Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

Category Archive: WordPress Security

Three WordPress Security Mistakes You Didn’t Realize You Made

This entry was posted in General Security, WordPress Security on October 2, 2018 by Mikey Veenstra   20 Replies

Considering the amount of malicious activity that takes place on the internet, it's no surprise that successful attacks on WordPress sites are launched across a wide variety of vectors. Whether outdated plugin code is to blame, or password reuse, or any number of other security flaws, no site owner sets out to introduce a vulnerability into their environment. Ultimately any security issue begins with a mistake, and while mistakes are forgivable there's still risk involved if they're not discovered and remedied....read more

Yes, You Should Probably Have A TLS Certificate

This entry was posted in General Security, WordPress Security on September 18, 2018 by Mikey Veenstra   13 Replies

Last week's article covering the decision to distrust Symantec-issued TLS certificates generated a great response from our readers. One common question we received, and one that pops up just about any time SSL/TLS comes up, is how to determine when a site does and does not need such a certificate. Spoiler: Your site should probably have a TLS certificate....read more

Duplicator Update Patches Remote Code Execution Flaw

This entry was posted in Vulnerabilities, WordPress Security on September 5, 2018 by Mikey Veenstra   3 Replies

A critical remote code execution (RCE) vulnerability has been patched in the latest release of Duplicator, a WordPress backup and migration plugin with millions of downloads. In their public disclosure of this flaw, Synacktiv detailed its scope and severity, and provided a viable proof of concept exploit for the security community. In this post we'll take a look at the basics of the vulnerability, what was patched, and what you can do if you think your site's at risk....read more

Ninja Forms Security Updates: What You Need To Know

This entry was posted in Vulnerabilities, WordPress Security on August 28, 2018 by Mikey Veenstra   1 Reply

Yesterday, the popular WordPress plugin Ninja Forms released version 3.3.14, which disclosed and patched two security issues present in the plugin. Upon review of these issues we've determined their severity to be moderately low, however due to the plugin's wide userbase of more than a million active installs we've elected to provide a detailed exploration of exactly what these vulnerabilities are and what risks they do pose if left unpatched. As usual, we recommend updating vulnerable versions of the plugin as soon as possible, despite the relatively low risk....read more

Wordfence: Live On Tour In A City Near You

This entry was posted in Videos, WordPress Security on August 24, 2018 by Dan Moen   12 Replies

This year we've attended and sponsored quite a few WordCamps, and have had members of our team speak at some as well. If you haven’t attended one recently we highly recommend it. They're a great opportunity to learn and connect with other members of the WordPress community....read more

Brad Haas Discusses BabaYaga Malware on the CyberWire Podcast

This entry was posted in WordPress Security on July 31, 2018 by Dan Moen   0 Replies

In early June we published an article and accompanying white paper detailing an interesting malware infection which we've internally dubbed BabaYaga. The relatively sophisticated malware is unique because it contains a number of features intended to ensure the infected site remains in working order. It keeps WordPress core up to date, performs and stores backups and even scans for and removes malware....read more

Your Site Can Help Defend Millions Of Others

This entry was posted in Wordfence, WordPress Security on July 19, 2018 by Mikey Veenstra   4 Replies

As you're probably aware, Wordfence's Security Services Team (SST) provides world-class remediation services in the event that your site falls victim to malicious activity.  Our analysts combine their considerable expertise with the best threat intelligence in the industry to deliver results we're consistently proud to stand behind. To be clear, the word "consistently" is used deliberately here, as the continued reliability of our services is crucial in maintaining the trust placed in us by our users....read more

Details of an Additional File Deletion Vulnerability – Patched in WordPress 4.9.7

This entry was posted in Vulnerabilities, Wordfence, WordPress Security on July 5, 2018 by Matt Barry   4 Replies

Today WordPress released version 4.9.7, a security release which addresses two separate arbitrary file deletion vulnerabilities requiring Author privileges. Some details can be found on the WordPress.org blog....read more

Optimizing Wordfence Security Settings: Brute Force Protection

This entry was posted in Wordfence, WordPress Security on July 5, 2018 by Kathy Zant   15 Replies

As a part of the Wordfence Client Partner initiative, we’ve recently had some in depth conversations with organizations using Wordfence at scale. These conversations have been enlightening, and we wanted to share some of the stories we’ve heard about how different organizations use Wordfence....read more

Arbitrary File Deletion Flaw Present in WordPress Core

This entry was posted in Vulnerabilities, WordPress Security on June 27, 2018 by Mikey Veenstra   41 Replies

The security community has been abuzz this week following the disclosure of a vulnerability present in all current versions of WordPress. The flaw, published in a detailed report by RIPS Technologies, allows any logged-in user with an Author role or higher to delete files on the server....read more

Get the latest WordPress security updates and news

Sign up for WordPress security alerts, Wordfence product updates and security news via email.