Tag: security

  • WordPress Not The Direct Cause Of Mass Site Attacks

    Sucuri has published more information regarding the compromising of at least 30,000 domains. Based on their research, they are ruling out the possibility that the attacks are taking advantage of a new vulnerability within the core of WordPress. The first question is how are these sites getting hacked? On all the cases we analyzed, they…

  • Sucuri Answers Your Malware Questions

    In what I think is a great service to anyone who operates a website, the security service Sucuri has started to publish articles containing answers to user-submitted questions. In their latest installment, they answer some general questions such as why anyone would want to hack your site, what they gain by attacking a website,…

  • Absolute Privacy Plugin Back In The Repository

    A few days ago, Sucuri mentioned that the Absolute Privacy plugin for WordPress contained a security vulnerability that would allow the ability to bypass the authentication mechanism and gain admin access to the application, that being WordPress. The plugin was subsequently pulled from the repository as there had not been any updates to fix the…

  • DreamHost Resets All FTP/Shell/VPS Account Passwords

    Knowing that a lot of people use DreamHost for their WordPress powered websites, it’s a bit unsettling to see that suspicious activity was detected within one of their databases and thus, passwords have been reset across FTP/Shell and VPS customer accounts. If you use DreamHost and have not been able to log in recently, this may…

  • WordPress 3.3.1 Fixes Security Exploit

    WordPress 3.3.1 was released last night and it addresses an important security issue discovered in WordPress 3.3. Along with the security fix, the release also fixes 15 issues that are outlined here. After I upgraded the Tavern website, I was a bit confused to see a number of things that were listed under the What’s…

  • Is Your WordPress Install Selling Handbags?

    If you administer a WordPress powered website, you might want to check the directory structure, especially WP-Content/Upgrade and WP-Content/Uploads, to see if you notice a folder called Tall. According to the folks at WPMU.org, one of their co-workers' websites became a victim of an attack that involved an entirely new WordPress installation being installed…

  • Dre Armeda On WordPress End-User Security

    From WordCamp Chicago 2011, a presentation by Dre Armeda, who is one of the guys behind the awesome security service/site Sucuri. His presentation contains a ton of information that all end users should take note of.

  • Naughty Plugins Caught And Removed From Repository

    Siobhan McKeown has published a disturbing yet not out of the ordinary article that explains how a couple of plugins were recently added to the plugin repository that were using a version of J-Query from J-Query.org which after investigation proved to be a fake website. The purported J-Query file was actually propagating sites with CPA…

  • VaultPress Now Supports WordPress Multisite

    VaultPress has announced that the latest edition of the plugin now supports WordPress Multisite. This has been a killer feature that owners of large multisite installs have been waiting for. VaultPress will automatically back up each site that is installed within the network. However, it must be noted that only the Network’s main site will have…

  • bbPress 2.0.1 Released – Fixes Anonymous Security Bug

    bbPress has released version 2.0.1 which is considered a maintenance release. However, if you have anonymous posting enabled, you’ll want to upgrade as soon as possible as this release addresses an issue where anonymous posters could potentially be able to edit topics and replies. If upgrading from 2.0, try upgrading through the dashboard as you…

  • The Aftermath Of The TimThumb Vulnerability

    Sucuri Security has a great post that begins to review the aftermath of the massive exploitation of the TimThumb image resizer script. According to their calculations, about a million pages have been compromised by the script, but when filtering down their results for the past thirty days, there were over 200,000 results. The exploitation…

  • WordPress Not The Choice For Multinational Search

    Chris Liversidge of Search Engine Land gives an explanation as to why WordPress is not his platform of choice when it comes to multinational search. I was with him up until the point he discussed security where he states that WordPress is plagued by frequent security updates. This is not true. Security within WordPress has…

  • Four Common Sense Ways To Improve Security On Your WordPress Powered Site

    Generally common sense material listed in the article but it’s always good to remind people about these techniques. As far as I’m concerned, just being in the know and having the awareness of what’s going on is half the battle. On a final note, while website security can seem daunting and intimidating, it’s something that…

  • See If You’re Secure With The Timthumb Vulnerability Scanner

    Not sure if any of the plugins or themes you have installed within your WP-Content directory contain the outdated version of TimThumb? Good news, there is a simple plugin that not only scans your content directory for the outdated version of the script, but also provides a link to quickly upgrade to the newer version.…

  • What’s The Best Way To Be Notified Of Theme And Plugin Updates?

    Joost de Valk, who is pretty popular these days, especially after the release of his Yoast SEO Plugin, tells us the story of how one of his sites was hacked because a theme containing the TimThumb vulnerability was not updated. If that were not interesting enough, Joost shares a statistic that doesn’t surprise me one…