Interesting story. Sounds like something someone should actually dig in and test, undercover of course. Sounds like some lawsuits might be in line. EIG takedown, anyone?
This will be a longer article explaining a common SCAM that was reported numerous times for multiple hosting providers. Even if you are not hosted with HostGator you still might want to read about it, for the future safety of your wallet. The short version of the story is at the bottom of the page. I have been a loyal customer of HostGator since at least 2005. Even after they were bought out by EIG back in 2014, even after their support and customer service started going downhill rapidly, I still decided to stick with them. At the time of writing this I have 3 separate accounts with them (2 shared + 1 VPS) and I pay around $875 / year for their services.
The HostGator + SiteLock SCAM
It all happened yesterday, 23/02/2016. At 17:37 I got an email from HostGator informing me that my account had been suspended because it was distributing malware, and that I should immediately take measures to resolve this issue.
Our Abuse department has received a report regarding malware being hosted on an account under your control. We have disabled site access for your account to prevent further complaints, and have provided a list of the reported content. Note that the below content is not a comprehensive
Free HTTPS for all custom domains on WordPress.com via Let’s Encrypt project.
Today we are excited to announce free HTTPS for all custom domains hosted on WordPress.com. This brings the security and performance of modern encryption to every blog and website we host. Best of all, the changes are automatic — you won’t need to do a thing.
As the EFF points out as part of their Encrypt the Web initiative, strong encryption protects our users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws.
WordPress.com has supported encryption for sites using WordPress.com subdomains (like https://barry.wordpress.com/) since 2014. Our latest efforts now expand encryption to the million-plus custom domains (like automattic.com) hosted on WordPress.com.
The Let’s Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains. We launched the first batch of certificates in January 2016 and immediately started working with Let’s Encrypt to make the process smoother for our massive and growing list of domains.
For you, the users, that means you’ll see secure encryption automatically deployed on every new site within minutes. We are
WordPress 4.2.3 has been released and is now available at WordPress.org. This is a critical security release for all previous versions, and we strongly encourage you to update your sites immediately.
WordPress 4.2.3 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site. This was reported by Jon Cave of the WordPress Security Team, and fixed by Robert Chapin.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see the release notes or consult the list of changes.
Download WordPress 4.2.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.3.
Thanks to everyone who contributed to 4.2.3:
This rocks. Wasn't a fan of bluehost before, and probably still won't ever use them, but this ... this is very cool, and will make a very real difference. Good job, Bluehost.
After determining that a significant number of customers were running outdated versions of WordPress, Bluehost’s development team created a unique Perl script utilizing WP-CLI (WordPress-Command Line Interface) and custom code to update WordPress sites going back to version 1.0.2. Bluehost completed exhaustive tests and reviews to ensure the script resulted in minimal disruptions or site downtime. In this impressive undertaking, 99% of WordPress sites on Bluehost’s platform were upgraded successfully with fewer than 0.007% of customers reporting any issues. Since implementation, the company has seen a significant 18% reduction in technical support requests relating to WordPress. Bluehost has further implemented this new technology to continually update WordPress websites to ensure customers on its platform enjoy the security of an up-to-date WordPress site going forward.
BREAKING: Security breach in WP Engine. Their customers received an urgent notification in their inboxes Wednesday evening regarding a security breach. If you have accounts with them, update your passwords immediately, and take other measures to keep yourself safe!
WP Engine customers received an urgent notification in their inboxes Wednesday evening regarding a security breach. At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.
WP Engine currently has no evidence that customer information was used inappropriately but has invalidated customer passwords as a precaution. The following five passwords associated with customer accounts will have to be reset:
WP Engine User Portal
Original WP-Admin Account
Password Protected Installs and Transferable Installs
The notice states that WP Engine is taking immediate action on their end but does not include any details. The company apologized for the inconvenience of having to invalidate all customer passwords.
Customers took to Twitter to express frustration and bemoaned the host’s lack of two-factor authentication.
@wpengine What's with the lack of 2FA?
— Jordan Felle (@jordanfelle) December 10, 2015
Representatives from WP Engine were not able to comment
Plugin Developers Demand a Better Security Release Process After WordPress 4.2.3 Breaks Thousands of Websites
Whilst the latest update was important, it wasn't without its problems. "User confidence in WordPress’ automatic background updates took a dent with the 4.2.3 release." The update makes changes to the shortcode API which caused a lot of problems.
WordPress 4.2.3, a critical security release, was automatically pushed out to users yesterday to fix an XSS vulnerability. Shortly afterwards, the WordPress.org support forums were flooded with reports of websites broken by the update. Roughly eight hours later Robert Chapin (@miqrogroove) published a post to the Make.WordPress.org/Core blog, detailing changes to the Shortcode API that were included in the release. According to Chapin, these changes were necessary as part of the security fix:
Due to the nature of the fix – as is often the case with security fixes – we were unable to alert plugin authors ahead of time, however we did make efforts to scan the plugin directory for plugins that may have been affected.
With this change, every effort has been made to preserve all of the core features of the Shortcode API. That said, there are some new limitations that affect some rare uses of shortcodes.
The security team had no reasonable way of accounting for every single edge case, but the negative impact of these changes was far more wide-reaching than they had anticipated. This particular use case likely wasn’t covered in their testing. Unfortunately, plugin developers found out about
"During 16 hour window we saw a total of 6,611,909 attacks targeting 72,532 individual websites. We saw attacks during this time from 8,941 unique IP addresses and the average number of attacks per victim website was 6.26."
Last week in the President’s cyber security op-ed in the Wall Street Journal he implored Americans to move beyond simple passwords and to enable two factor authentication or cellphone sign-in. One of the things we monitor at Wordfence is the number of brute force attacks on WordPress websites. Brute force attacks are password guessing attacks, where an attacker tries to sign in as you by guessing your password.
To give you an idea of the level of attacks in the wild, we gathered data on brute force attacks across the sites we protect within a 16-hour window starting Sunday and ending Monday (yesterday) at 2pm Pacific time.
Here are the highlights. Remember, this is only a 16-hour window, which is relatively short.
During this time we saw a total of 6,611,909 attacks targeting 72,532 individual websites. We saw attacks during this time from 8,941 unique IP addresses and the average number of attacks per victim website was 6.26.
The total number of attacking IPs was actually 55,391, but we only counted IPs that generated more than 10 failed logins across all sites. That way we excluded accidental login failures.
So where are these attacks coming from? The results are not what you would
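The counting rule described above (an IP only counts as an attacker once it has produced more than 10 failed logins across all sites, and attacks per victim are tallied from those IPs only) is easy to get subtly wrong if the per-IP filter is applied after the per-site tally. The PHP below is an added example, not Wordfence's code: it applies the rule to constructed failed-login records. The record shape, hostnames and addresses are assumptions; in a real deployment the records would come from the wp_login_failed hook or the web server's access log.

```php
<?php
// Added example (not Wordfence's code): apply the counting rule from the
// excerpt above to constructed failed-login records.
// Each record is [client_ip, site_host, unix_timestamp]. Requires PHP 7.4+.

/**
 * Summarise failed logins the way the excerpt describes:
 *  - an IP counts as "attacking" only if it produced more than $threshold
 *    failures across ALL sites (mistyped passwords are excluded);
 *  - attacks and victims are then counted from those IPs only.
 *
 * @param array<int, array{0:string,1:string,2:int}> $failures
 * @return array{total_ips:int, attacking_ips:int, attacks:int, victims:int, avg_per_victim:float, top_ips:array<string,int>}
 */
function summarise_brute_force(array $failures, int $threshold = 10): array
{
    // Pass 1: failures per IP across every site, before any per-site split.
    $per_ip = [];
    foreach ($failures as [$ip, $site, $ts]) {
        $per_ip[$ip] = ($per_ip[$ip] ?? 0) + 1;
    }
    // Keep only IPs above the threshold; everything else is treated as noise.
    $attackers = array_filter($per_ip, fn(int $n): bool => $n > $threshold);

    // Pass 2: attacks per victim site, counting only the retained attackers.
    $per_site = [];
    foreach ($failures as [$ip, $site, $ts]) {
        if (!isset($attackers[$ip])) {
            continue;
        }
        $per_site[$site] = ($per_site[$site] ?? 0) + 1;
    }
    $attacks = array_sum($per_site);
    $victims = count($per_site);
    arsort($attackers); // busiest sources first

    return [
        'total_ips'      => count($per_ip),
        'attacking_ips'  => count($attackers),
        'attacks'        => $attacks,
        'victims'        => $victims,
        'avg_per_victim' => $victims ? round($attacks / $victims, 2) : 0.0,
        'top_ips'        => array_slice($attackers, 0, 5, true),
    ];
}

// Constructed sample data: one noisy attacker, one moderate attacker hitting
// two sites, and two legitimate users who mistyped a password a few times.
$failures = [];
for ($i = 0; $i < 40; $i++) {
    $failures[] = ['203.0.113.10', 'blog-a.example', 1455500000 + $i];
}
for ($i = 0; $i < 12; $i++) {
    $failures[] = ['198.51.100.7', $i % 2 ? 'blog-a.example' : 'shop-b.example', 1455500100 + $i];
}
for ($i = 0; $i < 3; $i++) {
    $failures[] = ['192.0.2.55', 'shop-b.example', 1455500200 + $i]; // typos, excluded
}
$failures[] = ['192.0.2.56', 'blog-c.example', 1455500300];          // single typo, excluded

print_r(summarise_brute_force($failures));
```

With this input the two legitimate users fall below the threshold, so blog-c.example is not reported as a victim at all, and the average is computed over the two sites that actually received attacker traffic. Raise the threshold or add a time window if your sites have many users who share a NAT address; otherwise a busy office can look like a slow brute-force source.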
Excellent investigation on a plugin hijacking. Really scary story but so glad quick action was taken.
Last summer we shared a story about the SweetCaptcha WordPress plugin injecting ads and causing malvertising problems for websites that leveraged the plugin. When this plugin was removed from the official WordPress Plugin directory, the authors revived another WordPress account with a long abandoned plugin and uploaded SweetCaptcha as a “new version” of that plugin. At the end of the SweetCaptcha saga, we gave this warning:
It’s quite a common scenario when criminals try to hijack or buy developer accounts of legitimate applications, or pay their developers to add some malicious code into their software, so some benign plugin or application may turn bad after an update — the only thing that protects you is the author reputation and the security screening and approval process in the repository.
This time we’ll tell you of another plugin that turned bad after an update.
Backdoor in Custom Content Type Manager
Custom Content Type Manager (CCTM) is a relatively popular plugin with three years of development, 10,000+ active installs, and a satisfaction rating of 4.8. It helps create custom post types. Website owners who find the classical “blog format” too restrictive use the plugin to add
ManageWP keeps getting better and pulling out new services to its Orion Platform. Raising the bar...
10% of top 1000 plugins have an unpatched security vulnerability. Spanning over 4,000,000 installs. I hope Marcin can open-source his tool and that it can become a part of the plugin screening process at wordpress.org
Introduction
I've been making a PHP static code analysis tool for a while, and a few months ago I ran it against ~1000 (more or less) top WordPress plugins.
Scanning results were manually verified in my spare time and delivered to the official WordPress.org address from 04.07.2015 to 31.08.2015. Most of the reported plugins are already patched; some are not. Vulnerable and unpatched plugins have already been removed from the official WordPress plugin repository.
103 plugins vulnerable, with more than 4,000,000 active installations in total (~30,000,000 downloads)
List of reported plugins (original reports contain verification/reproduction sections and URLs to the plugins' WordPress repository entries, where you can also verify the changelog):
Cross-Site Scripting (XSS) in Duplicator 0.5.24 [original report - Sat, 15 Aug 2015]
Cross-Site Scripting (XSS) in All In One WP Security 3.9.7 [original report - Thu, 13 Aug 2015]
Cross-Site Scripting (XSS) in AddThis 5.0.12 [original report - Tue, 11 Aug 2015]
Cross-Site Scripting (XSS) in Display Widgets 2.03 [original report - Tue, 11 Aug 2015]
Blind SQL injection in Pretty Link Lite 1.6.7 [original report - Wed, 8 Jul 2015]
Blind SQL injection in WP Statistics
Journey of a white hat WordPress hacker, with practical examples of how code cracks.
In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts – describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only ‘Subscriber’ user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web.
Executive Summary
A number of critical vulnerabilities exist in default WordPress installations, allowing potential compromise of millions of live web sites.
MITRE has assigned CVE-2015-5623, CVE-2015-2213, CVE-2015-5714, CVE-2015-5715, CVE-2015-5716 as identifiers for these vulnerabilities. * CVE-2015-2212 was marked as a duplicate of CVE-2015-5623.
The first vulnerability in this sequence (CVE-2015-5623) was patched in a recent WordPress security release (4.2.3).
Site administrators are urged to apply security updates as they are released (in case auto-update was disabled).
For further updates please follow our blog as well as upcoming WordPress security advisories.
Check Point customers are protected against the vulnerability sequence via IPS signatures.
WordPress is a PHP-based CMS (Content
WooCommerce Store Toolkit Plugin, WordPress User Meta Manager plugin & WP User Frontend plugin all should be updated right away.
The following three plugins contain severe vulnerabilities that have all been fixed within the past 24 hours. Details of these vulnerabilities have been released to the public, so they are likely already being exploited. If you use any of these plugins, upgrade immediately. Please share with the larger WordPress community.
WooCommerce Store Toolkit Plugin (a plugin for WooCommerce made by Visser Labs, not the core product) version 1.5.6 contains a privilege escalation vulnerability. The vulnerability allows a registered user to delete all posts, comments, products, orders, media and more. Upgrade to version 1.5.7 immediately to fix this issue.
WordPress User Meta Manager plugin version 3.4.6 contains an information disclosure vulnerability that allows an unprivileged user to download the user_meta table. It also contains a privilege escalation vulnerability that lets anyone upgrade themselves to admin along with a blind SQL injection vulnerability. These are fixed in 3.4.8. The fix was released within the last 24 hours. Upgrade immediately.
The WP User Frontend plugin version 2.3.10 and older contains an unrestricted file upload vulnerability that allows anyone to upload a file to your
Quite a few security issues fixed in this one, yikes.
WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.2 and earlier are affected by six security issues:
Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang.
Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Daniel Cid.
Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.
Thank you to the reporters for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that
Bit of an in-depth one on improving the security of your WordPress website.
How many times have you walked out the front door of your house for just a few minutes and not bothered to lock the front door? Probably on more than one occasion, right? What about leaving your car unlocked for just a few minutes — seriously, who’s going to steal your car on a cold rainy morning while you take 2 minutes to grab a hot cup of coffee? It’s human nature. We rarely worry about managing a potential risk until it’s too late. Once someone breaks into your house, steals your car, or hacks into your WordPress website, then you start to worry.
The problem with all these scenarios is that by the time it happens, it’s too late. You’re left picking up the pieces, cleaning up the mess, and trying to minimize the damage. With just a little bit of planning and prevention, there is a good chance you could have averted the entire situation.
Obviously, this post isn’t about your car or your house, it’s about your WordPress website and the steps you can take to minimize your potential vulnerabilities. The thing is, security begins with having the right attitude. It’s an attitude where prevention and management are at the forefront – not crossing your fingers and hoping that it never happens
Jetpack by WordPress.com 4.0.3 May 26th, 2016 Important security update. Please upgrade immediately.
Couldn't find any more information on this, but figured it was important enough to share what little info I had.
Important security update. Please upgrade immediately. Release date: April 21st, 2016
Addresses an issue where Jetpack 4.0 caused a fatal error on sites with specific configurations.
Release date: April 20th, 2016
Protect: the routine that verifies your site is protected from brute-force attacks got some love and is more efficient.
Contact Forms: cleaning the database of spam form submission records is more efficient.
VideoPress: edit your VideoPress shortcode in the editor with a fancy new modal options window.
Custom Content Types are now classier: a new CSS class on Testimonial featured images — has-testimonial-thumbnail — allows you to customize Jetpack custom post types as you see fit.
Sharing: social icons are now placed under the “add to cart” singular product views in WooCommerce, making it easier for customers to share your products on social media.
Theme Tools: search engines will now have an easier time knowing what page they are on, and how that page relates to the other pages in your site hierarchy with improved schema.org microdata for breadcrumbs.
Widget Visibility: now you can select widgets
When wp security articles are a dime a dozen (and are the same old blah blah blah), it's nice to read something a little more on point. Nice.
Welcome to 2016, the year where WordPress powers more than a quarter of all websites on the Internet. For a lot of us involved with the WordPress community, this was a fantastic piece of news. But for those concerned with WordPress security, it’s more of a nightmare. WordPress as a CMS always had a bad rep for being an unauthenticated remote shell that, as a useful side feature, also contains a blog. And despite the best efforts of the WordPress community, this is truer now than ever. The democratization of publishing has a nasty side effect: pretty much anyone can start a WordPress blog. As the entry bar gets lower, more and more websites fall prey to malicious attacks, simply because the blog owners are out of their depth when it comes to protecting their blog. And being the biggest CMS on the market, WordPress has a huge target painted on its back. One security report stated that 78% of successful attacks were against WordPress websites. Another stated that 76% of WordPress users don’t use a backup plugin at all.
The blame, or at least most of the blame, lies with the throng of security articles on the web. Really good, in-depth articles are few and hard to find,
Release notes are out, and this release fixes 6 security issues.
WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.4 and earlier are affected by six security issues:
Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
Thank you to the reporters of these issues for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
This covers more details about security vulnerabilities in WordPress 4.7 & 4.7.1 that just got fixed in 4.7.2. Here it comes from Sucuri, who contributed to this finding and a solid responsible disclosure.
Security Risk: Severe
Exploitation Level: Easy/Remote
DREAD Score: 9/10
Vulnerability: Privilege Escalation / Content Injection
Patched Version: 4.7.2
As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on WordPress, we discovered a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site.
We disclosed the vulnerability to the WordPress Security Team who handled it extremely well. They worked closely with us to coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public.
A fix for this was silently included on version 4.7.2 along with other less severe issues. This was done intentionally to give everyone time to patch. We are now disclosing the details because we feel there has been enough time for most WordPress users to update their sites.
Are You At Risk?
This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled
When it comes to Internet security, it seems not to be a matter of if, but when a product will be hit.
Elegant Themes emailed its customers last night to inform them of a critical security vulnerability affecting a large segment of its product line. An information disclosure vulnerability was found in the Divi Builder (included in our Divi and Extra themes, as well as our Divi Builder plugin) which resulted in the potential for user privilege escalation. If properly exploited, it could allow registered users, regardless of role, on your WordPress installation to perform a subset of actions within the Divi Builder, including the ability to manipulate posts.
In addition to the Divi Builder, the vulnerability was also found in the Divi, Extra, and Divi 2.3 (legacy) themes and the Boom and Monarch plugins. It was privately disclosed and promptly patched by Elegant Themes with the help of a third-party security vendor. No known exploit attempts have been made.
Updating the themes and plugins will fix the vulnerability but the patches were created only for the most recent versions. Legacy theme customers now have an upgrade path, including a version that doesn’t add new functionality. Customers who are not ready to update are advised to turn registration off on their sites, as untrusted users
Big heads up to you Ninja Forms users. Bad vulnerability. Update now.
A few times a year we see very bad vulnerabilities come along. This is, unfortunately, one of those times. Ninja Forms versions 2.9.36 to 2.9.42 contain multiple vulnerabilities. One of the vulnerabilities results in an attacker being able to upload and execute a shell on WordPress sites using Ninja Forms. We have developed a working exploit for internal use at Wordfence. The only information the exploit needs is a URL on the target site that has a form powered by Ninja Forms version 2.9.36 to 2.9.42.
Wordfence Firewall already protects against uploading of malicious PHP files, so you were already protected against this attack while it was still a 0 day. As an additional precaution, this morning we have released three additional rules via the Wordfence Threat Defense Feed which are already active on our Wordfence Premium customer sites.
Ninja Forms has over 500,000 active installs, so the impact of this vulnerability is going to be fairly wide-spread.
We are monitoring attacks in real-time and are not yet seeing this being widely exploited. We suspect this is because an exploit has not shown up yet on exploit-db or other public exploit databases (as of 9am Pacific time on May 5th).
A case study of how WordPress nonces are being misused for security out in the wild.
Quick Page/Post Redirect Plugin: A Case Study
Quick Page/Post Redirect Plugin has 200,000+ active installs, with version 5.1.5 and older vulnerable to an attacker setting redirects to any URLs in bulk.
And why? All because the developer assumes a WordPress nonce (a 5-byte, 10 hex character CSRF token) is enough to stop unauthorized callers from running the bulk redirect import functionality. Newsflash: It won’t… A nonce proves that a request came from a page that issued the nonce, not that the requester is allowed to perform the action.
Since this particular instance of the vulnerability has been patched, let’s look at how a hole can be poked in code that relies on nonces to provide “security”. In a blatantly unfortunate way, with disregard for best practices (a series of rants left for another day), the developer decided to allow the import of a bulk redirects export file from any page on the site by hooking their ppr_parse_request_new function to the init hook, which runs on every WordPress request, front end or admin, logged in or not.
add_action( 'init', array( $this, 'ppr_parse_request_new' ) );
So to get execution of the function we merely load up any page. Cool.
The next step is to satisfy the following condition:
elseif( isset( $_POST['import-quick-redrects-file'] ) && isset( $_FILES['qppr_file'] ) )
Easy. And thus, we, as an unauthenticated attacker, meet up against
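To make the point concrete, here is an added example (not the Quick Page/Post Redirect Plugin's own code) that shows the shape criticised above beside a hardened version. The function, option and form-field names (example_import_*, example_redirects, redirects_file, the 'example_import' nonce action) are assumptions for illustration; the hooks and WordPress API functions are real. It runs as a WordPress plugin.

```php
<?php
/**
 * Plugin Name: Redirect Import Hardening (added example)
 *
 * Added example, not the Quick Page/Post Redirect Plugin's code. The first
 * handler reproduces the pattern from the case study: it runs on every
 * request and treats a nonce as if it were authorization. The second shows
 * the fix: a logged-in-only admin endpoint, capability check, then nonce.
 */

defined('ABSPATH') || exit;

/* --- Vulnerable shape: fires on every request, nonce mistaken for authz --- */

add_action('init', 'example_import_vulnerable');
function example_import_vulnerable(): void
{
    if (isset($_POST['import-redirects-file'], $_FILES['redirects_file'])) {
        // A nonce only proves the request came from a page that rendered the
        // nonce. Logged-out visitors receive nonces too (for user ID 0), and
        // nothing here asks whether the caller may manage redirects at all.
        if (wp_verify_nonce($_POST['_wpnonce'] ?? '', 'example_import')) {
            example_apply_redirect_file($_FILES['redirects_file']['tmp_name']);
        }
    }
}

/* --- Hardened shape: dedicated endpoint, capability first, nonce second --- */

// admin_post_{action} fires only for logged-in users; the logged-out variant
// (admin_post_nopriv_{action}) is deliberately not registered.
add_action('admin_post_example_import_redirects', 'example_import_hardened');
function example_import_hardened(): void
{
    // 1. Authorization: who is asking, and may they do this?
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.', 'example'), 403);
    }
    // 2. CSRF protection: the nonce binds this submission to the form and user.
    check_admin_referer('example_import', '_wpnonce');

    // 3. Input validation: a genuine upload, bounded in size (assumed 256 KiB).
    $file = $_FILES['redirects_file'] ?? null;
    if (!$file || !is_uploaded_file($file['tmp_name']) || $file['size'] > 262144) {
        wp_die(esc_html__('Invalid upload.', 'example'), 400);
    }
    example_apply_redirect_file($file['tmp_name']);

    wp_safe_redirect(add_query_arg('imported', '1', admin_url('options-general.php')));
    exit;
}

/** Parse "source<TAB>destination" lines into the (assumed) example_redirects option. */
function example_apply_redirect_file(string $path): int
{
    $rules = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [] as $line) {
        [$from, $to] = array_pad(explode("\t", $line, 2), 2, '');
        $from = '/' . ltrim(sanitize_text_field($from), '/');
        // Restrict the target scheme; whether off-site targets are allowed at
        // all is a policy decision (an open-redirect risk even for admins).
        $to = esc_url_raw($to, ['http', 'https']);
        if ($from !== '/' && $to !== '') {
            $rules[$from] = $to;
        }
    }
    update_option('example_redirects', $rules, false);
    return count($rules);
}
```

The hardened form must be posted to admin-post.php with a hidden `action` field of `example_import_redirects` and a `wp_nonce_field('example_import')` in the form. The order of checks matters: the capability check answers "who", the nonce answers "did they mean it", and neither substitutes for the other.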
Siteground announces free SSL certificates through LetsEncrypt. It may not be ideal for ecommerce purposes but getting more sites on some form of encryption is a great step in the right direction.
In December 2015 the new certificate authority Let’s Encrypt entered Public Beta and caused a wave of excitement. The groundbreaking news meant that website owners can obtain security certificates for their websites for free instead of paying for traditional SSL certificates, and install them much more easily. Naturally, since then many of you have asked us when we would introduce the certificates on our hosting platform. For all of you who have been eagerly awaiting this moment, we are happy to say that Let’s Encrypt certificates are now available at SiteGround!
What you should know about Let’s Encrypt
Let’s Encrypt is a free, automated, and open certificate authority (CA) that issues domain-validated security certificates. The main goal of the project, which SiteGround proudly sponsors, is to make encryption ubiquitous on the web so that all web browsing becomes safer.
The key benefits of the Let’s Encrypt certificates are:
no validation emails are sent
no dedicated IP required (which is extra money)
trusted by all major browsers
How to install Let’s Encrypt at SiteGround
You can install Let’s Encrypt certificates for free through the cPanel of your hosting account.
Not everyone is into WordPress security though many WordPress website owners do want to know more about it. Here is something that is useful to all those who find it hard to understand the lingo and terminology used in WordPress security readings etc.
As a WordPress website owner you have definitely thought about the security of your blogs and websites. Most probably you have also read a few articles about WordPress security, or how to secure your WordPress. Though if WordPress security is not your cup of tea, you may have failed to understand half of the terms used in such documents, and hence could not make sense of it all. Don’t fret. Below is a glossary of WordPress security terminology that explains the terms in very simple words, to help you better understand those security documents.
Also commonly known as an audit log, an audit trail is a security record that is used to keep evidence of a sequence of events. A WordPress audit trail is therefore a log that can contain information on what the WordPress users did, such as when they logged in and from where, what content they changed, which plugins they installed, activated or upgraded, etc. By default WordPress does not keep an audit trail, though you can easily start keeping a record of all WordPress changes in an audit trail with a plugin. There are several benefits to keeping a WordPress audit trail and several regulatory compliance requirements
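As an added example (not taken from any audit-log plugin), the following must-use plugin records the events the glossary entry mentions: logins and failed logins with the source address, and plugin activation or deactivation. The log file name and the field set are assumptions for illustration; the hooks are WordPress's own.

```php
<?php
/**
 * Plugin Name: Minimal Audit Trail (added example)
 *
 * Added example, not any audit-log plugin's code. Drop it into
 * wp-content/mu-plugins/ so it loads before regular plugins and cannot be
 * deactivated from the dashboard. Writes one JSON object per line to the
 * (assumed) file wp-content/audit-trail.log.
 */

defined('ABSPATH') || exit;

function example_audit_write(string $event, array $fields = []): bool
{
    // REMOTE_ADDR is the only address the PHP process can vouch for; trust a
    // forwarded header only when WordPress sits behind a proxy you control.
    $record = array_merge([
        'ts'    => gmdate('c'),
        'event' => $event,
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'uid'   => get_current_user_id(),
    ], $fields);

    // JSON lines are greppable and easy to ship to a SIEM. Keep the file out
    // of the web root or deny HTTP access to it; it names accounts and IPs.
    return (bool) file_put_contents(
        WP_CONTENT_DIR . '/audit-trail.log',
        wp_json_encode($record) . PHP_EOL,
        FILE_APPEND | LOCK_EX
    );
}

// Successful login: the hook passes the login name and the WP_User object.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    example_audit_write('login', ['user' => $user_login, 'uid' => $user->ID]);
}, 10, 2);

// Failed login: record the attempted username, never the submitted password.
// The per-IP counts from these records are what a brute-force view is built on.
add_action('wp_login_failed', function (string $username): void {
    example_audit_write('login_failed', ['user' => $username]);
});

// Plugin state changes: the hook passes the plugin's path relative to plugins/.
add_action('activated_plugin', function (string $plugin): void {
    example_audit_write('plugin_activated', ['plugin' => $plugin]);
});
add_action('deactivated_plugin', function (string $plugin): void {
    example_audit_write('plugin_deactivated', ['plugin' => $plugin]);
});
```

The mu-plugins location matters more than it looks: an attacker who gains an administrator session can deactivate an ordinary logging plugin before doing anything else, whereas a must-use plugin keeps writing until they reach the filesystem.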
I have a feeling we'll end up seeing a lot more REST API vulnerabilities in the future. Just call it a gut feeling.
WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately. In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.
We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.
On January 20th, Sucuri alerted us to a vulnerability discovered by one of their security researchers, Marc-Alexandre Montpas. The security team began assessing the issue and working on solutions. While a first iteration of a fix was created early on, the team felt that more testing was needed.
Meanwhile, Sucuri added rules to their Web Application Firewall (WAF) to block exploit attempts against their clients. This issue was found internally and no