Tag Archives: WordPress Security

WP-CLI Guide: Connect to WordPress via SSH Intro

Do you use the WordPress dashboard to update plugins and themes? How do you back up your database? If you have not used it yet, WP-CLI is an efficient way to manage your WordPress installation using a command line interface, meaning you type text commands like these two: wp core update wp plugin update-all YouRead […]

10 Tips to Improve Your Website Security

In recent years there has been a proliferation of great tools and services in the web development space. Content management systems (CMS) like WordPress, Joomla!, Drupal and so many other allow business owners to quickly and efficiently build their online presences. Their highly extensible architectures, rich plugin, module, extension ecosystem have made it easier thanRead […]

Security Advisory: Object Injection Vulnerability in WooCommerce

Security Risk: Dangerous Exploitation Level: Easy/Remote DREAD Score: 8/10 Vulnerability: Object Injection Patched Version:  2.3.11 During a routine audit for our WAF, we discovered a dangerous Object Injection vulnerability which could, in certain contexts, be used by an attacker to download any file on the vulnerable server. Are you at risk? The vulnerability is onlyRead […]

Fake jQuery Scripts in Nulled WordPress Pugins

We recently investigated some random redirects on a WordPress website that would only happen to certain visitors. Traffic analysis showed us that it was not a server-side redirect, rather it happened due to some script loaded by the web pages. A quick look through the HTML code revealed this script: It was very suspicious forRead […]

JetPack and TwentyFifteen Vulnerable to DOM-based XSS – Millions of WordPress Websites Affected

Any WordPress Plugin or theme that leverages the genericons package is vulnerable to a DOM-based Cross-Site Scripting (XSS) vulnerability due to an insecure file included with genericons. So far, the JetPack plugin (reported to have over 1 million active installs) and the TwentyFifteen theme (installed by default) are found to be vulnerable. The exact countRead […]

Hacked Websites Redirect to Bitcoin.org

Recently, we began to notice that some hacked websites were redirecting traffic from certain browsers to the BitCoin site, bitcoin.org. What’s going on? Is Bitcoin using black hat SEO? Is their site malicious? As you can see, the hacked website doesn’t redirect to bitcoin.org directly. It first redirects to “194 .6 .233 .7/mxjbb . cgi?default“, whichRead […]

Security Advisory: XSS Vulnerability Affecting Multiple WordPress Plugins

Multiple WordPress Plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress. The official WordPress Official Documentation (Codex) for these functions was not very clear and misled many plugin developers toRead […]

FBI Public Service Annoucement: Defacements Exploiting WordPress Vulnerabilities

The US Federal Bureau of Investigation (FBI) just released a public service announcement (PSA) to the public about a large number of websites being exploited and compromised through WordPress plugin vulnerabilities: Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and […]

Security Advisory: Persistent XSS in WP-Super-Cache

Security Risk: Dangerous Exploitation level: Very Easy/Remote DREAD Score: 8/10 Vulnerability: Persistent XSS Patched Version:  1.4.4 During a routine audit for our Website Firewall (WAF), we discovered a dangerous Persistent XSS vulnerability affecting the very popular WP-Super-Cache plugin (more than a million active installs according to wordpress.org). The security issue, as well as another bug-fix […]