown at us, and yep, the cynical folks will think that. There’s probably not a lot we can do to convince you otherwise.
As I said, we’re not prepared to put our name against a feature that is fundamentally flawed. We’ve also massively upgraded our scanning ability beyond just plugins and we’re offering a powerful service that is not currently offered anywhere else.
If you’re a professional/business, and you’re serious about protecting your sites, you ought to do whatever it takes to mitigate your risk. If you’re comfortable buying premium themes, cool sliders, contact forms and whatever else you think deserves paying for, why would the security of your websites be any different?
Or maybe it is different. But it doesn’t change the fact that for us to offer reliable data in our service, we have to pay for it 🙂
Questions, concerns or comments?
If you’re an iControlWP client, you don’t have to do anything to get the new scanning system – it runs from the App and not on your sites (reducing workload on your sites too).
If you have any questions or comments about this, please do let me know in the comments below. We’re happy to answer any concerns you have about this.
Sign up for the trial here if you want professional-grade security for your WordPress websites.