Updates on WordPress security, Wordfence and what we're cooking in the lab today.

WordPress 5.0.1 Security Release – Immediate Update Recommended

This entry was posted in WordPress Security on December 13, 2018 by Dan Moen   2 Replies

WordPress 5.0.1 was released Wednesday night, less than a week after the much anticipated release of WordPress 5.0. This security release fixes seven security vulnerabilities, a few of which are quite serious. Sites running versions in the 4.x branch of WordPress core are also impacted by some of the issues. WordPress 4.9.9 was released along …
Read More

WordCamp US Recap

This entry was posted in Miscellaneous on December 13, 2018 by Mark Maunder   3 Replies

WordCamp US was held in Nashville, Tennessee this year. We sponsored the event, had a booth and of course provided lock picking lessons, as has become our tradition at WordCamps. Our goal is to get you to think like a hacker, so that you can better secure your sites. Picking a lock really gets you …
Read More

How We Think About WordPress Security and Research

This entry was posted in General Security, Wordfence, WordPress Security on December 10, 2018 by Mark Maunder   3 Replies

This weekend I had a really fun conversation with Doc Pop from Torque Magazine. Torque is a great news source for WordPress news. They are part of WP Engine, but maintain editorial independence. I chatted with Doc in Nashville, in the Music City Center where WordCamp US was being held. Music City Center is an …
Read More

Botnet of Infected WordPress Sites Attacking WordPress Sites

This entry was posted in Research, Wordfence, WordPress Security on December 05, 2018 by Mikey Veenstra   17 Replies

The Defiant Threat Intelligence team recently began tracking the behavior of an organized brute force attack campaign against WordPress sites. This campaign has created a botnet of infected WordPress websites to perform its attacks, which attempt XML-RPC authentication to other WordPress sites in order to access privileged accounts. Between Wordfence’s brute force protection and the premium real-time …
Read More

WordPress 5.0: How and When to Update

This entry was posted in Miscellaneous on December 05, 2018 by Mark Maunder   46 Replies

WordPress 5.0 is being released tomorrow, December 6th. This release contains a major change to the WordPress editor. The new editor, code-named Gutenberg, is a substantial leap forward in functionality. It uses a new block-based system for editing which allows you to embed a wide range of content in your posts and pages, and gives …
Read More

XSS Injection Campaign Exploits WordPress AMP Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 20, 2018 by Mikey Veenstra   19 Replies

News broke last week disclosing a number of vulnerabilities in the AMP For WP plugin, installed on over 100,000 WordPress sites. WordPress contributor Sybre Waaijer identified the security issue and confidentially disclosed it to the WordPress plugins team. To exploit the flaw, an attacker needs to have a minimum of subscriber-level access on a vulnerable site. The …
Read More

Trends Emerging Following Vulnerability In WP GDPR Compliance Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 09, 2018 by Mikey Veenstra   19 Replies

Earlier this week the WP GDPR Compliance plugin was briefly removed from the WordPress.org repository after the discovery of critical security issues impacting its users. In yesterday’s post, we provided some details regarding these issues and illustrated their severity. In the hours since that post was published, our team has continued tracking the adversaries seeking …
Read More

Privilege Escalation Flaw In WP GDPR Compliance Plugin Exploited In The Wild

This entry was posted in Vulnerabilities, WordPress Security on November 08, 2018 by Mikey Veenstra   23 Replies

After its removal from the WordPress plugin repository yesterday, the popular plugin WP GDPR Compliance released version 1.4.3, an update which patched multiple critical vulnerabilities. At the time of this writing, the plugin has been reinstated in the WordPress repository and has over 100,000 active installs. The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, …
Read More

Defiant’s Top 5 Spooky Security Jokes

This entry was posted in Miscellaneous on October 31, 2018 by Mikey Veenstra   0 Replies

Among a plethora of reasons to enjoy working here, we at Defiant are particularly vocal about our love for the remote office. A team spread across timezones and continents might sound like a challenge in group cohesion, but even though we’re divided geographically, we’ve forged a great culture that a breakroom ping-pong table just can’t …
Read More

Using PHP 5 Becomes Dangerous in 2 Months

This entry was posted in General Security, WordPress Security on October 30, 2018 by Mark Maunder   0 Replies

WordPress, Joomla, Drupal and many other popular website CMSs were written in a programming language called PHP. PHP version 5 is about to reach end-of-life and will stop receiving security updates in two months. Many WordPress and other PHP websites remain on version 5.6 or older. Once support for PHP 5 ends in two months, …
Read More


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 90 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates