Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Author Archive: Mikey Veenstra

Wordfence Blog

Vulnerabilities Patched in WP Cost Estimation Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on February 13, 2019 by Mikey Veenstra   2 Replies

At the end of January, Wordfence security analysts identified attackers exploiting vulnerabilities in outdated versions of the commercial plugin WP Cost Estimation & Payment Forms Builder, or WP Cost Estimation for short. These flaws were found and patched by the developer a few months ago, but no official public disclosure was made at the time. Following …
Read More

WordPress Sites Compromised via Zero-Day Vulnerabilities in Total Donations Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on January 25, 2019 by Mikey Veenstra   6 Replies

The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites. We have reserved CVE-2019-6703 to track and reference these vulnerabilities …
Read More

A Tale of Two Vulnerabilities: Using Commercial Plugins Responsibly

This entry was posted in Vulnerabilities, WordPress Security on January 18, 2019 by Mikey Veenstra   10 Replies

As the most popular CMS on the market, one of the major draws of WordPress is a rich ecosystem of plugins made available by the community. The WordPress.org plugin repository makes the process of installing and updating plugins a seamless experience in the dashboard of a site, and a team of volunteers works to maintain …
Read More

Botnet of Infected WordPress Sites Attacking WordPress Sites

This entry was posted in Research, Wordfence, WordPress Security on December 05, 2018 by Mikey Veenstra   17 Replies

The Defiant Threat Intelligence team recently began tracking the behavior of an organized brute force attack campaign against WordPress sites. This campaign has created a botnet of infected WordPress websites to perform its attacks, which attempt XML-RPC authentication to other WordPress sites in order to access privileged accounts. Between Wordfence’s brute force protection and the premium real-time …
Read More

XSS Injection Campaign Exploits WordPress AMP Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 20, 2018 by Mikey Veenstra   19 Replies

News broke last week disclosing a number of vulnerabilities in the AMP For WP plugin, installed on over 100,000 WordPress sites. WordPress contributor Sybre Waaijer identified the security issue and confidentially disclosed it to the WordPress plugins team. To exploit the flaw, an attacker needs to have a minimum of subscriber-level access on a vulnerable site. The …
Read More

Trends Emerging Following Vulnerability In WP GDPR Compliance Plugin

This entry was posted in Research, Vulnerabilities, WordPress Security on November 09, 2018 by Mikey Veenstra   19 Replies

Earlier this week the WP GDPR Compliance plugin was briefly removed from the WordPress.org repository after the discovery of critical security issues impacting its users. In yesterday’s post, we provided some details regarding these issues and illustrated their severity. In the hours since that post was published, our team has continued tracking the adversaries seeking …
Read More

Privilege Escalation Flaw In WP GDPR Compliance Plugin Exploited In The Wild

This entry was posted in Vulnerabilities, WordPress Security on November 08, 2018 by Mikey Veenstra   23 Replies

After its removal from the WordPress plugin repository yesterday, the popular plugin WP GDPR Compliance released version 1.4.3, an update which patched multiple critical vulnerabilities. At the time of this writing, the plugin has been reinstated in the WordPress repository and has over 100,000 active installs. The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, …
Read More

Defiant’s Top 5 Spooky Security Jokes

This entry was posted in Miscellaneous on October 31, 2018 by Mikey Veenstra   0 Replies

Among a plethora of reasons to enjoy working here, we at Defiant are particularly vocal about our love for the remote office. A team spread across timezones and continents might sound like a challenge in group cohesion, but even though we’re divided geographically, we’ve forged a great culture that a breakroom ping-pong table just can’t …
Read More

Three WordPress Security Mistakes You Didn’t Realize You Made

This entry was posted in General Security, WordPress Security on October 02, 2018 by Mikey Veenstra   20 Replies

Considering the amount of malicious activity that takes place on the internet, it’s no surprise that successful attacks on WordPress sites are launched across a wide variety of vectors. Whether outdated plugin code is to blame, or password reuse, or any number of other security flaws, no site owner sets out to introduce a vulnerability …
Read More

Yes, You Should Probably Have A TLS Certificate

This entry was posted in General Security, WordPress Security on September 18, 2018 by Mikey Veenstra   13 Replies

Last week’s article covering the decision to distrust Symantec-issued TLS certificates generated a great response from our readers. One common question we received, and one that pops up just about any time SSL/TLS comes up, is how to determine when a site does and does not need such a certificate. Spoiler: Your site should probably …
Read More


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 100 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates