Many Reputable WordPress Security Plugins Won’t Protect Your Website From a Vulnerable Plugin

There is lots of advice out there on dealing with the security risk posed by WordPress plugins, much of it written by people who likely don’t have your best interest at heart when providing it. Take one example we

NinjaFirewall’s Rule For Vulnerability Doesn’t Really Add Much Protection

We recently looked at yet another example of the limited value that rules written for specific WordPress plugin vulnerabilities offered with the Wordfence Security plugin. But what about the other firewall plugin that has rules being written for it, NinjaFirewall?

SiteGround’s 1+ Million Install WordPress Plugins Also Contain Apparently Inadvertent Tracking

On Friday, we noted that the web host SiteGround’s 1+ million install WordPress plugins Security Optimizer and Speed Optimizer are collecting a lot of website data from those installing the plugins without consent. That is in violation of the guidelines of

Developer of 1+ Million Install Security WordPress Plugin Lacks Conceptual or Practical Understanding of WordPress Security

Two weeks ago we looked at how a feature of web host SiteGround’s recently rebranded WordPress plugin, Security Optimizer, didn’t really provide the advanced protection against cross-site scripting (XSS) promised, or any protection for that matter. Their response to that

Two 1+ Million WordPress Plugins From SiteGround, Sponsor of Plugin Review Team Rep, Collecting Website Data Without Consent

Guideline 7 of the WordPress Plugin Directory’s Detailed Plugin Guidelines, “Plugins may not track users without their consent”, states that an example of a violation would be “Automated collection of user data without explicit confirmation from the user.” That is

Wordfence Call CSRF Vulnerabilities “Low Risk” While Criticizing Competitor After Previously Calling Them “High Severity”

Recently, the CEO of the WordPress security provider Wordfence, Mark Maunder, was criticizing a competitor over a bug bounty program that caused cross-site request forgery (CSRF) vulnerabilities to be found, while he was promoting Wordfence’s own bug bounty program. He

Wordfence CLI 2.1.0 Adds Email Capability and Unattended Configuration

Note: This post refers to Wordfence CLI, the command line tool for operations teams to rapidly scan large numbers of WordPress websites for vulnerabilities and malware, not the Wordfence plugin which is deeply integrated into WordPress and provides additional functionality,

Analysis of the Fake WordPress CVE-2023-46182 Patch Plugin & Phishing Campaign

On December 1, 2023, several security researchers reported on a new phishing campaign targeting WordPress administrators. WordPress site owners had started receiving emails purporting to be from WordPress.com with the following message: “The WordPress Security Team has discovered a Remove Code Execution (RCE)

NinTechNet’s Website Security Scanner Isn’t a Good Option for Testing the Security Provided by WordPress Firewall Plugins

When it comes to testing the protection offered by WordPress security plugins, we seem to be alone in doing that, which isn’t good. We had someone contact us not that long ago who was complaining about the accuracy of

SiteGround Labels Their WordPress Security Plugin as Web Application Firewall (WAF) Despite Not Having One

When it comes to the WordPress Plugin Directory, security isn’t being handled well. Earlier this week we noted how a plugin was allowed back into the directory despite not having come close to properly resolving a serious security vulnerability that

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 4, 2023 to December 10, 2023)

Wordfence just launched its bug bounty program. Through December 20th 2023, all researchers will earn 6.25x our normal bounty rates when Wordfence handles responsible disclosure for our Holiday Bug Extravaganza! Register as a researcher and submit your vulnerabilities today! Last week, there were 109 vulnerabilities disclosed in

Critical RCE Vulnerability Patched in Backup Migration Plugin

On December 6th, 2023, the WordPress plugin Backup Migration received a critical security patch for a remote code execution vulnerability. Details were released five days later after users were given an opportunity to install the patch, although the official CVE

WordPress Plugin Developers Continue to Make Additional Attempts to Fix Vulnerabilities Without Disclosing It

Last month we wrote about how one of our competitors in providing data on vulnerabilities in WordPress plugins was copying inaccurate data from another provider. That involved a vulnerability in a plugin named Auto Affiliate Links, which hadn’t been fully

WPScan Intro: How to Scan for WordPress Vulnerabilities

In this post, we will look at how to use WPScan as a WordPress vulnerability scanner. This security tool provides you with a better understanding of your WordPress website and any vulnerabilities that may be present in your environment. It

How WordPress Firewall Plugins Could Have Stopped Recently Fixed Vulnerability in Elementor

Last week, we took a look at the first and second attempt to fix an authenticated arbitrary file upload vulnerability in the 5+ million install WordPress plugin Elementor. With a situation like that, one of the questions for security providers

Wordfence Security Still More Than Doubles Peak Memory Usage Over WordPress By Itself

In October 2021, we found that the Wordfence Security plugin for WordPress more than doubled the peak memory usage over WordPress by itself. That compared to a minimal memory increase by the two WordPress firewall plugins that provided more protection

Over 100 WordPress Repository Plugins Affected by Shortcode-based Stored Cross-Site Scripting

On August 14, 2023, the Wordfence Threat Intelligence team began a research project to find Stored Cross-Site Scripting (XSS) via Shortcode vulnerabilities in WordPress repository plugins. This type of vulnerability enables threat actors with contributor-level permissions or higher to inject

PHPCS Isn’t The Security Solution It Is Sometimes Made Out to Be

Recently, a fairly serious vulnerability was fixed in the WordPress plugin 10Web Booster, which WPScan is claiming was discovered by Krzysztof Zając. That vulnerability allowed anyone to delete arbitrary WordPress options (settings). The vulnerability could have been most easily used