Researchers say the PHP security flaw could leave countless WordPress websites open to exploit.
A severe WordPress vulnerability which has been left a year without being patched has the potential to disrupt countless websites running the CMS, researchers claim. At the BSides technical cybersecurity conference in Manchester on Thursday, Secarma researcher Sam Thomas said the bug permits attackers to exploit the WordPress PHP framework, resulting in a full system compromise.
If the domain permits the upload of files, such as image formats, attackers can upload a crafted thumbnail file in order to trigger a file operation through the "phar://" stream wrapper.
In turn, the exploit triggers XML eXternal Entity (XXE) and Server Side Request Forgery (SSRF) flaws, which cause unserialization in the platform's code. While these flaws may originally result only in information disclosure and may be low risk, they can act as a pathway to a more serious remote code execution attack.
The security researcher says the core vulnerability, which is yet to receive a CVE number, is within the wp_get_attachment_thumb_file function in /wp-includes/post.php; the bug can be triggered when attackers gain control of a parameter used in the "file_exists" call.
Interesting to see that this bad actor got caught up in a big net.
Log files contain a wealth of information and give you the information you need as long as you know where to look for it. This article lists some of the log files typically found on a WordPress web server and highlights what information you can find in them.
Every service running on the web server on which your WordPress website is hosted has a log file. Log files are used to keep a record of what a service or software has done, or what errors it encountered while running. That is why logs are a vital tool for administrators, webmasters, developers, testers and anyone who works with software (including WordPress) or maintains an IT system. Typically, we focus on the WordPress activity logs, because that is what WP Security Audit Log does: it keeps a record of everything that happens on your WordPress website and multisite network in an audit log.
In this article, though, we introduce you to some useful log files you can find on a typical WordPress web server. Logs give you all the information you need as long as you know what you are looking for and where to look for it, which is why we have written this article. When managing a WordPress website you might need to refer to some of the log files below to troubleshoot a technical or user problem, learn about possible malicious attacks, and do forensic work.
Web server logs
Starting with the most obvious, the web server log files. WordPress is written in PHP so it is typically hosted on either
Everyone talks about website security. Although it's pretty much obvious, did you know all the details about how to protect your site from malicious code & attacks?
No doubt WordPress is the world’s most popular CMS, powering 31.1% of websites and still growing. In fact, it is one of the fastest growing content management systems. …the growing popularity of WordPress put it on the hackers’ radar.
According to a study, more than 73.2% of WordPress websites are vulnerable to hacker attacks.
To be honest, no website is 100% secure from hackers. But, anyone who has a WordPress website can harden the security of their WordPress websites.
Why Website Security is Important?
“Your website has been hacked?” is the website owners’ worst nightmare that no one would dare to dream. A hacked website can cause you lots of trouble including data loss, time, money, and website traffic.
A hacker can steal user’s personal information, important data, passwords, install malicious software, and much more.
Moreover, they can even blackmail you into paying them to regain access to your website.
A study found that Google blacklists around 20 thousand websites for malware and over 50,000 for phishing each week. When your website is making money for you, then it becomes important to take every single step to protect your website from
How to protect your WP blog with Security Ninja? The plugin is free and will help you by doing a lot of tests that will let you know what & how can be fixed.
If you worry about your WordPress-based website security, rest assured you’re not the only one! Everybody admires WordPress for being the largest content management system with 60% of market share, but most webmasters are also afraid because over 70% of installations are vulnerable to hacker attacks. Luckily enough, there are dozens of plugins that can help you keep your website safe and sound. The most difficult task is actually to choose the best option and find a tool that suits your preferences. We decided to give you a hand here and narrow down the options.
In this post, we will present you one of the most efficient WordPress plugins called Security Ninja.
Let’s check it out!
Security Ninja: General Information
Security Ninja was developed in 2011 with one goal in mind – to ensure easy and seamless website protection. It already serves more than 20 thousand WordPress sites using more or less complex safety procedures.
Jake Alison, a WordPress specialist at Best Dissertation, says it’s important that you don’t need to invest a lot of time or effort to operate Security Ninja: “It runs most of the operations automatically, while your only job is
It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
As a blogger and a privacy wonk, I’ve written a lot about WordPress security for bloggers and VPNs for digital nomads, gamers, binge-watchers, and privacy-minded folks in general. But it never occurred to me bloggers could be questioning the relevance of VPNs for blogging until someone asked me about it. It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
What’s So Special about VPNs?
There are two fundamental functions of a VPN – geo-spoofing and data encryption.
A VPN is a network of servers across the globe.
A foreign IP enables you to bypass geo-blocks and unlock streaming sites, online TV, you get the idea. That’s geo-spoofing.
But a VPN also encrypts your traffic, making it unintelligible for anyone looking to snoop on your activities. That’s where the real value of VPNs kicks in – data encryption adds an extra layer of security to your browsing.
Now, let’s see if VPNs are relevant to blogging security.
VPNs Protect Your Admin Credentials
Securing your blog by enabling VPN encryption when you log in to your admin
We live in a data-driven world. Almost every transaction and interaction you have with most organizations involves you sharing personal data, such as your name, address and birth date. You share data online too, every time you visit a website, search for or buy something, use social media or send an email.
We live in a data-driven world. Almost every transaction and interaction you have with most organisations involves you sharing personal data, such as your name, address and birth date. You share data online too, every time you visit a website, search for or buy something, use social media or send an email. Sharing data helps makes life easier, more convenient and connected. But your data is your data. It belongs to you so it's important your data is used only in ways you would reasonably expect, and that it stays safe. Data protection law makes sure everyone’s data is used properly and legally.
By having regular update and pushing forward security practices, it is clear that WordPress is doing its best. But, is it sufficient?
Security has always been a major topic for the state of WordPress. It is clearly seen that the WordPress community as a whole has steadily moved towards proactive measures. By maintaining security updates more often and pushing forward security practices, it is clear that WordPress is doing its best. But, is it sufficient? This has been a question for the majority of bloggers out there. Today, above 30% of all websites are made with WordPress (a staggering amount indeed). More and more individuals are adopting WordPress and the number keeps on growing. The more it grows, the harder it is to ensure each website has the maximum level of protection.
Whatever Content Management System (CMS) is being used, no one can guarantee absolute 100% website security. WordPress being at the pinnacle of them, it is obvious that it is the most prone to attacks. There’s no denying that it has its fair share of security flaws.
Basically, any large CMS is going to intermittently contain bugs that lead to security loopholes. WordPress has an open source system for theme and plugin development, so the majority of those holes occur due to faulty themes and externally used services rather than the core
I have my own share of the story. But let’s drop it and read the minds of other WordPress users. I asked them how they protect their blogs without necessarily installing a plugin.
WordPress (WP) is the most popular blogging platform. Latest updates have made it one of the most used tools for eCommerce shops, news and business websites. This brings about a serious security issue that must be handled at various ends to keep the project alive. One of the things used to close up loopholes and enforce security on the CMS are plugins. Unfortunately, this comes with a plethora of other issues.
I have been very curious about this. I wanted to know how WordPress bloggers handle the protection aspect of their WP site without the use of Plugins.
WordPress Security Vox pop!
I went about talking with some WordPress experts and users on a couple of issues related to the platform. One of the things I found easy is setting up a WordPress site. If you have issues at this point, you may want to check out this WordPress Installation guide by Freddy Muriuki.
A lot of people find it quite easy to set up and manage WordPress sites. The interface is super user-friendly, with absolutely no tech knowledge required to move forward.
However, some beginners I spoke with remain puzzled by the simple mention of the word. Susan Valez, an avid WordPress user and blogger, wrote this comprehensive
Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? This article is going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors.
Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? We’re going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors! But first… WordPress is a dominant content management system that powers around 30% of all websites on the Internet. It offers a plethora of incredible features, but it doesn’t mean that WordPress is resistant to malware attacks. On the contrary, security has always been one of the system’s weak spots.
Research revealed that over 90 thousand hacker attacks are happening each minute. Another study proved that 73% of the most popular WordPress-based websites are vulnerable to attacks. This is the reason why you often see the notification: The Site Ahead Contains Harmful Programs.
If you are a website owner, you should react immediately upon seeing this message on your site. This is why you need to eliminate the malware notification:
It ruins website credibility and reputation, chasing away even the most loyal visitors.
An average user does not care
The VestaCP zero-day exploit is used for serious DDoS attacks, which may lead your hosting network to suspend or even drop your server/VPS. If you're using Vesta Control Panel then make sure you follow the guide published below and avoid any server/VPS downtime or suspension.
The exploit makes the hacked server attack a Chinese IP. It looks like a DDoS trojan where a .sh file (gcc.sh) is loaded in cro
In the second volume of our GDPR article we are moving from theory to practice. Check the article to learn new facts about GDPR and cookies!
WordPress has quite a wide variety of plugins for this. They allow you to customize the style and options of the GDPR notification according to your requirements and site theme. Some of them allow users to enable and disable cookies on your site. The option to “Reject” or “Block” cookie files deserves special attention, because permission to use them is one of the main requirements of GDPR.
How does this function work and does it work at all?
In fact, depending on the user’s choice to give or withhold permission for the use of cookie files, cookies should be saved or blocked.
Some cookies are necessary for the functioning of the website: for browsing and using its functions. Without them, it is impossible to provide services such as a shopping cart and Internet payment. Another category of cookies collects information about your browsing of websites, for example the most frequently visited pages. Such data can be used for website optimization. The collected information is intended for statistical purposes. Some cookies allow websites to remember the choices
Heather explains what HTTPS and SSL are, plus what the changes to Chrome are that are coming in July. It covers why that change is important for all website owners, even if they only have a basic contact or comment form on their site.
In February 2018, Google made an announcement regarding SSL certificates, also known as https. This announcement said: For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
What Does This Mean?
Basically, Google is saying that because a connection to a website via HTTPS encryption is more secure, they’ve been gradually marking pages where visitors’ information is transmitted as “not secure.” This could be anything from an ecommerce checkout page to just a simple contact form. Starting in July, any form that accepts a user’s data will be marked as “not secure” on Chrome if it’s not using HTTPS.
The bottom line is that if you have a website with any kind of form on it where visitors submit information (this includes a simple contact form), you’ll need to have an SSL certificate
One of the least fun things is to clean up a hacked WordPress site. Many of these points go without saying, but there are some useful tips.
One of the least fun things is to clean up customers’ hacked legacy WordPress sites. Many of these points go without saying. Today I don’t use FTP and don’t expose PHP files above the site root.
Change password for FTP-account
Beware that big lists of passwords are circulating around the Internet. A quick check at Pwned can reveal this.
Change username for your FTP-account
Don’t use the same username as your domain, make this hard to guess or brute force.
Keep an eye on index.php and .htaccess
The most common hack nowadays seems to be to alter the index.php or .htaccess. The site owner or visitor does not see anything special, but the Google bot does.
Keeping an eye on changes to index.php or .htaccess can give you a quick alert if anything suddenly changes.

```php
<?php
// Print a fingerprint of the two most commonly tampered files; a site monitor
// watches this output and alerts when the string changes.
echo md5_file('index.php') . '-' . md5_file('.htaccess');
```

Then set up a site monitor to check the output of this script. If the keyword changes you know something fishy has happened.
Keep an eye on Google Index
Add Google Webmaster Tools and keep an eye on how many indexed pages your site has. A sudden rise in pages indicates that your site is hacked. For sure.
Clean up a hacked
Good news - WP Security Bloggers, an aggregate of WordPress security news is now manually curated.
Finally, WP Security Bloggers got some TLC! I started this project back in 2014, so I can have a central repository for all the WordPress security news instead of following all the blogs. Over the years the idea developed into creating a WordPress security news aggregator. Though because the number of blogs from which WP Security Bloggers aggregates the news is now over twenty, it is almost impossible to automatically curate the news.
The good news is that from today onward all the news will be curated manually. This means the value and quality for you subscribers will be much higher – you will no longer see duplicate posts and posts that are not about WordPress security.
Today we have also done several minor but significant changes on the website, such as:
We removed sources that no longer are working,
Deleted some of the latest posts that made it through the automated curation,
Added an About page etc.
Subscribe to WP Security Bloggers
To keep yourself up to date with WordPress security, subscribe to the WP Security Bloggers roundup emails, or follow us on Twitter and Facebook.
Really interesting from David on WPShout, on how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against
Cyber security is a hot topic right now. Here’s an interview with Brad Williams from WebDevStudios on WordPress security, password protection, SSL, 2FA and more.
Cybersecurity is a hot topic right now — it’s in the news almost daily. And as WordPress becomes more popular, site owners are looking for ways to make it more secure to prevent devastating hacking attacks. We recently had the opportunity to interview Brad Williams, the co-founder of WebDevStudios, a WordPress development company that’s thirty employees strong. He’s also a podcaster and co-author of Professional WordPress and Professional WordPress Plugin Development. He shares his advice on how to protect your site from cyber criminals.
A Little Bit About Brad
Brad set up his first website when he was a sophomore in high school (when AOL came free on a floppy disk). From then on, his interest in computers and the Internet skyrocketed. “Being able to connect with people all over the world was fascinating. Back then it was the Wild West,” Brad says.
After high school, Brad joined the Marines to explore computer programming. He eventually taught himself ASP and .NET, which launched his career in web programming. At his first job out of the Marines, he learned business and how companies can use the web both for marketing and to improve operations.
Logs contain a wealth of information and are not just there for forensics reasons. Logs can help you improve the security posture of your WordPress website. Good read.
Your security logs offer a wealth of information about how your site is being accessed and how data is processed under the hood, so it’s important to learn how to read those logs. Based on the four principles of WordPress security, it’s recommended that you keep a dedicated audit trail. An audit trail essentially is a record of all the changes that happen on your WordPress website, enabling you to review every action taken.
You can begin keeping a record of all changes with a plugin, but there’s much more to consider than simply which solution you choose to create your security audit log. For this piece, we’ll first look at what security logs record and why it’s essential that you keep one. We’ll then discuss a few solutions for implementing this feature on your WordPress website, before laying out the elements you should be looking for (and how to optimally leverage them) in order to secure your website.
An introduction to WordPress security logs (and what they record)
First, WordPress security logs record practically every action on your website (depending on its capabilities). Some audit-trail plugins keep a record of just about every detail,
A few good reasons why you should never share WordPress logins with contributors - instead create a unique login for every contributor.
A WordPress security best practice that is easy to implement is having a unique WordPress login (username and password) for every person who accesses your website or multisite network. Sharing the same WordPress login details with groups of people can lead to a number of security issues and increases the maintenance of the website, as this post explains.
Use of Weak Passwords
As a WordPress website administrator you know very well how important it is to use strong and complex passwords. In fact, most probably you use a password manager so you can use very long passwords which are impossible to remember. However, if you have a common WordPress login for a group of people, you end up using an easy password for the shared WordPress user, since many people still do not use password managers and you do not want the hassle of supporting them.
Easy to guess passwords were and still are the most common source of WordPress websites hacks. So avoid using shared WordPress logins and always encourage your contributors to use a password manager to reduce the use of weak and easy to guess passwords.
More Complex operations & high maintenance websites
Managing shared WordPress logins is more complex and requires
This seems like something that needs attention. Sites with multiple user accounts would be affected by this potential vulnerability.
WordPress is the most popular CMS on the web. According to w3tech, it is used by approximately 30% of all websites. This wide adoption makes it an interesting target for cyber criminals. In this blog post we are going to introduce an authenticated arbitrary file deletion vulnerability in the WordPress core that can lead to attackers executing arbitrary code. The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched. The long time elapsed since the initial reporting without any patch or concrete plans has led us to the decision to make it public.
Who is affected
At the time of writing no patch preventing this vulnerability is available. Any WordPress version, including the current 4.9.6 version, is susceptible to the vulnerability described in this blogpost.
To exploit the vulnerability discussed below, an attacker would first need to gain the privileges to edit and delete media files. Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability or misconfiguration.
Impact - What can an attacker do
There's no security breach on WordPress.com, but if your individual account is compromised, it could mean your self-hosted sites are as well, if you've connected them via JetPack.
Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?
Security has been on the mind of a lot of people lately. Most prominently there’s the Equifax news. But a story about CCleaner broke today, the Display Options plugin for WordPress was compromised and subsequently banned from the WordPress Plugin Repository, and there have been many high profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: Are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not consistent (another common software problem). So yes, there are security issues with WordPress, as there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
The risk of cyberattack is always there. Here’s how you can ensure your WordPress website remains secured against hacking incidents.
WordPress is an established authority in the content management universe—powering almost a third of all websites on the internet. The size, however, comes at a certain cost. According to research, more than 70 percent of all websites are vulnerable to hacker attacks.
Most people would now ask the logical question: With so many safety threats, how come WordPress is not losing supremacy among content management systems?
The answer is very simple. The problem lies not in WordPress but rather in webmasters who don’t protect their sites regularly.
For instance, as much as 8 percent of WordPress security breaches happen as the result of a weak password. Although improving a password is the easiest thing in the world, some people still find it too boring to deal with it, which is exactly the kind of mistake hackers are hoping for.
If you want your website protected, then you need to learn several methods of securing your websites against hackers. In this post, we will show you 20 ways to secure a WordPress site.
Let’s hop right in.
1. Limit login attempts
The first tip on our list is one of the golden rules of WordPress security. You should limit the number of login attempts
My take on the recent issues with malicious code in plugins and the importance of getting the word out to users.
In case you missed it, three widely-used WordPress plugins were recently found to have malicious code included with recent updates. Display Widgets, Fast Secure Contact Form and SI CAPTCHA Anti-Spam were each removed from the official WordPress Plugin Repository due to SEO spam discovered by users. One thing each plugin has in common was that they were all previously trusted and generally considered secure. More recently, they were sold by their original authors to a new developer, who used these popular plugins to spread payday loan spam posts. In fact, security plugin company Wordfence recently reported that up to 9 plugins have been found with malicious code added through various means.
While many web designers and developers have become more proactive in securing their sites against typical threats like brute force attacks, etc. – malicious plugins appear to be a whole new ballgame. We’re used to defending against security holes, but not authors who are intentionally trying to propagate malware. And in the case of the plugins mentioned above, immediately updating to the latest version was the worst thing we could have done since that was how the code was installed.