Once again, another plugin has been purchased from the original owner, and the new owner has dropped malicious code into it. The plugin has been pulled from the repo, but as usual, if you are using this plugin, you won't be notified that it is f*#ked up! Hope you see this and delete it if you use it.
I am the original author of Fast Secure Contact Form. This plugin got a new owner in June 2017, with the WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd-party server he also owned and place spam ads for payday loans and such in the WP posts. The new owner put spam code in versions 4.0.52, 4.0.53, 4.0.54 and 4.0.55, but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded in order to execute. The reason the spam code did not do anything at all is that the secureimage.php file is not included in the WordPress runtime environment. The secureimage.php file is included from another file, securimage_show.php, which loads the captcha image directly from an HTML img src outside of the WordPress runtime. The spam code in this plugin was never activated; it would not have corrupted your posts or changed anything in the WordPress database. I am sorry for any inconvenience this has caused. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted out. Perhaps a new version
Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?
Security has been on the mind of a lot of people lately. Most prominently there’s the Equifax news. But a story today about CCleaner broke, the Display Options plugin for WordPress was compromised and subsequently banned from the WordPress Plugin Repository, and there have been many high-profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: Are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not applied consistently (another common software problem). So yes, there are security issues with WordPress, as there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
I watch changelogs like a hawk. Nuggets of gold to be found in there. Or sharp knives.
There have been several high-profile plugins lately that have been found to be posting spam and deceptive links on users’ blogs. One such is the “Display Widgets” plugin. You can read Wordfence’s detailed breakdown of the spam. It turns out the original developer of the plugin sold it, and the new owner started to place spammy backlinks and other bad code into the plugin. This gave this “developer” access to tens of thousands of blogs, and the site owners never knew it was happening.
I was checking the WordPress that runs this blog today to see if there were any plugin or system updates for me to do, as is good practice. I noticed one plugin had an update, a no-follow plugin I’ve been using for a few years. I looked at the changelog to see what was new, which is also a good thing to do instead of blindly trusting plugins.
I saw this, which set off my Spidey sense.
No offense to this new maintainer person, but seeing a plugin go to a new person, one that has no other active plugins in the WP repository, has no mention of this plugin on his blog, and whose Twitter feed is mostly links
In this article we will learn how to install and configure the open-source tool Sysdig Falco. This tool can be used to detect WordPress backdoors.
Falco, or Sysdig Falco, is a behavior activity monitoring tool for keeping track of what’s going on on your servers in real time. It works similarly to tools like OSSEC, but only detects and alerts, lacking the means to take any action, like block offensive traffic. It’s a kernelspace tool which works by loading a kernel module onto the system and monitors all syscalls the system sees. In this way, Falco keeps track of any activity passing through the system.
When Falco is started, it reads settings from a configuration file named falco.yaml, and rules from a file named falco_rules.yaml, both under the etc directory. Falco’s rules determine what the application alerts on, and are very easy to write and customize.
When a rule is triggered, Falco can log to the display, syslog, a file, and can send alerts via email to an address specified in its configuration file.
In this article, you’ll learn how to install Falco and use it to detect WordPress backdoors.
To complete this tutorial, you’ll need to have the following in place:
An installation of WordPress on any Linux server, but preferably on an Ubuntu 16.04 server, because testing of Falco
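Two rules of the kind the tutorial builds toward, written here as an added illustration rather than taken from the article or from Falco's shipped rule set. The WordPress path /var/www/html and the process names (php-fpm, apache2) are assumptions for a typical Ubuntu install; adjust them to your server.

```yaml
# Added example rules (not from the article or Falco's default falco_rules.yaml).
# Assumes WordPress lives under /var/www/html and PHP runs as php-fpm or apache2.
- macro: wp_uploads_dir
  condition: fd.name startswith /var/www/html/wp-content/uploads/

- macro: php_worker
  condition: proc.name in (php-fpm, php-fpm7.0, apache2, php)

- rule: PHP file dropped into WordPress uploads
  desc: >
    A web server or PHP worker wrote a .php file under wp-content/uploads.
    That directory should only ever hold media, so a PHP file there is a
    classic backdoor indicator.
  condition: >
    evt.type in (open, openat, creat) and evt.is_open_write=true
    and php_worker and wp_uploads_dir and fd.name endswith .php
  output: >
    PHP file written under uploads (user=%user.name proc=%proc.name
    cmdline=%proc.cmdline file=%fd.name parent=%proc.pname)
  priority: WARNING
  tags: [wordpress, backdoor, filesystem]

- rule: Shell spawned by PHP worker
  desc: >
    A PHP worker or web server launched a shell, which is what a web shell
    does to run attacker-supplied commands.
  condition: >
    evt.type = execve and evt.dir = <
    and proc.name in (sh, bash, dash)
    and proc.pname in (php-fpm, php-fpm7.0, apache2, php)
  output: >
    Shell spawned by web process (user=%user.name shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline)
  priority: CRITICAL
  tags: [wordpress, backdoor, process]
```

Append these to the rules file named in falco.yaml, restart Falco, and verify the first rule by writing a harmless .php file under the uploads directory as the web server user; the alert should appear on whichever outputs (stdout, syslog, file, email) you enabled. Expect to tune the process list: plugins that legitimately shell out (image optimisers calling convert, backup plugins calling tar) will trip the second rule until you add them as exceptions.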
If you use the Display Widgets plugin, it has been removed from the plugin repository due to potentially malicious code.
This is the latest version of the plugin code: https://plugins.trac.wordpress.org/browser/display-widgets/trunk/geolocation.php Look at the function on line 186 (pasted below).
Note the name of the function dynamic_page, what do you think a function with name Dynamic Page does?
It creates a DYNAMIC PAGE (a Dynamic WordPress Post) on Display Widget users sites and is loaded using line 299:
299 add_filter( 'the_posts', array( 'dw_geolocation_connector', 'dynamic_page' ) );
The above hooks into the_posts function, this line basically intercepts your Posts before they are output to the browser so the Dynamic Post can be added to the Posts.
Why would a plugin to determine where widgets are loaded create Dynamic Posts?
Line 187 checks if a user is logged in. A logged-in user is probably the site owner, and when a user is logged in (the site owner) the Dynamic Page function does nothing (outputs the Posts normally). So if you are logged into your site and you look at your site in a browser, everything looks normal.
Why would a legitimate plugin feature be hidden from the site owner and other logged in users?
If a user is logged out: that would be your sites visitors and
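The shape described above (a visitor-facing output hook whose handler bails out for logged-in users and pulls content from a remote server) can be checked for mechanically. The scanner below is an added example, not code from the Display Widgets plugin or from the post; the two plugin sources embedded in it are constructed to mimic that shape and are not the real geolocation.php.

```python
import re

# Constructed sample that mimics the hidden-injection pattern: hook the_posts,
# do nothing for logged-in users, fetch remote content for everyone else.
# Invented illustration text, not the real geolocation.php.
SUSPECT_PLUGIN = r'''<?php
class dw_geolocation_connector {
    public static function dynamic_page( $posts ) {
        if ( is_user_logged_in() ) {
            return $posts;
        }
        $resp  = wp_remote_get( 'http://example.invalid/fetch' );
        $extra = new stdClass();
        $extra->post_content = wp_remote_retrieve_body( $resp );
        $posts[] = $extra;
        return $posts;
    }
}
add_filter( 'the_posts', array( 'dw_geolocation_connector', 'dynamic_page' ) );
'''

# Constructed benign sample: a widget-visibility plugin doing its stated job.
BENIGN_PLUGIN = r'''<?php
function my_widget_visibility( $instance, $widget, $args ) {
    return is_front_page() ? false : $instance;
}
add_filter( 'widget_display_callback', 'my_widget_visibility', 10, 3 );
'''

# Hooks that shape what visitors see; a plugin on these hooks can inject content.
OUTPUT_HOOKS = ("the_posts", "the_content", "wp_head", "wp_footer", "widget_text")

HOOK_RE = re.compile(
    r"add_(?:filter|action)\s*\(\s*['\"](" + "|".join(OUTPUT_HOOKS) + r")['\"]"
)
LOGGED_IN_RE = re.compile(r"\bis_user_logged_in\s*\(")
REMOTE_RE = re.compile(r"\b(wp_remote_get|wp_remote_post|wp_remote_request|curl_exec)\s*\(")


def scan_plugin_source(src: str) -> dict:
    """Report the indicators found in one PHP source file.

    'suspicious' is True when the file hooks a visitor-facing output hook AND
    either gates on is_user_logged_in() or fetches remote content. Each
    indicator alone is common in honest plugins; the combination is the
    hidden-injection shape and deserves a manual read.
    """
    hooks, gate_lines, remote_lines = [], [], []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for m in HOOK_RE.finditer(line):
            hooks.append((m.group(1), lineno))
        if LOGGED_IN_RE.search(line):
            gate_lines.append(lineno)
        if REMOTE_RE.search(line):
            remote_lines.append(lineno)
    return {
        "output_hooks": hooks,
        "logged_in_gate_lines": gate_lines,
        "remote_fetch_lines": remote_lines,
        "suspicious": bool(hooks) and bool(gate_lines or remote_lines),
    }


if __name__ == "__main__":
    for name, src in (("suspect", SUSPECT_PLUGIN), ("benign", BENIGN_PLUGIN)):
        print(name, scan_plugin_source(src))
```

Run it over every .php file under wp-content/plugins and read the hits by hand; an update checker that calls wp_remote_get is normal, a the_posts filter that changes behaviour based on is_user_logged_in() is not. It will not catch code that hides the same logic behind eval/base64_decode, which is the next thing to grep for.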
By taking the following steps you will be able to protect your WooCommerce store from malicious attacks, threats and hackers.
Having an online store instead of a physical store is a great way to start a business, but even online stores are prone to security breaches and hacking. While an online store offers many advantages, it must be considered that such stores hold a lot of third-party information, logins from different people, payment gateways and links to many other web pages. Creating an online retail store is easy with WooCommerce, but it must be kept in mind that all online stores make an attractive target for hackers and cyber criminals. However, there is no reason to worry, because adequate safety measures exist to make ecommerce safe and secure without requiring too much money or technical expertise. Here we discuss how one can secure their online store.
1. Using security plugins
Though WordPress is considered to be a safe platform, it is a good idea to increase the security with the help of any of the available security plugins. These plugins keep checking the website for security threats and eliminate them with constantly regulated and updated security measures.
Some of the popular security plugins are Wordfence, Bulletproof security and All in One WP security and firewall. Many more
WordPress.org recently discovered user login credentials in a list of compromised emails and passwords published by a group of security researchers.
Hello everyone, some of you will have the following email in your inbox: Your password on WordPress.org has been deactivated, and you need to reset it to log in again.
We recently discovered your login credentials in a list of compromised emails and passwords published by a group of security researchers. This list was not generated as the result of any exploit on WordPress.org, but rather someone gaining access to the email & password combination you also used on another service.
To reset your password and get access to your account, please follow these steps:
1. Go to login.wordpress.org
2. Click on the link “Lost your password?”
3. Enter your WordPress.org username:
4. Click the “Get New Password” button
It is very important that your password be unique. Using the same password on different web sites increases the risk of your account being hacked.
If you have any further questions or trouble resetting your password, please reply to this message to get help from our support team. We will never ask you to supply your account password via email.
At this point we don’t have a reason to believe any accounts have been compromised, but out of an abundance
A demonstration of password guessing attacks (aka brute force) and then what attackers see after installing basic security defenses. Hope you like it. But even more, I hope you defend your site against these attacks!
If you have a WordPress site, someone is likely trying to guess your username and password combination. It is easily the most common attack against these sites. This is because it’s an easy attack to automate and undoubtedly it pays off occasionally. In this post, I’ll show you some common methods attackers use to guess your username and password, and then show what happens when you implement simple defenses.
What is a WordPress Password Guessing Attack?
Simply, this attack is when someone tries to guess your password. An attacker will use a program to guess the most common variations of usernames and passwords on your site. It will use your login form to enter the most common username:password combination (that’s admin:admin, btw). If that fails, the program moves on to the next most common variation. On and on, it just keeps trying different combinations indefinitely. This is why it’s called a Brute Force Attack – it uses brute force to try all possibilities instead of doing something intelligent.
Should You be Worried?
By default, WordPress gives you no defenses against this. If someone is trying this attack against your site, they can just keep trying
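To make the two situations concrete, here is an added simulation (not code from the post above) of a guessing tool working through a short list of common credentials against a login endpoint, first with no limit, then with a per-IP, per-username attempt limit of the kind "limit login attempts" plugins add. The guess list, the target account and the IP address are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed guess list in the order an automated tool would try it:
# most common combinations first (the text's admin:admin example).
COMMON_GUESSES = [
    ("admin", "admin"), ("admin", "password"), ("admin", "123456"),
    ("admin", "admin123"), ("admin", "letmein"), ("admin", "qwerty"),
    ("administrator", "admin"), ("admin", "welcome1"),
]

# Constructed target account: a weak password, but not the first guess.
USERS = {"admin": "welcome1"}


class LoginEndpoint:
    """Minimal stand-in for wp-login.php with an optional attempt limit.

    With max_attempts=None it behaves like stock WordPress: every guess is
    checked and the attacker can keep going indefinitely.
    """

    def __init__(self, max_attempts=None, window_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        # per (client IP, username): timestamps of recent failed attempts
        self.failures = defaultdict(deque)

    def _locked(self, key, now):
        if self.max_attempts is None:
            return False
        recent = self.failures[key]
        while recent and now - recent[0] > self.window:  # forget old failures
            recent.popleft()
        return len(recent) >= self.max_attempts

    def login(self, ip, username, password, now):
        key = (ip, username)
        if self._locked(key, now):
            return "locked"
        if USERS.get(username) == password:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key].append(now)
        return "fail"


def run_guessing_attack(endpoint, ip="203.0.113.9", seconds_per_try=1):
    """Replay the guess list; return (outcome, attempts made, password found).

    outcome is 'compromised' if a guess succeeds, 'blocked' if the attacker
    is locked out before the right guess, 'exhausted' if the list runs out.
    """
    for i, (user, pw) in enumerate(COMMON_GUESSES):
        result = endpoint.login(ip, user, pw, now=i * seconds_per_try)
        if result == "ok":
            return "compromised", i + 1, pw
        if result == "locked":
            return "blocked", i + 1, None
    return "exhausted", len(COMMON_GUESSES), None


if __name__ == "__main__":
    print("stock:  ", run_guessing_attack(LoginEndpoint()))
    print("limited:", run_guessing_attack(LoginEndpoint(max_attempts=5)))
```

The lockout key is (IP, username) on purpose: keyed on IP alone, a botnet spreading guesses across many addresses never trips it; keyed on username alone, an attacker can lock the real admin out at will. Either way, remember that wp-login.php is not the only place credentials are accepted; xmlrpc.php takes them too, so the same limit has to cover it.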
DreamHost is sharing here how they are dealing with a search warrant from the Department of Justice about their hosted website disruptj20.org. They are working closely with legal counsel and are also supported by the Electronic Frontier Foundation.
For the past several months, DreamHost has been working with the Department of Justice to comply with legal process, including a Search Warrant (PDF) seeking information about one of our customers’ websites. At the center of the requests is disruptj20.org, a website that organized participants of political protests against the current United States administration. While we have no insight into the affidavit for the search warrant (those records are sealed), the DOJ has recently asked DreamHost to provide all information available to us about this website, its owner, and, more importantly, its visitors.
DreamHost, like many online service providers, is approached by law enforcement regularly to provide information about customers who may be the subject of criminal investigations. These types of requests are not uncommon; our legal department reviews and scrutinizes each request and, when necessary, rejects and challenges vague or faulty orders.
You would be shocked to see just how many of these challenges we’re obligated to mount every year!
Chris Ghazarian, our General Counsel, has taken issue with this particular search warrant for being a highly untargeted
A summary of where the advice is the same, and where it is different. In general, OWASP locks you down tighter than the WordPress recommendations.
We show you how to implement advice from the gold standards of WordPress Security: The WordPress Codex and OWASP. These best practices are the cornerstone of our tutorials and the service we give to our customers. The WordPress Codex is the online user manual published by the makers of WordPress. It really doesn’t get any more fundamental than this. The section on WordPress Security is here. OWASP – the Open Web Application Security Project – is similarly regarded for standards of internet security. They provide best practices for all types of web applications (including WordPress), as well as advice and training for security professionals. Their specific WordPress recommendations are here.
Besides being well-respected experts, these sources are trustworthy for another reason: they aren’t selling anything. It’s hard to trust people who give advice while also selling solutions. Their product does all the right things, the other products don’t, etc. That’s why we base our practice on independent advice.
Reading through those two pages can be a bit overwhelming. They have a lot of recommendations. What is not obvious is that most recommendations
As it seems, these last few days there is a sudden surge of WordPress sites which are infected by a malware redirect to the tradetraffic.life site. We have received more than 20 WordPress Hack Fix Requests in just 3 days, so we understand that something weird is going on out there. This WordPress malware redirect is injected into most of your WordPress site's post types (posts, pages etc.), usually through an infected plugin, and usually redirects your site visitors to a spam site. If you're infected, I suggest cleaning your site ASAP or requesting help from WordPress Hack Removal Services, or else your site may be banned from Google's index.
Are you infected with the tradetraffic malware redirect? As it seems, these last few days there is a sudden surge of WordPress sites which are infected by a malware redirect to the tradetraffic.life site. We have received more than 20 WordPress Hack Fix Requests in just 3 days, so we understand that something bad is going on out there.
This WordPress malware redirect is injected into most of your WordPress site's post types (posts, pages etc.), usually through an infected plugin, and usually redirects your site visitors to a porn site. If you're infected, I suggest cleaning your site ASAP or requesting help from WordPress Hack Removal Services, or else your site may be banned from Google's index.
If you try to clean your WordPress site yourself make sure to remove or replace the infected plugin(s) AND THEN export your database and remove all bad code which refers to tradetraffic.life. Make sure though you keep a backup of your database first before working on the malware removal.
Hint: If you want to remove that malware injection from your database, I suggest opening the database export using a text editor like Notepad++, then searching for the bad code and replacing it with an empty string. You can do the
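A safer way to do the database part than find-and-replace in a text editor is to pull the affected rows out, strip only the injected elements, and write them back with parameterised updates. The following is an added example (not the service's own tooling) that works on (ID, post_content) rows as you would SELECT them from wp_posts; the three sample rows are constructed to look like the injection described, with tradetraffic.life as the domain named above.

```python
import re

MALICIOUS_DOMAIN = "tradetraffic.life"

# Matches a whole <script>...</script> or <iframe>...</iframe> element,
# including a multi-line body; the callback then keeps or drops each match.
TAG_RE = re.compile(r"<(script|iframe)\b[^>]*>.*?</\1\s*>", re.IGNORECASE | re.DOTALL)

# Constructed sample rows, as returned by: SELECT ID, post_content FROM wp_posts
SAMPLE_ROWS = [
    (1, "<p>Hello world!</p><script type='text/javascript' "
        "src='https://tradetraffic.life/js/redir.js'></script>"),
    (2, "<p>About us</p><script>window.location.href="
        "'https://tradetraffic.life/?go=1';</script>"),
    (3, "<p>Contact</p><script src='https://example.com/analytics.js'></script>"),
]


def strip_injected_tags(content, domain=MALICIOUS_DOMAIN):
    """Remove script/iframe elements that reference the domain anywhere in the
    tag or its body (src attribute or inline redirect). Returns
    (cleaned_content, list_of_removed_snippets); unrelated scripts survive."""
    removed = []

    def repl(m):
        if domain.lower() in m.group(0).lower():
            removed.append(m.group(0))
            return ""
        return m.group(0)

    return TAG_RE.sub(repl, content), removed


def clean_posts(rows, domain=MALICIOUS_DOMAIN):
    """Return (ID, cleaned_content, removed_count) for every row that changed."""
    changed = []
    for post_id, content in rows:
        cleaned, removed = strip_injected_tags(content, domain)
        if removed:
            changed.append((post_id, cleaned, len(removed)))
    return changed


def update_statements(changed, table="wp_posts"):
    """Parameterised UPDATEs for a MySQL driver; the content is never
    interpolated into the SQL string, so odd characters cannot break it."""
    sql = f"UPDATE {table} SET post_content = %s WHERE ID = %s"
    return [(sql, (cleaned, post_id)) for post_id, cleaned, _ in changed]


if __name__ == "__main__":
    for post_id, cleaned, n in clean_posts(SAMPLE_ROWS):
        print(f"post {post_id}: removed {n} element(s) -> {cleaned}")
```

Two caveats a cleanup should respect. First, take the backup mentioned above before any UPDATE. Second, keep this to wp_posts.post_content: values in wp_options and wp_postmeta are often PHP-serialised strings that carry explicit byte lengths, and deleting characters from those (whether here or in Notepad++) corrupts the serialised value, so those rows need to be unserialised, edited and re-serialised instead.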
While auditing the popular WordPress plugin Loginizer, I discovered a SQL Injection vulnerability and a Cross-Site Request Forgery (CSRF)
Sneaky: Certificate Transparency is an open standard that allows the online community to monitor SSL certificates that have been issued to websites. This can enable hackers to attack while you are still installing your fresh new WP site.
If you or your customers use WP Statistics (plugin is currently installed on 300,000+ websites) then read more about this discovered SQL Injection vulnerability.
Security Risk: Dangerous
Exploitation Level: Easy/Remote
DREAD Score: 7/10
Vulnerability: SQL Injection
Patched Version: 12.0.8
As part of a vulnerability research project for our Sucuri Firewall, we have been auditing popular open source projects looking for security issues.
While working on the WordPress plugin WP Statistics, we discovered a SQL Injection vulnerability. This plugin is currently installed on 300,000+ websites.
Are You at Risk?
This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right circumstances/configurations compromise your WordPress installation.
If you have a vulnerable version installed and your site allows user registration, you are definitely at risk.
WordPress provides an API that enables developers to create content that users can inject to certain pages just using a simple shortcode:
[shortcode atts_1="test" atts_2="test"]
Among other functionalities, WP Statistics allows admin users to get detailed information related to the number of visits by just calling the shortcode below:
As you can see on
Much like Clef, Keyy gives you 2-factor authentication with a difference. It replaces passwords with sophisticated RSA public-key cryptography, which results in stronger security and a better user experience.
This is version 1 of the software. Please don’t hit us with a bad review, but we’re very eager for your feedback in the support channel. In the coming weeks and months we will: Replace the QR code (current version) with a “Keyy wave” – an animated barcode which was a loved feature of Clef
Launch a single-sign on feature, so logging into one site with Keyy logs you into all sites on that device
Announce many more soon!
It replaces typing usernames, passwords and the usual two factor tokens with a simple cryptograph that users sync to an app on their mobile phone.
It makes logging in both incredibly safe and unbelievably easy. Keyy instantly boosts user account security and protects the site.
Everyone wins, except for the hackers!
The threat of hacking has never been stronger, and it’s constantly evolving in both scale and sophistication.
There’s a bewildering array of online security solutions and best-practices out there. The trouble is, most of them have flaws and loopholes that criminals are always looking to exploit.
What’s more, implementing them is a pain. Who wants to remember yet another password? And who wants to go fumbling about
How to stop brute force attacks with Cloudflare Free Page Rules - Troy Glancy - Entrepreneur - Coach
Using the Cloudflare CDN it's possible with a few rules to make brute-force attacks against wp-admin and xmlrpc harder
Recently I made a post on how to block brute force attacks on cPanel servers which had some information about Cloudflare at the bottom. Since Cloudflare Page Rules can work for anyone, I felt it needs to have its own post. What is Cloudflare: The Short Answer Cloudflare protects and accelerates any website online. Here is a guide from Cloudflare on how it works.
Personally I have been using Cloudflare for about 4-5 years and they have evolved a lot since then. I have used Cloudflare Free and Cloudflare Pro for my own sites and my clients' sites. The version I use depends on the type of security that is needed to protect a site. Sometimes Free will work for a basic business page, but sometimes Cloudflare Pro is needed to protect the site even more. Cloudflare Pro is a great service because it blocks everything Cloudflare Free does, but it also has an application firewall which blocks injection-type attacks on your site. (Little technical guide). Bottom line, while Cloudflare Free does a good job blocking bots, spammers, and some basic security threats, Pro gives you a lot more security features.
However, this post is mostly about the Cloudflare Free. You can use Clouldflare page
Nice interview with Julio Potier on why he created the SecuPress plugin. Julio also created WP Rocket and founded the company WP Media.
Julio Potier is the developer behind SecuPress, the WordPress plugin that makes it possible to easily secure your WordPress websites and blogs. Julio is based in France and is very active in the WordPress security scene. He is also a security consultant and teaches developers to write more secure code through his lectures and audits. Julio has contributed to WordPress core and was one of the co-founders of WP Media, the company behind the popular caching plugin WP Rocket. In this interview Julio talks a bit about how he got started with WordPress, the REST API and its security issues, and he also explains why he developed SecuPress when there are already a few WordPress security plugins available on the market.
What got you interested in security?
Back in 2000, I created my first static HTML website and 2 years later in 2002, I developed my first PHP/SQL website. It was full of security issues. A friend showed me how to exploit and fix vulnerabilities. It was the “aha!” moment for me.
What got you interested / hooked on WordPress?
Back in 2009 my first daughter was born and I wanted to create a gallery website to post three photos a day to share with our distant family members.
Release notes are out, and this release fixes 6 security issues.
WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.4 and earlier are affected by six security issues:
Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
Thank you to the reporters of these issues for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
I have tried compiling a list of stuff that, in my opinion, does not bring more security to your WordPress installation. https://eastwest.se/blog/wordpress-security-myths What do you think, am I wrong? Is there something important I have forgotten?
Hide or move wp-admin to prevent brute force attacks. If you search on WordPress security, moving or hiding wp-admin is one common tip, and there are many plugins that can do this for you. Bots and scanners are actively looking for WordPress installations and attempting a brute-force password attack on /wp-admin.
This method is what's called "security by obscurity". Relying on this is not real security and cannot be seen as a good solution.
A big downside of this method is that many plugins depend on the exact location of /wp-admin. You risk breaking plugins.
Besides this, most of the attacks use vulnerabilities in XML-RPC, so hiding wp-admin is useless.
However, I highly recommend a password attempt plugin to prevent a brute-force attack.
Changing the wp_ prefix of all tables
Another common tip is to change the wp_ -prefix of the WordPress-tables. The theory is that this will make an SQL-injection harder. In reality, this does not matter; it is just a waste of time.
If an attacker can query against information_schema.tables, he or she will get all info about tables, whatever fancy prefix you put in front of the names, again "security by obscurity".
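The point can be demonstrated end to end. Below is an added example (not from the post above) in which the site uses a random table prefix, the application has one string-concatenated query, and the attacker, knowing nothing about the prefix, asks the database catalogue for the table names and then reads the users table. SQLite stands in for MySQL so the example runs offline; its sqlite_master table plays the role of information_schema.tables, and the rows are constructed sample data.

```python
import secrets
import sqlite3


class Site:
    """Stand-in for a WordPress install with a non-default table prefix."""

    def __init__(self, prefix=None):
        # A random prefix: exactly what the "rename wp_" advice produces.
        self.prefix = prefix or ("wp" + secrets.token_hex(3) + "_")
        self.con = sqlite3.connect(":memory:")
        p = self.prefix
        # Constructed rows; the hash is a placeholder, not a real credential.
        self.con.executescript(f"""
            CREATE TABLE {p}users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
            CREATE TABLE {p}posts (ID INTEGER PRIMARY KEY, post_title TEXT);
            INSERT INTO {p}users VALUES (1, 'admin', '$P$BexampleHashValue');
            INSERT INTO {p}posts VALUES (1, 'Hello world!');
        """)

    def search_vulnerable(self, title):
        """The bug: user input concatenated into SQL (the injection point)."""
        sql = f"SELECT post_title FROM {self.prefix}posts WHERE post_title = '{title}'"
        return [row[0] for row in self.con.execute(sql)]

    def search_safe(self, title):
        """The fix: a bound parameter. Note the prefix plays no part in it."""
        sql = f"SELECT post_title FROM {self.prefix}posts WHERE post_title = ?"
        return [row[0] for row in self.con.execute(sql, (title,))]


# The attacker's side: no knowledge of the prefix, only of the injection point.

def attacker_list_tables(site):
    """Ask the catalogue for every table name, whatever prefix was chosen.
    MySQL equivalent: SELECT table_name FROM information_schema.tables
    WHERE table_schema = DATABASE()"""
    payload = "' UNION SELECT name FROM sqlite_master WHERE type = 'table' --"
    return site.search_vulnerable(payload)


def attacker_dump_users(site):
    """Find the users table by its unchanging suffix, then read credentials."""
    users_table = next(t for t in attacker_list_tables(site) if t.endswith("users"))
    payload = f"' UNION SELECT user_login || ':' || user_pass FROM {users_table} --"
    return site.search_vulnerable(payload)


if __name__ == "__main__":
    site = Site()
    print("prefix:", site.prefix)
    print("tables:", attacker_list_tables(site))
    print("users: ", attacker_dump_users(site))
    print("safe:  ", site.search_safe("' UNION SELECT name FROM sqlite_master --"))
```

Run it a few times: the prefix changes every time and the dump never does. The only line that stops the attack is search_safe, which binds the parameter; that is where the effort belongs, along with keeping plugins patched, since plugin code is where these queries usually live.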
Blocking the Bad Guys and Bad Bots, Can It Be Done on The Cheap? - Free Consultation by Phone We Fix Hacked Websites Fast (619) 479
I just wrote this article, "Blocking the Bad Guys and Bad Bots, Can It Be Done on The Cheap?" where I discuss taking advantage of the rate limiting feature within Cloudflare. I hope you find this helpful, and I look forward to reading your comments and experiences.
Within the WordPress community, I find a lot of folks use a variety of security plugins and methods to secure their websites against denial of service attacks and brute force connections. Recently I’ve begun reading a number of comments in the Facebook forums and personal blogs regarding how poorly Cloudflare performs against automated website attacks.
I find this strange because Cloudflare has always promoted the benefits of its distributed content delivery network (CDN) to help reduce the impacts of extreme events, like mass IP connections, and it has protocols in place to help reduce Layer 7 DoS and brute-force attacks as well.
That said, it’s become apparent to me that many are simply not taking the next step in reviewing all of the features available within Cloudflare, and implementing them appropriate to their needs.
I use the free Cloudflare service to help protect my website and I use my web host’s free SSL certificate to better secure my login page and forms. Using the free Cloudflare and SSL certificate services seems like a no brainer to me.
So what about blocking the bad guys and bad bots you ask?
If you have Cloudflare set up already, then you are half
Pretty darn impressive! Running a scan on one of my sites right now. This is nice!
This morning I am incredibly excited to introduce you to a project that the Wordfence team has been working on for almost a year. A few moments ago we officially launched Gravityscan.com, a malware and vulnerability scanner that works on any website. Gravityscan is free. You don’t need to install any software to use it. Simply visit https://www.gravityscan.com/ and enter your website URL. Then hit the “Launch Scan” button and Gravityscan will start examining your website to find out if you have been hacked, or if you have any security vulnerabilities. Go and run your first scan now! I’ll be here when you get back.
A Malware and Vulnerability Scanner for Websites
Gravityscan is designed specifically for websites. It is smart enough to detect if you are running WordPress, Joomla, Drupal, Magento or vBulletin. Then it carefully examines each of those applications you have installed to find out if they have any vulnerabilities. It even detects the extensions you are running in each application and checks them for vulnerabilities.
Gravityscan also performs a comprehensive scan for malware on your site. It does a great job if you simply run a regular scan on any website.
File monitoring can be one of several methods for finding WordPress malware.
OSSEC is an open source host-based intrusion detection system (HIDS) that can be used to monitor file system changes on an operating system. In this article, you’ll learn how to use it to monitor directory and file system changes on WordPress installations. OSSEC is a manager-agent HIDS, where the manager and agent can be installed on the same server, or on different servers. In this article, we’ll use the former approach, with all the components on the same server that WordPress is installed on.
The WordPress installation used for this article was running on an Ubuntu 16.04 server. The same configurations may be used on most other Linux distributions.
To complete this article, you’ll need to have the following in place:
An Ubuntu 16.04 server. Because OSSEC is chroot-ed, you need to be root to configure it. See the Troubleshooting OSSEC section of step 2 for further instructions.
The server must be able to send out emails or you should be willing to use a third party email provider to send emails.
A WordPress-powered blog or website running on the server. Make a note of the location of the WordPress installation directory, because you’ll need
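For reference, this is the shape of the syscheck section the article goes on to configure, written here as an added example rather than copied from the article; the path /var/www/html is an assumption for where WordPress is installed.

```xml
<!-- Added example for ossec.conf (not from the article). Assumes WordPress
     lives under /var/www/html; change the paths to match your install. -->
<ossec_config>
  <syscheck>
    <!-- Full integrity scan every hour; realtime catches changes in between. -->
    <frequency>3600</frequency>
    <!-- check_all = hashes, size, owner, permissions; report_changes = diffs for text files. -->
    <directories check_all="yes" realtime="yes" report_changes="yes">/var/www/html</directories>
    <!-- New files matter most here: a dropped .php under uploads is the classic backdoor. -->
    <alert_new_files>yes</alert_new_files>
    <!-- Directories that churn legitimately. Do not add wp-content/uploads here. -->
    <ignore>/var/www/html/wp-content/cache</ignore>
    <ignore type="sregex">\.log$</ignore>
  </syscheck>
</ossec_config>
```

One thing that catches people out: OSSEC's stock rule 554 ("File added to the system") fires at level 0, which means no alert is sent. Override it in local_rules.xml with a higher level and overwrite="yes", or the new-file events that matter most for a WordPress backdoor never reach your inbox. Expect noise during core and plugin updates; run those at known times and treat changes outside them as the signal.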
Mika explains why it's natural to NOT write secure code and why it's time to get into a clear mindset of security when coding.
At WordCamp Europe last week, I talked about the basics of plugin development. Since I had a mixed bag of experiences, I decided not to actually write a plugin in the class, but instead I took Hello Dolly and edited it. I discussed how the plugin worked, that an action called a function, which returned a value, and showed the interconnectivity. In this way, the attendees could understand the big picture of how code comes together. But at the end, with five minutes, I touched on an important aspect of plugins that Hello Dolly doesn’t do much with, because it doesn’t have to.
I talked about security.
In the past, you have probably done insecure things. Have you ever left your car unlocked in the driveway while you ran the groceries inside? We all do things that are insecure or unsafe. This is normal. Similarly, we have all written insecure code. In the past, all of us, when we begin, write code to perform actions without thinking about how it will be used globally. We don’t worry about safety, we worry about functions.
There’s nothing wrong with this. We are often focus driven designers, fueled by passion and desire, so we want to do and not worry about the details.
A new take on WordPress security; WordPress firewalls and security hardening plugins are common, but what about Intrusion Detection Systems? It is now possible to build one for WordPress, with WordPress.
What is an Intrusion Detection System? An Intrusion Detection System is software that monitors a host and notifies you of suspicious activity, in this case on your WordPress website. Such suspicious activity can be a sign that attackers are trying to find a security hole to exploit on your WordPress website, or have already hacked into it.
It is of utmost importance to be notified as early as possible about possible attacks, so you can take the necessary evasive actions to thwart the attack, or to limit the damage in case of a successful hack. This article explains how you can build an intrusion detection system for your WordPress websites and WordPress multisite network with the WP Security Audit Log plugin, WordPress’ most comprehensive audit trail solution.
Detecting And Getting Notified of WordPress Hack Attempts
Prevention is better than cure, so let’s start with the prevention first. What do malicious hackers typically do to find vulnerabilities or security weaknesses on your WordPress websites? They:
Use automated scanners (such as WPScan) and scripts to scan your website and detect possibly old and vulnerable plugins, themes or WordPress core.
Use automated software
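The scanner activity in the first bullet leaves a recognisable trace in the web server log before any plugin-level audit trail sees it: a burst of requests for readme.txt under many different plugin directories from one address, most of them 404s, sometimes with an honest User-Agent and sometimes not. The detector below is an added example (not part of the article or of WP Security Audit Log) that runs over constructed Apache combined-format log lines; the addresses and timestamps are sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" format lines (sample data, not a real server's log).
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2017:10:01:01 +0000] "GET /wp-content/plugins/display-widgets/readme.txt HTTP/1.1" 404 209 "-" "WPScan v2.9.3 (http://wpscan.org)"
203.0.113.7 - - [20/Sep/2017:10:01:01 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 200 3100 "-" "WPScan v2.9.3 (http://wpscan.org)"
198.51.100.4 - - [20/Sep/2017:10:02:10 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Sep/2017:10:02:11 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Sep/2017:10:02:12 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Sep/2017:10:02:13 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Sep/2017:10:02:14 +0000] "GET /wp-content/plugins/wp-statistics/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.4 - - [20/Sep/2017:10:02:15 +0000] "GET /wp-content/plugins/loginizer/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Sep/2017:10:05:00 +0000] "GET /2017/09/hello-world/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Sep/2017:10:05:02 +0000] "GET /wp-content/plugins/contact-form-7/includes/css/styles.css HTTP/1.1" 200 1200 "https://example.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PLUGIN_PATH_RE = re.compile(r"^/wp-content/plugins/([^/]+)/")


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def detect(lines, window_seconds=60, min_probes=5):
    """Return (ip, reason) findings.

    Two signals: a scanner that identifies itself in the User-Agent, and
    plugin enumeration, i.e. one IP getting 404s for at least min_probes
    distinct plugin directories inside a sliding window. The second catches
    scanners that spoof a browser User-Agent; the first is just a freebie.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    findings = []

    for ip in sorted({e["ip"] for e in events if "wpscan" in e["ua"].lower()}):
        findings.append((ip, "scanner user agent"))

    probes_by_ip = defaultdict(list)
    for e in events:
        m = PLUGIN_PATH_RE.match(e["path"])
        if m and e["status"] == 404:
            probes_by_ip[e["ip"]].append((e["time"], m.group(1)))

    for ip, probes in probes_by_ip.items():
        probes.sort()
        start = 0
        for end in range(len(probes)):
            while (probes[end][0] - probes[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {slug for _, slug in probes[start:end + 1]}
            if len(distinct) >= min_probes:
                findings.append((ip, f"plugin enumeration: {len(distinct)} plugins probed within {window_seconds}s"))
                break
    return findings


if __name__ == "__main__":
    for ip, reason in detect(SAMPLE_LOG.splitlines()):
        print(ip, reason)
```

Feed it your real access log (tail -F piped in, or a nightly batch) and hand the flagged addresses to whatever blocks at your edge. The threshold is the knob to tune: ordinary visitors do not request readme.txt from five plugin directories in a minute, but a crawler following broken links occasionally will, so keep the window short rather than the count low.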