An update to our vulnerability disclosure policy. 30 days - no exception.
This post is about the realities both good and bad that come with the responsibility of reporting vulnerabilities. The long days of summer are gone, fall has faded away and winter is upon us… reflecting back over the past months the Pagely security team spent some of those days uncovering and reporting a number of unreleased exploits (or 0days) being used against our customers’ sites. It’s just part of the job. When securing sites we see what vulnerabilities attackers are using and how they work, and as an extension of that task, we make sure plugin authors are notified about the vulnerability so they can apply a patch.
It’s a fantastic feeling when we see an actively targeted vulnerable plugin getting patched and secured, but that feeling only comes after the patch gets applied. Just like the feeling of the first fall colors coming in, summer must yield to fall to allow the shorter, cooler days to prevail. If we had 365 days of summer, the world would be a barren wasteland. Much like the seasons, vulnerability reports need to be handled swiftly, before the users of the software get burned by attackers.
The time spent waiting for the patch can be stressful,
Don't wait for the worst to happen — use this WordPress security checklist to protect your website from the worst WordPress security issues.
Updated 11/9/18. Please note: this article contains affiliate links for businesses I use and love. Powering 30% of all websites in the world (and growing!) and capturing almost 60% market share of all open source content management systems, there is no doubt about WordPress’ popularity.
But when it comes to popularity on the internet, there are often consequences. Because of its widespread use, WordPress has become a favorite target for hackers and attackers.
Did you know:
There are roughly 91,000 attacks on WordPress every minute.
During the worst WordPress security breach, over 18 million users were compromised.
73% of the 40,000 most popular websites that use WordPress are vulnerable to attack.
Many of these hackers use bots to automate the process of sniffing out vulnerabilities from your site. With this in mind, an attack isn’t necessarily personal, which is why even the smallest, under-the-radar websites get hacked. Once their bots find a viable entry point, hackers jump in and take advantage.
Before going through the comprehensive WordPress security checklist I’ve put together to help you safeguard your website from the worst possibilities, let’s take
Recently I saw a talk on site security at a WordPress meetup that explained how vulnerabilities in sites are found and then exploited. It got me thinking that perhaps I should really look deeper into site security.
Recently I had Tim Nash, the WordPress platform lead at 34SP.com, speak at the local WordPress meetup I help run. It’s the third time Tim has spoken at the meetup, and in the past he has spoken about site security and performance, but this time he spoke about a handful of case studies of hackings: how the sites were exploited and what could be done to mitigate the vulnerability. Tim’s talk was essentially a scary but helpful introduction to penetration testing (or pentesting) with a WordPress flavor. It got me thinking about just how secure the sites I manage are, and that perhaps I should really look deeper into site security, further than just the fundamentals of WordPress security.
What is Penetration Testing?
The deeper you get into site security, the darker it gets. Penetration testing is the practice of simulating an attack on a system, network, app or website to identify vulnerabilities that might be exploited.
In simple terms, you become the hacker to protect your site. But that means any testing you perform needs to be authorized by the site or system owner (read: your boss or client needs to give the thumbs up), and to avoid arrest and criminal charges (keep in mind I’m not
In the same way, your computer has been exposed to a variety of Internet threats, so is your blog.
You Think the Password Keeps You Safe?
In the same way your computer has been exposed to a variety of Internet threats, so has your blog.
Whether you have established the blog to share your knowledge, passion or as a kind of a business, you are supposed to protect it as your personal property.
Always keep in mind that your integrity and reputation could be compromised by a hacker’s attack. Posts and mailing lists can be used for spamming or other criminal purposes.
The hard work invested in gaining a readership can be lost in minutes. The security of your blog is of utmost importance, and complicated usernames and passwords are certainly not enough.
How to keep your WordPress blog safe all the time is a big task every blogger has to fulfill as soon as they start the blog.
Relying on a username and password alone is a weak and insufficient form of security, and there is no guarantee it will be 100% effective. You should also always take care of old and outdated plugins.
Operating your blog on multiple devices increases the risks. You can choose among free and premium software in accordance with your budget and the needs, but do not ever forget to update it constantly. Consider it an
WordPress security is super important. But, as times change, knowing which classic WordPress security advice to follow and not to follow isn't easy. David Hayes of WPShout fame shares advice on what not to worry about.
Following last week’s post about WordPress security, in this post I’ll start with advice I see commonly in other places that I don’t see much point in doing. Most of this advice is nearly harmless to slightly beneficial if it’s done. But the reason I don’t recommend it is that its benefits (where they exist) are so small, and the possibility that spending time on them makes you ignore more valuable security practices is big. You’re free to do these, but I just don’t think they’re worth the time invested, because the gains they give are very small.
Don’t Bother: Hide WordPress Version
We’re starting with the most useless piece of common security advice—that you should hide your WordPress version number, or that you’re using WordPress. The second is very hard to do in a serious way, and the first is basically valueless.
Hiding that you’re running WordPress is hard, and most people are trying to do it merely by changing or eliminating a <meta> tag in their site. No reasonably intelligent botnet builder is going to be relying on that, and many webmasters of non-WordPress sites report that they see people
A look at how adapting our behaviors can result in a more secure website.
Web security has grown into one of the most important issues we face – right up there with design and development. And those of us who use an open source content management system such as WordPress are under even more pressure to tighten up security. The unfortunate fact is that, as time goes on, the task is only going to become more difficult. WordPress itself is the target of an array of automated attacks. Bots are attempting brute-force logins and script and database injections, along with a multitude of other malicious activities. But, while preventing bot attacks is vital, they’re far from the only threat that needs to be dealt with.
Indeed, there are other bases we need to cover. Beyond automated threats, changing human behavior may be an even more important step in securing a WordPress site. With that in mind, here are 5 things we can do right now to improve security.
1. Train Users in Best Practices
Part of a designer’s job description often includes training clients. But while we tend to focus on the basics of managing content, this is also a prime opportunity to talk about security. I know, it sounds like a potentially complicated discussion – but it doesn’t
Interesting to see that this bad actor got caught up in a big net.
An interesting read from ZDNet about the latest vulnerability in WooCommerce, which if exploited "allows shop managers to delete certain files on the server and then to take over any administrator account." It also links to the original disclosure post from RIPS, which includes the actual exploitation code etc. Certainly worth a read.
A flaw in how WordPress handles privilege assignments can be exploited to permit attackers to hijack WooCommerce websites.
The issue in the content management system (CMS) was discovered by Simon Scannell, a security researcher from RIPS Technologies, who said in a blog post that the design flaw specifically impacts WooCommerce, a popular WordPress plugin which has been downloaded over four million times.
"The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account," the security researcher says.
The plugin has been developed by Automattic and is a free e-commerce system for WordPress-based websites.
A file deletion bug was found in the software, and on its own it would generally not be considered critical, as the best an attacker could do would be to delete index.php pages and cause a denial of service. However, when coupled with the WordPress design flaw, the bug's severity increases.
The unpatched WordPress issue stems from how the CMS assigns capabilities to different roles.
WordPress powers 31% of all websites which makes it a tempting target for hackers. Here are the 8 common ways WordPress is hacked and what to do about it.
Hacking is a bigger problem now than it has ever been. As the sophistication of our technology and software has grown, so have the techniques employed by hackers. By the same token, we have better security for websites now than ever before. You can never make your WordPress site 100% safe from hackers, but there are certain proactive steps you can take to make it harder for them.
***Check out my post on 10 important things to do after installing WordPress***
If Hackers Are Targeting WordPress Should I Use Another Platform?
Let me be clear, ALL websites are vulnerable to hacking, not just WordPress. The most secure websites on earth such as Google, The Department of Defense and the National Security Agency (NSA) have all been hacked.
The reason WordPress is a common target of hackers is its widespread use. WordPress is the most popular website platform in the world. It powers a staggering 31% of all websites on the Internet. Therefore, it’s not surprising that it would be a popular target for those with bad intentions.
To its credit, WordPress takes security very seriously. Even right out of the box, WordPress is pretty secure.
What I want to share with you today are
If you’ve developed a WordPress blog and it has started to get popular, there are several things that you can do to ensure that it keeps growing and becomes successful.
If you’ve built a WordPress blog and it has started to get popular, there are several things that you can do to ensure that it keeps growing and becomes successful. While practices such as regularly adding quality content and networking with other blog owners to increase your exposure and traffic are certainly important to the success of your blog, you should also take measures to increase its security.
Popular WordPress blogs are regularly targeted by hackers and other cybercriminals who use technical exploits and other tricks to compromise them. Some hackers target blogs with weak security merely to deface pages for fun. However, many engage in more nefarious deeds.
Once they gain control of a blog, they can modify it to redirect all visitors to phishing websites or pages that promote various scams. Some will leave the blog’s content unchanged but will add code that tries to take advantage of security vulnerabilities in browsers to download malware to the visitor’s device.
Having your blog compromised can make you lose visitors and hurt your overall reputation.
Use a Reputable Hosting Provider
According to research by WP WhiteSecurity, a leading developer of
Log files contain a wealth of information and give you the information you need as long as you know where to look for it. This article lists some of the log files typically found on a WordPress web server and highlights what information you can find in them.
Every service running on the web server on which your WordPress website is hosted has a log file. Log files are used to keep a record of what a service or piece of software has done or what errors it encountered while running. That is why logs are a vital tool for administrators, webmasters, developers, testers and anyone who works with software (including WordPress) or maintains an IT system. Typically, we focus on the WordPress activity logs because that is what WP Security Audit Log does – it keeps a record of everything that happens on your WordPress website and multisite network in an audit log.
In this article, though, we introduce you to some useful log files you can find on a typical WordPress web server. Logs give you all the information you need as long as you know what you are looking for and where to look for it, which is why we have written this article. So when managing a WordPress website you might need to refer to some of the log files below to troubleshoot a technical or user problem, learn about possible malicious attacks, and do forensic work.
Web server logs
Starting with the most obvious, the web server log files. WordPress is written in PHP so it is typically hosted on either
Researchers say the PHP security flaw could leave countless WordPress websites open to exploit.
A severe WordPress vulnerability which has gone a year without being patched has the potential to disrupt countless websites running the CMS, researchers claim. At the BSides technical cybersecurity conference in Manchester on Thursday, Secarma researcher Sam Thomas said the bug permits attackers to exploit the WordPress PHP framework, resulting in a full system compromise.
If the domain permits the upload of files, such as image formats, attackers can upload a crafted thumbnail file in order to trigger a file operation through the "phar://" stream wrapper.
In turn, the exploit triggers XML eXternal Entity (XXE) and Server Side Request Forgery (SSRF) flaws which cause unserialization in the platform's code. While these flaws may originally result only in information disclosure and may be low risk, they can act as a pathway to a more serious remote code execution attack.
The security researcher says the core vulnerability, which is yet to receive a CVE number, is within the wp_get_attachment_thumb_file function in /wp-includes/post.php, and when attackers gain control of a parameter used in the "file_exists" call, the bug can be triggered.
Everyone talks about website security. Although it's pretty much obvious, did you know all the details about how to protect your site from malicious code & attacks?
No doubt WordPress is the world’s most popular CMS, powering 31.1% of websites and still growing. In fact, it is one of the fastest growing content management systems. …the growing popularity of WordPress put it on the hackers’ radar.
According to a study, more than 73.2% of WordPress websites are vulnerable to hacker attacks.
To be honest, no website is 100% secure from hackers. But, anyone who has a WordPress website can harden the security of their WordPress websites.
Why Is Website Security Important?
“Your website has been hacked?” is the website owners’ worst nightmare that no one would dare to dream. A hacked website can cause you lots of trouble including data loss, time, money, and website traffic.
A hacker can steal users’ personal information, important data and passwords, install malicious software, and much more.
Moreover, they can even blackmail you into paying them to regain access to your website.
A study found that Google blacklists around 20 thousand websites for malware and over 50,000 for phishing each week. When your website is making money for you, then it becomes important to take every single step to protect your website from
It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
As a blogger and a privacy wonk, I’ve written a lot about WordPress security for bloggers and VPNs for digital nomads, gamers, binge-watchers, and privacy-minded folks in general. But it never occurred to me bloggers could be questioning the relevance of VPNs for blogging until someone asked me about it. It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
What’s So Special about VPNs?
There are two fundamental functions of a VPN – geo-spoofing and data encryption.
A VPN is a network of servers across the globe.
A foreign IP enables you to bypass geo-blocks and unlock streaming sites, online TV, you get the idea. That’s geo-spoofing.
But a VPN also encrypts your traffic, making it unintelligible for anyone looking to snoop on your activities. That’s where the real value of VPNs kicks in – data encryption adds an extra layer of security to your browsing.
Now, let’s see if VPNs are relevant to blogging security.
VPNs Protect Your Admin Credentials
Securing your blog by enabling VPN encryption when you log in to your admin
The more you know the better you can manage your WordPress site. Here are 5 reasons on why you should know which users are logged in to your WordPress site right now. The post also explains how you can get such information.
If I asked you who is logged in to your WordPress site right now, would you know? Most WordPress site admins cannot tell who is logged in to their sites or multisite network. If they use a comprehensive WordPress activity log plugin, they can see who has logged in, when and from where, and what they have done in the past. Though they still cannot say what is happening on their sites at this instant.
Since WordPress is a multi-user platform used for any kind of website, from e-commerce to online services, you need a means to see what your users and customers are doing on your website. This post highlights five reasons why you need to know who is logged in to your site. It also explains what tool you can use to see the logged-in users.
Why You Should Know Who Is Logged In To Your WordPress
In a brick and mortar business it is very easy to tell who came in to work and who is doing what. You have clocking-in systems, and can physically see people doing the work. But when you have a WordPress site it is not that easy to tell what your users are doing at this instant. Are they writing a new article, modifying an existing page or modifying the theme?
And what about the sub contracted
There are loads of indicators telling you that you are/might be affected by something suspicious that needs additional observation. Start with these 7 and make sure your site is secure
Sure, WordPress might be one of the best and most well-liked CMSs (content management systems), especially when it comes to bloggers. It is super easy to use, and even utter newbies can build a professional website using a WordPress theme. Unfortunately, WordPress sites are still very poorly protected if they do not use any 3rd party software. In fact, you had better not even dare to run a site without any protection plugins, even free ones. And if you invest in a premium tool, well, that’s even better.
Of course, there are loads of other indicators telling you that you are/might be affected by something suspicious that needs additional observation.
If you are serious about your online project, you better be serious about protection even more. What’s the point in doing all the hard work if later all gets lost?
Overnight website traffic decrease
When the time comes to check your Google Analytics to see how your page is doing and you spot something questionable, like a big drop in traffic, it is worth investigating the situation further. This could be a sign that your WordPress site is under attack.
Some hackers attack your page to redirect your traffic to their content and ads for one main
Having a site get hacked is never a fun experience. WordPress security should be a concern for all site owners, so this week we cover security practices and tools to help give some peace of mind.
Have you ever been hacked? Whether that’s a yes or a no, falling victim to a malicious hacker is one of the worst experiences you’ll ever have. I’ve been hacked before, and you don’t want to know how frustrating it is. How I wish I knew what I’m about to share with you today. And what’s that? In today’s post, you and I cover a couple of security measures to protect your WordPress site from the bad guys. On top of that, we pepper the post with a couple of excellent WordPress security tools, so be on the lookout for that.
How to Secure Your WordPress Site
Before we go on, it’s important to keep in mind that securing your WordPress site is not a single process. Instead, WordPress security involves repeatedly doing many things right. And contrary to popular belief, protecting your WordPress site is simple.
Read on to learn how you can secure your WordPress site without breaking a sweat.
Update, Update & Update
I can’t emphasize this enough, but running an out-of-date website makes it all too easy for attackers. Why do you think I was hacked? That’s right; I forgot to update one of my test sites. Now I know better; I use ManageWP
How to protect your WP blog with Security Ninja? The plugin is free and will help you by doing a lot of tests that will let you know what & how can be fixed.
If you worry about your WordPress-based website security, rest assured you’re not the only one! Everybody admires WordPress for being the largest content management system with 60% of market share, but most webmasters are also afraid because over 70% of installations are vulnerable to hacker attacks. Luckily enough, there are dozens of plugins that can help you keep your website safe and sound. The most difficult task is actually to choose the best option and find a tool that suits your preferences. We decided to give you a hand here and narrow down the options.
In this post, we will present to you one of the most efficient WordPress plugins, called Security Ninja.
Let’s check it out!
Security Ninja: General Information
Security Ninja was developed in 2011 with one goal in mind – to ensure easy and seamless website protection. It already serves more than 20 thousand WordPress sites using more or less complex safety procedures.
Jake Alison, a WordPress specialist at Best Dissertation, says it’s important that you don’t need to invest a lot of time or effort to operate Security Ninja: “It runs most of the operations automatically, while your only job is
We live in a data-driven world. Almost every transaction and interaction you have with most organizations involves you sharing personal data, such as your name, address and birth date. You share data online too, every time you visit a website, search for or buy something, use social media or send an email.
We live in a data-driven world. Almost every transaction and interaction you have with most organisations involves you sharing personal data, such as your name, address and birth date. You share data online too, every time you visit a website, search for or buy something, use social media or send an email. Sharing data helps makes life easier, more convenient and connected. But your data is your data. It belongs to you so it's important your data is used only in ways you would reasonably expect, and that it stays safe. Data protection law makes sure everyone’s data is used properly and legally.
Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? This article is going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors.
Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? We’re going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors! But first… WordPress is a dominant content management system that powers around 30% of all websites on the Internet. It offers a plethora of incredible features, but it doesn’t mean that WordPress is resistant to malware attacks. On the contrary, security has always been one of the system’s weak spots.
Research revealed that over 90 thousand hacker attacks are happening each minute. Another study proved that 73% of the most popular WordPress-based websites are vulnerable to attacks. This is the reason why you often see the notification: The Site Ahead Contains Harmful Programs.
If you are a website owner, you should react immediately upon seeing this message on your site. This is why you need to eliminate the malware notification:
It ruins website credibility and reputation, chasing away even the most loyal visitors.
An average user does not care
The VestaCP zero-day exploit is a serious DDoS attack which may lead your hosting network to suspend or even drop your server/VPS. If you're using Vesta Control Panel then make sure you follow the guide published below and avoid any server/VPS downtime or suspension.
The exploit makes the hacked server attack a Chinese IP. It looks like a DDoS trojan where a .sh file (gcc.sh) is loaded in cro
By having regular update and pushing forward security practices, it is clear that WordPress is doing its best. But, is it sufficient?
Security has always been a major topic for the state of WordPress. It is clearly seen that the WordPress community as a whole has steadily moved towards proactive measures. By maintaining security updates more often and pushing forward security practices, it is clear that WordPress is doing its best. But, is it sufficient? This has been a question for the majority of bloggers out there. Today, above 30% of all websites are made with WordPress (a staggering amount indeed). More and more individuals are adopting WordPress and the number keeps on growing. The more it grows, the harder it is to ensure each website has the maximum level of protection.
Whatever Content Management System (CMS) is being used, no one can guarantee absolute 100% website security. WordPress being at the pinnacle of them, it is obvious that it is the most prone to attacks. There’s no denying that it has its fair share of security flaws.
Basically, any large CMS is going to intermittently contain bugs that lead to security loopholes. WordPress has an open source system for theme and plugin development, so the majority of those holes occur due to faulty themes and externally used services rather than the core
I have my own share of the story. But let’s drop it and read the minds of other WordPress users. I asked them how they protect their blogs without necessarily installing a plugin.
WordPress (WP) is the most popular blogging platform. The latest updates have made it one of the most used tools for eCommerce shops, news and business websites. This brings about a serious security issue that must be handled at various ends to keep the project alive. One of the things used to close up loopholes and enforce security on the CMS is plugins. Unfortunately, this comes with a plethora of other issues.
I have been very curious about this. I wanted to know how WordPress bloggers handle the protection aspect of their WP site without the use of Plugins.
WordPress Security Vox pop!
I went about talking with some WordPress experts and users on a couple of issues related to the platform. One of the things I found easy is setting up a WordPress site. If you have issues at this point, you may want to check out this WordPress Installation guide by Freddy Muriuki.
A lot of people find it quite easy to set up and manage WordPress sites. The interface is super user-friendly, with absolutely no tech knowledge required to move forward.
However, some beginners I spoke with remain puzzled by the mere mention of the word. Susan Valez, an avid WordPress user and blogger, wrote this comprehensive
Really interesting from David on WPShout, on how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against