
Yoast SEO Founders Fund Collaboration Platform That Opens WordPress Websites to Having All Their Users Deleted

One of the most unsavory elements of the WordPress community is all the people that promote themselves as being community focused while seeming to be much more interested in how they can sell off what they provide to the highest…

Automattic’s Web Application Firewall (WAF) Failed to Provide Protection Against Zero-Day That WordPress Firewall Plugins Did

When it comes to securing WordPress websites, it is very common to find people assuredly claiming that WordPress firewall plugins provide less protection than web application firewalls (WAFs) from web hosts or cloud security providers, without any evidence to back…

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping…

Inaccurate Claims About Security Impact of Changing WordPress Database Prefix Highlighted With Exploited Zero Day

A basic rule of security is that if you know a lot, you don’t know much. Those knowledgeable about security try to be careful about what they say, as they realize they might not know everything. A lot of WordPress…

PSA: Unpatched Critical Privilege Escalation Vulnerability in Ultimate Member Plugin Being Actively Exploited

Today, on June 29, 2023, the Wordfence Threat Intelligence Team became aware of an unpatched privilege escalation vulnerability being actively exploited in Ultimate Member, a WordPress plugin installed on over 200,000 sites, through our vulnerability changelog monitoring we do to…

How to Quickly Find & Fix Mixed Content Issues (SSL/HTTPS)

With the web’s increased emphasis on security, all sites should operate on HTTPS. Installing an SSL certificate allows you to make that transition with your website. But it can also have an unintended consequence for sites that have been operating…

Spamdexing: What is SEO Spam & How to Remove It

Ever had an uninvited guest crash your party, resulting in chaos, confusion, and some unhappy visitors? Well, SEO spam is that party crasher — just for websites. Why should you care, you ask? Well, just imagine your meticulously crafted website…

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 19, 2023 to June 25, 2023)

Last week, there were 84 vulnerabilities disclosed in 76 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 42 Vulnerability Researchers that contributed to WordPress Security last week. Review those…

miniOrange Addresses Authentication Bypass Vulnerability in WordPress Social Login and Register WordPress Plugin

On May 28, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in miniOrange’s WordPress Social Login and Register plugin, which is actively installed on more than 30,000 WordPress websites. The…

WordPress Vulnerability & Patch Roundup June 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve…

Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin

On June 5, 2023, our Wordfence Threat Intelligence team identified, and began the responsible disclosure process, for an Arbitrary User Password Change vulnerability in LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites…

6G Firewall Rules in All-In-One Security (AIOS) WordPress Plugin Don’t Provide Effective Protection

In version 5 of the WordPress security plugin All-In-One Security (AIOS) an update was made to its firewall functionality, which implemented “6G firewall rules in the new PHP-based firewall.” Someone posted on the support forum for the plugin requesting to…

Remote Code Execution Backdoor Uses Unicode Obfuscation & Non-Standard File Extensions

Readers of this blog will know that attackers are constantly finding new ways to hide their malware and avoid detection; after all, that’s what good malware does best! We have recently observed attackers leveraging both excessive amounts of Unicode as…

iThemes Security (Solid Security) and iThemes Security Pro Won’t Protect Against Zero-Days Contrary to Their Marketing

A zero-day is a vulnerability being exploited before the developer is aware of it. One of the implications of that is that keeping software up to date won’t protect against it. So for WordPress websites, a WordPress security plugin can…

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 12, 2023 to June 18, 2023)

Last week, there were 60 vulnerabilities disclosed in 52 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 25 Vulnerability Researchers that contributed to WordPress Security last week. Review those…

Patchstack’s “Early Warning” About Vulnerability Isn’t Early and Fails to Warn It Isn’t Fixed

As we have noted in the past, the WordPress security provider Patchstack is falsely claiming to know about hundreds of zero-day vulnerabilities and claiming to be providing “early warnings” to their customers on vulnerabilities that were already public before they…

Latest WooCommerce Version Fixes Security Bypass Utilized by Widely Exploited Vulnerability

In March, the details of a vulnerability that had been fixed in a WordPress plugin that extends the functionality of the plugin WooCommerce were disclosed. The exploitability of it should have been limited as it required having access to a…