
4 min read David Gewirtz
Security | zdnet.com | 2 days ago

Severe vulnerability exposes WordPress websites to attack

Researchers say the PHP security flaw could leave countless WordPress websites open to exploit.

A severe WordPress vulnerability which has been left a year without being patched has the potential to disrupt countless websites running the CMS, researchers claim. At the BSides technical cybersecurity conference in Manchester on Thursday, Secarma researcher Sam Thomas said the bug permits attackers to exploit the WordPress PHP framework, resulting in a full system compromise.
If the domain permits the upload of files, such as image formats, attackers can upload a crafted thumbnail file in order to trigger a file operation through the "phar://" stream wrapper.
In turn, the exploit triggers XML eXternal Entity (XXE) and Server Side Request Forgery (SSRF) flaws which cause unserialization in the platform's code. While these flaws may only originally result in information disclosure and may be low risk, they can act as a pathway to a more serious remote code execution attack.
The security researcher says the core vulnerability, which is yet to receive a CVE number, is within the wp_get_attachment_thumb_file function in /wp-includes/post.php, and when attackers gain control of a parameter used in the "file_exists" call, the bug can be triggered.
Unserialization

13 min read Robert Abela

10 log files you need to know about on a WordPress server

Log files contain a wealth of information and give you the information you need as long as you know where to look for it. This article lists some of the log files typically found on a WordPress web server and highlights what information you can find in them.

Every service running on the web server on which your WordPress website is hosted has a log file. Log files keep a record of what a service or piece of software has done and what errors it encountered while running, which is why logs are a vital tool for administrators, webmasters, developers, testers and anyone who works with software (including WordPress) or maintains an IT system. Typically, we focus on the WordPress activity logs because that is what WP Security Audit Log does: it keeps a record of everything that happens on your WordPress website and multisite network in an audit log.
In this article, though, we introduce you to some useful log files you can find on a typical WordPress web server. Logs give you all the information you need as long as you know what you are looking for and where to look for it, which is why we have written this article. So when managing a WordPress website you might need to refer to some of the log files below to troubleshoot a technical or user problem, learn about possible malicious attacks, and do forensic work.
Web server logs
Starting with the most obvious, the web server log files. WordPress is written in PHP so it is typically hosted on either

Security | wpbreakingnews.com | 27 days ago

Learn Why WordPress Website Security is so Important

Everyone talks about website security. Although it's pretty much obvious, did you know all the details about how to protect your site from malicious code & attacks?

No doubt WordPress is the world’s most popular CMS, powering 31.1% of websites and counting. In fact, it is one of the fastest growing content management systems. …the growing popularity of WordPress put it on the hackers’ radar.
According to a study, more than 73.2% of WordPress websites are vulnerable to hacker attacks.
To be honest, no website is 100% secure from hackers. But, anyone who has a WordPress website can harden the security of their WordPress websites.
Why Is Website Security Important?
“Your website has been hacked?” is the website owners’ worst nightmare that no one would dare to dream. A hacked website can cause you lots of trouble including data loss, time, money, and website traffic.
A hacker can steal user’s personal information, important data, passwords, install malicious software, and much more.
Moreover, they can even blackmail you into paying them to regain access to your website.
A study found that Google blacklists around 20 thousand websites for malware and over 50,000 for phishing each week. When your website is making money for you, then it becomes important to take every single step to protect your website from

Security | wppluginsify.com | 16 days ago

Don’t Neglect the Security of Your WordPress Site

How to protect your WP blog with Security Ninja? The plugin is free and will help you by doing a lot of tests that will let you know what & how can be fixed.

If you worry about your WordPress-based website security, rest assured you’re not the only one! Everybody admires WordPress for being the largest content management system with 60% of market share, but most webmasters are also afraid because over 70% of installations are vulnerable to hacker attacks. Luckily enough, there are dozens of plugins that can help you keep your website safe and sound. The most difficult task is actually to choose the best option and find a tool that suits your preferences. We decided to give you a hand here and narrow down the options.
In this post, we will present you one of the most efficient WordPress plugins called Security Ninja.
Let’s check it out!
Security Ninja: General Information
Security Ninja was developed in 2011 with one goal in mind – to ensure easy and seamless website protection. It already serves more than 20 thousand WordPress sites using more or less complex safety procedures.
Jake Alison, a WordPress specialist at Best Dissertation, says it’s important that you don’t need to invest a lot of time or effort to operate Security Ninja: “It runs most of the operations automatically, while your only job is

Security | wpsecurityninja.com | Jun. 7, 2018

How VPNs Can Help Secure Your Blog

It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.

As a blogger and a privacy wonk, I’ve written a lot about WordPress security for bloggers and VPNs for digital nomads, gamers, binge-watchers, and privacy-minded folks in general. But it never occurred to me bloggers could be questioning the relevance of VPNs for blogging until someone asked me about it. It turns out some bloggers are, indeed, debating the practical value of a Virtual Private Network for their business. So I thought I’d put my two cents in on the matter.
What’s So Special about VPNs?
There are two fundamental functions of a VPN – geo-spoofing and data encryption.
A VPN is a network of servers across the globe.
A foreign IP enables you to bypass geo-blocks and unlock streaming sites, online TV, you get the idea. That’s geo-spoofing.
But a VPN also encrypts your traffic, making it unintelligible for anyone looking to snoop on your activities. That’s where the real value of VPNs kicks in – data encryption adds an extra layer of security to your browsing.
Now, let’s see if VPNs are relevant to blogging security.
VPNs Protect Your Admin Credentials
Securing your blog by enabling VPN encryption when you log in to your admin

2 min read Vasile Stoica
Security | ico.org.uk | Jul. 16, 2018

Your data matters

We live in a data-driven world. Almost every transaction and interaction you have with most organizations involves you sharing personal data, such as your name, address and birth date. You share data online too, every time you visit a website, search for or buy something, use social media or send an email.

We live in a data-driven world. Almost every transaction and interaction you have with most organisations involves you sharing personal data, such as your name, address and birth date. You share data online too, every time you visit a website, search for or buy something, use social media or send an email. Sharing data helps make life easier, more convenient and connected. But your data is your data. It belongs to you so it's important your data is used only in ways you would reasonably expect, and that it stays safe. Data protection law makes sure everyone’s data is used properly and legally.

Security | premiumcoding.com | Jul. 10, 2018

Is WordPress Secure Enough for Serious Blogs?

By having regular update and pushing forward security practices, it is clear that WordPress is doing its best. But, is it sufficient?

Security has always been a major topic for the state of WordPress. It is clearly seen that the WordPress community as a whole has steadily moved towards proactive measures. By maintaining security updates more often and pushing forward security practices, it is clear that WordPress is doing its best. But is it sufficient? This has been a question for the majority of bloggers out there. Today, above 30% of all websites are made with WordPress (a staggering amount indeed). More and more individuals are adopting WordPress and the number keeps on growing. The more it grows, the harder it is to ensure each website has the maximum level of protection.
Whatever Content Management System (CMS) is being used, no one can guarantee absolute 100% website security. With WordPress at the pinnacle of them, it is obvious that it is the most prone to attacks. There’s no denying that it has its fair share of security flaws.
Basically, any large CMS is going to intermittently contain bugs that lead to security loopholes. WordPress has an open source system for theme and plugin development, so the majority of those holes occur due to faulty themes and externally used services rather than the core

11 min read Web News Insider
Security | wpsecurityninja.com | Jul. 3, 2018

8 Successful Bloggers Talk About How to Protect a Site without Plugins

I have my own share of the story. But let’s drop it and read the minds of other WordPress users. I asked them how they protect their blogs without necessarily installing a plugin.

WordPress (WP) is the most popular blogging platform. Latest updates have made it one of the most used tools for eCommerce shops, news and business websites. This brings about a serious security issue that must be handled at various ends to keep the project alive. One of the things used to close up loopholes and enforce security on the CMS are plugins. Unfortunately, this comes with a plethora of other issues.
I have been very curious about this. I wanted to know how WordPress bloggers handle the protection aspect of their WP site without the use of Plugins.
WordPress Security Vox pop!
I went about talking with some WordPress experts and users on a couple of issues related to the platform. One of the things I found easy is setting up a WordPress site. If you have issues at this point, you may want to check out this WordPress Installation guide by Freddy Muriuki.
A lot of people find it quite easy to set up and manage WordPress sites. The interface is super user-friendly with absolutely no tech knowledge required to move forward.
However, some beginners I spoke with remain puzzled by the simple mention of the word. Susan Valez, an avid WordPress user and blogger, wrote this comprehensive

12 min read Web News Insider
Security | deliciousthemes.com | Jun. 15, 2018

The Site Ahead Contains Malware! Here’s How to Fix It!

Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? This article is going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors.

Did you just stumble upon a message stating that “The Site Ahead Contains Malware” or “The Site Ahead Contains Harmful Programs” and didn’t know what to do about it? We’re going to teach you why this is happening and guide you step-by-step so you know exactly what to do to fix the errors! But first… WordPress is a dominant content management system that powers around 30% of all websites on the Internet. It offers a plethora of incredible features, but it doesn’t mean that WordPress is resistant to malware attacks. On the contrary, security has always been one of the system’s weak spots.
Research revealed that over 90 thousand hacker attacks are happening each minute. Another study proved that 73% of the most popular WordPress-based websites are vulnerable to attacks. This is the reason why you often see a notification: The Site Ahead Contains Harmful Programs.
If you are a website owner, you should react immediately upon seeing this message on your site. This is why you need to eliminate the malware notification:
It ruins website credibility and reputation, chasing away even the most loyal visitors.
An average user does not care

Security | didgit.com | Apr. 8, 2018

VestaCP hit by 0-day exploit

VestaCP zero-day exploit is a serious DDoS #attack which may lead your hosting network to suspend or even drop your server/vps. If you're using Vesta Control Panel then make sure you follow the guide published below and avoid any server/vps downtime or suspending.

The exploit makes the hacked server attack a Chinese IP. It looks like a DDoS trojan where a .sh file (gcc.sh) is loaded in cro

Security | supsystic.com | Jun. 21, 2018

GDPR to be continued or How to fight against cookies

In the second volume of our GDPR article we are moving from theory to practice. Check the article to learn new facts about GDPR and cookies!

A WordPress website has quite a wide variety of plugins. They allow you to customize the style and options of the GDPR notification according to your requirements and site theme. Some of them allow users to enable and disable cookies on your site. The option to “Reject” or “Block” cookie files deserves special attention, because permission to use them is one of the main requirements of GDPR.
How does this function work, and does it work at all?
In fact, depending on the user’s choice to give permission for using cookie files or not, cookies should be saved or blocked.
Why is the permission to use cookies so important, and what kind of personal information do the cookies upload?
Some cookies are necessary for the functioning of the website: for browsing and using its functions. Without loading them, it is impossible to provide services such as a shopping cart and Internet payment. Another category of cookies collects information about your browsing of websites, for example, the most frequently visited pages. Such data can be used for website optimization. The collected information is intended for statistical purposes. Some cookies allow websites to remember the choices

6 min read Tevya
Security | wordx.press | Jun. 28, 2018

This is Why You Need SSL by July 2018 – Google Changes

Heather explains what HTTPS and SSL is, plus what the changes to Chrome are that are coming in July. It covers why that change is important for all website owners, if they have even a basic contact or comment form on their site.

In February 2018, Google made an announcement regarding SSL certificates, also known as https. This announcement said: For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption. And within the last year, we’ve also helped users understand that HTTP sites are not secure by gradually marking a larger subset of HTTP pages as “not secure”. Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.
What Does This Mean?
Basically, Google is saying that because a connection to a website via HTTPS encryption is more secure, they’ve been gradually marking pages where visitors’ information is transmitted as “not secure.” This could be anything from an ecommerce checkout page to just a simple contact form. Starting in July, any form that accepts a user’s data will be marked as “not secure” on Chrome, if it’s not using HTTPS.
The bottom line is that if you have a website with any kind of form on it where visitors submit information (this includes a simple contact form), you’ll need to have an SSL certificate

2 min read Jan Östlund
Security | janostlund.com | May. 14, 2018

Quick tips after cleaning up a hacked site

One of the least fun things is to clean up hacked WordPress. Much of these points goes without saying but there are some useful tips.

One of the least fun things is to clean up customers’ hacked legacy WordPress sites. Many of these points go without saying. Today I don’t use FTP or expose PHP files above the site root.
Change password for FTP account
Beware: big lists of passwords are circulating around the Internet. A quick check at Pwned can reveal this.
Change username for your FTP account
Don’t use the same username as your domain; make this hard to guess or brute force.
Keep an eye on index.php and .htaccess
The most common hack nowadays seems to be to alter the index.php or .htaccess. The site owner or visitor does not see anything special, but the Google bot does.
Keeping an eye on changes to index.php or .htaccess can give you a quick alert if anything suddenly changes.
<?php
// https://mydomin.com/secret/md5.php
// Print a combined fingerprint of the two files most often tampered with.
echo md5_file('index.php') . '-' . md5_file('.htaccess');

Then set up a site monitor to check the output of this script. If the keyword changes, you know something fishy has happened.
Keep an eye on Google Index
Add Google Webmaster Tools and keep an eye on how many indexed pages your site has. A sudden rise in pages indicates that your site is hacked. For sure.
Clean up a hacked

2 min read Robert Abela
Security | wpsecuritybloggers.com | May. 3, 2018

WP Security Bloggers is now Manually Curated

Good news - WP Security Bloggers, an aggregate of WordPress security news is now manually curated.

Finally, WP Security Bloggers got some TLC! I started this project back in 2014, so I can have a central repository for all the WordPress security news instead of following all the blogs. Over the years the idea developed into creating a WordPress security news aggregator. Though because the number of blogs from which WP Security Bloggers aggregates the news is now over twenty, it is almost impossible to automatically curate the news.
The good news is that from today onward all the news will be curated manually. This means the value and quality for you subscribers will be much higher – you will no longer see duplicate posts and posts that are not about WordPress security.
Other Updates
Today we have also done several minor but significant changes on the website, such as:
We removed sources that no longer are working,
Deleted some of the latest posts that made it through the automated curation,
Added an About page etc.
Subscribe to WP Security Bloggers
To keep yourself up to date with WordPress security, subscribe to the WP Security Bloggers roundup emails, or follow us on Twitter and Facebook.

15 min read Alex Denning
Security | wpshout.com | Oct. 19, 2017

Preventing XSS Attacks in WordPress: Complete Guide to Validating, Sanitizing, and Escaping Data

Really interesting from David on WPShout, on how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.

When it comes to making your WordPress site secure as a developer, probably the most impactful thing you can do is make sure you always clean up data you get from users. That means, generally, two things: validating or sanitizing it on the way into your system, and escaping it on the way out. In a recent survey of disclosed vulnerabilities in WordPress core, plugins, and themes that I did for WordPress Security with Confidence (my new course on WordPress security, launching next month), the most common type of vulnerability (about 33%) was cross-site scripting. Cross-site scripting vulnerabilities (often abbreviated XSS) are ones where you make it possible for an attacker to execute unauthorized JavaScript on your pages, because you failed to escape or sanitize something in your application’s data flow.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against

6 min read Lizzie Kardon
Security | robojuice.com | Jan. 24, 2018

Is WordPress Secure Enough for Microsoft? An Interview with Brad Williams.

Cyber security is a hot topic right now. Here’s an interview with Brad Williams from WebDevStudios on WordPress security, password protection, SSL, 2FA and more.

Cybersecurity is a hot topic right now — it’s in the news almost daily. And as WordPress becomes more popular, site owners are looking for ways to make it more secure to prevent devastating hacking attacks. We recently had the opportunity to interview Brad Williams, the co-founder of WebDevStudios, a WordPress development company that’s thirty employees strong. He’s also a podcaster and co-author of Professional WordPress and Professional WordPress Plugin Development. He shares his advice on how to protect your site from cyber criminals.
A Little Bit About Brad
Brad set up his first website when he was a sophomore in high school (when AOL came free on a floppy disk). From then on, his interest in computers and the Internet skyrocketed. “Being able to connect with people all over the world was fascinating. Back then it was the Wild West,” Brad says.
After high school, Brad joined the Marines to explore computer programming. He eventually taught himself ASP and .NET, which launched his career in web programming. At his first job out of the Marines, he learned business and how companies can use the web both for marketing and to improve operations.
Brad

7 min read Robert Abela
Security | godaddy.com | Jan. 10, 2018

How to decode your security logs to improve WordPress security - The Garage

Logs contain a wealth of information and are not just there for forensics reasons. Logs can help you improve the security posture of your WordPress website. Good read.

Your security logs offer a wealth of information about how your site is being accessed and how data is processed under the hood, so it’s important to learn how to read those logs. Based on the four principles of WordPress security, it’s recommended that you keep a dedicated audit trail. An audit trail essentially is a record of all the changes that happen on your WordPress website, enabling you to review every action taken.
You can begin keeping a record of all changes with a plugin, but there’s much more to consider than simply which solution you choose to create your security audit log. For this piece, we’ll first look at what security logs record and why it’s essential that you keep one. We’ll then discuss a few solutions for implementing this feature on your WordPress website, before laying out the elements you should be looking for (and how to optimally leverage them) in order to secure your website.
An introduction to WordPress security logs (and what they record)
First, WordPress security logs record practically every action on your website (depending on its capabilities). Some audit-trail plugins keep a record of just about every detail,

5 min read Robert Abela
Security | wpwhitesecurity.com | May. 3, 2018

The Importance of Using a Unique WordPress User per Person

A few good reasons why you should never share WordPress logins with contributors - instead create a unique login for every contributor.

A WordPress security best practice that is easy to implement is having a unique WordPress login (username and password) for every person who accesses your website or multisite network. Sharing the same WordPress login details with groups of people can lead to a number of security issues and increases the maintenance of the website, as this post explains.
Use of Weak Passwords
As a WordPress website administrator you know very well how important it is to use strong and complex passwords. In fact, most probably you use a password manager so you can use very long passwords which are impossible to remember. Though if you have a common WordPress login for a group of people, since many still do not use password managers, and because you do not want to hassle with support, you use an easy password for the shared WordPress users.
Easy to guess passwords were and still are the most common source of WordPress website hacks. So avoid using shared WordPress logins and always encourage your contributors to use a password manager to reduce the use of weak and easy to guess passwords.
More Complex operations & high maintenance websites
Managing shared WordPress logins is more complex and requires

8 min read John Locke
Security | blog.ripstech.com | Jun. 27, 2018

WARNING: WordPress File Delete to Code Execution

This seems like something that needs attention. Sites with multiple user accounts would be affected by this potential vulnerability.

WordPress is the most popular CMS on the web. According to w3tech, it is used by approximately 30% of all websites. This wide adoption makes it an interesting target for cyber criminals. In this blog post we are going to introduce an authenticated arbitrary file deletion vulnerability in the WordPress core that can lead to attackers executing arbitrary code. The vulnerability was reported 7 months ago to the WordPress security team but still remains unpatched. The long time elapsed since the initial reporting without any patch or concrete plans has led us to the decision to make it public.
Who is affected
At the time of writing no patch preventing this vulnerability is available. Any WordPress version, including the current 4.9.6 version, is susceptible to the vulnerability described in this blogpost.
To exploit the vulnerability discussed below, an attacker would need to gain the privileges to edit and delete media files beforehand. Thus, the vulnerability can be used to escalate privileges attained through the takeover of an account with a role as low as Author, or through the exploitation of another vulnerability/misconfiguration.
Impact - What can an attacker do
Exploiting

Security | wordfence.com | May. 25, 2018

Hijacked WordPress.com Accounts Being Used To Infect Sites

There's no security breach on WordPress.com, but if your individual account is compromised, it could mean your self-hosted sites are as well, if you've connected them via JetPack.

4 min read Joe Casabona
Security | wpinonemonth.com | Sep. 21, 2017

Explaining WordPress Security Issues to Your Clients

Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?

Security has been on the mind of a lot of people lately. Most prominently there’s the Equifax news. But a story today about CCleaner broke, the Display Options plugin for WordPress was compromised and subsequently banned from the WordPress Plugin Repository, and there’ve been many high profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: Are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not consistent (another common software problem). So yes, there are security issues with WordPress, like there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
The

10 min read Web News Insider
Security | born2invest.com | May. 29, 2018

Beginners' guide to a secure WordPress website

The risk of cyberattack is always there. Here’s how you can ensure your WordPress website remains secured against hacking incidents.

WordPress is an established authority in the content management universe—powering almost a third of all websites on the internet. The size, however, comes at a certain cost. According to research, more than 70 percent of all websites are vulnerable to hacker attacks.
Most people would now ask the logical question: With so many safety threats, how come WordPress is not losing supremacy among content management systems?
The answer is very simple. The problem lies not in WordPress but rather in webmasters who don’t protect their sites regularly.
For instance, as much as 8 percent of WordPress security breaches happen as the result of a weak password. Although improving a password is the easiest thing in the world, some people still find it too boring to deal with it, which is exactly the kind of mistake hackers are hoping for.
If you want your website protected, then you need to learn several methods of securing your websites against hackers. In this post, we will show you 20 ways to secure a WordPress site.
Let’s hop right in.
1. Limit login attempts
The first tip on our list is one of the golden rules of WordPress security. You should limit the number of login attempts

6 min read Eric Karkovack
Security | speckyboy.com | Sep. 28, 2017

Malicious Code in Previously Trusted WordPress Plugins: A New Reality

My take on the recent issues with malicious code in plugins and the importance of getting the word out to users.

In case you missed it, three widely-used WordPress plugins were recently found to have malicious code included with recent updates. Display Widgets, Fast Secure Contact Form and SI CAPTCHA Anti-Spam were each removed from the official WordPress Plugin Repository due to SEO spam discovered by users. One thing each plugin has in common was that they were all previously trusted and generally considered secure. More recently, they were sold by their original authors to a new developer, who used these popular plugins to spread payday loan spam posts. In fact, security plugin company Wordfence recently reported that up to 9 plugins have been found with malicious code added through various means.
While many web designers and developers have become more proactive in securing their sites against typical threats like brute force attacks, etc. – malicious plugins appear to be a whole new ballgame. We’re used to defending against security holes, but not authors who are intentionally trying to propagate malware. And in the case of the plugins mentioned above, immediately updating to the latest version was the worst thing we could have done since that was how the code was installed.
The