Welcome to ManageWP.org


Community | secupress.me | Sep. 23, 2016

W3 Total Cache Vulnerable to XSS – High Risk

Since 22th September, W3 Total Cache is vulnerable to XSS, at a High Risk level. Discover how you can be a target and what will happen to the plugin.

W3 Total Cache, aka W3TC, is a famous caching plugin, created in 2009 by Frederick Townes. W3TC is known by everyone in the WordPress community and it’s a recommended plugin: it’s always in the top 5 caching plugins, always in good posts about performance, and even in books.
W3TC and Durability
A few months ago, in March 2016, Frederick had to post an explanation on WPTavern saying that his plugin was not abandoned. I personally think that if you need to post this, your plugin is already abandoned. At the moment of this post, the code of the plugin has not been updated for one year, and the support has not been done by the author himself, only by users helping each other, which is cool.
W3TC and Web Security
Like every plugin, an author can encounter some security issues, usually reported under a non-disclosure clause from the security consultant or team. As you browse all the changelogs, you can see how many security issues have been fixed during the last years, which is also cool.
But today W3TC is vulnerable to an XSS flaw, rated high risk. So, what’s next? Who will fix the issue in the repository? You may know (or not) that this plugin exists on GitHub and has been

Security | secupress.me | Feb. 10, 2017

WordPress 4.7.1, the REST API Vulnerability explained

Update your website now! The REST API flaw is critical, read more here.

Update your website now! Yes, this is the first and last thing I have to tell you: stay updated, above all if you’re using WordPress 4.7 or 4.7.1. Older versions are not affected, even if they are using the old “REST API” plugin.
This post could have been only a tweet, but I wanted to give you more information.
About WordPress
On January 26th, WordPress 4.7.2 was released as a security update. The release notes only mentioned 3 fixes for vulnerabilities, but a week later the security team disclosed another vulnerability, much more critical than the 3 others, which was also patched in this version 4.7.2.
Why not disclose the 4 flaws at the same time? Aaron Campbell said “We believe transparency is in the public’s best interest […] It is our stance that security issues should always be disclosed. In this case, we intentionally delayed disclosing this issue by one week to ensure the safety of millions of additional WordPress sites.”
And he’s right, I just agree with that; the usual “the sooner the better” is not welcome here.
About The Vulnerability
It’s located in the REST API core. It leads to 2 new vulnerabilities: Remote

Community | secupress.me | Aug. 1, 2017

SecuPress has left WP Media

For those interested in following WordPress businesses, Julio Potier, one of the co-founders of WP Media (the company behind WP Rocket) has left WP Media and will be now solely responsible for SecuPress, a WordPress security plugin.

Some History
Back in 2014, Jonathan, Jean-Baptiste and I co-founded WP Media. We had almost the same creation path in mind. WP Rocket was our first product, and then we created 2 more products.
This error, the creation of Imagify and SecuPress at the same time, cost us a lot and we think it’s a failure today.
The Errors
It is hard to create 2 products at the same time; remember that WP Rocket still had to grow to pay everyone, and now more for the 2 other products. Then WP Media grew in people, and we had to manage that too.
The other error is that we did not budget the product creation, so SecuPress gave the impression of eating, eating, eating away at WP Rocket. The product still needed some resources that WP Media could not afford. The ROI date stretched out.
Time Flies
With time, we 3 co-founders had more accurate opinions, and most of the time opposite ones. This led us to a dead end even with our open minds; all is not easy with open minds either.
Jonathan and Jean-Baptiste announced to me that they wanted to stop the collaboration between WP Media and me, but they handed SecuPress over because they know that SecuPress is “my” product.
It’s true that since 2012 this idea was in my

Community | secupress.me | Sep. 27, 2016

W3TC 0.9.4.1 – 4 other security flaws

W3TC 0.9.4.1 is again on the radar today with these 4 new vulnerabilities. Discover them now!

On Friday, 23rd September 2016 we talked about a High Risk XSS vulnerability in W3TC, and like I said at the end of that post, “security consultants will try to find more”. Well, I did. I did it because we, at WP Media, think it’s important for everyone to have a secure website, whatever plugin they’re using. Every month we do a security audit on a few plugins from the free WordPress repository, just to test, just to be sure that everyone is safe.
4 New Vulnerabilities
There are many different ways to find vulnerabilities in a plugin: sometimes you stumble on them, sometimes you look for bad patterns or echoed output.
For me, the goal was to find something very harmful, so I focused on user files and PHP code.
You can find the 4 reports on wpvulndb:
https://wpvulndb.com/vulnerabilities/8626
https://wpvulndb.com/vulnerabilities/8627
https://wpvulndb.com/vulnerabilities/8628
https://wpvulndb.com/vulnerabilities/8629
Security Token Bypass
The /pub/apc.php file is useful to empty the OPCache/APC. The script seems protected by a nonce (aka security token):
// Excerpt from pub/apc.php: the "nonce" query parameter is compared
// against a hash of the current request URI.
$nonce = W3_Request::get_string('nonce');
$uri = $_SERVER['REQUEST_URI'];

if (wp_hash($uri) == $nonce)

Security | secupress.me | Jun. 6, 2016

Jetpack 4.0.3 Security Patch

Jetpack 4.0.3 just fixed a security which allows a visitor to insert a shortcode containing some HTML attributes usually forbidden.

Jetpack 4.0.3 just fixed a security flaw, a Stored XSS. It allows a visitor to insert a shortcode containing some HTML attributes that are usually forbidden.
The vulnerability
According to Sam Hotchkiss, member of the Jetpack development team, this XSS vulnerability can be found in Jetpack’s own shortcode parsing method. An attacker could easily add some JavaScript code in your comments to hack your visitors’ browsers.
The vulnerability has been patched of course, but keep in mind that all versions from Jetpack 2.0 (November 2012) up to but not including 4.0.3 are affected.
Today there is no way to know whether this has already been used to hack websites, but now it will be; it’s just a question of time since the disclosure has been made.
Some technique
If you like technical details, here’s the code from the flaw (without code comments):
// Jetpack shortcode handling as it was before 4.0.3: both a [vimeo] shortcode
// and a plain vimeo.com URL in post or comment content are rewritten by
// vimeo_link_callback(); the $plain_url pattern is the part later patched.
function vimeo_link( $content ) {
	$shortcode = "(?:\[vimeo\s+[^0-9]*)([0-9]+)(?:\])";

	$plain_url = "(?:[^'\">]?\/?(?:https?:\/\/)?vimeo\.com[^0-9]+)([0-9]+)(?:[^'\"0-9<]|$)";

	return preg_replace_callback(
		sprintf( '#%s|%s#i', $shortcode, $plain_url ),
		'vimeo_link_callback',
		$content
	);
}
The patch added

Security | secupress.me | Jun. 10, 2016

Don't use a password protection on wp-admin folder

You will find many posts that explain how to password-protect your back-end using HTTP auth, but it's not the right solution!

On the Internets you will find many posts that explain how to password-protect your back-end using HTTP auth.
There is a problem
But there is one big problem with that: it will break all your admin-ajax.php and admin-post.php requests.
In the WordPress Codex you will find a page that explains how to implement AJAX. You’ll read that admin-ajax.php lives in /wp-admin/.
By password-protecting this directory, you’re blocking access to that file, which means that all AJAX requests will be broken.
There is a solution
You can correctly do this, but there is only one good way:
# .htaccess placed in /wp-admin/: everything requires a valid user...
AuthType Basic
AuthName "Protected page"
AuthUserFile /home/.htpasswd

Require valid-user

# ...except the two endpoints front-end requests rely on and static assets.
# "Satisfy any" lets the Allow rule win over the Require rule for these files.
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
<Files admin-post.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
# A regular expression needs FilesMatch; a plain <Files> block would only
# match the literal string.
<FilesMatch "\.(css|gif|png|js)$">
    Order allow,deny
    Allow from all
    Satisfy any
</FilesMatch>
Doing that, you’ll block your /wp-admin folder but NOT the ajax/post endpoints and content files like jpg/css/js. This is the way to do it.
You can use htaccesstools.com to generate you

Community | secupress.me | Aug. 8, 2016

How a WordPress Website can be Hacked?

So many ways to hack a WordPress Website. Do you know to be protected?

There are so many ways to hack a WordPress website, and attackers already know them better than anyone else. But do you know them too? Do you know what you need to be protected against? It’s important to learn how a website can be broken into, stolen, how intruders can take your place.
Here are some stats from our clients since 2010:
60% of hacked people don’t even know what happened,
25% of attackers exploited a vulnerability in a plugin or theme,
6.5% came in with your password, found by brute force,
3% used a flaw in a WordPress core that was not updated,
1.5% got hacked because of their hosting provider,
0.6% of websites still had old installation files,
0.5% because of bad file permissions (chmod),
0.5% because of a stolen password (without brute force),
0.4% sharing other reasons like a computer without antivirus, answering a phishing mail, outdated server software or FTP software, etc.
Hacking statistics over 6 years
Don’t Know What Happened
This is sadly common, but for more than half of hacked WordPress websites – 61% – the source of the issue is not clear. It’s even difficult to know how it happened, where the entry point is, where the hints are, who and why they

Security | secupress.me | Jun. 21, 2016

Where to start to secure WordPress? Part 1

The waves of attacks on WordPress Websites came sometimes, and it’s very hard or even impossible to predict. Check these 4 easy rules to secure your website.

Securing WordPress is everyday work. I’m not talking about WordPress core but the whole website. There are things you can do once, but check from time to time that these rules are still effective.
The waves of attacks on WordPress websites come from time to time, and they are very hard or even impossible to predict.
4 easy rules to do once
Change the Database Prefix
You may already know that you shouldn’t use either wp_ or wordpress_ as a database prefix. But do you know why?
The explanation is relatively simple. When a SQL injection vulnerability is exploited, the attacker needs to target your tables; for example, he needs wp_users to read your information. But if the prefix isn’t wp_, then he’ll only get errors.
The security tip is to use a long or random prefix. Remember that you won’t have to actually remember it, even if you’re a developer. Securing WordPress is also about securing your database!
Using SecuPress this fix is automatic:
[Screenshots: before the fix / after the fix]
Avoid the Directory Listing
In most installations it’s possible to access the content of your folders. It might seem harmless, but it’s strongly advised not to let this

Security | secupress.me | Aug. 2, 2016

10 signs that show that your WordPress website is hacked

Web is huge, the number of websites is growing everyday. Discover 10 points to keep an eye on to avoid having a WordPress hacked website.

The web is huge, and the number of websites is growing every day. More than 1 website in 4 is running WordPress, and this is also growing. Sadly, the number of hacked WordPress websites is increasing every day, even if you’re not using WordPress in fact …
Did you know that every second in the world, a website is hacked?* And even if nobody wants that, keep in mind that any website can become the target of attacks.
Whether you have a blog, an e-commerce site, a showcase or a corporate site, you have to check your six to avoid strange behaviors.
10 points to keep an eye on to avoid having a hacked WordPress website
Your homepage has been defaced
Your website can be unrecognizable: a black page, with red or lime messages, with pictures out of their usual context.
Or it can still be your website, but with ads where you didn’t want them, with unexpected popups or even bad links in your footer.
You got a traffic spike, sometimes on unknown pages
Once a WordPress site is hacked, the attacker will use it to spread his content. It can be viruses hosted on your website or phishing pages.
This content will be sent by spam all over the world, and each person who clicks on it will trigger an unexpected visit.
Your