It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
As a blogger and a privacy wonk, I’ve written a lot about WordPress security for bloggers and VPNs for digital nomads, gamers, binge-watchers, and privacy-minded folks in general. But it never occurred to me bloggers could be questioning the relevance of VPNs for blogging until someone asked me about it. It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
What’s So Special about VPNs?
There are two fundamental functions of a VPN – geo-spoofing and data encryption.
A VPN is a network of servers across the globe.
A foreign IP enables you to bypass geo-blocks and unlock streaming sites, online TV, you get the idea. That’s geo-spoofing.
But a VPN also encrypts your traffic, making it unintelligible for anyone looking to snoop on your activities. That’s where the real value of VPNs kicks in – data encryption adds an extra layer of security to your browsing.
Now, let’s see if VPNs are relevant to blogging security.
VPNs Protect Your Admin Credentials
Securing your blog by enabling VPN encryption when you log in to your admin
Unpatched new Cross-domain Flash injection (XSF) in flashmediaelement.swf. Technical details about this will be released on Oct 19th 2017.
What is the vulnerability?
There is an unpatched vulnerability in the latest and older WordPress releases. The vulnerability is a cross-domain Flash injection (XSF), whose impact is similar to a Reflected XSS (or Same-Origin policy bypass).
The vulnerable file is located at /wp-includes/js/mediaelement/flashmediaelement.swf.
Who is affected?
Any up-to-date or older (for at least 2 years) version of WordPress is vulnerable by default. Every WordPress website is vulnerable to this as well as any other website hosted on the same subdomain as a WordPress website.
The only WordPress websites that are not affected are those where the vulnerable file, flashmediaelement.swf, is hosted on a sandboxed domain. This is the case for sites hosted on wordpress.com for example.
What is the impact?
The impact is similar to an (authenticated) Reflected XSS, except you can’t manipulate the DOM and read some values like header responses. The attacker can send a malicious link that would execute arbitrary Flash code on the WordPress security sandbox. When a victim opens the malicious link, the attacker can perform “xhr style” requests with Flash to any URL in the WordPress domain, using
To the extent any guide to WordPress security can be "complete", this is pretty good: thorough look at security basics most sites need to follow that avoids the cliched poor quality advice often found on the topic.
WordPress sites are one of the most common targets for attack on the internet. They’re hacked more than any other type of site. If you, your friends, or someone you know has never had an experience of a WordPress site getting “hacked”, you’ve either been extremely lucky or have abnormally careful people surrounding you in your life. Security matters because WordPress sites are online, are running literally hundreds of thousands of lines of code, and WordPress is a common-enough platform that it’s going to be targeted by attackers. When Microsoft Windows was a relatively new and dominant platform with regular headlines about security issues, its defenders pointed out that the number of attacks was a big reason. While there were security mistakes being made by Microsoft, it was also the case that many security errors were commonly exploited first on the Windows platform.
So too with WordPress. WordPress powers about 27% of the internet. That’s great, but it also means that if someone finds a fundamental security flaw that’s common on all WordPress sites, or even a big percentage, they can easily have thousands of servers mustered in a matter
A summary of where the advice is the same, and where it is different. In general, OWASP locks you down tighter than the WordPress recommendations.
We show you how to implement advice from the gold standards of WordPress Security: The WordPress Codex and OWASP. These best practices are the cornerstone of our tutorials and the service we give to our customers. The WordPress Codex is the online user manual published by the makers of WordPress. It really doesn’t get any more fundamental than this. The section on WordPress Security is here. OWASP – the Open Web Application Security Project – is similarly regarded for standards of internet security. They provide best practices for all types of web applications (including WordPress), as well as advice and training for security professionals. Their specific WordPress recommendations are here.
Besides being well-respected experts, these sources are trustworthy for another reason: they aren’t selling anything. It’s hard to trust people who give advice while also selling solutions. Their product does all the right things, the other products don’t, etc. That’s why we base our practice on independent advice.
Reading through those two pages can be a bit overwhelming. They have a lot of recommendations. What is not obvious is that most recommendations
Recently discovered: a severe SQL Injection vulnerability allowing an unauthenticated user to grab data from the victim’s website database. If you use NextGen or have a client who does, you might want to read this.
Security Risk: Critical
Exploitation Level: Easy/Remote
DREAD Score: 9
Vulnerability: SQL Injection
Patched Version: 2.1.79
As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on the WordPress plugin NextGEN Gallery, we discovered a severe SQL Injection vulnerability. This vulnerability allows an unauthenticated user to grab data from the victim’s website database, including sensitive user information.
Are You at Risk?
This vulnerability can be exploited by attackers in at least two different scenarios:
If you use a NextGEN Basic TagCloud gallery on your site, or
If you allow your users to submit posts to be reviewed (contributors).
If you fit either of these two cases, you’re definitely at risk.
This issue existed because NextGEN Gallery allowed improperly sanitized user input in a WordPress prepared SQL query, which is basically the same as adding user input inside a raw SQL query. Using this attack vector, an attacker could leak hashed passwords and WordPress secret keys, in certain configurations.
Never trust the input – that is the
TIL: This is something I didn't know (or even think about) until now, and I can see how this might be important.
The Wordfence Team would like to encourage website owners and Internet users to support end-to-end encryption on the Web. Today we are announcing that our official position is the following: Wordfence is a strong supporter of end-to-end encryption for the online community.
We suggest that you avoid services that break end-to-end encryption by intercepting and decrypting traffic.
We encourage website owners to implement HTTPS on their websites in a way that provides end-to-end encryption for their site visitors and customers.
We encourage corporate network owners and CISOs to avoid products that perform HTTPS interception and break end-to-end encryption.
We encourage site owners to avoid Cloud products that perform HTTPS interception and decryption, like Cloud WAFs.
What is end-to-end encryption?
When your web browser connects directly to a website using HTTPS, your connection is end-to-end encrypted. If the website is using a Cloud WAF or similar service that decrypts traffic to inspect it, your connection is not end-to-end encrypted because your traffic is decrypted at the cloud WAF, not at the website you are visiting.
Similarly if you are on an office network and the company is using
Onsite WordPress backup files and old revision files can pose a big security risk to your WordPress websites or blogs. Read on to see how easy it is for attackers to gain access to such files and use the information they contain to craft an attack against your website.
One common problem that we notice on the majority of WordPress websites that we audit is the number of backup and old revision files stored on the website. This is a security problem because typically such files can be downloaded by anyone, and the information stored in them could aid malicious hackers in crafting a successful hack attack, as explained in this article.
What are Old Revision and WordPress Backup Files?
Old Revision Files
Not everyone has the luxury of a staging website. In such cases designers and administrators do troubleshooting and test changes on the live website. During such a process it is common practice to make a copy of files before editing them and to rename them with an old extension. For example, before modifying wp-config.php, you make a copy of the file and rename it to wp-config.php.old, or wp-config.old, or wp-config.bak.
WordPress Backup Files
By default, the majority of hosting providers and WordPress plugins store the WordPress backup files on the website itself. Typically these backups are zip files and are stored in the /wp-content/uploads/ directory, or the plugin’s directory. Also, the filenames of these backup files are easy to guess
If you think your website has been hacked, it's good to determine the nature of the hack as soon as possible. There are many different types of hacks and some hacks can be malicious. Other hacks are just defacements of your actual webpages. This article lists some of the strongest indicators of a hacked website (WordPress or not).
Indicators of compromise
Some hacks are quite apparent since they deface your page, while others are more subtle. Here are some common signs that your website has been compromised:
Your home page has changed. If you visit your website, and instead of seeing the page you have created you see something entirely different it's likely that your page has been "defaced." Normally, these types of hackers will have a "hacked by..." message displaying to take credit for the hack.
Your access to admin pages no longer exists. If you cannot access the admin section of your website, it's possible the hacker has gained access to the administrator account or cPanel and altered the passwords.
Your computer's anti-virus software warns you when you visit your website. This is a typical situation where your website is trying to install a trojan or another type of virus on your local computer.
A page will not load but it used to. If you haven't changed
Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? This article is going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors.
Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? We’re going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors! But first… WordPress is a dominant content management system that powers around 30% of all websites on the Internet. It offers a plethora of incredible features, but it doesn’t mean that WordPress is resistant to malware attacks. On the contrary, security has always been one of the system’s weak spots.
Research revealed that over 90 thousand hacker attacks are happening each minute. Another study proved that 73% of the most popular WordPress-based websites are vulnerable to attacks. This is the reason why you often see a notification: The Site Ahead Contains Harmful Programs.
If you are a website owner, you should react immediately upon seeing this message on your site. This is why you need to eliminate the malware notification:
It ruins website credibility and reputation, chasing away even the most loyal visitors.
An average user does not care
The VestaCP zero-day exploit is a serious DDoS attack which may lead your hosting network to suspend or even drop your server/VPS. If you're using Vesta Control Panel then make sure you follow the guide published below and avoid any server/VPS downtime or suspension.
The exploit makes the hacked server attack a Chinese IP. It looks like a DDoS trojan where a .sh file (gcc.sh) is loaded in cro
There is no doubt that we have all left a window open in our house while we have popped to the shop to grab some milk. Think back to the number of occasions where you have left your car unlocked for a moment while paying for a parking ticket or dropping something off.
Probably more than just once, right?
It is natural for us to forget about managing risky situations and put them on the back burner.
Human nature encourages us to feel positive wherever possible, and we like to think that most people and circumstances are to be trusted and that nothing untoward will happen.
Although that is true in most cases, there are times when the odds aren’t in our favor, and when that occurs, it will be too late to do anything about it.
If your home or car is broken into due to lax security, you will be left picking up the pieces knowing that you could have prevented a very unfortunate situation.
With regards to WordPress, the same logic applies, and hoping that your site won’t get hacked is most definitely not the best course of action.
Obviously, nobody wants their site attacked, and if that happens, there are likely to be serious consequences; your website could get blacklisted from
There's no security breach on WordPress.com, but if your individual account is compromised, it could mean your self-hosted sites are as well, if you've connected them via Jetpack.
Really interesting from David on WPShout, on how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against
Good news - WP Security Bloggers, an aggregate of WordPress security news is now manually curated.
Finally, WP Security Bloggers got some TLC! I started this project back in 2014, so I can have a central repository for all the WordPress security news instead of following all the blogs. Over the years the idea developed into creating a WordPress security news aggregator. Though because the number of blogs from which WP Security Bloggers aggregates the news is now over twenty, it is almost impossible to automatically curate the news.
The good news is that from today onward all the news will be curated manually. This means the value and quality for you subscribers will be much higher – you will no longer see duplicate posts and posts that are not about WordPress security.
Today we have also done several minor but significant changes on the website, such as:
We removed sources that no longer are working,
Deleted some of the latest posts that made it through the automated curation,
Added an About page etc.
Subscribe to WP Security Bloggers
To keep yourself up to date with WordPress security, subscribe to the WP Security Bloggers roundup emails, or follow us on Twitter and Facebook.
An interesting case on backdooring plugins and hacked links, written by famous blogger Charles Floate.
This subject was extremely difficult for me to find an opening to approach with. It’s something I wish I didn’t have to blog about in the first place, but it’s something that has not slowed down, even with the likes of WordFence revealing details surrounding it. I have actually been speaking with Dan who wrote the post on WF over the past few days; he’s been extremely helpful with this post.
Backdooring Plugins
Most people blindly trust updates to plugins and will update it to defend against Cyberattacks. This weakness has been exploited by the 3 people mentioned in this article, to gain backdoors to people’s websites and use them as their own personal link network – Though it actually goes greatly beyond that.
Essentially, what these SEOs would do is send an outreach email to plugin owners that haven’t updated in a while or have a smaller number of sites that have the plugin currently installed. They’d then offer to buy the plugin and proceed to run an update which included a backdoor to the sites, so they could insert links onto the sites that installed them – all through a dashboard they had set up on a server that we actually located,
Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?
Security has been on the mind of a lot of people lately. Most prominently there’s the Equifax news. But a story today about CCleaner broke, the Display Options plugin for WordPress was compromised and subsequently banned from the WordPress Plugin Repository, and there’ve been many high profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: Are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not consistent (another common software problem). So yes, there are security issues with WordPress, like there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
Logs contain a wealth of information and are not just there for forensics reasons. Logs can help you improve the security posture of your WordPress website. Good read.
Your security logs offer a wealth of information about how your site is being accessed and how data is processed under the hood, so it’s important to learn how to read those logs. Based on the four principles of WordPress security, it’s recommended that you keep a dedicated audit trail. An audit trail essentially is a record of all the changes that happen on your WordPress website, enabling you to review every action taken.
You can begin keeping a record of all changes with a plugin, but there’s much more to consider than simply which solution you choose to create your security audit log. For this piece, we’ll first look at what security logs record and why it’s essential that you keep one. We’ll then discuss a few solutions for implementing this feature on your WordPress website, before laying out the elements you should be looking for (and how to optimally leverage them) in order to secure your website.
An introduction to WordPress security logs (and what they record)
First, WordPress security logs record practically every action on your website (depending on its capabilities). Some audit-trail plugins keep a record of just about every detail,
Once again, another plugin has been purchased from the original owner, and the new owner has dropped malicious code into it. The plugin has been pulled from the repo, but as usual, if you are using this plugin, you won't be notified that it is f*#ked up! Hope you see this and delete it if you use it.
I am the original author of Fast Secure Contact Form. This plugin had a new owner in June 2017 with a WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts. The new owner put spam code in versions 4.0.52, 4.0.53, 4.0.54 and 4.0.55, but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file, securimage_show.php, that loads the captcha image directly from an HTML img src outside of the WordPress run time. The spam code in this plugin was never activated; it would not have corrupted your posts or changed anything in the WordPress database. I am sorry for any inconvenience this has caused. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted out. Perhaps a new version
Cyber security is a hot topic right now. Here’s an interview with Brad Williams from WebDevStudios on WordPress security, password protection, SSL, 2FA and more.
Cybersecurity is a hot topic right now — it’s in the news almost daily. And as WordPress becomes more popular, site owners are looking for ways to make it more secure to prevent devastating hacking attacks. We recently had the opportunity to interview Brad Williams, the co-founder of WebDevStudios, a WordPress development company that’s thirty employees strong. He’s also a podcaster and co-author of Professional WordPress and Professional WordPress Plugin Development. He shares his advice on how to protect your site from cyber criminals.
A Little Bit About Brad
Brad set up his first website when he was a sophomore in high school (when AOL came free on a floppy disk). From then on, his interest in computers and the Internet skyrocketed. “Being able to connect with people all over the world was fascinating. Back then it was the Wild West,” Brad says.
After high school, Brad joined the Marines to explore computer programming. He eventually taught himself ASP and .NET, which launched his career in web programming. At his first job out of the Marines, he learned business and how companies can use the web both for marketing and to improve operations.
Same scum running similar scammy backdoor code in more newly purchased plugin(s).
A few good reasons why you should never share WordPress logins with contributors - instead create a unique login for every contributor.
A WordPress security best practice that is easy to implement is having a unique WordPress login (username and password) for every person who accesses your website or multisite network. Sharing the same WordPress login details with groups of people can lead to a number of security issues and increases the maintenance of the website, as this post explains.
Use of Weak Passwords
As a WordPress website administrator you know very well how important it is to use strong and complex passwords. In fact, most probably you use a password manager so you can use very long passwords which are impossible to remember. Though if you have a common WordPress login for a group of people, since many still do not use password managers, and because you do not want the hassle of support, you use an easy password for the shared WordPress users.
Easy to guess passwords were and still are the most common source of WordPress website hacks. So avoid using shared WordPress logins and always encourage your contributors to use a password manager to reduce the use of weak and easy to guess passwords.
More Complex operations & high maintenance websites
Managing shared WordPress logins is more complex and requires
Now we find a plugin that is using visitor's CPU cycles for profit.
All about WordPress security - from interviews with different WordPress security experts.
I’ve spent the last three months deep in the weeds of WordPress security. As regular readers will know, this is because I’m working on a new course: WordPress Security With Confidence (it’s coming out in two weeks). Part of this research has involved talking to a lot of WordPress security experts. Some of these experts focus on the big picture, whilst some focus on extremely specific aspects. As a whole they offer an incredible depth of knowledge about how WordPress security works, what’s important, and what we should all be focusing on.
Hopefully you’ll find something interesting in this diverse mix of perspectives. I talked to people from S-brands like Sucuri, SiteGround, SiteLock, and SecuPress. (I prefer brands whose first letters are in the second half of the alphabet. ;p) To give you a quick sense of topics: these cover everything from convincing clients to think about security, why your WordPress site shouldn’t have a username and password, and how WordPress itself deals with security fixes.
WordPress Security With Confidence will include hours of screencasts of me talking about security concepts, and showing you how to implement them in WordPress
A very useful and comprehensive step-by-step guide to WordPress security :)
The WordPress security team works diligently to provide important security updates and vulnerability patches. However, the use of third-party plugins and themes exposes users to additional security threats. By regularly installing the latest versions of core WordPress files and extensions, you can ensure that your website possesses all of the prevailing security patches.
Plugins and themes can become deprecated, obsolete, or include bugs that pose serious security risks to your website.
To protect your WordPress installation, we recommend that you audit your plugins and themes on a regular basis.
Assess Your Plugin Security
You can assess the security of WordPress plugins and themes by reviewing a couple of important indicators:
Does the plugin or theme have a large install base?
Are there a lot of user reviews, and is the average rating high?
Are the developers actively supporting their plugin and pushing frequent updates or security patches?
Does the vendor include a physical contact address in the ToS or from a contact page?
Carefully read the Terms of Service - it may include unwanted extras that the authors didn’t