A very useful and comprehensive step-by-step guide to WordPress security :)
The WordPress security team works diligently to provide important security updates and vulnerability patches. However, the use of third-party plugins and themes exposes users to additional security threats. By regularly installing the latest versions of core WordPress files and extensions, you can ensure that your website possesses all of the prevailing security patches.
Plugins and themes can become deprecated, obsolete, or include bugs that pose serious security risks to your website.
To protect your WordPress installation, we recommend that you audit your plugins and themes on a regular basis.
Assess Your Plugin Security
You can assess the security of WordPress plugins and themes by reviewing a couple of important indicators:
Does the plugin or theme have a large install base?
Are there a lot of user reviews, and is the average rating high?
Are the developers actively supporting their plugin and pushing frequent updates or security patches?
Does the vendor include a physical contact address in the ToS or from a contact page?
Carefully read the Terms of Service - it may include unwanted extras that the authors didn’t
Now we find a plugin that is using visitors' CPU cycles for profit.
If you're doing work on a medically-related project in the United States, you need to know what HIPAA is. This article gives an overview of what it is and what it means for people building applications using patient information.
In many situations, building a website is a straightforward process. Many projects can follow a similar path; as sites get bigger, however, there’s more to think about. If you’re working with a financial institution you’ll need to follow certain regulations. The same goes for education, government, and the medical field. When we work on medical projects, there’s an incredibly important regulation that we need to keep in mind called HIPAA – the Health Insurance Portability & Accountability Act. While there are many facets to this law, there’s one that people in tech really need to focus on: the section of HIPAA called the “HIPAA Privacy Rule.”
The HIPAA Privacy Rule
Under the HIPAA Privacy Rule, anyone who works with patient health information must protect it. For example, a nurse cannot disclose patient information (or protected health information – PHI for short) to anyone except those that have been specifically authorized by the patient.
There are some nuances to that example (like usually you can find out if a patient is staying at a hospital, but some can’t even know that much). The main takeaway is that under the
There is a long story behind the WordPress 4.8.3 security fix. In my opinion, Anthony Ferrara is the man behind this update.
Today, a significant SQL-Injection vulnerability was fixed in WordPress 4.8.3. Before reading further, if you haven’t updated yet, stop right now and update. The foundations of this vulnerability were reported via HackerOne on September 20th, 2017.
This post will detail the technical vulnerability as well as how to mitigate it. There is another post which deals with the background and timelines.
What Site Owners Should Do
Simply upgrade to 4.8.3 and update any plugins that override $wpdb (like HyperDB, LudicrousDB, etc). That should be enough to prevent these sorts of issues.
What Hosts Should Do
Upgrade wp-db.php for clients.
There may be some firewall rules you could implement in the meantime (such as blocking %s and other sprintf() values), but your mileage may vary.
What Plugin Developers Should Do
To prevent this issue? Nothing, it’s been mitigated at the WP layer.
In general however, go through and remove all user input from the $query side of ->prepare(). NEVER pass user input to the query side. Meaning, never do this (in any form):
```php
$where = $wpdb->prepare(" WHERE foo = %s", $_GET['data']);
$query = $wpdb->prepare("SELECT * FROM something
```
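The safe counterpart to the pattern above, as an added example (this is not code from the linked post or from WordPress core): every user-supplied value travels through the argument list of a single prepare() call, and the query string itself is built only from literals in this file. It assumes the WordPress global $wpdb and a hypothetical custom table named {$wpdb->prefix}orders with constructed column names.

```php
<?php
// Added example (not from the original post). Assumes the WordPress global $wpdb
// and a hypothetical custom table {$wpdb->prefix}orders; column names are constructed.

/**
 * Build a WHERE template from request filters WITHOUT putting any request
 * value into the SQL string. Column names are checked against an allow-list
 * (they are identifiers, not data, so they cannot be parameterised); values
 * are collected into $args for the single prepare() call in get_orders().
 *
 * @return array{0: string, 1: array} SQL fragment with placeholders, and its arguments.
 */
function orders_where_template( array $filters ) {
    // Allow-listed columns mapped to the placeholder type each expects.
    $allowed = array(
        'status'      => '%s',
        'customer_id' => '%d',
        'total_min'   => '%f',
    );
    $clauses = array();
    $args    = array();

    foreach ( $filters as $column => $value ) {
        if ( ! isset( $allowed[ $column ] ) ) {
            continue; // unknown keys from the request are ignored, never interpolated
        }
        if ( 'total_min' === $column ) {
            $clauses[] = 'total >= ' . $allowed[ $column ];
        } else {
            $clauses[] = $column . ' = ' . $allowed[ $column ];
        }
        $args[] = $value; // the value only ever reaches SQL through prepare()'s arguments
    }

    if ( empty( $clauses ) ) {
        return array( '', array() );
    }
    return array( ' WHERE ' . implode( ' AND ', $clauses ), $args );
}

/**
 * Run the query with exactly ONE prepare() over the whole statement.
 * Because the template contains only literals from this file, a request value
 * such as "%s" or a quote character is escaped as data rather than being
 * interpreted as part of the query, which is what the double-prepare pattern
 * on the page gets wrong.
 */
function get_orders( array $request ) {
    global $wpdb;

    list( $where_sql, $args ) = orders_where_template( $request );
    $sql = "SELECT * FROM {$wpdb->prefix}orders" . $where_sql . ' ORDER BY id DESC LIMIT 50';

    if ( empty( $args ) ) {
        // No request data in the string, so there is nothing to prepare.
        return $wpdb->get_results( $sql );
    }
    return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}

// Usage from a request handler; only the allow-listed keys are honoured.
// $rows = get_orders( array_intersect_key( $_GET, array_flip( array( 'status', 'customer_id', 'total_min' ) ) ) );
```

Two details worth knowing when applying this: $wpdb->prepare() accepts its arguments either as separate parameters or as a single array, so collecting them into $args as above works, and a literal percent sign in the template part of the query has to be written as %% so that prepare() does not treat it as a placeholder.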
Interesting look at how hackers target WordPress. Which plugins & themes are targeted. By what countries & IPs. Part of a monthly series.
In Evan's latest article, he digs into WordPress security: what makes a site more or less secure, and what you can do to protect your site without having a PhD in information security. If you're not already offering security auditing as a service for your clients, you should!
WordPress has made great strides in its effort to democratize publishing, making the ability to publish content on the web accessible to a very large number of people all over the world. Today, it powers roughly 28% of the websites on the web making it the most widely used platform in the world by far in terms of market share. However, with the status of being number one comes the attention of those who wish to exploit it. In this article, we’ll look at what you can do to make your site more secure to weather the eternal storm of bad guys.
Isn’t WordPress Secure Already?
Just as it is not possible to secure your home 100%, no site is 100% secure. Every lock has a key, and it can be opened by anyone who has something that fits the same way. That is not to say that WordPress is not secure though. As an open-source project with literally thousands of developers working on it, in it, and around it all the time, the collective effort of so many people makes it very strong, because it only takes one person to find a vulnerability and report it. WordPress also has a dedicated security team responsible for making sure WordPress core is as secure as possible.
The WordPress Security
Really interesting from David on WPShout, on how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against
All about WordPress security - from interviews with different WordPress security experts.
I’ve spent the last three months deep in the weeds of WordPress security. As regular readers will know, this is because I’m working on a new course: WordPress Security With Confidence (it’s coming out in two weeks). Part of this research has involved talking to a lot of WordPress security experts. Some of these experts focus on the big picture, whilst some focus on extremely specific aspects. As a whole they offer an incredible depth of knowledge about how WordPress security works, what’s important, and what we should all be focusing on.
Hopefully you’ll find something interesting in this diverse mix of perspectives. I talked to people from S-brands like Sucuri, SiteGround, SiteLock, and SecuPress. (I prefer brands whose first letters are in the second half of the alphabet. ;p) To give you a quick sense of topics: these cover everything from convincing clients to think about security, why your WordPress site shouldn’t have a username and password, and how WordPress itself deals with security fixes.
WordPress Security With Confidence will include hours of screencasts of me talking about security concepts, and showing you how to implement them in WordPress
My take on the recent issues with malicious code in plugins and the importance of getting the word out to users.
In case you missed it, three widely-used WordPress plugins were recently found to have malicious code included with recent updates. Display Widgets, Fast Secure Contact Form and SI CAPTCHA Anti-Spam were each removed from the official WordPress Plugin Repository due to SEO spam discovered by users. One thing each plugin had in common was that they were all previously trusted and generally considered secure. More recently, they were sold by their original authors to a new developer, who used these popular plugins to spread payday loan spam posts. In fact, security plugin company Wordfence recently reported that up to 9 plugins have been found with malicious code added through various means.
While many web designers and developers have become more proactive in securing their sites against typical threats like brute force attacks, malicious plugins appear to be a whole new ballgame. We’re used to defending against security holes, but not against authors who are intentionally trying to propagate malware. And in the case of the plugins mentioned above, immediately updating to the latest version was the worst thing we could have done, since that was how the code was installed.
Interesting project for WordPress security: check the integrity of your WordPress installation.
Overview
WP-CLI provides a way for system administrators to verify the integrity of the WordPress core files. Through wp checksum core, you can easily verify that a given installation has not been tampered with. It not only checks whether the correct files are in place, but also that their content has not been changed. This is possible because WordPress provides an official API to check the expected core file checksums at https://api.wordpress.org/core/checksums/.
Having this kind of functionality for plugins and themes as well would be a huge security benefit. It would allow you to check the file integrity of an entire site, possibly in an automated fashion. However, there is no centralized way of retrieving the file checksums for plugins or themes yet, and the alternative of downloading the plugins and themes from the official servers first just to check against them is wasteful in terms of resources and bandwidth.
The aim of this project is to extend the checksum verification and its underlying infrastructure so that it can reliably and efficiently check the integrity of plugins and themes as well.
The project will be structured into four stages. Each stage will be
Unpatched new Cross-domain Flash injection (XSF) in flashmediaelement.swf. Technical details about this will be released on Oct 19th 2017
What is the vulnerability? There is an unpatched vulnerability in the latest and older WordPress releases. The vulnerability is a cross-domain Flash injection (XSF), whose impact is similar to a Reflected XSS (or Same-Origin policy bypass).
The vulnerable file is located at /wp-includes/js/mediaelement/flashmediaelement.swf.
Who is affected?
Any up-to-date or older (for at least 2 years) version of WordPress is vulnerable by default. Every WordPress website is vulnerable to this as well as any other website hosted on the same subdomain as a WordPress website.
The only WordPress websites that are not affected are those where the vulnerable file, flashmediaelement.swf, is hosted on a sandboxed domain. This is the case for sites hosted on wordpress.com for example.
What is the impact?
The impact is similar to an (authenticated) Reflected XSS, except you can’t manipulate the DOM and read some values like header responses. The attacker can send a malicious link that would execute arbitrary Flash code on the WordPress security sandbox. When a victim opens the malicious link, the attacker can perform “xhr style” requests with Flash to any URL in the WordPress domain, using
Hiding that you're running WordPress (security through obscurity) is pretty terrible security advice... most of the time.
What counts as security, and how you make sure that you’re secure are both big and complicated topics. But, the complication of them is worsened when people mistake useless task-creation for actual benefit. “Security theater” has been an ever more common term used to characterize practices that look like they improve security but don’t really do much of anything at all. There’s a specific class of common WordPress security advice that just isn’t really worth all the time and energy that people spend on it: hiding the fact that you’re running WordPress. I think that while some of the often-recommended “security through obscurity” features have value for an average WordPress site, they aren’t worth the hassle.
In this article, we’ll start with a brief overview of how to think about security with WordPress, cover what “security through obscurity” is and which practices it entails, and then what modest benefit it does have.
Oh, and if you want some guidance on some actually helpful WordPress security advice, you should sign up for my free course below. It’s a brief, valuable, and fun mini-series ahead of the
How to use Nmap to scan for WordPress plugins and themes. Nmap can also try to brute-force logins with common usernames and passwords.
Nmap is one of our favorite tools when it comes to security testing (except for WPScans.com). Nmap was created in 1997 by Gordon Lyon aka Fyodor. The current version 7.60 contains about 580 different NSE scripts (Nmap Scripting Engine) used for different security checks or information gathering, and about six of them are related to WordPress. Our first test is to just use the default options in nmap and see which ports are open:
Btw, we are using the amazing penetration testing distro Kali Linux. The above screenshot shows that there is a web server, an SSH server and MySQL listening on the network. Exposing MySQL to the network is not really safe, but it’s not the target this time.
The following Nmap NSE scripts are directly related to WordPress:
When running our second test we focus on the web server and use the -A argument to Nmap to enable script scanning:
From the above screenshot we notice that the http-generator script displays the WordPress version, in this case 4.8.2.
Now it’s time for the heavy lifting stuff: Running the WordPress
Looks like another plugin has gone down. This time due to an XSS vulnerability.
As part of a comprehensive analysis of the key points of WordPress and WooCommerce, we could not bypass the WooCommerce security issues.
As part of a comprehensive analysis of the key points of WordPress and WooCommerce, we could not bypass the WooCommerce security issues. When looking at the core of the platform, there are generally no striking security issues in WordPress. There are only relatively narrow places that can potentially lead to hacking. The vast majority of these bottlenecks in WordPress sites are actually easy to control. The core of this system has come a long way in development, so it’s quite safe. Surprising as it may sound, web developers are serious about security and release patches very quickly. One of the strengths of WordPress is the ease of upgrading and the high speed of the development cycle.
A large part of potential security issues emerge due to end users’ short-sightedness in choosing themes and plugins with dangerous code and using poor quality hosting.
Let’s start with some statistics
One of the articles on WP White Security gives the statistics of hacked websites:
41% were hacked through a vulnerability of the hosting account
29% were hacked via a security issue in the WordPress theme they were using
22% were hacked via a security issue in the WordPress plugins they
And, here we have yet another plugin pulled because of malicious code. Is this considered a crisis yet?
I am the original author of SI CAPTCHA for WordPress. This plugin had a new owner in June 2017 with a WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts. The new owner put spam code in versions 3.0.1 and 3.0.2 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated, it would not have corrupted your posts or changed anything in the WordPress database.
I am sorry for any inconvenience this has caused. I never expected that this would happen. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted
Some thoughts on choosing safe plugins and the importance of staying vigilant.
To some degree, the world of WordPress plugins is a bit like the old wild west. The open source platform means that anyone can write plugins to extend functionality. At its best, plugin authors create useful tools to help us build highly-functional websites for very little cost. The other side of the coin is that plugins containing security holes and even malicious code can put us at risk. For example, it was recently discovered that an updated version of Display Widgets (a plugin with over 200,000 active installations) included code that generated SEO spam posts within WordPress. This was all done without the site owner’s knowledge or permission.
While this was certainly a nuisance, it’s not hard to imagine something even worse being attempted in the future. Such malware could potentially delete website content or infect a visitor’s computer or mobile device. This is a serious threat that could cause widespread damage.
We sometimes fall into the trap of installing plugins on a whim and assuming that nothing bad could come of it. Unfortunately, that strategy isn’t the most secure. Instead, there are some things you can do to help lower the risk of installing
Once again, another plugin has been purchased from the original owner, and the new owner has dropped malicious code into it. The plugin has been pulled from the repo, but as usual, if you are using this plugin, you won't be notified that it is f*#ked up! Hope you see this and delete it if you use it.
I am the original author of Fast Secure Contact Form. This plugin had a new owner in June 2017 with a WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts. The new owner put spam code in versions 4.0.52 4.0.53 4.0.54 and 4.0.55 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated, it would not have corrupted your posts or changed anything in the WordPress database. I am sorry for any inconvenience this has caused. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted out. Perhaps a new version
I watch changelogs like a hawk. Nuggets of gold to be found in there. Or sharp knives.
There have been several high profile plugins lately that have been found to be posting spam and deceptive links on users’ blogs. One such is the “Display Widgets” plugin. You can read Wordfence’s detailed breakdown of the spam. It turns out the original developer of the plugin sold it, and the new owner started to place spammy backlinks and other bad code into the plugin. This gave this “developer” access to tens of thousands of blogs, and the site owners never knew it was happening.
I was checking the WordPress that runs this blog today to see if there were any plugin or system updates for me to do, as is good practice. I noticed one today had an update, a no-follow plugin I’ve been using for a few years. Today, I saw that plugin had an update, and I looked at the changelog to see what was new, which is also a good thing to look at instead of blindly trusting plugins.
I saw this, which set off my Spidey sense.
No offense to this new maintainer person, but seeing a plugin go to a new person, one that has no other active plugins in the WP repository, has no mention of this plugin on his blog, and whose Twitter feed is mostly links
If you use the Display Widgets plugin, it has been removed from the plugin repository due to potentially malicious code.
This is the latest version of the plugin code (version 18.104.22.168) : https://plugins.trac.wordpress.org/browser/display-widgets/trunk/geolocation.php Look at the function on line 186 (pasted below).
Note the name of the function dynamic_page, what do you think a function with name Dynamic Page does?
It creates a DYNAMIC PAGE (a Dynamic WordPress Post) on Display Widget users sites and is loaded using line 299:
```php
add_filter( 'the_posts', array( 'dw_geolocation_connector', 'dynamic_page' ) );
```
The above hooks into the the_posts filter; this line basically intercepts your Posts before they are output to the browser so the Dynamic Post can be added to the Posts.
Why would a plugin to determine where widgets are loaded create Dynamic Posts?
Line 187 checks whether a user is logged in. A logged-in user is probably the site owner, so when a user is logged in the Dynamic Page function does nothing and outputs the Posts normally. So if you are logged into your site and you look at it in a browser, everything looks normal.
Why would a legitimate plugin feature be hidden from the site owner and other logged in users?
If a user is logged out: that would be your sites visitors and
WordPress.org recently discovered login credentials in a list of compromised emails and passwords published by a group of security researchers.
Hello everyone, some of you will have the following email in your inbox: Your password on WordPress.org has been deactivated, and you need to reset it to log in again.
We recently discovered your login credentials in a list of compromised emails and passwords published by a group of security researchers. This list was not generated as the result of any exploit on WordPress.org, but rather someone gaining access to the email & password combination you also used on another service.
To reset your password and get access to your account, please follow these steps:
1. Go to login.wordpress.org
2. Click on the link “Lost your password?”
3. Enter your WordPress.org username:
4. Click the “Get New Password” button
It is very important that your password be unique. Using the same password on different web sites increases the risk of your account being hacked.
If you have any further questions or trouble resetting your password, please reply to this message to get help from our support team. We will never ask you to supply your account password via email.
At this point we don’t have a reason to believe any accounts have been compromised, but out of an abundance
Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?
Security has been on the mind of a lot of people lately. Most prominently there’s the Equifax news. But a story today about CCleaner broke, the Display Options plugin for WordPress was compromised and subsequently banned from the WordPress Plugin Repository, and there’ve been many high profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: Are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not consistent (another common software problem). So yes, there are security issues with WordPress, like there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
By taking the following steps you will be able to protect your WooCommerce store from malicious attacks, threats and hackers.
Having an online store instead of a physical store is a great way to start a business, but even online stores are prone to security breaches and hacking. While an online store offers many advantages, it should be considered that such stores hold a lot of third-party information, log-ins from different people, payment gateways and links to many other web pages. Creating an online retail store is easy with WooCommerce, but it must be kept in mind that all online stores make an attractive target for hackers and cyber criminals. However, there is no reason to worry, because adequate safety measures exist to make ecommerce safe and secure without requiring too much money or technical expertise. Here we discuss how one can secure their online store.
1. Using security plugins
Though WordPress is considered to be a safe platform, it is a good idea to increase the security with the help of any of the available security plugins. These plugins keep checking the website for security threats and eliminate them with constantly regulated and updated security measures.
Some of the popular security plugins are Wordfence, BulletProof Security and All In One WP Security & Firewall. Many more
DreamHost is sharing here how they are dealing with a Search Warrant from the Department of Justice about their hosted website disruptj20.org. They are working closely with legal counsel and are also supported by the Electronic Frontier Foundation.
For the past several months, DreamHost has been working with the Department of Justice to comply with legal process, including a Search Warrant (PDF) seeking information about one of our customers’ websites. At the center of the requests is disruptj20.org, a website that organized participants of political protests against the current United States administration. While we have no insight into the affidavit for the search warrant (those records are sealed), the DOJ has recently asked DreamHost to provide all information available to us about this website, its owner, and, more importantly, its visitors.
DreamHost, like many online service providers, is approached by law enforcement regularly to provide information about customers who may be the subject of criminal investigations. These types of requests are not uncommon; our legal department reviews and scrutinizes each request and, when necessary, rejects and challenges vague or faulty orders.
You would be shocked to see just how many of these challenges we’re obligated to mount every year!
Chris Ghazarian, our General Counsel, has taken issue with this particular search warrant for being a highly untargeted