This entry was posted in Wordfence on January 21, 2021 by Kathy Zant. Wordfence, the leading provider of WordPress security software and services, is announcing today that we are, effective immediately, offering free site cleaning and site...
Security – Internet, WordPress, and otherwise
2020 Year in Review: the best of WP White Security
2020 has been a challenging year for many. However, we have been very lucky and even though it was challenging, we’ve made the best out of it, and we turned it into a big one! So we wanted to take the time and look back at everything that happened at WP White...
WordPress Security: The Ultimate Guide
Uncovering Potential Issues with the Contact Form 7 Vulnerability: More Data Needed
On December 17, 2020, the Astra research security team disclosed that they had discovered a critical severity Unrestricted File Upload vulnerability in Contact Form 7, the most popular WordPress plugin of all time. The lead researcher, Jinson Varghese, also published...
WordPress Vulnerabilities Explained
Episode 100: How to Lose 6 Figures the Easy Way
The recent SolarWinds attack was incredibly sophisticated. What happens when that level of sophistication targets a homebuyer during one of the largest transactions of their lifetime? On this episode, we tell the story of an extremely difficult-to-detect spearphishing...
Website File Changes Monitor 1.7.1: improved UX & other minor improvements
Today we are happy to announce the release of Website File Changes Monitor 1.7.1. This is a minor but must-install followup to update 1.7.0. In this update we have improved several aspects of the plugin’s user experience (UX) and also addressed a few issues reported...
Hacking WordPress websites & stealing WordPress passwords
A detailed explanation of how attackers use Man-in-the-Middle (MitM) to hack WordPress websites and login credentials. This article is for educational purposes only. Like any other web application with a login form, WordPress submits your username and password in an...
WPScan Can Now Assign CVE Numbers for WordPress Core, Plugin, and Theme Vulnerabilities
WPScan, a security company that maintains a database of WordPress vulnerabilities, has been officially designated as a CVE (Common Vulnerability and Exposures) Numbering Authority (CNA). The company joins 151 organizations from 25 countries that...
Unauthenticated Remote Code Execution in e-signature plugin
During a recent audit we discovered an unauthenticated remote code execution in the plugin e-signature. All versions less than 1.5.6.8 are vulnerable. Disclosure / Response Timeline: January 7, 2021: Initial contact. January 11, 2021: Patch is live. Current State of the...
WordPress Vulnerability Roundup: January 2021, Part 1
New WordPress plugin and theme vulnerabilities were disclosed during the first half of January. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. The...
Identity Theft Resource Center® to Release 15th Annual Data Breach Report; Launch Free & Paid Subscriptions to New Breach Tracking Tool
The release of the 2020 ITRC Data Breach Report and the launch of the ITRC’s data breach tracking tool support the Data Privacy Day 2021 initiative to help build trust among consumers and promote transparency around data collection practices. SAN DIEGO, January 13, 2021-...
WordPress Security Updates: December 2020
This article covers our public notifications related to major security issues our clients and the WordPress community should know about. We are always focused on prevention and the mitigation of risk to our clients, and keeping you updated here is part of that...
Website Security in The New Year 2021 – Are You A Cat Herder?
Concerned about WordPress security and would like someone to watch your back? If this sounds like you, then you are in the right place. Taking a vacation, or maybe your web designer has wandered away? Why worry about the dark side of the Internet? Let...
Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin
On November 19, 2020, our Threat Intelligence team responsibly disclosed two vulnerabilities in Orbit Fox by ThemeIsle, a WordPress plugin used by over 400,000 sites. One of these flaws made it possible for attackers with contributor level access or above to escalate...
Admin Notices Manager 1.1: choose which admin notices you see & which not
We can all agree that 2020 was a difficult year. That’s why we are excited to start 2021 with our very first update of the Admin Notices Manager plugin. In this update we added the ability to choose which type of admin notices to show as normal on the WordPress...
Interview with Ryan Dewhurst, founder of WPScan
Ryan Dewhurst is an ethical hacker and penetration tester who has dedicated many years to helping people in the WordPress community improve the security posture of their websites and protect them from malicious attackers. Ryan is the founder of WPScan, a free, black...
The Month in WordPress: December 2020
We bid goodbye to 2020 in style with the release of WordPress 5.6 and the launch of Learn WordPress. But these weren’t the only exciting updates from WordPress in December. Read on to learn more! WordPress 5.6 is here The latest major WordPress release, version 5.6...
How to safely add custom code to WordPress websites
Users are often looking for ways to tweak their websites, plugins and themes, or to add some modifications to an existing functionality. In most of these cases, you can do so by adding custom code to your WordPress website. There is nothing wrong with adding custom...
Who Attacked SolarWinds and Why WordPress Users Need to Know
Chloe Chamberland is a threat analyst and member of the Wordfence Threat Intelligence Team. She holds the following certifications: OSCP, OSWP, OSWE, Security+, CySA+, PenTest+, CASP+, SSCP, Associate of (ISC)2, CEH, ECSA and eWPT. Many of these are advanced...
SolarWinds and Supply Chain Attacks: Could it happen to WordPress?
The SolarWinds supply chain attack is all over the news, impacting government agencies, telecommunications firms, and other large organizations. The security firm FireEye was the first victim of the attack, disclosing that they had been hacked on December 8, 2020. On...