WordPress 5.4 “Adderley”

https://wordpress.org/news/2020/03/adderley/
Here it is! Named “Adderley” in honor of Nat Adderley, the latest and greatest version of WordPress is available for download or update in your dashboard. Say hello to more and better. More ways to make your pages come alive. With easier ways to get it all done and looking better than ever—and boosts in speed you can feel. Welcome to WordPress 5.4 Every major release adds more to the block editor. More ways to make posts and pages come alive with your best images. More ways to bring your visitors in, and keep them engaged, with the richness of embedded media […]

Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin

https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/
On March 23, 2020, our Threat Intelligence team discovered 2 vulnerabilities in WordPress SEO Plugin – Rank Math, a WordPress plugin with over 200,000 installations. The most critical vulnerability allowed an unauthenticated attacker to update arbitrary metadata, which included the ability to grant or revoke administrative privileges for any registered user on the site. The second vulnerability allowed an unauthenticated attacker to create redirects from almost any location on the site to any destination of their choice. We reached out to the plugin’s developer the next day, on March 24, 2020, and received a response within 24 hours. We privately […]

WordPress 5.4 RC5

https://wordpress.org/news/2020/03/wordpress-5-4-rc5/
The fifth release candidate for WordPress 5.4 is live! WordPress 5.4 is currently scheduled to land on March 31 2020, and we need your help to get there—if you haven’t tried 5.4 yet, now is the time! You can test the WordPress 5.4 release candidate in two ways: Try the WordPress Beta Tester plugin (choose the “bleeding edge nightlies” option) Or download the release candidate here (zip). For details about what to expect in WordPress 5.4, please see the first release candidate post. Plugin and Theme Developers Please test your plugins and themes against WordPress 5.4 and update the Tested up to version in the readme to 5.4. The priority […]

WordPress activity logs for newbies

https://www.wpsecurityauditlog.com/wordpress-admin/wordpress-activity-logs-newbies/
WordPress activity logs help site administrators better manage their WordPress websites and users, and keep them secure. Activity logs are also very helpful in a post-hack scenario, to identify the source of the attack. If you are new to WordPress activity logs, this article is for you. We will explain what activity logs are, what their role on a WordPress website is, and what the benefits of keeping a record of all user and site changes are. We will also explain how you can easily keep an activity log on your WordPress website. Let’s start! What are activity logs? Activity […]

Vulnerabilities Patched in IMPress for IDX Broker

https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-impress-for-idx-broker/
On February 28, 2020, the Wordfence Threat Intelligence team became aware of a newly patched stored Cross-Site Scripting (XSS) vulnerability in IMPress for IDX Broker, a WordPress plugin with over 10,000 installations. Although all Wordfence users, including those still using the free version of Wordfence, were already protected from this vulnerability by the Web Application Firewall’s built-in XSS protection, we investigated the plugin further and discovered an additional stored XSS vulnerability. We also found a flaw that would allow an authenticated attacker with minimal, subscriber-level permissions to permanently delete any page or post on the site, in addition to creating […]

Episode 71: Hackers Targeting COVID-19 Fears

https://www.wordfence.com/blog/2020/03/episode-71-hackers-targeting-covid-19-fears/
With many of us under either lockdown or shelter-in-place orders due to the COVID-19/Coronavirus, fear and stress are rampant. This additional stress lowers our critical thinking capabilities and increases our vulnerability. Hackers targeting these human vulnerabilities are using the global pandemic to attempt exploitation through numerous scams and phishing campaigns. We also cover plugin vulnerabilities affecting tens of thousands of sites as well as a new product from Wordfence, Fast or Slow, a global website speed profiler. Here are timestamps and links in case you’d like to jump around, and a transcript is below. 2:05 Coronavirus scams found and explained 4:48 […]

WordPress 5.4 RC4

https://wordpress.org/news/2020/03/wordpress-5-4-rc4/
The fourth release candidate for WordPress 5.4 is live! WordPress 5.4 is currently scheduled to land on March 31 2020, and we need your help to get there—if you haven’t tried 5.4 yet, now is the time! You can test the WordPress 5.4 release candidate in two ways: Try the WordPress Beta Tester plugin (choose the “bleeding edge nightlies” option) Or download the release candidate here (zip). For details about what to expect in WordPress 5.4, please see the first release candidate post. RC4 commits the new About page and updates the editor packages. Plugin and Theme Developers Please test your plugins and themes against WordPress 5.4 and update […]

Vulnerabilities Patched in the Data Tables Generator by Supsystic Plugin

https://www.wordfence.com/blog/2020/03/vulnerabilities-patched-in-the-data-tables-generator-by-supsystic-plugin/
A few weeks ago, we disclosed several flaws that were patched in the Pricing Table by Supsystic plugin. On January 20th, our Threat Intelligence team discovered several similar vulnerabilities present in another product from Supsystic: Data Tables Generator by Supsystic, a WordPress plugin installed on over 30,000 sites. These flaws were very similar and allowed an attacker to execute several AJAX actions, inject malicious JavaScript, and forge requests on behalf of an authenticated site user. However, in the Data Tables Generator plugin, these flaws required an attacker to be logged in as a user with subscriber or above permissions on […]

WordPress Redirect Hack – Fixing spam redirects in WordPress

https://www.getastra.com/blog/911/redirection-piratee-wordpress/
Is your WordPress website redirecting users to unknown and insecure sites? If so, your website may have been hacked. Such WordPress redirect hack attacks are quite common, where malware redirects visitors from a …

Penetration testing for WordPress websites

https://www.wpwhitesecurity.com/penetration-testing-for-wordpress-websites/
WordPress powers a lot of websites on the Internet. So it’s no surprise that seasoned attackers and “script-kiddies” like to target WordPress websites. Whether you’re a webmaster, or a security professional, when tasked with assessing the security posture of a WordPress website, it tends to help to be aware of common security pitfalls attackers typically take advantage of. It is also important to use the right penetration testing tools. In this article, I’ll be covering a number of common security holes, malpractices and useful information an attacker may be able to abuse in many WordPress installations. I’ll also highlight a […]