Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

PHP 8: What WordPress Users Need to Know

This entry was posted in WordPress Security on November 23, 2020 by Ram Gall   14 Replies

PHP 8.0 is set to be released on November 26, 2020. As the programming language powering WordPress sites, PHP’s latest version offers new features that developers will find useful and improvements that promise to greatly enhance security and performance in the long run. It also fully removes a number of previously deprecated functions. PHP 8 …

Episode 96: Hosting Provider Failures and Incident Response Preparedness

This entry was posted in Podcasts on November 20, 2020 by Ram Gall   0 Replies

Two hosting providers experienced outages this week. GoDaddy had a brief outage affecting numerous systems on Tuesday, November 17. Managed.com had an extensive outage due to ransomware that affected all systems. We discuss what types of incident response preparations site owners should consider when events beyond their control occur. We also discuss a large-scale attack …

Wordfence Site Cleaning Guarantee Extended to 1 Year

This entry was posted in Wordfence, WordPress Security on November 19, 2020 by Kathy Zant   0 Replies

Today, we’re pleased to announce that all customers of Wordfence site cleaning services receive a 1-year clean site guarantee. If your site is compromised again after our team has cleaned and secured your WordPress site, we’ll clean it again for free. Additionally, we’re expanding our Security Services Team coverage to 24/7 effective immediately. The Wordfence …

Large-Scale Attacks Target Epsilon Framework Themes

This entry was posted in Research, Vulnerabilities, WordPress Security on November 17, 2020 by Ram Gall   6 Replies

On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites …

Episode 95: Critical Privilege Escalation Vulnerabilities Affect Over 100K WordPress Sites

This entry was posted in Podcasts on November 13, 2020 by Kathy Zant   0 Replies

Three critical privilege escalation vulnerabilities in the Ultimate Member plugin put over 100,000 sites at risk. We also talk about the Page Experience metric to be added as a ranking signal for Google search in May 2021 and what this means for WordPress sites using page builders or Gutenberg. Microsoft warns against using telephone/SMS-based multi-factor …

Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 09, 2020 by Chloe Chamberland   4 Replies

On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site. We initially reached out to the plugin’s developer on October …

Episode 94: Hosting Provider Exposed 63 Million Customer Records

This entry was posted in Podcasts on November 06, 2020 by Ram Gall   0 Replies

A hosting provider exposed over 63 million customer records via an open Elasticsearch database containing verbose logs with plain-text username/password credentials for numerous WordPress, Magento and other sites. We also talk about the security updates in WordPress 5.5.2/5.5.3 and the accidental 5.5.3-alpha autoupdate. We talk about object injection vulnerabilities like the one discovered in …

Object Injection Vulnerability in Welcart e-Commerce Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 05, 2020 by Ram Gall   2 Replies

On October 6, 2020, our Threat Intelligence team discovered a High-Severity Object Injection vulnerability in Welcart e-Commerce, a WordPress plugin with over 20,000 installations that claims top market share in Japan. After we finished our investigation, we contacted the plugin’s publisher, Collne Inc. on October 9, 2020. Full disclosure was sent on October 12, 2020, …

Unpacking the WordPress 5.5.2/5.5.3 Security Release

This entry was posted in WordPress Security on November 02, 2020 by Chloe Chamberland   0 Replies

On Thursday, October 29, the WordPress core team released WordPress version 5.5.2. This was a minor release containing bug fixes and security enhancements to the core WordPress content management system powering over one-third of the internet. There was a subsequent 5.5.3 release one day later; you can read about the emergency WP 5.5.3 release here. …

Episode 93: Nitro Documents on the Dark Web and Botnets Targeting Older Vulnerabilities

This entry was posted in Podcasts on October 31, 2020 by Kathy Zant   1 Reply

We cover a couple of breaking stories this week, including the emergency release of WordPress 5.5.3 on Friday, October 30. In preparation for this, a number of sites autoupdated to version 5.5.3-alpha. We also look at the defacement of the Trump Campaign website, and how 2-Factor Authentication could have prevented this. We also look …
