Tag: security

  • XSS Vulnerability: What to do if You Buy or Sell Items on Themeforest and CodeCanyon

    Earlier this week, one of the largest coordinated efforts between WordPress plugin authors, Sucuri, and the WordPress security team resulted in a number of popular plugins receiving security updates. Due to inaccurate information within the WordPress Codex, a number of developers improperly assumed the add_query_arg() and remove_query_arg() functions would properly escape user input. When combined,…

  • WordPress 4.1.2 is a Critical Security Release, Immediate Update Recommended

    WordPress 4.1.2 is available and is a critical security update for all previous versions of WordPress. The release has eight security fixes: one is high risk, three are medium-low risk, and the last four were added to harden WordPress. This is the first major security update to WordPress core since WordPress 4.0.1 released in…

  • XSS Vulnerability Affects More Than a Dozen Popular WordPress Plugins

    For the past week, security firm Sucuri has worked with the WordPress core security team to address a cross-site scripting vulnerability discovered in more than a dozen popular WordPress plugins. The vulnerability stems from the improper use of the add_query_arg() and remove_query_arg() functions. Inaccurate information within the WordPress Codex led many developers to assume…

  • Banking on WordPress: Matt Mullenweg Weighs in on Security Concerns

    If you follow WordPress topics on Quora, you may have noticed a popular question making the rounds regarding security. The question has been viewed more than 30,000 times: I am powering a bank’s website using WordPress. What security measures should I take? Ordinarily, such a question is a magnet for trollish responses and uninformed WordPress…

  • iThemes Patches Vulnerability that Affects All Versions of the iThemes Security Plugin

    iThemes has released new versions of iThemes Security and iThemes Security Pro to address a critical security vulnerability. Every version of both plugins is at risk, including Better WP Security 3.0. The vulnerability allowed potentially dangerous JavaScript to run when viewing 404 logs. When the 404 Detection feature is enabled, data about requests for non-existent…

  • Wordfence Premium Adds the Ability to Audit User Passwords in WordPress

    By utilizing the power of graphical processing units and partnering with Netriver, Wordfence can simulate a password cracking attempt using a library that contains more than 260 million passwords. The library is made up of previous hacks on major websites and services. For example, if your password was leaked during the LinkedIn hack in 2012,…

  • BuddyPress 2.2.2 Released Addresses Two Potential Security Issues

    BuddyPress 2.2.2 is available from the WordPress plugin directory. It fixes two potential security issues and has a few bug fixes. This is what is fixed in 2.2.2:

      • Activity: sanitize output of “Load More” link
      • Members: better nonce check on members widget
      • Core: improve filtering of wp_title

    The security issues were responsibly disclosed by Todd…

  • Get Email Alerts for Security Vulnerabilities in Your WordPress Plugins

    WordPress users have been subject to a rash of plugin vulnerabilities over the past couple of months. Some of these vulnerabilities have been so widespread that the FBI recently warned users of attacks designed to exploit WordPress sites. Not long after WordPress published its Security White Paper, an outbreak of issues popped up, starting with…

  • Critical Security Update For the WP REST API Plugin

    The WP REST API development team has released a critical security update. Rachel Baker, one of the lead developers of the WP REST API plugin says, “The release fixes a serious information disclosure vulnerability, which allowed for unpublished content and post revisions to be retrieved via the REST API.” The security vulnerability affects versions 1.2.0 and earlier. The security…

  • Persistent XSS Vulnerability Discovered in WP Super Cache Plugin

    The security team at Sucuri has issued an advisory for WordPress users who have the WP Super Cache plugin activated on their sites. The popular caching plugin contains a dangerous persistent XSS vulnerability that was promptly patched in its 1.4.4 release. Sucuri ranks the risk as “Dangerous” with a DREAD score of 8/10. Exploiting the…

  • FBI Warns of ISIL Defacement Attacks on WordPress Sites

    The FBI issued a public service announcement today, warning of WordPress website attacks being carried out by individuals sympathetic to the Islamic State in the Levant (ISIL), a.k.a. Islamic State of Iraq and al-Shams (ISIS). The perpetrators of these attacks are defacing sites across various platforms such as news organizations, businesses, government sites, and religious…

  • Slack Adds Two-Factor Authentication Support After Recent Security Breach

    Slack, which is used by thousands of people world-wide to communicate, recently suffered a security breach. According to Slack, the breach occurred during a four-day period in February. Hackers gained access to a central database used to store user names, email addresses, and one-way encrypted (“hashed”) passwords. In addition, the database contains information that users…

  • Jetpack 3.4 Adds Protection Against Brute Force Attacks

    Last August, Automattic acquired Parka, LLC, the makers of the BruteProtect security tool for WordPress, with the goal of integrating its features into Jetpack. The services provided in BruteProtect Pro were subsequently offered for free. Jetpack 3.4 was released today with brute force protection available to users via a new module called Protect. You can…

  • Hackers Hijack Fancybox Plugin to Deface WordPress Sites with ISIS Propaganda

    Last month a vulnerability was discovered in the Fancybox for WordPress plugin, making it possible for a hacker to inject an iframe into the website without needing administrator access. Although the issue was promptly patched, a string of seemingly random WordPress websites were recently compromised using this vulnerability. Hackers claiming to be acting on behalf…

  • Pods Framework Security Release Fixes Severe Vulnerability

    Last week a blind SQL injection vulnerability was discovered in Yoast’s popular WordPress SEO plugin. Given the severity of the vulnerability and the fact that the plugin is installed on more than one million WordPress sites, the security team at WordPress.org pushed a forced update to mitigate the possibility of mass exploitation. Following this incident,…