Hackers conducting botnet attacks through 20k hacked WordPress sites

Newly published research from Defiant, a WordPress security firm, reveals a botnet hunting for WordPress sites using over 20,000 already compromised WordPress sites. As new sites are infected, they automatically become part of the bot army and start acting on the attackers' directions to perform tasks like brute […]

Flaw in GDPR-Themed WordPress Plugin Used to Hijack Websites

A security flaw in a GDPR-themed WordPress plugin has been used by hackers to hijack websites, according to reports. A blog post by Defiant, a company that focuses on WordPress security, discusses the issue in the popular WP GDPR Compliance plugin in detail. Tomáš Foltýn, security writer at ESET, also discussed the issue […]

Easy, 10-Step Malware Removal Plan for WordPress Websites

WordPress websites are very common now. The WordPress CMS is immensely popular and easy to use, even for beginners. However, WordPress security is an area that many users treat rather casually. Remember, you can't just get a website built, keep updating it and then sit back and relax. You […]

Find vulnerabilities in WordPress websites using WPScan

WPScan: WPScan finds vulnerabilities in WordPress websites. The tool is known for scanning for vulnerabilities in the core version, plugins and themes of a WordPress site. WPScan also finds weak passwords, enumerates users and reports security configuration issues. According to research by an ethical hacking researcher at the International Institute of Cyber Security, most of […]

WordPress GDPR Compliance plugin hacked to spread backdoor

Update your GDPR Compliance plugin right now. Security researchers have identified a critical vulnerability in the popular WP GDPR Compliance plugin, which helps over 100,000 website owners around the world comply with the European Union's privacy regulation known as GDPR, in force since May 25th, 2018. The vulnerability, discovered by researchers at Wordfence, allows hackers to […]

Combination of bugs in WordPress and WooCommerce allows website hijacking

A flaw in how WordPress handles privileges can be exploited to take control of a domain. A flaw in the WordPress process for managing user privilege assignments can be exploited to allow a malicious actor to hijack WooCommerce websites, as reported by digital forensics specialists from the International Institute of Cyber Security. The security problem […]

WPScan v3.3.1 – Black Box WordPress Vulnerability Scanner

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.
INSTALL
Prerequisites:
Ruby >= 2.2.2 (recommended: 2.3.3)
Curl >= 7.21 (recommended: latest; FYI, 7.29 has a segfault)
RubyGems (recommended: latest)
From RubyGems: gem install […]

Severe PHP Exploit Threatens WordPress Sites with Remote Code Execution

The issue impacts several content management systems, including Typo3 and WordPress, as well as the widely used PDF generation library TCPDF. Researchers have created a proof-of-concept exploit that would enable bad actors to target a severe vulnerability in PHP, the programming language behind several major CMSes, including WordPress. The vulnerability remains unresolved – more than a […]

Spambot attacks WordPress pages

Researchers specializing in enterprise data protection services claim to have discovered a new spam comment campaign that takes advantage of the FIFA World Cup's popularity to trick people into clicking links that lead to gambling sites of dubious reputation. The campaign, which mainly targets WordPress pages, is launched by a botnet and implemented in the form of […]

A DoS Flaw That Could Help Take Down WordPress Websites

Quite recently, a simple but serious application-level DoS (Denial of Service) flaw was discovered in the WordPress CMS platform; this DoS vulnerability could let anyone take down most WordPress websites, even from a single machine. There is no need to hit the target with a massive amount of bandwidth, as is the case […]

WordBrutePress – A Multithreaded WordPress Bruteforcing Tool

WordBrutePress is a Python-based multithreaded WordPress brute-forcing tool.
Features: multithreading; XML-RPC brute force mode; HTTP and HTTPS protocol support; random User-Agent; big wordlist support.
Usage:
Standard login request: python wordbrutepress.py -S -t http[s]://target.com[:port] -u username -w wordlist [--timeout in sec]
XML-RPC login request: python wordbrutepress.py -X -t http[s]://target.com[:port] -u username -w wordlist [--timeout in […]
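The two modes above leave a distinctive footprint on the target: a burst of POST requests to /wp-login.php or /xmlrpc.php from one source. The following is an added example of the defender's side, not code from WordBrutePress or from the original post: it parses Apache combined-format access log lines and flags any source IP that POSTs to either login endpoint a threshold number of times within a sliding time window. The log lines are constructed for the example; the threshold and window are illustrative assumptions. It deliberately counts requests rather than status codes, because a failed wp-login.php attempt re-renders the form with HTTP 200 and a failed XML-RPC login returns a 200 with an XML fault, so status alone does not separate guessing from normal use.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache combined log format (not real traffic).
# 203.0.113.7 hammers wp-login.php, 198.51.100.4 hammers xmlrpc.php,
# 192.0.2.9 is an ordinary visitor who logs in once.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Nov/2018:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 600 "-" "python-requests/2.19"
198.51.100.4 - - [12/Nov/2018:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 600 "-" "python-requests/2.19"
198.51.100.4 - - [12/Nov/2018:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 600 "-" "python-requests/2.19"
198.51.100.4 - - [12/Nov/2018:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 600 "-" "python-requests/2.19"
198.51.100.4 - - [12/Nov/2018:10:00:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 600 "-" "python-requests/2.19"
192.0.2.9 - - [12/Nov/2018:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 10342 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Nov/2018:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Both endpoints WordBrutePress targets (-S and -X modes).
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop query string
    return rec


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {endpoint: total_posts}} for every source that reaches
    `threshold` POSTs to a login endpoint inside any `window_seconds` window.
    Threshold and window are illustrative assumptions; tune per site."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_ENDPOINTS:
            events[(rec["ip"], rec["path"])].append(rec["ts"])

    hits = defaultdict(dict)
    for (ip, path), stamps in events.items():
        stamps.sort()
        start = 0  # left edge of the sliding window
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip][path] = len(stamps)
                break
    return dict(hits)


if __name__ == "__main__":
    for ip, endpoints in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        for path, count in endpoints.items():
            print(f"{ip} -> {count} POSTs to {path}")
```

On the sample this flags 203.0.113.7 (six POSTs to /wp-login.php, the last one a 302 that likely means a guess succeeded) and 198.51.100.4 (five POSTs to /xmlrpc.php), and ignores 192.0.2.9. Against a real log the same scanner should be fed per-source counts per minute, and any host hitting xmlrpc.php at all is worth a look if the site does not use the Jetpack or mobile-app features that need it.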

Forensics report of WordPress hacked site

This post details the forensics performed by an information security training professional during the clean-up operation. The expert also notes specific WordPress security recommendations based on the analysis. Background: The client had recently registered a new domain name, set up some webspace on their VPS and then manually started installing the most recent version of WordPress. Before completing the install […]

How to Protect WordPress Websites from Keylogger Malware

WordPress is perhaps one of the most popular free, open source content management systems (CMS); it’s said that WordPress powers 30 percent of the internet. Now, let’s look at the other side of the picture; whatever is popular on the internet is likely to be targeted by cyber criminals as well. Well, they could only […]

Over 700 WordPress and Joomla Websites Infected with IonCube Malware

New IonCube malware has been found on hundreds of WordPress and Joomla websites, disguised as legitimate IonCube-encoded files. IonCube is a PHP encoder used to protect files with PHP encoding, encryption, obfuscation and licensing capabilities. The infection was discovered on both WordPress and Joomla websites, across thousands of files, and it infects files such as […]

WPSploit – WordPress Plugin Code Scanner – Kali Linux 2017.3

WPSploit is intended for penetration testers who audit WordPress plugins, or developers who wish to audit their own WordPress plugins. It checks for: Cross-Site Scripting (XSS), SQL Injection, File Download, File Inclusion, File Manipulation, Command Execution, PHP Code Execution, Authorisation, Open Redirect, Cross-Site Request Forgery (CSRF), SSL/TLS.
Usage:
$ git clone https://github.com/m4ll0k/wpsploit.git
$ cd wpsploit […]
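Scanners of this kind work by grepping plugin source for dangerous sinks that receive request data without passing through a WordPress sanitiser. The block below is an added example of that technique written for this page; it is not WPSploit's code and its rule set is a hand-picked subset of the classes listed above (XSS, SQL injection, file inclusion, command execution, PHP code execution, plus a file-level CSRF heuristic). The PHP plugin it scans is a constructed sample, not a real plugin, and the sanitiser and nonce function names are the WordPress API functions esc_html/esc_attr/esc_url/wp_kses, $wpdb->prepare, escapeshellarg and check_admin_referer/wp_verify_nonce.

```python
import re

# Constructed sample plugin: each vulnerable line is followed by its hardened form
# where one exists, so the scanner's true positives and true negatives are visible.
SAMPLE_PLUGIN = """\
<?php
/* Plugin Name: Demo Settings (constructed sample, not a real plugin) */
add_action( 'admin_post_demo_save', 'demo_save' );
function demo_save() {
    global $wpdb;
    // tainted value copied into a variable: not tracked by this line-based scanner
    $title = $_POST['title'];
    // unescaped output
    echo "<h1>" . $_GET['msg'] . "</h1>";
    // escaped output
    echo '<h1>' . esc_html( $_GET['msg'] ) . '</h1>';
    // string-built query
    $wpdb->query( "UPDATE demo SET title='" . $_POST['title'] . "' WHERE id=1" );
    // parameterised query
    $wpdb->query( $wpdb->prepare( "UPDATE demo SET title=%s WHERE id=1", $_POST['title'] ) );
    // attacker-controlled include path
    include $_GET['page'] . '.php';
    // unescaped shell argument
    system( 'convert ' . $_REQUEST['file'] );
}
"""

SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
COMMENT_LINE = re.compile(r"^\s*(//|#|/\*|\*)")

# (finding category, sink pattern, sanitiser that neutralises the sink on the same line)
RULES = [
    ("Cross-Site Scripting (XSS)",
     re.compile(r"^\s*(echo|print)\b"),
     re.compile(r"\b(esc_html|esc_attr|esc_url|esc_js|wp_kses(_post)?|intval|absint)\s*\(")),
    ("SQL Injection",
     re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\("),
     re.compile(r"\$wpdb->prepare\s*\(|\b(intval|absint)\s*\(")),
    ("File Inclusion",
     re.compile(r"\b(include|require)(_once)?\b"),
     None),
    ("Command Execution",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
     re.compile(r"\bescapeshellarg\s*\(")),
    ("PHP Code Execution",
     re.compile(r"\b(eval|assert|create_function)\s*\("),
     None),
]
NONCE_CHECK = re.compile(r"\b(check_admin_referer|check_ajax_referer|wp_verify_nonce)\s*\(")


def scan_plugin(source):
    """Return [(line_no, category, code)] for every sink line that uses request
    data with no recognised sanitiser; line 0 carries the file-level CSRF note."""
    findings = []
    handles_post = saw_nonce = False
    for lineno, line in enumerate(source.splitlines(), 1):
        if COMMENT_LINE.match(line):
            continue
        if NONCE_CHECK.search(line):
            saw_nonce = True
        if "$_POST" in line or "$_REQUEST" in line:
            handles_post = True
        if not SUPERGLOBAL.search(line):
            continue
        for category, sink, sanitiser in RULES:
            if sink.search(line) and not (sanitiser and sanitiser.search(line)):
                findings.append((lineno, category, line.strip()))
    # State-changing POST handling anywhere in the file with no nonce check anywhere.
    if handles_post and not saw_nonce:
        findings.append((0, "Cross-Site Request Forgery (CSRF)",
                         "$_POST/$_REQUEST handled without check_admin_referer/wp_verify_nonce"))
    return findings


if __name__ == "__main__":
    for lineno, category, code in scan_plugin(SAMPLE_PLUGIN):
        print(f"line {lineno:>3}  {category}: {code}")
```

On the sample this reports the unescaped echo (line 9), the concatenated $wpdb->query (13), the include (17), the system() call (19) and a file-level CSRF finding, and stays quiet on the esc_html and $wpdb->prepare lines. The limits are the same ones any grep-style scanner has: it does not follow a tainted value through an assignment (line 7 is a miss), and it treats $wpdb->prepare as safe even if the developer interpolated the variable into the format string instead of passing it as a parameter, so every finding and every silence still needs a human reading the code.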

KEYLOGGER CAMPAIGN RETURNS, INFECTING 2,000 WORDPRESS SITES

Over 2,000 WordPress sites are infected with a malicious script that can deliver both a keylogger and the in-browser cryptocurrency miner CoinHive. Researchers at Sucuri, who made the discovery, said the recent campaign is tied to the threat actors behind a December 2017 campaign that infected over 5,500 WordPress sites. Both incidents used keylogger/cryptocurrency-mining malware served from the domain cloudflare[.]solutions. The […]

Plecost – WordPress Fingerprinting Tool

Plecost is a fingerprinting tool and vulnerability finder for the WordPress blog engine.
Installation
Using PyPI: > python3 -m pip install plecost
Remember that Plecost3 only runs in Python 3.
Using Docker: You can run Plecost using Docker: > docker run --rm iniqua/plecost {ARGS}
Where {ARGS} is any valid Plecost argument. A real example could be: > […]

WordPress Exploit Framework v1.8 – A Ruby Framework For Developing And Using Modules Which Aid In The Penetration Testing Of WordPress

A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems. What do I need to run it? Ensure that you have Ruby >= 2.4.2 installed on your system and then install all required dependencies by opening a command prompt / terminal in the WPXF folder and running bundle install. If […]

WPHardening v1.6 – Fortify the security of any WordPress installation

Fortify the security of any WordPress installation. This tool releases new versions on a regular basis. Make sure to update your dependencies frequently to get the latest version. Check out the changelog or CHANGELOG.md to learn about the new features. Installation: Installing WPHardening requires you to execute one console command: $ pip install -r requirements.txt […]

WordPress Captcha Plugin Contains Backdoor- 300,000 Websites at Risk

Researchers have issued a warning disclosing the identification of a backdoor in yet another WordPress plugin, called Captcha. The plugin has nearly 300,000 installations, which shows how popular it is among users. Wordfence identified that a backdoor had been added to it in an update released on December 4. […]