Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Category Archive: General Security

Wordfence Blog

It’s Not You. It’s Them. On Hacking and Responsible Disclosure.

This entry was posted in General Security, PSA on October 15, 2021 by Mark Maunder   17 Replies

A story was recently posted to Hacker News celebrating a hack of IoT devices at a school that let a student and their friends rickroll the school via a video system. On the one hand, this guy is my personal hero and I want to be them. But I’m a cybersecurity professional, I run a …

You’ve Found a Vulnerability! Now What? A Guide to Responsible Disclosure.

This entry was posted in General Security, WordPress Security on July 28, 2021 by Chloe Chamberland   0 Replies

Information security researchers make a valuable contribution to our online security by finding vulnerabilities and facilitating getting them fixed. Wordfence has been finding and disclosing vulnerabilities in WordPress core, WordPress plugins, and WordPress themes since 2011. Our research has exposed vulnerabilities in the core infrastructure that powers WordPress, organized crime exploiting plugins for profit, and …

Nulled WordPress Plugins – Dangers and Downsides

This entry was posted in General Security, WordPress Security on July 21, 2021 by Ram Gall   12 Replies

In our 2020 Threat Report, the Wordfence Threat Intelligence Team identified malware distributed via nulled, pirated, or counterfeit plugins and themes as one of the largest threats facing the WordPress ecosystem. Many site owners are unaware of the risks associated with using nulled plugins, and in many cases, they may not even be aware that …

Common WordPress Vulnerabilities and Prevention Through Secure Coding Best Practices

This entry was posted in General Security, Vulnerabilities, WordPress Security on July 13, 2021 by Chloe Chamberland   4 Replies

WordPress has experienced exponential growth in the past several years and now holds over 42% of the CMS market share for all major sites. There are over 50,000 plugins available to download in the WordPress repository. That does not include the thousands of premium or open source plugins available outside of the repository, along with …

Wordfence is now a CVE Numbering Authority (CNA)

This entry was posted in General Security, WordPress Security on June 10, 2021 by Chloe Chamberland   5 Replies

Today, we are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes. WordPress powers over 40% of the World Wide Web in …

Ten Password Mistakes That Could Get Your WordPress Site Hacked

This entry was posted in General Security, Wordfence, WordPress Security on April 07, 2021 by Chloe Chamberland   2 Replies

A few months ago on Wordfence Live, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. From these common hacks, we have many cautionary tales of site security that could have been prevented by …

PHP Compromised: What WordPress Users Need to Know

This entry was posted in General Security, Research, WordPress Security on March 29, 2021 by Chloe Chamberland   16 Replies

Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src git repository. These commits were pushed to create a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP and an HTTP header. Remote …

The Wordfence 2020 WordPress Threat Report

This entry was posted in General Security, Research, Wordfence, WordPress Security on January 27, 2021 by Ram Gall   4 Replies

Over the course of 2020, and in the process of protecting over 4 million WordPress customers, the Wordfence Threat Intelligence team gathered a massive amount of raw data from attacks targeting WordPress and infection trends, in addition to the malware samples gathered by our Site Cleaning team. Attacks on WordPress can be categorized in three …

Who Attacked SolarWinds and Why WordPress Users Need to Know

This entry was posted in General Security, Research, WordPress Security on December 24, 2020 by Chloe Chamberland   18 Replies

Chloe Chamberland is a threat analyst and member of the Wordfence Threat Intelligence Team. She holds the following certifications: OSCP, OSWP, OSWE, Security+, CySA+, PenTest+, CASP+, SSCP, Associate of (ISC)2, CEH, ECSA and eWPT. Many of these are advanced certifications including OSCP and OSWE which are 24 and 48 hour exams respectively, that require hands-on …

SolarWinds and Supply Chain Attacks: Could it happen to WordPress?

This entry was posted in General Security, WordPress Security on December 23, 2020 by Ram Gall   2 Replies

The SolarWinds supply chain attack is all over the news, impacting government agencies, telecommunications firms, and other large organizations. The security firm FireEye was the first victim of the attack, disclosing that they had been hacked on December 8, 2020. On December 13th the US Treasury Department announced that it had also been compromised. At …
