What is the Principle of Least Privilege?

If you own a website and collaborate with other people, the Principle of Least Privilege (PoLP) is a crucial security concept which has applications and benefits to strengthen your website security posture. Let’s dive in! Contents: Definition PoLP & Website Security Example of Principle of Least Privilege Default WordPress User Roles How PoLP Affects Websites […]

How to Stop a DDoS Attack in 5 Steps

As a webmaster, keeping your site online during large traffic spikes is what you strive for. But how can you be sure traffic spikes are legitimate? And more importantly, how do you react when they aren’t? The unfortunate reality is DDoS attacks can be a threat for websites big and small. In this post, we’ll […]

WordPress Vulnerability & Patch Roundup December 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this […]

New Guide: Broken Access Control

The complexity of modern websites exposes countless potential vulnerabilities to lurking attackers. One of the most underestimated threats? Broken Access Control (BAC). The risk lies within the very machinations of your website — the systems managing who can interact with what. When correctly set, they keep unauthorized users out; when broken… Well, let’s not give […]

MageCart WordPress Plugin Injects Malicious User & Credit Card Skimmer

One of our analysts recently found an interesting malicious plugin injected into a WordPress / WooCommerce ecommerce website which both creates and conceals a bogus administrator user. It was also found injecting sophisticated credit card skimming JavaScript into the website’s checkout page. This plugin includes an interesting sample of malicious code which goes to great […]

What is a Content Security Policy (CSP)

It’s always a good idea to be aware of the security issues that might affect your site. For example, cross-site scripting (XSS) attacks consist of injecting malicious client-side scripts into a website and using the site as a propagation method for other malicious behavior. XSS attacks are possible because browsers trust all requests that come […]

Analysis of the Fake WordPress CVE-2023-46182 Patch Plugin & Phishing Campaign 

On December 1, 2023, several security researchers reported about a new phishing campaign targeting WordPress administrators. WordPress sites owners had started receiving emails from WordPress.com with the following message: “The WordPress Security Team has discovered a Remove Code Execution (RCE) vulnerability on your site, which allows attackers to execute malwares and steal your data, user […]

Critical RCE Vulnerability Patched in Backup Migration Plugin

On December 6th, 2023, the WordPress plugin Backup Migration received a critical security patch for a remote code execution vulnerability. Details were released five days later after users were given an opportunity to install the patch, although the official CVE is still locked down in “reserved” mode. Website administrators are advised to update to the […]

Cloudflare 2023 Year in Review

The 2023 Cloudflare Radar Year in Review is our fourth annual review of Internet trends and patterns observed throughout the year at both a global and country/region level across a variety of metrics. Below, we present a summary of key findings, and then explore them in more detail in subsequent sections. Key findings Traffic Insights […]