High-Severity Vulnerabilities Patched in Discount Rules for WooCommerce


On August 20, 2020, the Wordfence Threat Intelligence team was made aware of several vulnerabilities that had been patched in Discount Rules for WooCommerce, a WordPress plugin installed on over 40,000 sites. We released a firewall rule to protect against these vulnerabilities the same day. During our investigation, we also discovered a separate set of vulnerabilities in the plugin that were not yet patched, and released a firewall rule to protect against these separate vulnerabilities the next day, on August 21, 2020. We reached out to the plugin’s team at Flycart on August 21, 2020, and received a response almost […]

New! Banned Users Gets an Upgrade in iThemes Security Pro 6.7.0


The iThemes Security Pro Banned Users feature just got an upgrade. Banned Users version now gives you more flexibility on how bans are enforced on your website. Plus, with the new Banned Users Security Card, you can manage your bans directly from your WordPress Security Dashboard. Current iThemes Security Pro, Plugin Suite & Toolkit customers will find version 6.7.0 of the iThemes Security Pro plugin available as an automatic update from your WordPress dashboard or as a manual download from the iThemes Member Panel. Save time by updating all your sites at once from the iThemes Sync dashboard. What is the Banned Users […]

The Hacker Motive: What Attackers Are Doing with Your Hacked Site


Yesterday, September 15, 2020, the Wordfence Live team covered The Hacker Motive: What Attackers Are Doing with Your Hacked Site. This companion blog post reviews the motives we discussed live during Wordfence Live and dives deeper into the minds of attackers. You can watch the video of Wordfence Live below. Timestamps: you can click on these timestamps to jump around in the video. 00:00 Introduction; 6:45 How the Wordfence site cleaning process works; 10:45 How the Wordfence real-time blacklist works; 14:06 Updates on the WordPress File Manager plugin vulnerability; 19:16 Backdoors; 27:00 Defacements; 35:51 SEO Spam links; 39:00 Spam pages […]

iThemes Security Pro Feature Spotlight – Privilege Escalation


In the Feature Spotlight posts, we are going to highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature. Today we are going to cover Privilege Escalation, the most underutilized feature in iThemes Security Pro. Why We Developed Privilege Escalation Anytime you create a new user, you are adding another entry point that a hacker could exploit. But there will likely be times you may need some outside help for your website, like when you are seeking support or after hiring an independent […]

Episode 86: War of the Hackers


Millions of attacks have been targeting the recent File Manager plugin zero-day vulnerability discovered last week. Two attackers are vying for control over sites compromised through the vulnerability. A security researcher has revealed that specially crafted Windows 10 themes can be used to perform Pass-the-Hash attacks. A database belonging to the Digital Point webmaster forum leaked records of over 800,000 web professionals that are members of the forum. Visa is warning of a new Baka Javascript credit card skimmer that removes itself from memory after exfiltrating stolen data, making it difficult to detect. Here are timestamps and links in case […]

Why a strong password policy is so important for your WordPress website


If you’ve been managing a WordPress site for a while, you may be wondering why a strong password policy is so important. Surely, users are aware that they need to use strong passwords? Unfortunately, many users knowingly use weak passwords, putting your WordPress site at risk. There are differing reasons why this continues to occur. Some don’t want to have to remember a complex password, whereas others like to reuse the same password across multiple sites. Either way, enforcing a strong password policy protects you against users’ poor password choices such as password123. In this post, we will explain why password security is […]

Attackers Fight for Control of Sites Targeted in File Manager Vulnerability


Last week, we covered a vulnerability in the File Manager plugin installed on over 700,000 WordPress sites. By Friday, September 4, 2020, we recorded attacks on over 1.7 million sites, and by today, September 10, 2020, the total number of sites attacked has increased to over 2.6 million. We’ve seen evidence of multiple threat actors taking part in these attacks, including minor efforts by the threat actor previously responsible for attacking millions of sites, but two attackers have been the most successful in exploiting vulnerable sites, and at this time, both attackers are password protecting vulnerable copies of the connector.minimal.php […]

PPMWP 2.3.1: improved support for third party plugins


Today we are excited to announce update 2.3.1 of the Password Policy Manager plugin. The highlight of this update is improved support for other third party plugins, such as login redirects, e-Commerce and membership type plugins. Even though this update is a maintenance release, it still packs a punch. Let’s dive right in to see what’s new and improved in this update. Improved support for third party plugins Many site administrators use the Password Policy Manager plugin to configure password policies on membership, subscription and e-Commerce sites. So since the plugin is used alongside other plugins such as WooCommerce, Login […]

WordPress Vulnerability Roundup: September 2020, Part 1


New WordPress plugin and theme vulnerabilities were disclosed during the first half of September, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website. The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes. In the August, Part 2 Report WordPress Core Vulnerabilities No WordPress core vulnerabilities were disclosed in the first half of September. However, a new minor version of WordPress was released on September […]

iThemes Security Pro Feature Spotlight – Version Management


In the Feature Spotlight posts, we highlight a feature in iThemes Security Pro and share a bit about why we developed the feature, who the feature is for, and how to use the feature. Today we are going to cover Version Management, a great tool that makes managing updates of WordPress or themes and plugins a breeze. Why We Developed Version Management Keeping software updated is an essential part of any security strategy. Updates aren’t just for bug fixes and new features. Updates can also include critical security patches. Without that patch, you are leaving your phone, computer, server, router, or […]