We often find various fake WordPress plugins installed by hackers during website cleanups. Recently, we’ve noticed a new wave of infections that install fake plugins with backdoor functionality. Malicious Plugins Sourced from UpdraftPlus Attackers have been using different names for these fake plugins, including initiatorseo or updrat123—but any title can be used. While their code […]
Tag Archives: Website Security
Cryptominers & Backdoors Found in Fake Plugins
When cleaning websites, we regularly find phishing pages, malicious code injected into files, and SEO spam. However, over the past couple of months we’ve also noticed a considerable increase in the number of malicious plugins which have been added to compromised websites as well. These plugins appear to be legitimate, but inspecting the code reveals […]
Top 10 Website Hardening Tips
Website hardening means adding layers of protection to reduce the risk of website attacks, a process known as “defense in depth.” Here are our top 10 virtual hardening principles: 1 – Keep your website updated Every single piece of software required to run your application needs to be kept up to date with the latest […]
What Are Ethical Hackers?
There’s an issue with how some people define the word “hacker.” For some, it’s a word synonymous with “cybercriminal,” but not in the infosec community. White hat hackers (the good guys) are the ones who find security issues so they can be fixed. The world is a lot better off because of them. Every day […]
An Indirect Way to Change cPanel Passwords
There’s no doubt that the ubiquitous “forgot your password?” feature has helped many users who’ve misplaced their password or otherwise forgotten it, however—the tradeoff is that it can result in bugs that help bad actors. As demonstrated in this article, an attacker can use cPanel’s “forgot your password?” feature to reset a user password and […]
What is the Cost of Cybercrimes & Attacks
The word cybercrime is no longer just a word you hear coming from Fortune 500 CEOs anymore. This word has being flashed on every good morning news show and radio channel. Cybercrime can target any business or website owner. Even the average person who thought they were safe from hackers because they didn’t own a […]
Down the Malware Rabbit Hole – Part 1
It’s common for malware to be encoded to hide itself—or its true intentions—but have you ever given thought to what lengths attackers will go to hide their malicious code? In our first post in this series, we’ll describe how bad actors hide their malicious code and the steps taken to reveal its true form. Malware […]
A New Wave of Buggy WordPress Infections
We’ve been following an ongoing malware campaign for the past couple of years now. This campaign is renowned for its prompt addition of exploits for newly discovered WordPress theme and plugin vulnerabilities. Every other week, the attackers introduce new domain names and slightly change the obfuscation of their scripts to prevent detection. For example, last […]
National Cybersecurity Awareness Month
Since 2003, October has been recognized as National Cybersecurity Awareness Month. It is an annual campaign to raise awareness about the importance of cybersecurity and being a better digital citizen. October has just started and a majority of security companies are promoting internet security. With the holidays fast approaching, it is a crucial time for […]
Zero-Day RCE in vBulletin v5.0.0-v5.5.4
A new remote code execution (RCE) zero-day vulnerability has been disclosed by an anonymous researcher on the Full Disclosure mailing list this past Monday. This vulnerability is extremely severe. It allows any website visitors to run PHP code and shell commands on the site’s underlying server. Am I At Risk? At the time of writing this, […]