Archive by Author

Vulnerability Roundup – April 2022

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this […]

Keeping Up With PHP Updates

Staying on top of critical security risks and vulnerabilities is imperative for the safety of your website. Some of the types of threats impacting our client sites include injections, broken authentication, cross-site scripting, or even attackers targeting components with known vulnerabilities. In this post, we’ll be going over why outdated PHP versions can lead to […]

Poodle and Doodle, FUD and the Sucuri WAF

On any given day, Sucuri sees thousands of clients go through the PCI compliance process. The requirements outlined by the Payment Card Industry Data Security Standards (PCI DSS) are mandatory for any website accepting credit card payment, and this process can be very stressful for website owners not familiar with these guidelines. Failure to comply […]

Critical RCE Vulnerability in Elementor WordPress Plugin

Security Risk: High; Exploitation Level: Easy; CVSS Score: 9.9; Vulnerability: Remote code execution (RCE); Patched Version: 3.6.3. On April 12th, an important security update was released for the Elementor plugin, patching a critical remote code execution vulnerability which allows all authenticated users, including subscribers, to upload and execute arbitrary PHP code on a vulnerable website. This […]

Sucuri WordPress Plugin += Sucuri WAF

Sucuri has always been a dedicated supporter of the WordPress community. Our free plugin was one of our first contributions to WordPress security (before bootstrapping our efforts into our WAF/CDN, Backups, and Malware Remediation services). However, over my many years involved in web application security, I’ve found that one of the most evasive aspects of […]

The Case for 2FA by Default for WordPress

Administrator panel compromises are one of the most common attacks that everyday WordPress website admins face. We work with thousands of clients who have encountered attacks on their websites and I’ve long ago lost count of the number of times that I’ve told clients that the point of entry was their WordPress login page. Brute […]

WordPress Overtakes Magento in Credit Card Skimmers

One of the most important monitoring tools in our security platform is our Sucuri SiteCheck scanner. It’s a free tool to scan your website for known malicious content and malware injections. The usage of SiteCheck also allows us to monitor trends in the website security landscape, and one of the things that it can spot […]

WordPress Popunder Malware Redirects to Scam Sites

Over the last year we’ve seen an ongoing malware infection which redirects website visitors to scam sites. So far this year our monitoring has detected over 3,000 websites infected with this injection, and over 17,000 in total since we first detected it in March of 2021. The reported behaviour is always the same: […]

New Wave of AnonymousFox Cron Jobs

Recently our Remediation and Research teams have noticed a new wave of malicious cron jobs associated with the notorious AnonymousFox malware. The cron jobs are purpose-built to reinfect the victim websites and make removal of the infection more cumbersome and time-consuming. In this post we’ll investigate one of these malicious cron jobs, describe what it […]