Tag: passwords

  • WordPress 5.7 Lets Administrators Send Password Reset Links

    It’s that time in the release cycle when all the dev notes are rolling out ahead of the next major update. These notes include technical summaries of all the goodies coming in the next release. If you haven’t been paying close attention, there are always a few happy surprises in there that pop up as…

  • Disqus Data Breach Affects 17.5 Million Accounts

    Disqus, a comment management and hosting service, has announced it suffered a data breach that affects 17.5 million users. A snapshot of its database from 2012, with information dating back to 2007 and containing email addresses, usernames, sign-up dates, and last login dates in plain text, was exposed. Passwords hashed with the SHA1 algorithm and a salt…

  • Cloudflare Memory Leak Exposes Private Data

    Cloudflare, a content distribution network used by many popular sites, published detailed information about a security vulnerability that leaked user information, some of which was private, including passwords, private messages, etc. The vulnerability was discovered by security researcher Tavis Ormandy, a member of Google’s Project Zero team. The issue stems from a memory leak in…

  • WPML Confirms It Did Not Have a Security Breach

    When WPML emailed new passwords to customers in plaintext, some customers thought it was due to a security breach. Amit Kvint, compatibility team leader for WPML, confirmed the emails are not a result of a security breach. In a post on the official WPML blog, Kvint says the emails were a preventive measure to ensure…

  • WPML Emails Passwords to Affected Customers in Plaintext

    Customers who purchased WPML, a multilingual plugin for WordPress, are receiving a suspicious email that looks similar to a phishing attempt. Matt Radford, a customer of WPML, kindly sent the Tavern a copy of the email. Dear Matt, We want to make sure that your WPML account remains secure. For this, we are updating all…

  • WordPress 4.3 “Billie” Named After Jazz Singer Billie Holiday Is Available for Download

    After four months of development led by Konstantin Obenland, WordPress 4.3 “Billie”, named after jazz singer Billie Holiday, is available for download. This release features menus in the customizer, strong passwords by default, site icons, and a variety of other improvements. Menus in the Customizer: You can now create, add, and edit menus in the customizer…

  • Wordfence Premium Adds the Ability to Audit User Passwords in WordPress

    By utilizing the power of graphical processing units and partnering with Netriver, Wordfence can simulate a password cracking attempt using a library that contains more than 260 million passwords. The library is made up of previous hacks on major websites and services. For example, if your password was leaked during the LinkedIn hack in 2012,…

  • phpBB.com Compromised, Users Should Change Their Passwords

    phpBB.com, which hosts the popular open source forum software phpBB, has been compromised. On Dec. 14th, members of the development team discovered several web servers that power the website were compromised and immediately suspended operations. Users are not at risk as the phpBB software is not affected. According to an ongoing investigation, initial entry was…

  • iThemes Confirms it Stored Customer Passwords in Clear-Text

    The CEO of iThemes, Cory Miller, published a second update concerning the security breach that occurred on Tuesday. After news of the breach, customers were left wondering whether or not their passwords were stored in clear-text. The latest update confirms that passwords were in fact stored in clear-text and affected approximately 60,000 customers. There is…

  • iThemes Suffers Security Breach, Customers Urged To Reset Passwords

    iThemes published details on a security breach that took place earlier today. According to the announcement, after noticing suspicious activity, they noticed a significant attack on their membership database. iThemes urges all customers to reset their passwords immediately. To protect accounts from any unauthorized access, iThemes has temporarily reset all user passwords. To regain access…

  • Why Showing The WordPress Username Is Not A Security Risk

    When we talk about the basics of WordPress security, we always tell you to use a very strong password. The recently added password strength meter helps to facilitate the process. But what about usernames? WordPress offers a way to change your display name which acts as a username alias. However, it doesn’t hide the username…

  • Changing The WordPress Admin Username During Installation

    One of the security tips you’ll come across often is immediately deleting the admin user after installation and creating a new user, then assigning that user the administrator role. This is something I wish the core team would address so that during the installation of WordPress, users would be able to choose their own username…

  • BruteProtect – Protecting Against Brute Force Attacks

    I recently received a hat tip from a happy user of the BruteProtect plugin and decided to give it a try myself. The only configuration that is necessary for BruteProtect is to apply a free API key to communicate with the service. If you’re using the Limit Login Attempts plugin to block unsuccessful login attempts,…

  • New Company Releases Evil WordPress Plugin

    Earlier today on Twitter, WordPress community member Travis Ballard @Ansimation published a link to a plugin that will have people thinking twice before they sign up to a WordPress based website. Ironically, it’s called WPEvil and saves passwords into plain text instead of hashes. One thing I’ve learned over the years is that passwords are…

  • A Closer Look At Brute Force Attacks Against WP Sites

    Perhaps one of the easiest attacks to perform on a WordPress based website is a brute force attack. Sucuri took the time to create a few different honeypots and monitored WP-Login.php to track the various IP addresses as well as the passwords used to break into the site. Their list of passwords attempted is no…