Vulnerability in User Role Editor – Users Can Become Admins

Nathan WrigleySecurityLeave a Comment

There is a major vulnerability in a popular plugin with over 300,000 active installs: User Role Editor 4.24 and older. The vulnerability allows any registered user to gain administrator access. For sites that have open registration, this is a serious security hole. If you are running User Role Editor, upgrade to the newest version which is 4.25 immediately. Looking at a diff … Read More

3 Severe Plugin Vulnerabilities Fixed in the Last 24 Hours

Nathan WrigleySecurityLeave a Comment

The following three plugins contain severe vulnerabilities that have all been fixed within the past 24 hours. Details of these vulnerabilities have been released to the public so they are likely already being exploited. If you use any of these plugins, upgrade immediately. Please share with the larger WordPress community. WooCommerce Store Toolkit Plugin (A plugin for WooCommerce made by Visser Labs, not … Read More

6 Million Password Attacks in 16 Hours and How to Block Them

Nathan WrigleySecurityLeave a Comment

Last week in the President’s cyber security op-ed in the Wall Street Journal he implored Americans to move beyond simple passwords and to enable two factor authentication or cellphone sign-in. One of the things we monitor at Wordfence is the number of brute force attacks on WordPress websites. Brute force attacks are password guessing attacks, where an attacker tries to sign in … Read More

Why Wordfence Supports Strong Encryption Without Backdoors

Nathan WrigleySecurityLeave a Comment

This morning global headlines are discussing Apple’s move to oppose a court order issued by the US government regarding breaking into it’s own iPhone. This case has far reaching consequences and is part of a wider debate on cryptography and whether consumers and businesses should have access to strong cryptography and the data protection that comes with it. I’m going to … Read More

WordPress-Delivered Ransomware and Hacked Linux Distributions

Nathan WrigleySecurityLeave a Comment

In a rather unfortunate turn of events earlier this month, the Hollywood Presbyterian Medical Center was infected with ransomware. Ransomware, if you’re unfamiliar with it, encrypts everything on your workstation and then tells you to pay an attacker to decrypt your system and regain access to your information. In the case of Presbyterian, they had to pay 40 bitcoins or the … Read More

Scary Data – Trends in Malware, Phishing, Site Cleaning and Bad Networks

Nathan WrigleySecurityLeave a Comment

At Wordfence we have great visibility into the size and scale of the threat facing the WordPress community. Our software protects well over a million sites worldwide. This week we thought it would be interesting to provide you with a broader perspective, analyzing some of the information that Google has made available in the Safe Browsing section of their Transparency … Read More

The Crypto Wars – How We Arrived at Apple vs United States

Nathan WrigleySecurityLeave a Comment

This week our team is in San Francisco attending the RSA 2016 Security conference. It is the largest security conference in the world with over 40,000 attendees this year. We’re also here for the BSides San Francisco security conference which happened right before RSA and which is a smaller independent locally organized conference. These conferences cover the larger subject of information security … Read More

A Backdoored WordPress Plugin and 3 Additional Vulnerabilities

Nathan WrigleySecurityLeave a Comment

We have several plugin vulnerabilities we’d like to bring to your attention this week. First up is a backdoor that was added to the Custom Content Type Manager plugin. The backdoor was added by a malicious coder who gained access to the plugin code in the official WordPress plugin repository. It’s unclear whether the plugin author’s credentials were stolen or … Read More

Get Rid of Data to Help Secure It

Nathan WrigleySecurityLeave a Comment

Last week I spent some time chatting with Mike Dahn who is the co-founder of the BSides information security conferences globally. He’s also organizer of BSides San Francisco and is well known and respected in information security circles. We had a really informative chat and I’ve posted the video interview below. You know you’re chatting with someone who spends a lot of time … Read More

Hacked Sites Suffer Long Term Search Ranking Penalties

Nathan WrigleySecurityLeave a Comment

During our research into what the WordPress community knows about hacked websites, we discovered that there is very little data available on the subject. We decided to conduct a survey, inviting a portion of our community to participate. We received responses from 1,605 people who reported having a website they manage hacked in the last year. We learned a lot. Thank you … Read More