
8 min read Eric Karkovack
Security | wordfence.com | 5 days ago

The WPSetup Attack: New Campaign Targets Fresh WordPress Installs

It's not safe to upload WordPress without installing it. There's a new attack to worry about.

At Wordfence, we track millions of attacks from a wide variety of sources every day. From this data we create a list of the worst-of-the-worst attackers and add those to our IP blacklist to protect our Premium customers. We also carefully monitor the activity that those known bad IP addresses engage in. In May and June, we saw our worst-of-the-worst IPs start using a new kind of attack targeting fresh WordPress installations. We also had our first site cleaning customer that was hit by this attack.
Attackers scan for the following URL:
/wp-admin/setup-config.php
This is the setup URL that new installations of WordPress use. If the attacker finds that URL and it contains a setup page, it indicates that someone has recently installed WordPress on their server but has not yet configured it. At this point, it is very easy for an attacker to take over not just the new WordPress website, but the entire hosting account and all other websites on that hosting account.
The graph below shows the campaign we tracked and the number of scans per day for /wp-admin/setup-config.php that we saw from several known bad IPs:
How the WPSetup Attack Works
There are several ways you can install WordPress.

8 min read Eric Karkovack
Security | wordfence.com | 5 days ago

The WPSetup Attack: New Campaign Targets Fresh WordPress Installs

The lesson here is don't upload WP files without then setting it up. There are no shortage of ways to attack a site.


3 min read David Bisset
Security | blog.sucuri.net | 21 days ago

SQL Injection Vulnerability in WP Statistics

If you or your customers use WP Statistics (plugin is currently installed on 300,000+ websites) then read more about this discovered SQL Injection vulnerability.

Security Risk: Dangerous
Exploitation Level: Easy/Remote
DREAD Score: 7/10
Vulnerability: SQL Injection
Patched Version: 12.0.8
As part of a vulnerability research project for our Sucuri Firewall, we have been auditing popular open source projects looking for security issues.
While working on the WordPress plugin WP Statistics, we discovered a SQL Injection vulnerability. This plugin is currently installed on 300,000+ websites.
Are You at Risk?
This vulnerability is caused by the lack of sanitization in user provided data. An attacker with at least a subscriber account could leak sensitive data and under the right circumstances/configurations compromise your WordPress installation.
If you have a vulnerable version installed and your site allows user registration, you are definitely at risk.
Technical Details
WordPress provides an API that enables developers to create content that users can inject to certain pages just using a simple shortcode:
[shortcode atts_1="test" atts_2="test"]
Among other functionalities, WP Statistics allows admin users to get detailed information related with the number of visits by just calling the shortcode below:
As you can see on
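The advisory above stops at the shortcode. The following added example, written for this page and not code from WP Statistics or Sucuri, reproduces the flaw class in Python against an in-memory SQLite database so the leak can be seen and then closed. The [stats time="..."] shortcode, the tables and rows, and the hash value are all constructed; the injection is the ordinary quote-break-plus-UNION that any unsanitized attribute permits, which is what the advisory means by "lack of sanitization in user provided data".

```python
import re
import sqlite3

# Constructed schema: a visits table the shortcode legitimately reads, plus a
# users table standing in for wp_users, which holds what the attacker wants.
SCHEMA = """
CREATE TABLE visits (day TEXT, hits INTEGER);
INSERT INTO visits VALUES ('today', 120), ('yesterday', 98);
CREATE TABLE users (login TEXT, pw_hash TEXT);
INSERT INTO users VALUES ('admin', '$P$Bconstructed.hash');
"""

SHORTCODE_RE = re.compile(r'^\[(\w+)((?:\s+\w+="[^"]*")*)\s*\]$')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_shortcode(text):
    """Split [tag key="value" ...] into (tag, {key: value}), like WP's shortcode_parse_atts."""
    m = SHORTCODE_RE.match(text)
    if not m:
        raise ValueError("not a shortcode")
    return m.group(1), dict(ATTR_RE.findall(m.group(2)))


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def stats_vulnerable(conn, shortcode):
    """The flaw class: the attribute is pasted into the SQL text unsanitized."""
    _, attrs = parse_shortcode(shortcode)
    period = attrs.get("time", "today")
    sql = "SELECT day, hits FROM visits WHERE day = '%s'" % period
    return conn.execute(sql).fetchall()


def stats_hardened(conn, shortcode):
    """Allow-list the value, then bind it; user input never becomes SQL syntax."""
    _, attrs = parse_shortcode(shortcode)
    period = attrs.get("time", "today")
    if period not in ("today", "yesterday"):
        raise ValueError("invalid time attribute: %r" % period)
    return conn.execute(
        "SELECT day, hits FROM visits WHERE day = ?", (period,)
    ).fetchall()


# A payload a subscriber could place in post content: close the quote, UNION in
# the users table, and comment out the closing quote the original query adds.
PAYLOAD = '[stats time="x\' UNION SELECT login, pw_hash FROM users --"]'


def run_demo():
    """Returns (honest result, leaked rows, hardened result, hardened rejected payload)."""
    conn = open_db()
    honest = stats_vulnerable(conn, '[stats time="today"]')
    leaked = stats_vulnerable(conn, PAYLOAD)
    safe = stats_hardened(conn, '[stats time="today"]')
    try:
        stats_hardened(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return honest, leaked, safe, rejected


if __name__ == "__main__":
    print(run_demo())
```

The hardened version does two things the vulnerable one does not: it binds the value as a parameter, so the database driver never interprets it as SQL, and it refuses anything outside the small set of values the shortcode is meant to accept. Either alone would stop this payload; together they also catch the cases a bound parameter cannot, such as a value that is syntactically harmless but semantically wrong.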

9 min read Robert Abela

Creating Your Own WordPress Intrusion Detection System (IDS)

A new take on WordPress security; WordPress firewalls and security hardening plugins are common, but what about Intrusion Detection Systems? It is now possible to build one for WordPress, with WordPress.

What is an Intrusion Detection System? An Intrusion Detection System is a software that monitors a host and notifies you of suspicious activity, in this case your WordPress website. Such suspicious activity can be a sign that attackers are trying to find a security hole to exploit on your WordPress website, or have already hacked into it.
It is of utmost importance to be notified as early as possible about possible attacks, so you can take the necessary evasive actions to thwart the attack, or to limit the damage in case of a successful hack. This article explains how you can build an intrusion detection system for your WordPress websites and WordPress multisite network with the WP Security Audit Log plugin, WordPress’ most comprehensive audit trail solution.
Detecting And Getting Notified of WordPress Hack Attempts
Prevention is better than cure, so let’s start with the prevention first. What do malicious hackers typically do to find vulnerabilities or security weaknesses on your WordPress websites? They:
Use automated scanners (such as WPScan) and scripts to scan your website and detect possible old and vulnerable plugins, themes or WordPress core.
Use automated software
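The two stories above, the setup-config.php scans in the WPSetup campaign and the scanner and hack-attempt activity this IDS article wants you to be notified of, can both be caught from the web server's access log. The following is an added example written for this page, not Wordfence's tracking code and not the WP Security Audit Log plugin: it parses combined-format log lines and raises an alert for setup-config.php probes, a WPScan user agent, plugin readme enumeration and bursts of POSTs to wp-login.php. The sample lines, the addresses and the thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as Apache and Nginx write it by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

SETUP_PATH = "/wp-admin/setup-config.php"
PLUGIN_README = re.compile(r"^/wp-content/plugins/([^/]+)/readme\.txt$", re.I)
ENUM_THRESHOLD = 3                    # distinct plugin readme 404s from one IP
LOGIN_THRESHOLD = 5                   # POSTs to wp-login.php from one IP ...
LOGIN_WINDOW = timedelta(seconds=60)  # ... inside this window


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def detect(lines):
    """Returns sorted (ip, alert) pairs for the four rules described above."""
    alerts = set()
    login_posts = defaultdict(list)
    enum_targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if path.lower() == SETUP_PATH:
            # A 200 means the install wizard answered: the site is takeover-ready.
            tag = "setup-config probe"
            if rec["status"] == 200:
                tag += " (wizard exposed)"
            alerts.add((ip, tag))
        if "wpscan" in rec["ua"].lower():
            alerts.add((ip, "scanner user-agent"))
        m = PLUGIN_README.match(path)
        if m and rec["status"] == 404:
            enum_targets[ip].add(m.group(1).lower())
        if rec["method"] == "POST" and path == "/wp-login.php":
            login_posts[ip].append(rec["ts"])
    for ip, names in enum_targets.items():
        if len(names) >= ENUM_THRESHOLD:
            alerts.add((ip, "plugin enumeration"))
    for ip, stamps in login_posts.items():
        stamps.sort()
        for i in range(len(stamps) - LOGIN_THRESHOLD + 1):
            if stamps[i + LOGIN_THRESHOLD - 1] - stamps[i] <= LOGIN_WINDOW:
                alerts.add((ip, "brute-force login burst"))
                break
    return sorted(alerts)


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jul/2017:11:59:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jul/2017:12:00:03 +0000] "GET /wp-admin/setup-config.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jul/2017:12:01:00 +0000] "GET / HTTP/1.1" 200 8000 "-" "WPScan v2.9.3 (http://wpscan.org)"',
    '203.0.113.9 - - [10/Jul/2017:12:01:01 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 210 "-" "WPScan v2.9.3 (http://wpscan.org)"',
    '203.0.113.9 - - [10/Jul/2017:12:01:02 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 404 210 "-" "WPScan v2.9.3 (http://wpscan.org)"',
    '203.0.113.9 - - [10/Jul/2017:12:01:03 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 210 "-" "WPScan v2.9.3 (http://wpscan.org)"',
] + [
    '192.0.2.44 - - [10/Jul/2017:12:05:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"' % s
    for s in range(0, 60, 10)
]

if __name__ == "__main__":
    for ip, alert in detect(SAMPLE_LOG):
        print(ip, alert)
```

The setup-config rule is the one to act on immediately: a 200 for that path means the install wizard is live and anyone who reaches it first can point the site at their own database server. The other three rules are noise reducers; a scanner that spoofs its user agent still trips the readme-enumeration rule, and a login burst is visible even when each attempt returns 200 (WordPress answers a failed login with a 200 and the form again).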

3 min read Jake Jackson
Security | getkeyy.com | Jun. 2, 2017

Clef Replacement, Keyy, now Available

Much like Clef, Keyy gives you 2-factor authentication with a difference. It replaces passwords with sophisticated RSA public-key cryptography, which results in stronger security and a better user experience.

This is version 1 of the software. Please don’t hit us with a bad review, but we’re very eager for your feedback in the support channel. In the coming weeks and months we will: Replace the QR code (current version) with a “Keyy wave” – an animated barcode which was a loved feature of Clef
Launch a single-sign on feature, so logging into one site with Keyy logs you into all sites on that device
Announce many more soon!
It replaces typing usernames, passwords and the usual two factor tokens with a simple cryptograph that users sync to an app on their mobile phone.
It makes logging in both incredibly safe and unbelievably easy. Keyy instantly boosts user account security and protects the site.
Everyone wins, except for the hackers!
The threat of hacking has never been stronger, and it’s constantly evolving in both scale and sophistication.
There’s a bewildering array of online security solutions and best-practices out there. The trouble is, most of them have flaws and loopholes that criminals are always looking to exploit.
What’s more, implementing them is a pain. Who wants to remember yet another password? And who wants to go fumbling about

4 min read David Bisset
Security | halfelf.org | Jun. 21, 2017

Secure Mindsets in Plugins

Mika explains why it's natural to NOT write secure code and why It's time to get into a clear mindset of security when coding.

At WordCamp Europe last week, I talked about the basics of plugin development. Since I had a mixed bag of experiences, I decided not to actually write a plugin in the class, but instead I took Hello Dolly and edited it. I discussed how the plugin worked, that an action called a function, which returned a value, and showed the interconnectivity. In this way, the attendees could understand the big picture of how code comes together. But at the end, with five minutes, I touched on an important aspect of plugins that Hello Dolly doesn’t do much with, because it doesn’t have to.
I talked about security.
Past You
In the past, you have probably done insecure things. Have you ever left your car unlocked in the driveway while you ran the groceries inside? We all do things that are insecure or unsafe. This is normal. Similarly, we have all written insecure code. When we begin, all of us write code to perform actions without thinking about how it will be used globally. We don’t worry about safe, we worry about functions.
There’s nothing wrong with this. We are often focus driven designers, fueled by passion and desire, so we want to do and not worry about the details.

2 min read Donna Cavalier
Security | wordpress.org | May. 17, 2017

WordPress 4.7.5 Security and Maintenance Release

Release notes are out, and this release fixes 6 security issues.

WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.4 and earlier are affected by six security issues:
Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
Thank you to the reporters of these issues for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
Download WordPress

8 min read Donna Cavalier
Security | gravityscan.com | May. 16, 2017

Introducing Gravityscan - malware / vulnerability scanner that works on any website

Pretty darn impressive! Running a scan on one of my sites right now. This is nice!

This morning I am incredibly excited to introduce you to a project that the Wordfence team has been working on for almost a year. A few moments ago we officially launched Gravityscan.com, a malware and vulnerability scanner that works on any website. Gravityscan is free. You don’t need to install any software to use it. Simply visit https://www.gravityscan.com/ and enter your website URL. Then hit the “Launch Scan” button and Gravityscan will start examining your website to find out if you have been hacked, or if you have any security vulnerabilities. Go and run your first scan now! I’ll be here when you get back.
A Malware and Vulnerability Scanner for Websites
Gravityscan is designed specifically for websites. It is smart enough to detect if you are running WordPress, Joomla, Drupal, Magento or vBulletin. Then it carefully examines each of those applications you have installed to find out if they have any vulnerabilities. It even detects the extensions you are running in each application and checks them for vulnerabilities.
Gravityscan also performs a comprehensive scan for malware on your site. It does a great job if you simply run a regular scan on any website.

7 min read Donna Cavalier
Security | gravityscan.com | May. 17, 2017

Gravityscan's First Day Results: In a Word - Wow!

That is a lot of activity for a first day of a launch.

You only realize how incredibly impressive a team is on launch day. The Gravityscan team worked steadily for almost a year, consistently producing releases that added features as Gravityscan grew and became a product. Then, through the QA cycle, the team steadily burned down bugs and made the product rock-solid and ready for launch.
Here Are the Numbers
In the first 24 hours since Gravityscan launched, we processed 26,153 scans.
12,596 unique sites have been added to users’ accounts.
Of those, 6,007 sites had their site ownership verified with Google Analytics, which is by far the fastest and easiest method to verify site ownership. Remember: you need to verify site ownership to see vulnerabilities. We do this to make sure unauthorized users can’t see your site’s vulnerabilities.
We already have our first Pro customers, and many have upgraded multiple sites – in some cases, those upgrades numbered in the double digits – to Gravityscan Pro for faster scans and all the other benefits of Pro.
We have a total of 4,052 registered users now – and climbing.
The Craziness of Launch Day
Yesterday morning starting at 7am Pacific Time, we launched. We let our

13 min read Jan Östlund
Security | wordfence.com | Jun. 1, 2017

7 Popular WordPress Security Myths

A good summary of points and good to know not getting a false sense of security.

Because of its incredible popularity as a platform, WordPress enjoys a sizable, generous community of users that spend their time sharing information, resources, tips and insights with other WordPress users online. Understandably, online security is at the forefront of concerns for many site owners, and a lot of the online conversation about WordPress centers around the best ways to keep your site safe from hackers and security breaches. Despite the best of intentions from most users, there are a few myths surrounding WordPress security that persist and spread like wildfire, even if the recommendations they make don’t do anything to keep your site safe.
1. Moving or Hiding ‘wp-admin’ Will Stop Brute Force Attacks
Brute force attacks occur when malicious bots hammer your login pages over and over attempting to guess your username and password in order to get admin access to your website’s back-end. From there, they can lock you out, compromise your data and deface or even take down your website. Most commonly, these bots try common usernames like “admin” alongside tens of thousands of passwords, hoping that one of them will work and allow them access

Security | bynicolas.com | May. 17, 2017

WordPress Nonces: What Are They Really And How they Work?

In depth explanation of the concept of WordPress Nonces, why WordPress nonces are not real nonces and how their lifespan is not really 24 hours, but more around 12 hours.

WordPress nonces are an easy security measure you can implement in your plugins or themes to protect your users from Cross Site Request Forgery attacks. But how do WordPress nonces really work? You heard they were valid for 24 hours? Are they really? How can they be called nonces if they can be reused? Let’s dive right in and see how WordPress nonces are not pure nonces but are still useful for providing a higher level of security to your website’s users.
What is a Nonce?
A nonce simply stands for a Number used ONCE. It’s a unique token used to add a layer of security to your application and also to validate the intent of a user initiated action.
This Nonce is generated by a server-side application, stored on the server and sent to the client to be part of the payload it’s going to send back to the server. This way, you have a way to validate the payload and have a higher level of certainty that the request was actually made by the client.
Why use a Nonce?
A nonce could be seen as a one time password for user initiated actions. May it be sending a form, encrypting data or executing an action, the nonce adds a level of security by preventing a malicious
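To make the lifetime claim concrete, here is an added Python re-implementation of how WordPress mints and checks a nonce. It is not the article's code and not WordPress core, though it mirrors the logic of wp_nonce_tick(), wp_create_nonce() and wp_verify_nonce(). The HMAC salt, user id, session token and action name are constructed stand-ins; in WordPress the salt comes from the NONCE_KEY and NONCE_SALT constants and the token from the login session.

```python
import hashlib
import hmac
import math
import time

NONCE_LIFE = 86400                    # WordPress default: DAY_IN_SECONDS ('nonce_life' filter)
SALT = b"constructed-nonce-salt"      # stands in for NONCE_KEY . NONCE_SALT


def nonce_tick(now=None, life=NONCE_LIFE):
    """wp_nonce_tick(): the counter advances once every life/2 seconds (12 h)."""
    now = time.time() if now is None else now
    return math.ceil(now / (life / 2))


def wp_hash(data):
    """wp_hash($data, 'nonce') is hash_hmac('md5', $data, $salt)."""
    return hmac.new(SALT, data.encode(), hashlib.md5).hexdigest()


def create_nonce(action, uid, token, now=None):
    """wp_create_nonce(): 10 characters cut from the HMAC of tick|action|user|session."""
    tick = nonce_tick(now)
    return wp_hash(f"{tick}|{action}|{uid}|{token}")[-12:][:10]  # PHP substr(..., -12, 10)


def verify_nonce(nonce, action, uid, token, now=None):
    """wp_verify_nonce(): 1 if minted in the current tick, 2 if in the previous
    one, False otherwise. Accepting the previous tick is why a nonce lives
    somewhere between 12 and 24 hours, never a fixed 24."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = wp_hash(f"{t}|{action}|{uid}|{token}")[-12:][:10]
        if hmac.compare_digest(expected, nonce):
            return age
    return False


def lifetime_seconds(created_at, life=NONCE_LIFE):
    """How long a nonce minted at created_at stays verifiable: until the end of
    the tick after the one it was minted in."""
    return (nonce_tick(created_at, life) + 1) * (life / 2) - created_at


if __name__ == "__main__":
    t0 = 1500000000
    n = create_nonce("delete-post_42", 7, "sess", now=t0)
    print(n, verify_nonce(n, "delete-post_42", 7, "sess", now=t0),
          lifetime_seconds(t0) / 3600, "hours")
```

Two things follow from the code. The same nonce comes back for every call within a tick, which is why it is not a true number-used-once; the protection is that the value is bound to the action, the user and the session, so an attacker's page cannot guess it. And because verification accepts the previous tick as well as the current one, lifetime_seconds() shows a nonce minted just after a tick boundary lasting almost 24 hours while one minted just before a boundary lasts barely 12.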

12 min read Anthony Randall
Security | makeawebsitehub.com | May. 30, 2017

16 htaccess Hacks to Speed Up, Optimize and Secure WordPress

Quick guide on .htaccess files to help speed up and secure WP sites.

1. Create a blacklist to prevent site access from certain IP addresses.
Websites are made to have visitors. However, those guests can occasionally become a problem. Sometimes, there are certain site visitors that are no longer welcome. Htaccess files can be used to block those particular visitors. This is also useful to keep bots away from your site. The code used to create your blacklist is as follows:
<Limit GET POST PUT>
# Apache 2.2 access syntax (needs mod_access_compat on 2.4): allow everyone, then deny the listed addresses.
Order allow,deny
Allow from all
# Placeholder addresses from the RFC 5737 documentation ranges; replace them with the offending IPs.
Deny from 203.0.113.45
Deny from 198.51.100.17
Deny from 192.0.2.200
Deny from 203.0.113.99
</Limit>
You can add as many IP addresses as you want this way to keep your site free of troublemakers. If someone is spamming your site, this little piece of code is your new best friend.
2. Create a redirect while performing site maintenance.
While you’re performing site maintenance, you want visitors to be redirected to a page that lets them know what’s going on and maybe when your site is expected to be open to visitors again. You can use the htaccess file to accomplish this using the following code:
RewriteEngine on
# Skip the maintenance page itself, otherwise the redirect loops.
RewriteCond %{REQUEST_URI} !/maintenance.html$
# 302 (temporary), so browsers and caches do not remember the redirect after maintenance ends.
RewriteRule ^ /maintenance.html [R=302,L]

4 min read Jan Östlund
Security | wordfence.com | Jun. 15, 2017

Home Router Botnet Resumes Attacks

I think this is only the beginning of these sort of attacks when Internet of Things becomes even more popular.

Yesterday at 7pm UTC (noon PDT) we saw the volume of brute force attacks on the WordPress sites that we protect more than double from the average for the previous 24 hours. The number of attacking IPs more than tripled. The chart below shows the count of attacks per hour from June 12th onward. You can see a very obvious spike followed by about a 10-hour pull-back, and then another surge almost back to the high we saw with the spike.
Home Routers Again?
Back in April, we wrote about a home router botnet that was being used to attack WordPress websites. Many of those attacks were originating from IPs that had a specific port (7547) open and were running a vulnerable version of remote management software called Rompager. We published a list of 28 ISPs with suspicious attack patterns indicating compromised routers and built a tool that checks if your router is vulnerable. In early May we wrote about that same botnet shutting down.
In the table below we show the top 20 ISPs by number of IP addresses involved in the latest surge and actively attacking. We also show the average number of hourly attacks per IP. Please note that the average is likely understated, as we accumulated attacks during

3 min read Donna Cavalier
Security | wordpress.org | Mar. 6, 2017

WordPress 4.7.3 Security and Maintenance Release

Quite a few security issues fixed in this one, yikes.

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.2 and earlier are affected by six security issues:
Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang.
Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Daniel Cid.
Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.
Thank you to the reporters for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that

Security | fixmywp.com | May. 16, 2017

Extra Hardening: Take care your HTTP Security Headers

There are millions of websites around the globe that are publicly available. Due to this public availability of websites they have become an active targets for hackers. Hence website owners are constantly trying to understand the threat landscape and develop solutions for threats mitigation. HTTP Security Headers provide mitigation solutions of various threats including cross site scripting, click jacking, code injection and drive by downloads attacks etc. This article will describe the most used HTTP security headers, their methodology of threat mitigation and their configuration guides for Apache and NGINX web-servers.

There are millions of websites around the globe that are publicly available. Due to this public availability, websites have become active targets for hackers. Hence website owners are constantly trying to understand the threat landscape and develop solutions for threat mitigation. HTTP Security Headers provide mitigation of various threats including cross site scripting, clickjacking, code injection and drive-by download attacks.
This article will describe the most used HTTP security headers, their methodology of threat mitigation and their configuration guides for Apache and NGINX web-servers.
List of HTTP Security Headers that are covered in this article:
Content Security Policy (CSP)
X-XSS-Protection
X-Frame-Options
X-Content-Type-Options
HTTP Public Key Pins (HPKP)
HTTP Strict Transport Security (HSTS)
Content Security Policy (CSP)
Overview
Web browsers trust all the contents of a website, including its web pages, style sheets, fonts and JavaScript files. Because of this trust relationship, browsers load and execute all the content of a website without any content authentication. This browser behavior can be exploited by hackers in running
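Before hardening headers it helps to know which ones a site already sends and whether their values are sound. The following added example, written for this page and not taken from the fixmywp article, audits the six headers listed above against a small set of checks. The thresholds and the two response header sets it runs on are constructed for the demonstration, and the HPKP check only inspects a policy that is already present: the absence of pinning is deliberately not flagged, since a wrong pin set locks visitors out of the site for the whole max-age.

```python
import re

HSTS_MIN_AGE = 15552000  # six months; this example's threshold, not a standard


def parse_csp(value):
    """'default-src 'self'; script-src 'self' cdn' -> {'default-src': ["'self'"], ...}"""
    out = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return out


def audit_headers(headers):
    """headers: response header name -> value (any case). Returns a list of
    findings in a fixed order; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("HSTS max-age below six months")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        d = parse_csp(csp)
        # script-src falls back to default-src, exactly as the browser applies it
        script = d.get("script-src", d.get("default-src", []))
        if not script:
            findings.append("CSP has no script-src or default-src")
        if "'unsafe-inline'" in script:
            findings.append("CSP permits 'unsafe-inline' scripts")
        if "*" in script or "data:" in script:
            findings.append("CSP script sources include * or data:")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if not h.get("x-xss-protection", "").startswith("1"):
        findings.append("X-XSS-Protection missing or disabled")

    hpkp = h.get("public-key-pins")
    if hpkp is not None:
        pins = re.findall(r'pin-sha256="([^"]+)"', hpkp)
        if len(pins) < 2:
            findings.append("HPKP needs a backup pin (at least two pin-sha256 values)")
        if not re.search(r"max-age=\d+", hpkp):
            findings.append("HPKP lacks max-age")
    return findings


# Constructed responses: a typical default install and a hardened one.
WEAK = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Public-Key-Pins": 'pin-sha256="constructedPrimaryPin="; pin-sha256="constructedBackupPin="; max-age=5184000',
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_headers(hdrs) or "all checks passed")
```

To run it against a live site, feed it the headers from a real response (for example the dict returned by a urllib or requests call); the checks do not depend on the transport. Note that a CSP with 'unsafe-inline' in script-src is the finding most worth chasing on a WordPress site, because it leaves the policy with no protection against the XSS class the header exists for.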

Security | thehackernews.com | May. 5, 2017

Unpatched WordPress Flaw Could Allow Hackers To Reset Admin Password

Since the vulnerability has now been publically disclosed with no patch available from WordPress. WordPress admins are advised to update their server configuration.

WordPress, the most popular CMS in the world, is vulnerable to a logical vulnerability that could allow a remote attacker to reset targeted users’ password under certain circumstances. The vulnerability (CVE-2017-8295) becomes even more dangerous after knowing that it affects all versions of WordPress — including the latest 4.7.4 version.
The WordPress flaw was discovered by Polish security researcher Dawid Golunski of Legal Hackers in July last year, who reported it to the WordPress security team, which decided to ignore the issue, leaving millions of websites vulnerable.
"This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website," Golunski wrote in an advisory published today. "As there has been no progress, in this case, this advisory is finally released to the public without an official patch."
Golunski is the same researcher who discovered a critical vulnerability in the popular open source PHPMailer libraries that allowed malicious actors to remotely execute arbitrary code in the context of the web server

12 min read Tom Zsomborgi
Security | kinsta.com | Mar. 16, 2017

Why You Should Be Using Supported PHP Versions

Did you know that anyone running on a version of PHP below 5.6 no longer has security support?

PHP is one of the most popular scripting languages on the web today. According to W3Techs, PHP is used by over 82% of all the websites who use a server-side programming language. This means for every 8 out of 10 websites you visit, they are most likely utilizing PHP in some form or another. And of course, it plays a very vital role as it pertains to the WordPress ecosystem, as the entire CMS is built on PHP. A dilemma we are facing today is that many businesses, developers, and hosts have fallen behind when it comes to supporting the latest PHP versions. Some of the statistics below might even shock you. Today we want to discuss some of the reasons why it is so important that everyone use the latest PHP versions, not only for security reasons, but also for better performance and support.
Old PHP Versions
As with any piece of software, PHP has a release life cycle it has to adhere to in order to keep pushing things forward and making improvements. Each major release of PHP is typically fully supported for two years after its release. During that time, bugs and security issues are fixed and patched on a regular basis.
As of right now, anyone running on a version of PHP below

Security | fixmywp.com | 28 days ago

How to Find Out If Your Website Is Hacked

If you think your website has been hacked, it's good to determine the nature of the hack as soon as possible. There's many different types of hacks and some hacks can be malicious. Other hacks are just defacements to your actual webpages. This article lists some of the strongest indicators of a hacked website(WordPress or not).

If you think your website has been hacked, it's good to determine the nature of the hack as soon as possible. There are many different types of hacks and some hacks can be malicious. Other hacks are just defacements to your actual webpages.
Indicators of compromise
Some hacks are quite apparent since they deface your page, while others are more subtle. Here are some common signs that your website has been compromised:
Your home page has changed. If you visit your website, and instead of seeing the page you have created you see something entirely different it's likely that your page has been "defaced." Normally, these types of hackers will have a "hacked by..." message displaying to take credit for the hack.
Your access to admin pages no longer exists. If you cannot access the admin section of your website, it's possible the hacker has gained access to the administrator account or cPanel and altered the passwords.
Your computer's anti-virus software warns you when you visit your website. This is a typical situation where your website is trying to install a trojan or another type of virus on your local computer.
A page will not load but it used to. If you haven't changed

9 min read Donna Cavalier
Security | wordfence.com | Feb. 24, 2017

Cloudflare Data Leak: How to Secure Your Site

While much of this is a rehash of everything we have already seen covered, it does mention a way to search google to see if your site might have been affected. So...worth it for that I guess.

Cloudflare has experienced a data leak over a 5 month period that mixed sensitive data between websites and visitors. A visitor to one website using Cloudflare may have seen data from another website using Cloudflare that was being sent to a completely different site visitor. Some of the leaked data has been indexed by search engines who have been working over the past few days to try and remove the data from their caches.
In this post I am going to explain in simple terms, what occurred and what you need to do about it.
If you are a WordPress user and simply want to know how to secure your site, you can skip to the What Should I Do section below. I have included some information for non-WordPress site owners in that section too.
Cloudflare provides a firewall and content distribution service. Their servers are between your website visitors and your own web server.
Under normal circumstances, Cloudflare returns the data each site visitor requested to that visitor. This may be public or sometimes private information and it is usually done over a secure channel. Each website visitor only sees the data they requested.
From September 22nd, 2016 until February 18th 2017 (last Saturday),

4 min read Donna Cavalier
Security | wptavern.com | Feb. 14, 2017

Why Plugins Sometimes Disappear From the WordPress Plugin Directory

This is NOT a good enough answer! This is important and should not be pushed under the rug.

Nearly 50K publicly available plugins call the WordPress plugin directory home but once in awhile a few of them seem to disappear. There is usually a good reason for why this happens but the only information available to the public is a page that says the plugin cannot be found. If the plugin is popular enough, concerned users will contact us and ask to investigate what happened. Mika Epstein, Plugin Directory Representative, says there are a number of reasons for why a plugin can end up hidden from view, “The most well-known, but not the most common, is security issues,” Epstein said.
“Plugins are removed and, by default, hidden mostly because we’re on bbPress 1.0 and there is not as granular a control with post statuses when compared to WordPress itself.”
The plugin review team has three options to choose from when altering a plugin’s visibility, active, closed, and disabled. Although rarely used, when a plugin is disabled, it is hidden from view but updates are able to be pushed out.
I asked Epstein why there’s not more detailed information when a plugin is hidden and the answer is complex, “The lack of information is partly technical

Security | blog.sucuri.net | Feb. 1, 2017

Content Injection Vulnerability in WordPress 4.7 and 4.7.1

This covers more details about security vulnerabilities in WordPress 4.7 & 4.7.1 that just got fixed in 4.7.2. Here its comes from Sucuri who contributed in this finding and a solid good responsible disclosure.

Security Risk: Severe
Exploitation Level: Easy/Remote
DREAD Score: 9/10
Vulnerability: Privilege Escalation / Content Injection
Patched Version: 4.7.2
As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on WordPress, we discovered a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site.
We disclosed the vulnerability to the WordPress Security Team who handled it extremely well. They worked closely with us to coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public.
A fix for this was silently included on version 4.7.2 along with other less severe issues. This was done intentionally to give everyone time to patch. We are now disclosing the details because we feel there has been enough time for most WordPress users to update their sites.
Are You At Risk?
This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled

4 min read Donna Cavalier
Security | make.wordpress.org | Feb. 1, 2017

Disclosure of Additional Security Fix in WordPress 4.7.2 (besides the 3 we knew about)

I have a feeling we'll end up seeing a lot more REST API vulnerabilities in the future. Just call it a gut feeling.

WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately. In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.
We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.
On January 20th, Sucuri alerted us to a vulnerability discovered by one of their security researchers, Marc-Alexandre Montpas. The security team began assessing the issue and working on solutions. While a first iteration of a fix was created early on, the team felt that more testing was needed.
Meanwhile, Sucuri added rules to their Web Application Firewall (WAF) to block exploit attempts against their clients. This issue was found internally and no

Security | blogvault.net | Feb. 6, 2017

Blogvault hacked

WordPress backup and security service had a security breach; hackers installing malware on hacked sites.

Hi,
I’m Akshat, the founder of BlogVault. Here at BlogVault we have been committed to providing highly secure backups.
Unfortunately, I am reaching out to let you know that some of the data on our systems may have been exposed. We are investigating the issue, and will ensure to keep you updated as and when we have more details.
Meanwhile, we have undertaken a list of precautionary measures and we’re sharing what we already know with our entire customer base.
What We Are Doing to Secure Your Website
Due to the breach, some of our customers’ websites were accessed without authorization. After further investigation we found out that these sites had been injected with malware. We have taken immediate action and we are extensively scanning all those identified sites. We are also conducting granular analyses of our

12 min read David Bisset
Security | aarondcampbell.com | Apr. 4, 2017

Website Security – Simple Steps to Take

Aaron shows how a little extra effort and a few wise decisions can drastically up your online security game.

Website security is important. We all know it. For many though, it’s a topic they prefer not to talk or think too much about. They don’t really consider it in very many areas as they build or manage their site. Why?
Security is Scary
You know you want to be secure, so you start to check out this weird security thing. Brute force? You can handle that; good passwords, limit login attempts, maybe even two factor authentication. Then you suddenly become aware of cross-site scripting (XSS), SQL injection (SQLi), cross-site request forgery (CSRF), remote code execution (RCE), and potentially so many more that you’re simply terrified. You begin to buy into “ignorance is bliss”. But website security doesn’t have to be scary.
Security is Something You Can Handle
you can drastically increase your online security.
When you start to research website security it’s easy to become overwhelmed as you’re slowly exposed to all the various forms of attacks. Each can be nuanced, complex, and confusing. The good news is, you don’t need to know how every vulnerability works in order to increase your security. Many of them can be prevented by following