10 Signs showing your WordPress Site is Hacked

Warning Signs of a WordPress Site Being Hacked

WordPress sites are notorious for getting hacked. There’s a popular misconception that WordPress is faulty and easy to hack. The truth is, WordPress is the most popular CMS powering close to 40% of all sites on the web. As such, we can expect that hackers will target it most often, statistically. Regardless of the fact that naysayers are wrong, the threat is real. You might be experiencing some issues or noticing weird things on your site and you are suspecting that it might be compromised. While it is sometimes easy to spot […]

How to Secure Your Online Store for the Holidays: A 10-Point Website Security Audit

If you are running an online store, you are likely to see a steep increase in traffic during the holiday season. With new customers entering their payment information and personal addresses onto your website, it’s more important than ever to secure your online store in preparation for the holidays. November and December are the busiest shopping months of the year, which makes any downtime related to a hack or security breach more expensive than any other time of year. Your website’s uptime has never been more valuable, and that is why this is the perfect time to perform a security […]

Jetpack 5.1-7.9 – Vulnerability in Embed Code


WP Maintenance <= 5.0.5 – Cross-Site Request Forgery to Stored Cross-Site Scripting


The Short History of Unauthenticated Site Options Update Vulnerabilities

2019 is coming to an end. Over the last year, Pagely’s security team noticed a trend in WordPress-related attacks targeting unauthenticated changes to a WordPress website’s options table. The […]

High Severity Vulnerability Patched in WP Maintenance Plugin

Description: Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS v3.0 Score: 8.8 (High)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H
Affected Plugin: WP Maintenance
Plugin Slug: wp-maintenance
Affected Versions:
Patched Version: 5.0.6

On November 15th, 2019, our Threat Intelligence team identified a vulnerability present in WP Maintenance, a WordPress plugin with approximately 30,000+ active installs. This flaw allowed attackers to enable a vulnerable site’s maintenance mode and inject malicious code affecting site visitors. We disclosed this issue privately to the plugin’s developer, who released a patch the next day. Plugin versions of WP Maintenance up to 5.0.5 are vulnerable to attacks against this flaw. All WP Maintenance users should update […]

WordPress 5.2.4 Update

Late-breaking news on the 5.2.4 short-cycle security release that landed October 14. When we released the news post, I inadvertently missed giving props to Simon Scannell of RIPS Technologies for finding and disclosing an issue where path traversal can lead to remote code execution. Simon has done a great deal of work on the WordPress project, and failing to mention his contributions is a huge oversight on our end. Thank you to all of the reporters for privately disclosing vulnerabilities, which gave us time to fix them before WordPress sites could be attacked.

Sassy Social Share <= 3.3.3 – Cross-Site Scripting (XSS)


Social Photo Gallery <= 1.0 – Remote Code Execution


WFCM 1.4 – Improved file changes coverage for WordPress websites

These last few weeks we have been busy working on our file integrity monitor plugin for WordPress: Website File Changes Monitor. In this update we focused on improving the coverage of the plugin, so it can detect file changes which it didn’t before. Let’s dive in and see what is new in update 1.4.

Detect changes in files with special characters in the filename

Up until update 1.4 the plugin ignored files with special characters in their name, such as ind+ex.php, or !hello.php. So we redesigned the file integrity monitor scanning engine to handle special characters. The result? Much improved file […]