Tag: security

  • WordPress MailPoet Plugin Security Vulnerability: Immediate Update Recommended

    The security research team at Sucuri has discovered a vulnerability in the popular WordPress MailPoet Plugin, formerly known as WYSIJA Newsletters. The bug leaves MailPoet open to an attack wherein a file can be uploaded remotely without authentication. Sucuri is classifying this as a serious vulnerability and recommends an immediate update for anyone using the…

  • Pods Framework For WordPress Releases Update To Patch Security Vulnerability

    The developers of Pods, a popular WordPress plugin used to create and extend custom post types, content types, taxonomies, users, media, or comments, have released an update that addresses a critical security vulnerability. Version 2.4.3 and all previous versions of the plugin have been patched in case you can’t upgrade to the latest version immediately.…

  • WordPress Security Alert: New Zero-Day Vulnerability Discovered in TimThumb Script

    Security vulnerabilities have plagued the TimThumb script for years. It is most commonly used in cropping, zooming and resizing images in WordPress themes. After the large scale attacks launched against the script a few years ago, one might think that theme and plugin developers would be less likely to continue building with it. However, this…

  • Clef Partners With Softaculous To Provide 2-Step Authentication For Automated WordPress Installs

    Clef, the two-step authentication service that replaces usernames and passwords, has announced a strategic partnership with Softaculous. Softaculous is similar to Fantastico in that it contains several scripts that can be auto-installed on a web hosting account. The partnership enables automated WordPress installs from Softaculous to have Clef support out of the box. In one…

  • bbPress 2.5.4 Security Release Available: Immediate Update Recommended

    If you have a WordPress site with a bbPress-powered forum, you may want to set aside a few minutes this weekend to perform updates. bbPress 2.5.4 was released today with five bug fixes, including an important fix for a security vulnerability. bbPress project lead John James Jacoby announced the release, crediting IT Security Researcher Mazen…

  • WordPress Plugin All In One SEO Releases Important Security Update

    The popular All In One SEO Plugin for WordPress has released an update addressing two security issues discovered by Sucuri during a security audit. According to Sucuri, one of the vulnerabilities can be used to escalate privileges while the other deals with Cross Site Scripting attacks. A logged-in user who doesn’t have administrative capabilities is…

  • WPWeekly Episode 150 – Interview With Ryan Vaughn, CEO Of Varsity News Network

    We started the show off with Andrew Nacin where he clarified a number of points dealing with the WordPress.com Cookie problem. He also published a great post explaining why security is nuanced. The second part of the show featured an interview with Varsity News Network CEO, Ryan Vaughn, to discuss how the company is utilizing…

  • WordPress.com Security Vulnerability Stirs Debate Over Responsible Disclosure

    Late last week, Yan Zhu, a Staff Technologist for the Electronic Frontier Foundation, publicly disclosed a security vulnerability she discovered with WordPress.com and how it handles cookies. More specifically, she discovered the “wordpress_logged_in” cookie being sent in the clear to a WordPress authentication endpoint. She was able to use the authenticated cookie to publish blog…

  • WooThemes Continuing To Investigate Reports Of Fraudulent Activity

    WooThemes is continuing to investigate a handful of reports of fraudulent activity on customers’ credit card accounts. The company worked with Sucuri, who conducted a code audit and discovered three modified files on their server pointing toward an attack. WooThemes has published a blog post explaining the steps they’ve taken to prevent this incident from…

  • WordPress 3.8.3 Released, Fixes Quick Draft Bug

    WordPress 3.8.3 was released today and fixes a pesky bug introduced in WordPress 3.8.2. As we reported a few days ago, one of the security fixes in 3.8.2 caused the Quick Draft dashboard widget to break. Auto-drafts created through the widget were not being promoted to draft status. When a title and content were added…

  • WPWeekly Episode 145 – An OMGBBQWTF Kind Of Week

    Marcus Couch and I were joined by Eric Mann to discuss the news of the week. After the news, we discussed in-depth a few of the core proposals Mann has published on his blog. We covered the following three WordPress core proposals: Data Service Portability Offline Editor After speaking with Mann, it’s clear he puts…

  • Recent Update To Wordfence Security Breaks WordPress Mobile Apps

    With the release of WordPress 3.8.2, some users are reporting on the WordPress.org support forum that the update disabled XML-RPC, causing mobile apps to break. Many of those who are reporting the issue have one thing in common: they’re using the Wordfence Security plugin. With over 1.5 million downloads, Wordfence Security is a popular plugin…

  • WPWeekly Episode 144 – WordPress Security Roundtable

    This episode of WordPress Weekly featured a panel of four individuals helping to make the web a safer place: Chris Wiegman – Lead Developer of iThemes Security; Regina Smola – Founder of WPSecurityLock; Brennen Byrne – Founder and CEO of Clef; Sam Hotchkiss – Founder of BruteProtect. We discussed a number of topics such as…

  • iThemes Working Fast To Fix Users’ Upgrade Woes

    Last week, we reported the Better WordPress Security plugin would be renamed to iThemes Security. We also shared important details to prepare users for the upgrade. Because of the name change, users needed to re-enable the plugin or risk seeing errors. Despite the beta testing period, the upgrade process hasn’t gone smoothly for some users.…

  • Why Showing The WordPress Username Is Not A Security Risk

    When we talk about the basics of WordPress security, we always tell you to use a very strong password. The recently added password strength meter helps to facilitate the process. But what about usernames? WordPress offers a way to change your display name which acts as a username alias. However, it doesn’t hide the username…