Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

Wordfence 7 Update

This entry was posted in Wordfence on February 16, 2018 by Dan Moen   29 Replies

It has now been a few weeks since we launched Wordfence 7. Overall we are confident that the change was a good one. The product is now cleaner, more modern and is much easier for a new user to navigate....read more

Cryptomining Supply Chain Attack Hits Government Websites

This entry was posted in General Security, WordPress Security on February 11, 2018 by Mark Maunder   17 Replies

In the past 24 hours, security researcher Scott Helme discovered that a third-party accessibility plugin called 'Browsealoud' had their servers compromised. The plugin relies on a website including JavaScript in their content in order to work. This compromise resulted in over 4,000 websites serving up cryptomining malware....read more

Service Vulnerabilities: 3 Hosting Companies Fix NFS Permissions Problem

This entry was posted in Vulnerabilities, WordPress Security on February 8, 2018 by Brad Haas   37 Replies

In mid-December we updated our Vulnerability Disclosure Policy to include Service Vulnerabilities. A service vulnerability is any issue with a technology service that represents an exploitable security risk for its users. We made this update in response to a growing trend of security issues we've been discovering in commercial services, most often WordPress hosting providers....read more

WordPress Update Breaks Future Auto-Updates. Manually Update Now!

This entry was posted in WordPress Security on February 8, 2018 by Mark Maunder   49 Replies

[Update at 10:50am PST: Based on the comments we've received below, it sounds like this problem only affects certain sites. We have received several reports of successful updates, although some of these may be the hosting provider updating WordPress installs manually. Overall this looks like good news for the WordPress team who reported this as a severe bug. If you have been impacted by this, let us know in the comments.]...read more

Introducing Wordfence 7

This entry was posted in Wordfence on January 24, 2018 by Dan Moen   72 Replies

Wordfence is the most popular WordPress security software in the world for good reason. The protection offered by the endpoint firewall outperforms alternatives. The scanner delivers the best detection in the industry. A long list of other features like country blocking, two-factor authentication and password auditing make Wordfence the best and most comprehensive security solution available for WordPress....read more

WordPress Supply Chain Attacks: An Emerging Threat

This entry was posted in WordPress Security on January 3, 2018 by Dan Moen   22 Replies

In the last few months, we have discovered a number of supply chain attacks targeting WordPress plugins. In this post, we explain what a supply chain attack is, why WordPress is an attractive target for them, and what you can do to protect your site....read more

Wordfence Now Includes 1.4 Billion Leaked Passwords in Password Auditing Feature

This entry was posted in Wordfence, WordPress Security on December 28, 2017 by Matt Barry   7 Replies

Last week, we reported a massive upsurge in brute force login attempts following the leak of a database of 1.4 billion clear text credentials. No one had seen 14% of the exposed username/password pairs before, making this a ripe opportunity for hackers to attempt to break into WordPress sites....read more

Three Plugins Backdoored in Supply Chain Attack

This entry was posted in Research, WordPress Security on December 27, 2017 by Dan Moen   54 Replies

In the last two weeks, the WordPress.org repository has closed three plugins because they contained content-injection backdoors. "Closing" a plugin means that it is no longer available for download from the repository, and will not show up in WordPress.org search results. Each of them had been purchased in the previous six months as part of the same supply chain attack, with the goal of injecting SEO spam into the sites running the plugins....read more

Massive Cryptomining Campaign Targeting WordPress Sites

This entry was posted in Research, WordPress Security on December 19, 2017 by Brad Haas   31 Replies

On Monday we wrote about the massive spike in brute force attacks on WordPress sites that we observed. As reported, it was the most intense period of attacks we had ever recorded. We believe that a single botnet is behind the attacks....read more

Backdoor in Captcha Plugin Affects 300K WordPress Sites

This entry was posted in WordPress Security on December 19, 2017 by Matt Barry   105 Replies

The WordPress repository recently removed the plugin Captcha over what initially appeared to be a trademark issue with the current author using "WordPress" [Editor's note: the original page has been removed, we're now linking to a screenshot.] in their brand name....read more
