WordPress Vulnerability Roundup: November 2020, Part 2


New WordPress plugin and theme vulnerabilities were disclosed during the second half of November. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. The WordPress Vulnerability Roundup is divided into three categories: WordPress core, WordPress plugins, and WordPress themes.
In the November, Part 2 Report
WordPress Core Vulnerabilities
Good news! No new WordPress core vulnerabilities were disclosed in November. Keep in mind that WordPress 5.6 is due out December 8, so mark your calendars.
WordPress Plugin Vulnerabilities
1. Good LMS Good […]

How to keep a log & track 404 errors in WordPress


When it comes to annoying website errors, not many are more irritating to your visitors than 404 error pages. In most cases, your visitor will have clicked through from either a search result or an internal link placed on another page or post, only to find that there’s nothing there. For potential customers visiting your website for the first time, it doesn’t leave a good first impression. But it hurts your WordPress site in other ways too. By keeping a log of 404 errors, not only will you improve your website’s user experience, but you’ll also be able to: Quickly […]

Hidden SEO Spam Link Injections on WordPress Sites


Often when a website is injected with SEO spam, the owner is completely unaware of the issue until they begin to receive warnings from search engines or blacklists. This is by design — attackers intentionally try to prevent detection by arranging injected links so they are not visible to average human traffic. One of the techniques attackers use is to “push” the injected SEO spam links off the visible portion of the website. Continue reading Hidden SEO Spam Link Injections on WordPress Sites at Sucuri Blog.

PHP 8: What WordPress Users Need to Know


PHP 8.0 is set to be released on November 26, 2020. As the programming language powering WordPress sites, PHP’s latest version offers new features that developers will find useful and improvements that promise to greatly enhance security and performance in the long run. It also fully removes a number of previously deprecated functions. PHP 8 is a massive change from previous versions. In this article, we hope to provide insights detailing what this means for WordPress site owners, including recommended adoption strategies. Should I upgrade right away? No. The upcoming major version of WordPress, 5.6, is intended to be “beta […]

Episode 96: Hosting Provider Failures and Incident Response Preparedness


Two hosting providers experienced outages this week. GoDaddy had a brief outage affecting numerous systems on Tuesday, November 17. Managed.com had an extensive outage due to ransomware that affected all systems. We discuss what types of incident response preparations site owners should consider when events beyond their control occur. We also discuss a large-scale attack targeting themes using the Epsilon Framework, the new head of security at Twitter, and an Android chat app exposing private messages. Here are timestamps and links in case you’d like to jump around, and a transcript is below. 0:26 Large-Scale Attacks Target Epsilon Framework Themes […]

Wordfence Site Cleaning Guarantee Extended to 1 Year


Today, we’re pleased to announce that all customers of Wordfence site cleaning services receive an annual clean site guarantee. If your site is compromised again after our team has cleaned and secured your WordPress site, we’ll clean it again for free. Additionally, we’re expanding our Security Services Team coverage to 24/7 effective immediately. The Wordfence Security Services Team is a group of highly experienced and deeply technical individuals from around the world who help Wordfence customers recover and secure their sites after their WordPress sites are hacked. They’ve helped thousands of customers thwart hackers, protect their WordPress sites, and deepen […]

Keeping Plugins Updated Is Important, a Managed WordPress Host Can Help


A recent zero-day vulnerability that affected hundreds of thousands of WordPress sites offers some insight into why a growing number of businesses are looking to managed WordPress hosting from companies like WP Engine for more than just fast-loading, highly-available websites.
What Went Wrong With File Manager Plugin 6.4?
The critical vulnerability was introduced back in… The post Keeping Plugins Updated Is Important, a Managed WordPress Host Can Help appeared first on WP Engine.

PrestaShop SuperAdmin Injector and Login Stealer


According to W3Tech’s data, PrestaShop is among the most popular CMS choices for existing ecommerce websites, so it should come as no surprise that malware has been created to specifically target these environments. We recently came across an infected PrestaShop website with malware which was automatically injecting a super admin PrestaShop user whenever the website owner logged into the backend. The malware was found injected into the following existing PrestaShop core files:
./controllers/admin/AdminLoginController.php
./classes/Employee.php
The injected PHP code works by checking the $email variable contents — which, by default, stores the email address used when trying to log into PrestaShop. […]

iThemes Security Pro Feature Spotlight – Website Security Grade Report


In the Feature Spotlight posts, we will highlight a feature in the iThemes Security Pro plugin and share a bit about why we developed the feature, who the feature is for, and how to use the feature. Today we are going to cover the WordPress Security Grade Report, a quick and easy way to audit the performance of your website’s security.
Feature Spotlight: Security Grade Report
Why You Need a Website Security Grade Report
All WordPress sites need a solid WordPress security strategy, but how do you know how your security efforts are actually going? The iThemes Security Pro Grade […]

Evasive Maneuvers in Data Stealing Gateways


We have already shared examples of many kinds of malware that rely on an external gateway to receive or return data, such as different malware payloads. During a recent investigation, we came across this example of a PHP script that attackers use for many different purposes. What makes the sample interesting is that alongside this PHP, we also found a few data-stealing scripts indicating that the code might have been used to send sensitive data to the attackers. Continue reading Evasive Maneuvers in Data Stealing Gateways at Sucuri Blog.