WordPress, Joomla, and Magento Continue to Be the Most Hacked CMSs

Based on statistical data gathered by Sucuri from 7,937 compromised websites, WordPress, Joomla, and Magento, in this order, continued to be the most hacked CMS platforms in the third quarter of 2016 (months of July, August, and September). Among all hacked websites, 74% ran WordPress, which isn’t surprising if we take into account the CMS’ […]

WordPress Plugin Stop User Enumeration does not stop user enumeration

User Enumeration is the capacity to automatically figure out if a given account is valid on a system. By enumerating user accounts, you are at danger of locking out accounts after a predefined number of failed attempts. Stop User Enumeration is a plugin that stops user enumeration dead, and furthermore it will log an event in your System […]

10 Ways to Protect Your WordPress Site You Didn’t Know About

Do you own a WordPress site? Congratulations, the advanced security features of the platform will protect you for life…or so you’d like to think. Unlike ready-made SaaS solutions such as online website builders with centralized management, WordPress is a popular open-source CMS whose open code has lots of security vulnerabilities. And believe me, these vulnerabilities can be […]

Learning From Buggy WordPress Wp-login Malware

When a site gets hacked, the attack doesn’t end with the malicious payload or spam content. Hackers know that most website administrators will clean up the infection and look no further. Many go on to patch vulnerable software, change their passwords, and perform other post-hack steps. All of this is good, but hackers who follow […]

Crooks exploit a zero-day in WordPress eCommerce Plugin to upload a backdoor

Experts from White Fir Design discovered cybercriminals exploited a zero-day flaw in an e-commerce plugin for WordPress to upload a backdoor. According to the experts from the firm White Fir Design, crooks exploited a zero-day flaw in an e-commerce plugin for WordPress to upload backdoors to affected websites. The plugin is WP Marketplace, a […]

How To Setup Free SSL On WordPress Using CloudFlare

In this tutorial we are going to show you how to use free SSL on your WordPress site using Cloudflare’s Free Flexible SSL. Note: Make sure you take a backup of your website first in case something goes wrong! How to: Step 1: Create an account at Cloudflare. Step 2: Add your website and select […]

WordPress Hack Modifies Core Files to Share Spam

One of the worst feelings a website owner can experience is discovering that your site has been hacked. Without proper security measures in place, even website owners with the best intentions can lose control of their website. When hackers gain access to your site, they can use it to host phishing content, distribute malware, steal sensitive […]

Hackers Prefer File Upload, XSS, and SQLi Bugs When Attacking WordPress Sites

WordPress is a free, open source content management system (CMS) for creating websites, and is considered to be the most popular blogging system in use. WordPress’ appeal to website developers stems from its free plugins and themes that are easily installed over the basic platform. These add-ons allow WordPress users to personalize and expand their websites and blogs. […]

Popular WordPress Plugin Comes With a Backdoor, Steals Site Admin Credentials

Last summer we shared a story about the SweetCaptcha WordPress plugin injecting ads and causing malvertising problems for websites that leveraged the plugin. When this plugin was removed from the official WordPress Plugin directory, the authors revived another WordPress account with a long abandoned plugin and uploaded SweetCaptcha as a “new version” of that plugin. In […]

WordPress Sites Leveraged in Layer 7 DDoS Campaigns

We first disclosed that the WordPress pingback method was being misused to perform massive layer 7 Distributed Denial of Service (DDoS) attacks back in March 2014. The problem is that any WordPress website with the pingback feature enabled (its default setting) could be used to attack the availability of other websites. The attacks would inundate the web server with Layer […]

Web Reconnaissance Attack Infects 3,500 Websites, Possibly WordPress

Attackers are adding unauthorized code at the top of infected websites, with over 3,500 sites already infected. Alarms are ringing in Symantec’s offices, as its research team has discovered a massive Web injection campaign that’s currently infecting Web servers around the Internet. According to telemetry data received from Symantec security products, the company’s staff has identified […]

WordPress Fixes Critical Stored XSS Error in Akismet

Developers at Automattic, the parent company behind the blogging platform WordPress, fixed a nasty stored cross-site scripting error this week in Akismet, an anti-spam plugin that figures into millions of websites. The bug was fixed Tuesday in an update, 3.1.5, according to Christopher Finke, an engineer at Automattic who works on Akismet. Akismet filters spam […]

WordPress XML-RPC Service Used to Amplify Brute-Force Attacks

Hackers are hiding hundreds or thousands of username/password combinations in one single XML-RPC request. WordPress sites are being abused once again and there is no surprise since the platform is the most popular CMS on the Internet, and the attack surface is literally enormous when compared to other website-building solutions. This time around, Sucuri’s security researchers […]

WordPress Jetpack Plugin Patched Against Stored XSS Vulnerability

After a few critical bugs were recently discovered and patched in the core WordPress engine, a rarity with WordPress-related security issues, order has apparently been restored with the discovery of a critical vulnerability in a popular plugin. Insecure plugins have been at the heart of numerous attacks launched from compromised WordPress sites. One was patched this week in […]

Over 2,000 WordPress Sites Are Infecting Users with Spyware

Compromised WordPress websites are delivering spyware and PUAs (potentially unwanted applications) to users via fake Flash update messages and fake browser plugins. Zscaler researchers have uncovered a covert spyware distribution campaign that relies on hacked WordPress websites to redirect users to spyware-infested URLs. According to their findings, the campaign has been active since the first […]

Active malware campaign uses thousands of WordPress sites to infect visitors

15-day-old campaign has spiked in past 48 hours, with >5,000 new infections daily. Attackers have hijacked thousands of websites running the WordPress content management system and are using them to infect unsuspecting visitors with potent malware exploits, researchers said Thursday. The campaign began 15 days ago, but over the past 48 hours the number of […]

WordPress Patches Serious Shortcodes Core Engine Vulnerability

WordPress core engine security vulnerabilities aren’t rare, but they are uncommon. Most issues affecting the integrity of sites running on the content management system are introduced by third-party plugins and put those sites at risk for a host of attacks. Today WordPress upgraded to version 4.3.1 which patched three vulnerabilities, two of which were reported […]

WordPress High CPU Load Bug After 4.3 “Billie” Upgrade and How to Fix it

Short Bytes: WordPress high CPU load bug – We faced it and I am guessing thousands of other blogs hosted on WordPress faced it too, when they upgraded to WordPress 4.3 “Billie”. If not a million-dollar bug, I can definitely call it a bug that almost screwed my several nights as I was trying to fix it. Usually a blog is managed by […]

Outdated WordPress Sites Used to Deliver Teslacrypt Ransomware

Heimdal Security researchers have observed a new ransomware campaign that utilizes the Neutrino exploit kit to deliver Teslacrypt ransomware to victims via websites running older versions of the WordPress CMS. Researchers also don’t rule out that the attack is carried out via other content management systems (CMSs) or outdated CMS plugins, but most of the […]

XSS Vulnerability Found in Famous WordPress Plugins

Researchers have identified a relatively “common” cross-site scripting (XSS) flaw in some famous WordPress plugins. A coordinated plugin update has been released to address the detected cross-site scripting vulnerability. In case you are using any of the WordPress plugins mentioned below, you must install the update released today to eliminate the “common” cross-site scripting vulnerability. Here […]

Running a WordPress Website? Know How to Protect Yourself from ISIS Hacks

The US Federal Bureau of Investigation (FBI) has warned WordPress users and urged them to patch the plugins of the content management system in the wake of recent ISIS hacks and future possibilities. In the recent past, ISIS-supporting cyber criminals have hacked self-hosted WordPress websites and, because of the unpatched plugins […]