During a recent plugin audit, we noticed a weird pattern among many plugins responsible for performing a specific task: Duplicating a page or a post. With a bit of research, we came to the following conclusion: Many of these plugins came from the same source — and contained the same vulnerabilities. SQL Injections in Vulnerable […]
Tag Archives: WordPress Security
Obfuscated WordPress Malware Dropper
It goes without saying that evasive maneuvering is at the top of a hacker’s priority list. Most often, they try to evade detection by obfuscating their malicious code to make it unreadable to the naked eye. In our recent post we demonstrated how the PHP function file_put_contents is used to inject malicious data into a […]
OneTone Vulnerability Leads to JavaScript Cookie Hijacking
A vulnerability in the discontinued WordPress theme OneTone has been added to an ongoing campaign that is targeting vulnerable WordPress websites and causes malicious redirects through domains like ischeck[.]xyz. This specific wave uses the XSS vulnerability to inject malicious JavaScript and redirect visitors to the attacker’s landing page. The malware also detects and leverages existing […]
Analysis of a WordPress Credit Card Swiper
While working on a recent case, I found something on a WordPress website that is not as common as on Magento environments: A credit card swiper injection. Typically this type of malware targets dedicated ecommerce platforms such as Magento and Prestashop (due to their focus in handling payment information, which we have documented extensively in […]
Throwback Threat Thursday: WordPress 4.7 WP-JSON Content Injection Vulnerability
Throwback Threat Thursday is a series of posts where we recall older vulnerabilities that have since been patched by their developers. In the past, these vulnerabilities caused significant impacts to the security of website owners. Some vulnerable sites may still be found in the wild. Back in early 2017, our research team was looking into […]
WordPress Database Brute Force and Backdoors
We regularly talk about brute force attacks on WordPress sites and explain why WordPress credentials should always be unique, complex, and hard to guess. However, the WordPress login is not the only point of entry that hackers use to break into sites. Since the WordPress CMS stores most of its settings in a database, attackers […]
7 Tips for Protecting Your Website
For many people, website security is an intimidating topic. It seems like there’s an endless list of things necessary for protecting your website. And while resources like our Website Security Guide cut through much of the clutter of the threat landscape, some folks might need it simplified even further. Okay, we hear ya. If you’re […]
How to Find & Remove SEO Spam on WordPress
Perhaps the best way to dive into the subject of finding and removing SEO spam on WordPress is with a quick experiment — probably one you’ll want to conduct at a private location. Run a Google search with the terms buy viagra cialis. Without clicking anything (seriously, don’t), take a close look at the results. […]
6 Simple Steps for Hardening your WordPress Security
Having a secure WordPress site does not need to be a challenge. Hardening a website means adding security layers to reduce the risks of attacks and hacks. 6 ways to Harden WordPress Security You can harden your WordPress site by following these six simple steps: 1 – Keep WordPress updated It is important to keep […]
Hacked Website Threat Report – 2019
The threat landscape for website owners is constantly shifting on a regular basis — and it’s becoming increasingly more complex. As attackers continue to develop tools and find new vulnerabilities to massively exploit, our team works diligently around the clock to identify, analyze, and protect website owners from compromise. Education is key to protecting yourself […]
