Tag: security

  • Better WP Security To Be Renamed, Undergoes Major Changes

    If you use the Better WP Security plugin, keep an eye out for an important update next week. According to iThemes, the plugin will be renamed to iThemes Security to be more in line with the other products in the iThemes family. Because of the name change, users will need to re-activate the plugin after…

  • Akismet Update Adds Security and Anti-Spam Improvements

    Last week, we wrote about a report published by Sucuri that explained how 162,000 clean WordPress sites were used in a DDoS attack through the pingback functionality of XML-RPC. Alex Shiels, who works on Akismet, mentioned on Twitter that the security team was working on a solution. An update to Akismet is now available containing bug…

  • How To Prevent WordPress From Participating In Pingback Denial of Service Attacks

    Security research firm Sucuri is reporting more than 162,000 WordPress sites were used in a distributed denial of service attack. Compromised machines or websites are generally used to facilitate these types of attacks but in this case, clean WordPress sites were used via XML-RPC. XML-RPC is used in WordPress as an API for third-party clients…

  • WPWeekly Episode 140 – Dre Armeda And Tony Perez Of Sucuri

    In this episode of WordPress Weekly, we dived deep into the topic of security, especially as it relates to WordPress. Dre Armeda and Tony Perez of Sucuri joined me on the show to talk about the formation of the company, the history behind the name, and provided advice on how to protect your WordPress site.…

  • How To Redirect Automatic Update Email Notifications In WordPress

    One of the biggest features to land in WordPress 3.7 was automatic updates. When automatic updates are completed, an email notification is sent to the address specified within Settings > General, which is typically the website administrator. However, if you maintain websites for clients, you probably want those notifications to be forwarded to you and…

  • Better WordPress Security Plugin Gets Major Update To Address Security Vulnerabilities

    Chris Wiegman of iThemes has announced the latest update to the Better WP Security plugin contains fixes for vulnerabilities discovered in 3.6.3. The updates address compatibility with InfiniteWP, the removal of their in-dashboard support form, and FooPlugins support form code. While support for InfiniteWP was removed in 3.6.4, it’s been restored in 3.6.5 as they…

  • This Week On WPWeekly: Dre Armeda and Tony Perez of Sucuri Security

    Tony Perez and Dre Armeda of Sucuri Security will be our special guests on this week’s edition of WordPress Weekly. We’ll spend the majority of the episode talking about WordPress security and what users can do to protect themselves against the bad guys. We’ll also figure out why the company was founded and what trends…

  • Duo Security Plugin Vulnerability Affecting A Subset Of WordPress Multisite Networks

    Duo Security is a business that provides two-factor authentication services across multiple platforms. Late last week, the company announced on their blog they discovered a security vulnerability in their WordPress plugin. According to Duo, the vulnerability only affects WordPress Multisite installations where the plugin is enabled on an individual per-site basis. The vulnerability may allow…

  • Large Bruteforce Attack Against WordPress Sites Starting To Subside

    Security company Wordfence is reporting that the large distributed brute force attack on WordPress sites is starting to subside. On the morning of February 10th, employees noticed a large increase in the volume of attacks. Their real-time activity map was showing so much activity, they had to throttle the amount of data displayed. I asked…

  • WordPress Service Provider BruteProtect Secures Funding, Forms Parka LLC

    BruteProtect, the cloud-powered brute force attack prevention service that we wrote about back in July of 2013, has successfully closed a seed round of venture capital funding with a private angel investor in California. Jesse Friedman, who previously worked for Astonish, has been hired on as the director of innovation. BruteProtect is looking to hire…

  • WordPress Theme OptimizePress Contains Security Vulnerability

    Osirt, a malware security company, is reporting that the WordPress theme OptimizePress contains a significant security vulnerability. According to the security bulletin published a few days ago, the problem lies within the Media-upload.php file. When a browser loads this file within the theme, the media upload screen appears. From here, malicious users can upload php…

  • Encouraging WordPress Plugin Developers To Create A Sensible Release Strategy

    It’s a phrase that’s all too common in open source software development: “iterate quickly, release often”. The idea that any time a bug is fixed or an improvement is made that those fixes should be pushed out immediately to the end-user. The process is wonderful for companies operating under the Software As A Service umbrella…

  • Themify Announces Security Vulnerability With Fix

    Themify has announced that they have discovered and confirmed a vulnerability in their framework. The vulnerability stems from an insecure file named themify-ajax.php. The fix was released on November 9th, 2012, but the auto upgrade process failed to delete the file. Themify states they have “recently received several reports of intruders using themify-ajax.php to upload…

  • Changing The WordPress Admin Username During Installation

    One of the security tips you’ll come across often is immediately deleting the admin user after installation and creating a new user, then assigning that user the administrator role. This is something I wish the core team would address so that during the installation of WordPress, users would be able to choose their own username…

  • Mollom Security Breach

    Over the weekend, I received an email from Mollom notifying me that they had discovered a security breach. According to their official blog post on the matter, the breach was discovered on August 21st. Mollom is a service managed by Acquia, a commercial open source software company providing products, services, and technical support for the…