Welcome to ManageWP.org


Security | ithemes.com | Oct. 14, 2016

How to Secure WordPress Quickly and Easily

Simple steps that anyone can do to secure a WordPress site.

Knowing how to secure WordPress is one of the most important components of keeping your site safe and protected from hacks. In this post, we cover five quick and easy tips you can use today to secure your WordPress site.
How to Secure WordPress: 5 WordPress Security Tips
1. Delete your “admin” user.
The username “admin” was the default created by older WordPress installers, so it is well known: an attacker who tries it already has half of the credential pair and only needs to guess the password.
To remove the admin user, follow these steps:
Create a new user for yourself. Pick a username that is unique, to make it harder for someone to guess. (When choosing it, also consider how you want your name displayed on the front end of your site. If your name is John and that is how it appears on your posts, using “John” as your username would not be a good idea. Usernames are not secret in WordPress in any case, so a unique name only raises the bar; the strong password in the next step is what really matters.)
Make sure you create a strong password for this user and set the role to Administrator.
Once you’ve

5 min read Robert Abela
Security | wpwhitesecurity.com | Jul. 27, 2016

Crunching the Numbers - How Insecure WordPress Is?

WordPress has a reputation for being insecure software, mainly because of the number of vulnerabilities reported in the last few years. But how does it fare, security-wise, when compared to other software typically used in web environments?

Since the beginning of WordPress, security researchers and developers have found a great many vulnerabilities in both the WordPress core and in many WordPress plugins and themes. These vulnerabilities have to some extent damaged WordPress’ reputation, and are one of the main reasons why many shy away from using WordPress for their websites. Those who do not use WordPress are led, or rather misled, to believe that WordPress is insecure. And those who use WordPress are told to use as few plugins as possible so that their website is not vulnerable to some zero-day exploit a script kiddie discovered.
Are WordPress and its ecosystem of plugins and themes really as bad as their reputation? What about the other software ecosystems: don’t they have the same problem? What about Joomla!, Drupal and other software typically used in web hosting? Let’s dig into the history of some of the most popular software used in web hosting to better understand whether the WordPress project is really in bad shape from the security point of view.
What is a WordPress Core or WordPress Plugin Vulnerability?
First things first, for those who do not know a WordPress

2 min read Hesham
Security | wordpress.org | Jul. 23, 2015

WordPress 4.2.3 Security and Maintenance Release

WordPress 4.2.3 has been released and is now available at WordPress.org. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress 4.2.3 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.2.2 and earlier are affected by a critical cross-site scripting vulnerability, which could allow anonymous users to compromise a site. This was reported by Jon Cave of the WordPress Security Team, and fixed by Robert Chapin.
We also fixed an issue where it was possible for a user with Subscriber permissions to create a draft through Quick Draft. Reported by Netanel Rubin from Check Point Software Technologies.
Our thanks to those who have practiced responsible disclosure of security issues.
WordPress 4.2.3 also contains fixes for 20 bugs from 4.2. For more information, see the release notes or consult the list of changes.
Download WordPress 4.2.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.2.3.
Thanks to everyone who contributed to 4.2.3:

Security | secupress.me | Jun. 6, 2016

Jetpack 4.0.3 Security Patch

Jetpack 4.0.3 just fixed a security flaw which allows a visitor to insert a shortcode containing HTML attributes that are usually forbidden.

Jetpack 4.0.3 just fixed a stored cross-site scripting (XSS) flaw. It allows a visitor to insert a shortcode containing HTML attributes that are normally forbidden.
The vulnerability
According to Sam Hotchkiss, a member of the Jetpack development team, the XSS vulnerability lies in Jetpack’s own shortcode parsing code. An attacker could add JavaScript to a comment on your site and have it run in your visitors’ browsers.
The vulnerability has been patched, but keep in mind that every release from Jetpack 2.0 (November 2012) up to, but not including, 4.0.3 is affected.
There is currently no way to know whether this has already been used to compromise websites, but now that the flaw has been disclosed it is only a matter of time.
Some technical detail
If you like the technical side, here is the vulnerable code (with the code comments removed):
function vimeo_link( $content ) {
	// Matches "[vimeo", whitespace, then ANY run of non-digit characters
	// (quotes, '<', '>' and '=' included), then the numeric ID, then "]".
	$shortcode = "(?:\[vimeo\s+[^0-9]*)([0-9]+)(?:\])";

	// Matches a bare vimeo.com URL: again ANY run of non-digit characters
	// between "vimeo.com" and the numeric ID.
	$plain_url = "(?:[^'\">]?\/?(?:https?:\/\/)?vimeo\.com[^0-9]+)([0-9]+)(?:[^'\"0-9<]|$)";

	// Every match of either pattern is handed to vimeo_link_callback(),
	// which is not shown here.
	return preg_replace_callback(
		sprintf( '#%s|%s#i', $shortcode, $plain_url ),
		'vimeo_link_callback',
		$content
	);
}
The patch added
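To make the permissive character class concrete, here is an added example that is not Jetpack’s code and does not reproduce the 4.0.3 patch (the description of the patch on this page is cut off). It runs the two patterns from vimeo_link() above over constructed inputs and contrasts them with a stricter pattern of my own; the sample inputs and the strict grammar are assumptions.

```php
<?php
// Added example, not Jetpack's code and not the 4.0.3 patch. It runs the two
// patterns from the vulnerable vimeo_link() over constructed inputs and
// contrasts them with a stricter, hypothetical grammar that accepts only
// "[vimeo <id>]" or "[vimeo https://vimeo.com/<id>]".

// The two sub-patterns exactly as vimeo_link() builds them.
const LOOSE_SHORTCODE = '(?:\[vimeo\s+[^0-9]*)([0-9]+)(?:\])';
const LOOSE_PLAIN_URL = '(?:[^\'">]?\/?(?:https?:\/\/)?vimeo\.com[^0-9]+)([0-9]+)(?:[^\'"0-9<]|$)';

// Hypothetical strict grammar: shortcode name, optional vimeo.com URL prefix,
// numeric ID, closing bracket, and nothing else in between.
const STRICT_SHORTCODE = '\[vimeo\s+(?:https?://vimeo\.com/)?([0-9]+)\s*\]';

/**
 * Mimics only the matching step of vimeo_link(). Returns the full matched text
 * and the captured ID, or null. Note that 'matched' carries everything the
 * negated class [^0-9]* swallowed.
 */
function match_loose( string $text ): ?array {
    if ( ! preg_match( '#' . LOOSE_SHORTCODE . '|' . LOOSE_PLAIN_URL . '#i', $text, $m ) ) {
        return null;
    }
    // Group 1 belongs to the shortcode alternative, group 2 to the URL one.
    $id = ( isset( $m[1] ) && $m[1] !== '' ) ? $m[1] : ( $m[2] ?? '' );
    return [ 'matched' => $m[0], 'id' => $id ];
}

function match_strict( string $text ): ?array {
    if ( ! preg_match( '#' . STRICT_SHORTCODE . '#i', $text, $m ) ) {
        return null;
    }
    return [ 'matched' => $m[0], 'id' => $m[1] ];
}

// Constructed comment bodies. The third contains no HTML tags, so it survives
// comment filtering as plain text, yet the loose pattern still matches it and
// hands the attacker-controlled text to the callback.
$samples = [
    '[vimeo 12345]',
    '[vimeo https://vimeo.com/12345]',
    '[vimeo onerror="x" foo=\'bar\' 12345]',
    'Watch https://vimeo.com/12345 later',
];

foreach ( $samples as $s ) {
    $loose  = match_loose( $s );
    $strict = match_strict( $s );
    printf(
        "%-40s loose: %-9s strict: %s\n",
        $s,
        $loose  ? 'id=' . $loose['id']  : 'no match',
        $strict ? 'id=' . $strict['id'] : 'no match'
    );
}
```

Run it with the php command-line binary. The first two inputs match under both patterns. The third, which passes comment filtering as plain text, still matches the loose pattern with the injected attributes inside the matched text, while the strict pattern refuses it. The fourth is a bare URL, which the loose pattern handles by design and which a strict shortcode grammar would leave to a separate URL-only rule. What vimeo_link_callback() did with the matched text is not shown on this page; the point here is that accepting only the grammar you can safely use is the first line of defence.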

Security | blog.cinu.pl | Nov. 24, 2015

10% of top 1,000 WordPress plugins have a security vulnerability

10% of top 1000 plugins have an unpatched security vulnerability, spanning over 4,000,000 installs. I hope Marcin can open-source his tool and that it can become a part of the plugin screening process at wordpress.org.

░▒▓█ Introduction
I've been writing a PHP static code analysis tool for a while, and a few months ago I ran it against roughly 1,000 of the top WordPress plugins.
The scan results were manually verified in my spare time and delivered to the official plugins@wordpress.org address between 04.07.2015 and 31.08.2015. Most of the reported plugins have already been patched; some have not. Plugins that are vulnerable and not patched have been removed from the official WordPress plugin repository.
░▒▓█ Results
103 plugins vulnerable, with more than 4,000,000 active installations in total (~30,000,000 downloads)
List of reported plugins (the original reports contain verification/reproduction sections and URLs to the plugins' entries in the WordPress repository, where you can also verify the changelog):
Cross-Site Scripting (XSS) in Duplicator 0.5.24 [original report - Sat, 15 Aug 2015]
Cross-Site Scripting (XSS) in All In One WP Security 3.9.7 [original report - Thu, 13 Aug 2015]
Cross-Site Scripting (XSS) in AddThis 5.0.12 [original report - Tue, 11 Aug 2015]
Cross-Site Scripting (XSS) in Display Widgets 2.03 [original report - Tue, 11 Aug 2015]
Blind SQL injection in Pretty Link Lite 1.6.7 [original report - Wed, 8 Jul 2015]
Blind SQL injection in WP Statistics

9 min read Donna Cavalier
Security | hermesthemes.com | Feb. 25, 2016

SCAM ALERT: How HostGator Attempted To Extort >$200 Out of Me for SiteLock

Interesting story. Sounds like something someone should actually dig in and test, undercover of course. Sounds like some lawsuits might be in line. EIG takedown, anyone?

This will be a longer article explaining a common SCAM that was reported numerous times for multiple hosting providers. Even if you are not hosted with HostGator you still might want to read about it, for the future safety of your wallet. The short version of the story is at the bottom of the page. I have been a loyal customer of HostGator since at least 2005. Even after they were bought out by EIG back in 2014, even after their support and customer service started going downhill rapidly, I still decided to stick with them. At the time of writing this I have 3 separate accounts with them (2 shared + 1 VPS) and I pay around $875 / year for their services.
The HostGator + SiteLock SCAM
It all happened yesterday, 23/02/2016. At 17:37 I got an email from HostGator informing me that my account had been suspended because it was distributing malware, and that I should immediately take measures to resolve this issue.
Our Abuse department has received a report regarding malware being hosted on an account under your control. We have disabled site access for your account to prevent further complaints, and have provided a list of the reported content. Note that the below content is not a comprehensive

Security | codeseekah.com | Jan. 21, 2016

WordPress Nonce Vulnerabilities

A case study of how WordPress nonces are being misused for security out in the wild.

Quick Page/Post Redirect Plugin: A Case Study
Quick Page/Post Redirect Plugin has 200,000+ active installs, with version 5.1.5 and older vulnerable to an attacker setting redirects to arbitrary URLs in bulk.
And why? All because the developer thinks a 5-byte WordPress nonce will stop the bulk redirect import functionality from running. Newsflash: it won’t.
Since this particular instance of the vulnerability has been patched, let’s look at how a hole can be poked in code that relies on nonces to provide “security”. With disregard for best practices (a series of rants left for another day), the developer allows a bulk redirects export file to be imported from any page on the site by hooking their ppr_parse_request_new function to the init action, which runs on practically every request WordPress handles:
add_action( 'init', array( $this, 'ppr_parse_request_new' ) );
So to get the function to execute we merely load any page. Cool.
The next step is to satisfy the following condition:
elseif( isset( $_POST['import-quick-redrects-file'] ) && isset( $_FILES['qppr_file'] ) )
Easy. And thus, we, as an unauthenticated attacker, meet up against
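The post’s underlying point is that a nonce proves only that a request carries a token the site handed out for an action, not who is making the request, so it cannot stand in for an authorisation check. The following is an added example, not the Quick Page/Post Redirect plugin’s code: a minimal must-use plugin, assumed to run inside WordPress, with the pattern the post criticises beside a hardened form. Function, hook, field and option names are hypothetical, as is the CSV format.

```php
<?php
// Added example: not the Quick Page/Post Redirect plugin's code. A minimal
// must-use plugin (wp-content/mu-plugins/) assumed to run inside WordPress.
// Function, hook, field and option names are hypothetical.

/**
 * BEFORE (the pattern the post criticises, left unhooked here): attached to
 * `init` it would run on every request, for logged-out visitors too. A nonce
 * check only proves the request carries a token the site issued for this
 * action; it says nothing about who is acting. For a logged-out visitor the
 * nonce is computed for user 0, so any visitor who can obtain one (a public
 * form that prints it, for instance) satisfies the check.
 */
function example_import_insecure() {
    if ( ! isset( $_POST['example-import'], $_FILES['example_file'] ) ) {
        return;
    }
    if ( ! wp_verify_nonce( $_POST['example_nonce'] ?? '', 'example-import' ) ) {
        return;
    }
    example_apply_redirects( $_FILES['example_file']['tmp_name'] );
}
// add_action( 'init', 'example_import_insecure' );   // what the vulnerable plugin did

/**
 * AFTER: only in the admin, capability first (the authorisation), then the
 * nonce (the CSRF defence), then sanity checks on the upload. The form side
 * emits the token with wp_nonce_field( 'example-import', 'example_nonce' ).
 */
function example_import_hardened() {
    if ( ! isset( $_POST['example-import'], $_FILES['example_file'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to import redirects.', 403 );
    }
    check_admin_referer( 'example-import', 'example_nonce' ); // dies on a bad or missing nonce

    $file = $_FILES['example_file'];
    if ( $file['error'] !== UPLOAD_ERR_OK || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_die( 'Upload failed.', 400 );
    }
    example_apply_redirects( $file['tmp_name'] );
}
add_action( 'admin_init', 'example_import_hardened' );

/**
 * Parses a "source,target" CSV (format assumed for this example) and stores
 * only rows with a site-relative source and an http(s) target. Returns the
 * number of redirects stored.
 */
function example_apply_redirects( string $path ): int {
    $stored = [];
    $lines  = file( $path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) ?: [];
    foreach ( $lines as $line ) {
        [ $from, $to ] = array_pad( array_map( 'trim', explode( ',', $line, 2 ) ), 2, '' );
        $from = sanitize_text_field( $from );
        $to   = esc_url_raw( $to, [ 'http', 'https' ] ); // '' for javascript:, data:, etc.
        if ( $from === '' || $to === '' || $from[0] !== '/' ) {
            continue;
        }
        $stored[ $from ] = $to;
    }
    update_option( 'example_redirects', $stored );
    return count( $stored );
}
```

The order in the hardened handler matters: the capability check answers “may this user do this at all?”, the nonce answers “did this user intend this request?”, and neither can answer the other’s question.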

4 min read Joe Casabona
Security | wpinonemonth.com | Sep. 21, 2017

Explaining WordPress Security Issues to Your Clients

Security has been on the minds of many lately, with Equifax, CCleaner, and Display Widgets all happening within the last 10 days or so. So what do you do when your client asks you about security in WordPress?

Security has been on the minds of a lot of people lately. Most prominently there’s the Equifax news. But a story about CCleaner broke today, the Display Widgets plugin for WordPress was compromised and subsequently banned from the WordPress Plugin Repository, and there have been many high-profile security issues in the last few years. To compound the issue, you have organizations like Equifax using WordPress for parts of their online presence and then blaming open source software’s shoddy security. This could lead our clients to ask: are there security issues with WordPress? How should we handle that?
There are Security Issues with all Software
The most important thing to remember is that this can and does happen to anyone. It’s not specifically a WordPress problem. For example, CCleaner is specifically a Windows application.
WordPress is software that runs on millions of websites, and updates to those websites are not applied consistently (another common software problem). So yes, there are security issues with WordPress, as there are with everything. But that’s not exactly what you should tell your clients to put them at ease, or to sell them on a new project.
The

15 min read Alex Denning
Security | wpshout.com | Oct. 19, 2017

Preventing XSS Attacks in WordPress: Complete Guide to Validating, Sanitizing, and Escaping Data

Really interesting from David on WPShout, on how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress.

When it comes to making your WordPress site secure as a developer, probably the most impactful thing you can do is to always clean up the data you get from users. That generally means two things: validating or sanitizing it on the way into your system, and escaping it on the way out. In a recent survey of disclosed vulnerabilities in WordPress core, plugins, and themes that I did for WordPress Security with Confidence (my new course on WordPress security, launching next month), the most common type of vulnerability (about 33%) was cross-site scripting. Cross-site scripting vulnerabilities (often abbreviated XSS) are those where you make it possible for an attacker to run unauthorized JavaScript on your pages, because you failed to escape or sanitize something in your application’s data flow.
Today we’re going to cover how cross-site scripting is dangerous, and how to do validation, sanitization, and escaping in WordPress. But before we do, you can sign up to get a really interesting video from the course, which shows me executing an actual XSS attack on a WordPress site – thus showing why they’re important, and how to protect yourself against
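As an added example that is not part of the WPShout article or its course, here is a small settings feature assumed to run inside WordPress that applies the two halves of the rule above: validate and sanitize on the way in, escape for the specific output context on the way out. The option, field and shortcode names are hypothetical.

```php
<?php
// Added example, not code from the WPShout article or its course. Assumed to
// run inside WordPress (e.g. as a must-use plugin). Option, field and
// shortcode names are hypothetical.

const EXAMPLE_BANNER_OPTION = 'example_banner';

/**
 * Way in: validate and sanitise each field according to what it is supposed
 * to hold. Runs as the option's sanitize_callback, i.e. on every save.
 */
function example_sanitize_banner( $input ): array {
    $input = is_array( $input ) ? $input : [];
    return [
        'title' => sanitize_text_field( $input['title'] ?? '' ),             // plain text only
        'link'  => esc_url_raw( $input['link'] ?? '', [ 'http', 'https' ] ), // http(s) URL; javascript: becomes ''
        'width' => min( 1200, max( 100, absint( $input['width'] ?? 300 ) ) ), // integer within a sane range
        'body'  => wp_kses_post( $input['body'] ?? '' ),                     // HTML reduced to the post allow-list
    ];
}

add_action( 'admin_init', function () {
    register_setting( 'example_group', EXAMPLE_BANNER_OPTION, [
        'type'              => 'array',
        'sanitize_callback' => 'example_sanitize_banner',
        'default'           => [],
    ] );
} );

/**
 * Way out: escape for the exact context each value lands in. This is done
 * even though the data was sanitised on save, because other code (imports,
 * direct database edits, older plugin versions) can put anything in the option.
 */
function example_render_banner(): string {
    $b     = (array) get_option( EXAMPLE_BANNER_OPTION, [] );
    $title = (string) ( $b['title'] ?? '' );

    $html  = '<div class="example-banner" style="width:' . absint( $b['width'] ?? 300 ) . 'px">'; // integer after the cast
    $html .= '<h2>' . esc_html( $title ) . '</h2>';                                                // HTML text node
    $html .= '<a href="' . esc_url( $b['link'] ?? '' ) . '" title="' . esc_attr( $title ) . '">';   // URL attribute, plain attribute
    $html .= esc_html__( 'Learn more', 'example' ) . '</a>';
    $html .= wp_kses_post( $b['body'] ?? '' );                                                      // allowed HTML only
    $html .= '</div>';
    return $html;
}
add_shortcode( 'example_banner', 'example_render_banner' );

/**
 * JavaScript context: hand data to scripts as JSON with < > and & encoded, so
 * a title such as </script><script>... cannot terminate the script element.
 */
add_action( 'wp_footer', function () {
    $b = (array) get_option( EXAMPLE_BANNER_OPTION, [] );
    echo '<script>var exampleBanner = '
        . wp_json_encode( [ 'title' => (string) ( $b['title'] ?? '' ) ], JSON_HEX_TAG | JSON_HEX_AMP )
        . ';</script>';
} );
```

Each escaping call is chosen by where the value lands (text node, attribute, URL attribute, allowed HTML, script), never by where it came from; a value that is safe in one context is not automatically safe in another, which is why sanitizing on save does not remove the need to escape on output.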

3 min read Donna Cavalier
Security | wordpress.org | Sep. 22, 2017

New Owner Adds Malicious Code to Fast Secure Contact Form Plugin

Once again, another plugin has been purchased from the original owner, and the new owner has dropped malicious code into it. The plugin has been pulled from the repo, but as usual, if you are using this plugin, you won't be notified that it is f*#ked up! Hope you see this and delete it if you use it.

I am the original author of Fast Secure Contact Form. This plugin had a new owner in June 2017 with a WP user profile name “fastsecure”. The new owner attempted to put code in several of his newly acquired WordPress plugins that would connect to a 3rd party server he also owned and place spam ads for payday loans and such in the WP posts. The new owner put spam code in versions 4.0.52, 4.0.53, 4.0.54 and 4.0.55 but it failed to display any spam because he put the code in the secureimage.php file. The malicious code required WordPress libraries to also be loaded to execute. The reason the spam code did not do anything at all is because the secureimage.php file is not included in the WordPress run time environment. The secureimage.php file is included from another file securimage_show.php that loads the captcha image directly from html img src outside of the WordPress run time. The spam code in this plugin was never activated, it would not have corrupted your posts or changed anything in the WordPress database. I am sorry for any inconvenience this has caused. The plugin was taken off the WordPress repository by WordPress staff until this can be sorted out. Perhaps a new version

3 min read Donna Cavalier
Security | wptavern.com | Apr. 27, 2015

Zero Day XSS Vulnerability in WordPress 4.2 Currently Being Patched

Duck and cover! We're patchless and vulnerable! Shut your comments off!

Klikki Oy is reporting a new XSS vulnerability in comments in WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3, which allows an unauthenticated attacker to inject JavaScript into comments. If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.
Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.
This particular vulnerability is similar to one reported by Cedric Van Bockhaven in 2014, which was patched in the most recent WordPress 4.1.2 security release. That particular vulnerability was related to four-byte characters being inserted into comments, causing premature truncation by MySQL.
In this instance, an attacker posts an excessively long comment in order to trigger the MySQL TEXT type size limit, which truncates the comment as it is inserted into the database.
The truncation results in malformed HTML generated on the page. The attacker can supply any attributes in the allowed HTML tags, in the same way as with the two recently

3 min read Donna Cavalier
Security | wordpress.org | Mar. 6, 2017

WordPress 4.7.3 Security and Maintenance Release

Quite a few security issues fixed in this one, yikes.

WordPress 4.7.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.2 and earlier are affected by six security issues:
Cross-site scripting (XSS) via media file metadata. Reported by Chris Andrè Dale, Yorick Koster, and Simon P. Briggs.
Control characters can trick redirect URL validation. Reported by Daniel Chatfield.
Unintended files can be deleted by administrators using the plugin deletion functionality. Reported by xuliang.
Cross-site scripting (XSS) via video URL in YouTube embeds. Reported by Daniel Cid.
Cross-site scripting (XSS) via taxonomy term names. Reported by Delta.
Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources. Reported by Sipke Mellema.
Thank you to the reporters for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
Download WordPress 4.7.3 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that

9 min read Donna Cavalier
Security | wordfence.com | Feb. 24, 2017

Cloudflare Data Leak: How to Secure Your Site

While much of this is a rehash of everything we have already seen covered, it does mention a way to search google to see if your site might have been affected. So...worth it for that I guess.

Cloudflare has experienced a data leak over a 5 month period that mixed sensitive data between websites and visitors. A visitor to one website using Cloudflare may have seen data from another website using Cloudflare that was being sent to a completely different site visitor. Some of the leaked data has been indexed by search engines who have been working over the past few days to try and remove the data from their caches.
In this post I am going to explain in simple terms, what occurred and what you need to do about it.
If you are a WordPress user and simply want to know how to secure your site, you can skip to the What Should I Do section below. I have included some information for non-WordPress site owners in that section too.
Cloudflare provides a firewall and content distribution service. Their servers are between your website visitors and your own web server.
Under normal circumstances, Cloudflare returns the data each site visitor requested to that visitor. This may be public or sometimes private information and it is usually done over a secure channel. Each website visitor only sees the data they requested.
From September 22nd, 2016 until February 18th 2017 (last Saturday),

Security | blog.sucuri.net | Feb. 1, 2017

Content Injection Vulnerability in WordPress 4.7 and 4.7.1

This covers more details about the security vulnerabilities in WordPress 4.7 & 4.7.1 that just got fixed in 4.7.2. Here it comes from Sucuri, who contributed to this finding and did a solid responsible disclosure.

Security Risk: Severe
Exploitation Level: Easy/Remote
DREAD Score: 9/10
Vulnerability: Privilege Escalation / Content Injection
Patched Version: 4.7.2
As part of a vulnerability research project for our Sucuri Firewall (WAF), we have been auditing multiple open source projects looking for security issues. While working on WordPress, we discovered a severe content injection (privilege escalation) vulnerability affecting the REST API. This vulnerability allows an unauthenticated user to modify the content of any post or page within a WordPress site.
We disclosed the vulnerability to the WordPress Security Team who handled it extremely well. They worked closely with us to coordinate the disclosure timeline and get as many hosts and security providers aware and patched before this became public.
A fix for this was silently included on version 4.7.2 along with other less severe issues. This was done intentionally to give everyone time to patch. We are now disclosing the details because we feel there has been enough time for most WordPress users to update their sites.
Are You At Risk?
This privilege escalation vulnerability affects the WordPress REST API that was recently added and enabled

3 min read David Bisset
Security | en.blog.wordpress.com | Apr. 8, 2016

HTTPS Everywhere: Encryption for All WordPress.com Sites

Free HTTPS for all custom domains on .com via Let’s Encrypt project.

Today we are excited to announce free HTTPS for all custom domains hosted on WordPress.com. This brings the security and performance of modern encryption to every blog and website we host. Best of all, the changes are automatic — you won’t need to do a thing.
As the EFF points out as part of their Encrypt the Web initiative, strong encryption protects our users in various ways, including defending against surveillance of content and communications, cookie theft, account hijacking, and other web security flaws.
WordPress.com has supported encryption for sites using WordPress.com subdomains (like https://barry.wordpress.com/) since 2014. Our latest efforts now expand encryption to the million-plus custom domains (like automattic.com) hosted on WordPress.com.
The Let’s Encrypt project gave us an efficient and automated way to provide SSL certificates for a large number of domains. We launched the first batch of certificates in January 2016 and immediately started working with Let’s Encrypt to make the process smoother for our massive and growing list of domains.
For you, the users, that means you’ll see secure encryption automatically deployed on every new site within minutes. We are

4 min read Donna Cavalier
Security | make.wordpress.org | Feb. 1, 2017

Disclosure of Additional Security Fix in WordPress 4.7.2 (besides the 3 we knew about)

I have a feeling we'll end up seeing a lot more REST API vulnerabilities in the future. Just call it a gut feeling.

WordPress 4.7.2 was released last Thursday, January 26th. If you have not already updated, please do so immediately. In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed. There was an Unauthenticated Privilege Escalation Vulnerability in a REST API Endpoint. Previous versions of WordPress, even with the REST API Plugin, were never vulnerable to this.
We believe transparency is in the public’s best interest. It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.
On January 20th, Sucuri alerted us to a vulnerability discovered by one of their security researchers, Marc-Alexandre Montpas. The security team began assessing the issue and working on solutions. While a first iteration of a fix was created early on, the team felt that more testing was needed.
Meanwhile, Sucuri added rules to their Web Application Firewall (WAF) to block exploit attempts against their clients. This issue was found internally and no

2 min read Donna Cavalier
Security | blog.handbuilt.co | Feb. 12, 2016

Bluehost Develops Open Source Script To Update Two Million WordPress Sites

This rocks. Wasn't a fan of bluehost before, and probably still won't ever use them, but this ... this is very cool, and will make a very real difference. Good job, Bluehost.

After determining that a significant number of customers were running outdated versions of WordPress, Bluehost’s development team created a unique Perl script utilizing WP-CLI (WordPress-Command Line Interface) and custom code to update WordPress sites going back to version 1.0.2. Bluehost completed exhaustive tests and reviews to ensure the script resulted in minimal disruptions or site downtime. In this impressive undertaking, 99% of WordPress sites on Bluehost’s platform were upgraded successfully with fewer than 0.007% of customers reporting any issues. Since implementation, the company has seen a significant 18% reduction in technical support requests relating to WordPress. Bluehost has further implemented this new technology to continually update WordPress websites to ensure customers on its platform enjoy the security of an up-to-date WordPress site going forward.

Security | wordfence.com | Feb. 17, 2016

6 Million Password Attacks in 16 Hours and How to Block Them

"During 16 hour window we saw a total of 6,611,909 attacks targeting 72,532 individual websites. We saw attacks during this time from 8,941 unique IP addresses and the average number of attacks per victim website was 6.26."

Last week in the President’s cyber security op-ed in the Wall Street Journal he implored Americans to move beyond simple passwords and to enable two factor authentication or cellphone sign-in. One of the things we monitor at Wordfence is the number of brute force attacks on WordPress websites. Brute force attacks are password guessing attacks, where an attacker tries to sign in as you by guessing your password.
To give you an idea of the level of attacks in the wild, we gathered data on brute force attacks across the sites we protect within a 16-hour window starting Sunday until Monday (yesterday) at 2pm Pacific time.
Here are the highlights. Remember, this is only over a 16 hour window which is relatively short.
During this time we saw a total of 6,611,909 attacks targeting 72,532 individual websites. We saw attacks during this time from 8,941 unique IP addresses and the average number of attacks per victim website was 6.26.
The total number of attacking IP’s was actually 55,391 but we only counted IP’s that generated more than 10 failed logins across all sites. That way we excluded accidental login failures.
So where are these attacks coming from? The results are not what you would
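The post’s own method of separating attackers from typos (only addresses with more than 10 failed logins are counted) maps directly onto a throttle. The following is an added example, not Wordfence’s code: a must-use plugin assumed to run inside WordPress that counts failures per source address and refuses further authentication once that threshold is passed. Threshold, lock window and key names are my own.

```php
<?php
// Added example, not Wordfence's code: a must-use plugin assumed to run inside
// WordPress. It applies the post's own cut-off (more than 10 failures from one
// address is an attack, not a typo) as a login throttle. Threshold, window and
// key names are my own.

define( 'EXAMPLE_MAX_FAILURES', 10 );
define( 'EXAMPLE_LOCK_WINDOW', 15 * MINUTE_IN_SECONDS );

/**
 * Source address of the current request. Behind a reverse proxy or CDN,
 * REMOTE_ADDR is the proxy; in that case trust the proxy's forwarded header,
 * but only when the request really came from a known proxy address. Kept as
 * plain REMOTE_ADDR here on purpose.
 */
function example_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function example_failure_key( string $ip ): string {
    return 'example_login_fail_' . md5( $ip );
}

// Count a failure. Transients expire on their own, so the counter resets after
// EXAMPLE_LOCK_WINDOW seconds of quiet from that address.
add_action( 'wp_login_failed', function ( $username ) {
    $key = example_failure_key( example_client_ip() );
    set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOCK_WINDOW );
} );

// Clear the counter on success so a user who mistyped twice is not locked out later.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( example_failure_key( example_client_ip() ) );
} );

// Refuse to authenticate once the threshold is passed. Priority 30 runs after
// core's username/password and email/password checks (priority 20), so the
// error returned here is what the caller sees even when the guess was right.
// wp_authenticate() fires wp_login_failed for this error too, which keeps the
// lock alive while the guessing continues.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // not a credential login (e.g. cookie re-check); nothing to throttle
    }
    $count = (int) get_transient( example_failure_key( example_client_ip() ) );
    if ( $count > EXAMPLE_MAX_FAILURES ) {
        return new WP_Error(
            'example_too_many_attempts',
            sprintf(
                'Too many failed login attempts from your address. Try again in %d minutes.',
                EXAMPLE_LOCK_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 30, 3 );
```

Every path that goes through wp_authenticate() (the login form, XML-RPC, anything calling wp_signon()) reaches the same filter, so they are throttled alike. Two caveats follow from the post’s own numbers: the attacks came from thousands of addresses, so a per-IP counter slows a distributed campaign rather than stopping it, which is why the post opens with two-factor authentication and strong passwords; and on a site fronted by a CDN every failure would be attributed to the CDN’s address unless example_client_ip() is adapted as its comment describes.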

Security | wptavern.com | Sep. 23, 2016

ManageWP Launches Automated Security Scanning

ManageWP keeps getting better and pulling out new services to its Orion Platform. Raising the bar...

2 min read Donna Cavalier
Security | wordpress.org | May. 17, 2017

WordPress 4.7.5 Security and Maintenance Release

Release notes are out, and this release fixes 6 security issues.

WordPress 4.7.5 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. WordPress versions 4.7.4 and earlier are affected by six security issues:
Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
A cross-site request forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
Thank you to the reporters of these issues for practicing responsible disclosure.
In addition to the security issues above, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.
Download WordPress

2 min read Omaar Osmaan
Security | wptavern.com | Dec. 10, 2015

WP Engine Security Breach: Customer Credentials Exposed

BREAKING: Security breach at WP Engine. Their customers received an urgent notification in their inboxes Wednesday evening regarding a security breach. If you have accounts with them, update your passwords immediately, and take other measures to keep yourself safe!

WP Engine customers received an urgent notification in their inboxes Wednesday evening regarding a security breach:
At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.
WP Engine currently has no evidence that customer information was used inappropriately but has invalidated customer passwords as a precaution. The following five passwords associated with customer accounts will have to be reset:
WP Engine User Portal
WordPress Database
SFTP
Original WP-Admin Account
Password Protected Installs and Transferable Installs
The notice states that WP Engine is taking immediate action on their end but does not include any details. The company apologized for the inconvenience of having to invalidate all customer passwords.
Customers took to Twitter to express frustration and bemoaned the host’s lack of two-factor authentication.
@wpengine What's with the lack of 2FA?
— Jordan Felle (@jordanfelle) December 10, 2015
Representatives from WP Engine were not able to comment

6 min read Ryan Love
Security | wptavern.com | Jul. 25, 2015

Plugin Developers Demand a Better Security Release Process After WordPress 4.2.3 Breaks Thousands of Websites

Whilst the latest update was important, it wasn't without its problems. "User confidence in WordPress’ automatic background updates took a dent with the 4.2.3 release." The update makes changes to the shortcode API which cause a lot of problems.

WordPress 4.2.3, a critical security release, was automatically pushed out to users yesterday to fix an XSS vulnerability. Shortly afterwards, the WordPress.org support forums were flooded with reports of websites broken by the update. Roughly eight hours later Robert Chapin (@miqrogroove) published a post to the Make.WordPress.org/Core blog, detailing changes to the Shortcode API that were included in the release. According to Chapin, these changes were necessary as part of the security fix:
Due to the nature of the fix – as is often the case with security fixes – we were unable to alert plugin authors ahead of time, however we did make efforts to scan the plugin directory for plugins that may have been affected.
With this change, every effort has been made to preserve all of the core features of the Shortcode API. That said, there are some new limitations that affect some rare uses of shortcodes.
The security team had no reasonable way of accounting for every single edge case, but the negative impact of these changes was far more wide-reaching than they had anticipated. This particular use case likely wasn’t covered in their testing. Unfortunately, plugin developers found out about

4 min read Donna Cavalier
Security | wptavern.com | Feb. 14, 2017

Why Plugins Sometimes Disappear From the WordPress Plugin Directory

This is NOT a good enough answer! This is important and should not be pushed under the rug.

Nearly 50K publicly available plugins call the WordPress plugin directory home, but once in a while a few of them seem to disappear. There is usually a good reason for why this happens, but the only information available to the public is a page that says the plugin cannot be found. If the plugin is popular enough, concerned users will contact us and ask us to investigate what happened. Mika Epstein, Plugin Directory Representative, says there are a number of reasons why a plugin can end up hidden from view. “The most well-known, but not the most common, is security issues,” Epstein said.
“Plugins are removed and, by default, hidden mostly because we’re on bbPress 1.0 and there is not as granular a control with post statuses when compared to WordPress itself.”
The plugin review team has three options to choose from when altering a plugin’s visibility: active, closed, and disabled. Although rarely used, when a plugin is disabled, it is hidden from view but updates can still be pushed out.
I asked Epstein why there’s not more detailed information when a plugin is hidden and the answer is complex, “The lack of information is partly technical

5 min read Donna Cavalier
Security | wordfence.com | Dec. 27, 2016

Critical Vulnerability in PHPMailer. Affects WP Core.

I know it says not to panic, but my tummy took a tumble when reading this one. Hey, I'm not immune to fear. :)

A critical remote code execution vulnerability in PHPMailer has been discovered by Polish researcher Dawid Golunski. The vulnerability was announced on legalhackers.com yesterday, but proof of concept exploit details were not included. Unfortunately, someone posted a proof of concept to exploit-db and to github a few hours ago demonstrating how the vulnerability can be exploited in the PHPMailer library, but not targeting any web application that is in use.
We are publishing this unscheduled update to give PHP developers and our community advance warning of this issue. We expect this story to continue to evolve rapidly as more developers and malicious actors look at this code.
PHPMailer is used by WordPress core to send email. You can find the code in the wp-includes/class-smtp.php core file.
Don’t Panic
NOTE: There is no known exploit publicly available for WordPress core or any WordPress theme or plugin at this time. The only exploit we have seen is where a researcher has built their own application and then exploited it, demonstrating the existence of this vulnerability in PHPMailer. (Details below)
Please don’t contact the WordPress core team, WordPress forum moderators