This entry was posted in Vulnerabilities, WordPress Security on October 12, 2017 by Dan Moen 5 Replies
As you probably know we launched Gravityscan this May. Gravityscan is a security scanner for any website that serves as a great complement to Wordfence. Yesterday we were analyzing aggregate scan result data from Gravityscan, and we noticed data that surprised us: 12.8% of sites we scan have at least one sensitive file visible to anyone on the internet....read more
We have received a number of questions regarding the Postman SMTP plugin which was removed from the WordPress.org directory this week. According to an archived snapshot, the plugin is installed on over 100,000 websites. We assume it was removed because it contains a publicly known reflected cross-site scripting (XSS) vulnerability that has not been fixed. Both Wordfence Free and Premium users who have the firewall enabled have been protected against attempts to exploit this vulnerability from day one. In addition, we alerted all Wordfence users who have the plugin installed when it was removed from the plugin directory....read more
This edition of the WordPress Attack Report is a continuation of the monthly series we've been publishing since December 2016. Reports from the previous months can be found here....read more
This entry was posted in Wordfence, WordPress Security on September 19, 2017 by Dan Moen 12 Replies
WordPress sites are under constant attack by criminals around the world. It is unnerving to see them at work, looking for security vulnerabilities to exploit and trying thousands of passwords. And when they are successful, they inflict pain in the form of lost revenue, damaged reputation and clean-up expenses. It's no wonder that Wordfence users love our blocking features. There's nothing more satisfying than taking direct action against an evil adversary....read more
This is the ninth edition of the WordPress Attack Report series we've been publishing since December 2016. You can find reports from the previous months here:...read more
This post is a continuation of the WordPress Attack Report series we've been publishing since December 2016. Reports from previous months can be found here:...read more
Today's post is a continuation of the WordPress Attack Report series we've been publishing since December 2016. Previous months' reports can be found here:...read more
This entry was posted in Wordfence, WordPress Security on June 20, 2017 by Dan Moen 22 Replies
On Thursday of last week, we released Wordfence 6.3.11 which included a really exciting new feature: we are now alerting you if you are running a plugin that either appears to be abandoned or has been removed from the WordPress.org plugin directory. In this post, we explain how each of these new alerts work and why they're so important to the security of your website....read more
This entry was posted in Research, WordPress Security on June 15, 2017 by Dan Moen 18 Replies
Yesterday at 7pm UTC (noon PDT) we saw the volume of brute force attacks on the WordPress sites that we protect more than double from the average for the previous 24 hours. The number of attacking IPs more than tripled....read more
This entry was posted in WordPress Security on June 8, 2017 by Dan Moen 10 Replies
On this blog, we often talk about employing a "defense in depth" approach to WordPress security. The majority of our focus is on the prevention and detection features offered by the Wordfence plugin. Today we turn our attention to WordPress backups, an incredibly important remediation topic....read more
