Interesting story. Sounds like something someone should actually dig into and test, undercover, of course. Sounds like some lawsuits might be in line. EIG takedown, anyone?
This will be a longer article explaining a common SCAM that was reported numerous times for multiple hosting providers. Even if you are not hosted with HostGator you still might want to read about it, for the future safety of your wallet. The short version of the story is at the bottom of the page. I have been a loyal customer of HostGator since at least 2005. Even after they were bought out by EIG back in 2014, even after their support and customer service started going downhill rapidly, I still decided to stick with them. At the time of writing this I have 3 separate accounts with them (2 shared + 1 VPS) and I pay around $875 / year for their services.
The HostGator + SiteLock SCAM
It all happened yesterday, 23/02/2016. At 17:37 I got an email from HostGator informing me that my account had been suspended because it was distributing malware, and that I should immediately take measures to resolve this issue.
Our Abuse department has received a report regarding malware being hosted on an account under your control. We have disabled site access for your account to prevent further complaints, and have provided a list of the reported content. Note that the below content is not a comprehensive
WordPress 4.2.3 has been released; it's now available at WordPress.org. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress 4.2.3 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site. This was reported by Jon Cave of the WordPress Security Team, and fixed by Robert Chapin.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see the release notes or consult the list of changes.
Download WordPress 4.2.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.3.
Thanks to everyone who contributed to 4.2.3:
Free HTTPS for all custom domains on .com via Let’s Encrypt project.
Today we are excited to announce free HTTPS for all custom domains hosted on WordPress.com. This brings the security and performance of modern encryption to every blog and website we host. Best of all, the changes are automatic — you won’t need to do a thing.
As the EFF points out as part of their Encrypt the Web initiative, strong encryption protects our users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws.
WordPress.com has supported encryption for sites using WordPress.com subdomains (like https://barry.wordpress.com/) since 2014. Our latest efforts now expand encryption to the million-plus custom domains (like automattic.com) hosted on WordPress.com.
The Let’s Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains. We launched the first batch of certificates in January 2016 and immediately started working with Let’s Encrypt to make the process smoother for our massive and growing list of domains.
For you, the users, that means you’ll see secure encryption automatically deployed on every new site within minutes. We are
This rocks. Wasn't a fan of bluehost before, and probably still won't ever use them, but this ... this is very cool, and will make a very real difference. Good job, Bluehost.
After determining that a significant number of customers were running outdated versions of WordPress, Bluehost’s development team created a unique Perl script utilizing WP-CLI (WordPress Command Line Interface) and custom code to update WordPress sites going back to version 1.0.2. Bluehost completed exhaustive tests and reviews to ensure the script resulted in minimal disruptions or site downtime. In this impressive undertaking, 99% of WordPress sites on Bluehost’s platform were upgraded successfully with fewer than 0.007% of customers reporting any issues. Since implementation, the company has seen a significant 18% reduction in technical support requests relating to WordPress. Bluehost has further implemented this new technology to continually update WordPress websites to ensure customers on its platform enjoy the security of an up-to-date WordPress site going forward.
BREAKING: Security breach in WP Engine. Their customers received an urgent notification in their inboxes Wednesday evening regarding a security breach. If you have accounts with them, update your passwords immediately, and take other measures to keep yourself safe!
WP Engine customers received an urgent notification in their inboxes Wednesday evening regarding a security breach. At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.
WP Engine currently has no evidence that customer information was used inappropriately but has invalidated customer passwords as a precaution. The following five passwords associated with customer accounts will have to be reset:
WP Engine User Portal
Original WP-Admin Account
Password Protected Installs and Transferable Installs
The notice states that WP Engine is taking immediate action on their end but does not include any details. The company apologized for the inconvenience of having to invalidate all customer passwords.
Customers took to Twitter to express frustration and bemoaned the host’s lack of two-factor authentication.
@wpengine What's with the lack of 2FA?
— Jordan Felle (@jordanfelle) December 10, 2015
Representatives from WP Engine were not able to comment
Plugin Developers Demand a Better Security Release Process After WordPress 4.2.3 Breaks Thousands of Websites
Whilst the latest update was important, it wasn't without its problems. "User confidence in WordPress’ automatic background updates took a dent with the 4.2.3 release." The update makes changes to the shortcode API which cause a lot of problems.
WordPress 4.2.3, a critical security release, was automatically pushed out to users yesterday to fix an XSS vulnerability. Shortly afterwards, the WordPress.org support forums were flooded with reports of websites broken by the update. Roughly eight hours later Robert Chapin (@miqrogroove) published a post to the Make.WordPress.org/Core blog, detailing changes to the Shortcode API that were included in the release. According to Chapin, these changes were necessary as part of the security fix:
Due to the nature of the fix – as is often the case with security fixes – we were unable to alert plugin authors ahead of time; however, we did make efforts to scan the plugin directory for plugins that may have been affected.
With this change, every effort has been made to preserve all of the core features of the Shortcode API. That said, there are some new limitations that affect some rare uses of shortcodes.
The security team had no reasonable way of accounting for every single edge case, but the negative impact of these changes was far more wide-reaching than they had anticipated. This particular use case likely wasn’t covered in their testing. Unfortunately, plugin developers found out about
"During a 16 hour window we saw a total of 6,611,909 attacks targeting 72,532 individual websites. We saw attacks during this time from 8,941 unique IP addresses and the average number of attacks per victim website was 6.26."
Last week in the President’s cyber security op-ed in the Wall Street Journal he implored Americans to move beyond simple passwords and to enable two factor authentication or cellphone sign-in. One of the things we monitor at Wordfence is the number of brute force attacks on WordPress websites. Brute force attacks are password guessing attacks, where an attacker tries to sign in as you by guessing your password.
To give you an idea of the level of attacks in the wild, we gathered data on brute force attacks across the sites we protect within a 16-hour window from Sunday until Monday (yesterday) at 2pm Pacific time.
Here are the highlights. Remember, this is only over a 16 hour window which is relatively short.
During this time we saw a total of 6,611,909 attacks targeting 72,532 individual websites. We saw attacks during this time from 8,941 unique IP addresses and the average number of attacks per victim website was 6.26.
The total number of attacking IPs was actually 55,391 but we only counted IPs that generated more than 10 failed logins across all sites. That way we excluded accidental login failures.
So where are these attacks coming from? The results are not what you would
Excellent investigation on a plugin hijacking. Really scary story but so glad quick action was taken.
Last summer we shared a story about the SweetCaptcha WordPress plugin injecting ads and causing malvertising problems for websites that leveraged the plugin. When this plugin was removed from the official WordPress Plugin directory, the authors revived another WordPress account with a long abandoned plugin and uploaded SweetCaptcha as a “new version” of that plugin. At the end of the SweetCaptcha saga, we gave this warning:
It’s quite a common scenario when criminals try to hijack or buy developer accounts of legitimate applications, or pay their developers to add some malicious code into their software, so some benign plugin or application may turn bad after an update — the only thing that protects you is the author reputation and the security screening and approval process in the repository.
This time we’ll tell you of another plugin that turned bad after an update.
Backdoor in Custom Content Type Manager
Custom Content Type Manager (CCTM) is a relatively popular plugin with three years of development, 10,000+ active installs, and a satisfaction rating of 4.8. It helps create custom post types. Website owners who find the classical “blog format” too restrictive use the plugin to add
Journey of a white hat WordPress hacker, with practical examples of how code cracks.
In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts – describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only ‘Subscriber’ user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web.
Executive Summary
A number of critical vulnerabilities exist in default WordPress installations, allowing potential compromise of millions of live web sites.
MITRE has assigned CVE-2015-5623, CVE-2015-2213, CVE-2015-5714, CVE-2015-5715, CVE-2015-5716 as identifiers for these vulnerabilities. * CVE-2015-2212 was marked as a duplicate of CVE-2015-5623.
The first vulnerability in this sequence (CVE-2015-5623) was patched in a recent WordPress security release (4.2.3).
Site administrators are urged to apply security updates as they are released (in case auto-update was disabled).
For further updates please follow our blog as well as upcoming WordPress security advisories.
Check Point customers are protected against the vulnerability sequence via IPS signatures.
WordPress is a PHP-based CMS (Content
10% of the top 1000 plugins have an unpatched security vulnerability, spanning over 4,000,000 installs. I hope Marcin can open-source his tool and that it can become a part of the plugin screening process at wordpress.org.
Introduction
I've been making a PHP static code analysis tool for a while, and a few months ago I ran it against ~1000 (more or less) top WordPress plugins.
Scanning results were manually verified in my spare time and delivered to official email@example.com from 04.07.2015 to 31.08.2015. Most of the reported plugins are already patched, some are not. Vulnerable and unpatched plugins have already been removed from the official WordPress plugin repository.
103 plugins vulnerable with more than 4.000.000 active installations in total (~30.000.000 downloads)
List of reported plugins (original reports contain verification/reproduction sections and URLs to the plugins' WordPress repository entries, where you can also verify the changelog):
Cross-Site Scripting (XSS) in Duplicator 0.5.24 [original report - Sat, 15 Aug 2015]
Cross-Site Scripting (XSS) in All In One WP Security 3.9.7 [original report - Thu, 13 Aug 2015]
Cross-Site Scripting (XSS) in AddThis 5.0.12 [original report - Tue, 11 Aug 2015]
Cross-Site Scripting (XSS) in Display Widgets 2.03 [original report - Tue, 11 Aug 2015]
Blind SQL injection in Pretty Link Lite 1.6.7 [original report - Wed, 8 Jul 2015]
Blind SQL injection in WP Statistics
WooCommerce Store Toolkit Plugin, WordPress User Meta Manager plugin & WP User Frontend plugin all should be updated right away.
The following three plugins contain severe vulnerabilities that have all been fixed within the past 24 hours. Details of these vulnerabilities have been released to the public so they are likely already being exploited. If you use any of these plugins, upgrade immediately. Please share with the larger WordPress community. WooCommerce Store Toolkit Plugin (a plugin for WooCommerce made by Visser Labs, not the core product) version 1.5.6 contains a privilege escalation vulnerability. The vulnerability allows a registered user to delete all posts, comments, products, orders, media and more. Upgrade to version 1.5.7 immediately to fix this issue.
WordPress User Meta Manager plugin version 3.4.6 contains an information disclosure vulnerability that allows an unprivileged user to download the user_meta table. It also contains a privilege escalation vulnerability that lets anyone upgrade themselves to admin along with a blind SQL injection vulnerability. These are fixed in 3.4.8. The fix was released within the last 24 hours. Upgrade immediately.
The WP User Frontend plugin version 2.3.10 and older contains an unrestricted file upload vulnerability that allows anyone to upload a file to your
ManageWP keeps getting better and pulling out new services to its Orion Platform. Raising the bar...
Bit of an in-depth one on improving the security of your WordPress website.
How many times have you walked out the front door of your house for just a few minutes and not bothered to lock the front door? Probably on more than one occasion, right? What about leaving your car unlocked for just a few minutes — seriously, who’s going to steal your car on a cold rainy morning while you take 2 minutes to grab a hot cup of coffee? It’s human nature. We rarely worry about managing a potential risk until it’s too late. Once someone breaks into your house, steals your car, or hacks into your WordPress website, then you start to worry.
The problem with all these scenarios is that by the time it happens, it’s too late. You’re left picking up the pieces, cleaning up the mess, and trying to minimize the damage. With just a little bit of planning and prevention, there is a good chance you could have averted the entire situation.
Obviously, this post isn’t about your car or your house, it’s about your WordPress website and the steps you can take to minimize your potential vulnerabilities. The thing is, security begins with having the right attitude. It’s an attitude where prevention and management are at the forefront – not crossing your fingers and hoping that it never happens
Jetpack by WordPress.com 4.0.3 May 26th, 2016 Important security update. Please upgrade immediately.
Couldn't find any more information on this, but figured it was important enough to share what little info I had.
Important security update. Please upgrade immediately. Release date: April 21st, 2016
Addresses an issue where Jetpack 4.0 caused a fatal error on sites with specific configurations.
Release date: April 20th, 2016
Protect: the routine that verifies your site is protected from brute-force attacks got some love and is more efficient.
Contact Forms: cleaning the database of spam form submission records is more efficient.
VideoPress: edit your VideoPress shortcode in the editor with a fancy new modal options window.
Custom Content Types are now classier: a new CSS class on Testimonial featured images — has-testimonial-thumbnail — allows you to customize Jetpack custom post types as you see fit.
Sharing: social icons are now placed under the "add to cart” singular product views in WooCommerce, making it easier for customers to share your products on social media.
Theme Tools: search engines will now have an easier time knowing what page they are on, and how that page relates to the other pages in your site hierarchy with improved schema.org microdata for breadcrumbs.
Widget Visibility: now you can select widgets
When wp security articles are a dime a dozen (and are the same old blah blah blah), it's nice to read something a little more on point. Nice.
Welcome to 2016, the year where WordPress powers more than a quarter of all websites on the Internet. For a lot of us involved with the WordPress community, this was a fantastic piece of news. But for those concerned with WordPress security, it’s more of a nightmare. WordPress as a CMS always had a bad rep for being an unauthenticated remote shell that, as a useful side feature, also contains a blog. And despite the best effort by the WordPress community, this is truer now than ever. The democratization of publishing has a nasty side effect: pretty much anyone can start a WordPress blog. As the entry bar gets lower, more and more websites fall prey to malicious attacks, simply because the blog owners are out of their depth when it comes to protecting their blog. And being the biggest CMS on the market, WordPress has a huge target painted on its back. One of the security reports stated that 78% of successful attacks were against WordPress websites. Another stated that 76% of WordPress users don’t use a backup plugin at all.
The blame, or at least most of the blame, lies with the throng of security articles on the web. Really good, in-depth articles are few and hard to find,
A case study of how WordPress nonces are being misused for security out in the wild.
Quick Page/Post Redirect Plugin: A Case Study
Quick Page/Post Redirect Plugin has 200,000+ active installs, with version 5.1.5 and older vulnerable to an attacker setting redirects to any URLs in bulk.
And why? All because the developer thinks a 5-byte WordPress Nonce will stop the bulk redirect import functionality from running. Newsflash: It won’t…
Since this particular instance of the vulnerability has been patched, let’s look at how a hole can be poked in code that relies on Nonces to provide “security”. In a blatantly unfortunate way, with disregard for best practices (a series of rants left for another day), the developer decided to allow importing of a bulk redirects export file from any page on the site by hooking their ppr_parse_request_new function against the init hook, which happens to run pretty much anytime WordPress does anything.
add_action( 'init', array( $this, 'ppr_parse_request_new' ) );
So to get execution of the function we merely load up any page. Cool.
The next step is to satisfy the following condition:
elseif( isset( $_POST['import-quick-redrects-file'] ) && isset( $_FILES['qppr_file'] ) )
Easy. And thus, we, as an unauthenticated attacker, meet up against
When it comes to Internet security, it seems not to be a matter of if, but when a product will be hit.
Elegant Themes emailed its customers last night to inform them of a critical security vulnerability affecting a large segment of its product line. An information disclosure vulnerability was found in the Divi Builder (included in our Divi and Extra themes, as well as our Divi Builder plugin) which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on your WordPress installation to perform a subset of actions within the Divi Builder, including the ability to manipulate posts.
In addition to the Divi Builder, the vulnerability was also found in the Divi, Extra, and Divi 2.3 (legacy) themes and the Boom and Monarch plugins. It was privately disclosed and promptly patched by Elegant Themes with the help of a third-party security vendor. No known exploit attempts have been made.
Updating the themes and plugins will fix the vulnerability but the patches were created only for the most recent versions. Legacy theme customers now have an upgrade path, including a version that doesn’t add new functionality. Customers who are not ready to update are advised to turn registration off on their sites, as untrusted users
[note: runs in command line, more suited for developers] -- Use WPScan to scan your site for known vulnerabilities within the WordPress core, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. This tool uses the WPScan Vulnerability Database (wpvulndb.com). There are detailed tutorials on how to install it, and how to run a scan.
When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at wpvulndb.com is used to check for vulnerable software and the WPScan team maintains the ever-growing list of vulnerabilities. Last time, we taught you how to install WPScan on Mac and Linux.
This time we are going to dive into how to use WPScan with the most basic commands.
Updating WPScan
You should always update WPScan to leverage the latest database before you scan your website for vulnerabilities.
Open Terminal and change your directory to the wpscan folder we downloaded in the first tutorial:
From this directory we can run a command to pull the latest update from Github, and then another command to update the database.
ruby wpscan.rb --update
You will see the WPScan logo and a note that the database update has completed successfully.
Scanning for Vulnerabilities
Next we are going to point the WPScan application at your WordPress website. With a few commands we can check your website for vulnerable themes, plugins, and
Over 500,000 WP installs affected; hardly anyone pays attention these days.
This week we have several high profile plugin vulnerabilities we’d like to bring your attention to. If you are using one of these plugins, upgrade to the fixed version immediately. Fast Secure Contact Form (400,000+ active installs) version 4.0.37 and earlier contain an XSS vulnerability that was publicly announced on October 27th. This was fixed in version 4.0.38. Upgrade immediately if you haven’t already. Note that this plugin is very popular with over 400,000 active installs.
Bulletproof Security (100,000+ active installs) version .52.4 contains an XSS vulnerability that was publicly announced 2 weeks ago. Please upgrade to the newest version which fixes the issue if you haven’t already.
Blubrry PowerPress podcasting plugin (50,000+ active installs) version 6.0.4 and earlier contains an XSS vulnerability publicly announced on October 27th. Upgrade as soon as possible.
Form Manager (30,000+ active installs) version 1.7.2 and earlier contain an unauthenticated remote command execution (RCE) vulnerability published on October 23rd. This was fixed in 1.7.3. Upgrade as soon as possible.
WordPress Files Upload (10,000+ active installs) version 3.4.0 and earlier allowed a malicious executable
Big heads up to you Ninja Forms users. Bad vulnerability. Update now.
A few times a year we see very bad vulnerabilities come along. This is, unfortunately, one of those times. Ninja Forms versions 2.9.36 to 2.9.42 contain multiple vulnerabilities. One of the vulnerabilities results in an attacker being able to upload and execute a shell on WordPress sites using Ninja Forms. We have developed a working exploit for internal use at Wordfence. The only information the exploit needs is a URL on the target site that has a form powered by Ninja Forms version 2.9.36 to 2.9.42.
Wordfence Firewall already protects against uploading of malicious PHP files, so you were already protected against this attack while it was still a 0 day. As an additional precaution, this morning we have released three additional rules via the Wordfence Threat Defense Feed which are already active on our Wordfence Premium customer sites.
Ninja Forms has over 500,000 active installs, so the impact of this vulnerability is going to be fairly widespread.
We are monitoring attacks in real-time and are not yet seeing this being widely exploited. We suspect this is because an exploit has not shown up yet on exploit-db or other public exploit databases (as of 9am Pacific time on May 5th).
SiteGround announces free SSL certificates through Let's Encrypt. It may not be ideal for ecommerce purposes but getting more sites on some form of encryption is a great step in the right direction.
In December 2015 the new certificate authority Let’s Encrypt entered Public Beta and caused a wave of excitement. The groundbreaking news meant that website owners can obtain security certificates for their websites for free instead of paying for traditional SSL certificates, and install them much more easily. Naturally since then many of you have asked us when we would introduce the certificates on our hosting platform. For all of you who have been eagerly awaiting this moment, we are happy to say that Let’s Encrypt certificates are now available at SiteGround!
What you should know about Let’s Encrypt
Let’s Encrypt is a free, automated, and open certificate authority (CA) that issues domain-validated security certificates. The main goal of the project, which SiteGround proudly sponsors, is to make encryption ubiquitous on the web so that all web browsing becomes safer.
The key benefits of the Let’s Encrypt certificates are:
no validation emails are sent
no dedicated IP required (which is extra money)
trusted by all major browsers
How to install Let’s Encrypt at SiteGround
You can install Let’s Encrypt certificates for free through the cPanel of your hosting account.
Not everyone is into WordPress security, though many WordPress website owners do want to know more about it. Here is something that is useful to all those who find it hard to understand the lingo and terminology used in WordPress security readings etc.
As a WordPress website owner you have definitely thought about the security of your blogs and websites. Most probably you have also read a few articles about WordPress security, or how to secure your WordPress. Though if WordPress security is not your cup of tea, you may have failed to understand half of the terms used in such documents, and hence could not make sense of it all. Don’t fret though. Below is a glossary of WordPress security terminology and words that explains them in very simple words for you, to help you better understand those security documents.
Also commonly known as an audit log, an audit trail is a security record that is used to keep evidence of a sequence of events. Therefore a WordPress audit trail is a log that can contain information on what the WordPress users did, such as when they logged in and from where, what content they changed, which plugins they installed, activated or upgraded etc. By default WordPress does not keep an audit trail, though you can easily start keeping a record of all WordPress changes in an audit trail with a plugin. There are several benefits to keeping a WordPress audit trail and several regulatory compliance requirements
General roundup of general info and tips, useful to share with clients.
Having your WordPress site hacked is one of the biggest nightmares for any website owner. From one moment to the next, your site is shut down. Traffic plummets and all the energy, effort, time, and money you put into your site is on the brink of being lost entirely.
Finding and fixing the problem is hard work, however, not as hard as winning back your audience’s trust or getting your site off spam blacklists.
While getting hacked is never pleasant, it is much more common than you would think.
The ascent of WordPress has painted a large bullseye on the back of the CMS and turned it into a favorite target for hackers.
In 2012 alone, more than 170,000 WordPress websites were hacked — a number that is likely much higher by now.
To spare you this unpleasant experience, in this article we will look at the reasons hackers target WordPress websites, the most common ways they gain access and what measures you can take to protect yourself.
This is compulsory reading for any WordPress website owner, so take notice!
Why Would Anyone Want To Hack Your WordPress Site?
Owners of smaller websites in particular often think of themselves as an unlikely target for hackers.
After all, why would anyone care about
Scary story on nulled WordPress plugins or themes. This story tracks down the real culprit behind all of this and digs really deep.
If you have been following our blog for some time, you know that we regularly warn about risks associated with the use of third-party software on your site. A benign plugin may sneakily inject ads into your site which cause malvertising problems for the site visitors (e.g. SweetCaptcha). Other plugins may be hijacked by hackers or black hat freelancers too (remember the epic story of Wooranker?). Another common issue is the use of so-called “nulled” premium themes and plugins that usually come with backdoors, hidden links, unwanted ads and even pure malware (e.g. CryptoPHP or fake jquery scripts). This time I’ll tell you one more story that combines all the above mentioned problems: nulled plugins, black hat SEO, malvertising, and a software development company that turned to the dark side.
Suspicious gma_footer Code
Recently the lead of our remediation team, Bruno Zanelato, cleaned a site and found this piece of code in one premium WordPress plugin:
Suspicious gma_footer code
The encrypted part decodes to hxxp://cdn .gomafia[.]com. As you might expect, he investigated what’s going on there.
That gma_footer function was hooked to the wp_footer action. As a result,