Category Archives: WordPress Security

Hacking 27% of the Web via WordPress Auto-Update

At Wordfence we continually look for security vulnerabilities in the third-party plugins and themes that are widely used by the WordPress community. In addition to this research, we regularly examine WordPress core and the related wordpress.org systems. Recently we discovered a major vulnerability that could have caused a mass compromise of the majority of WordPress sites.

The vulnerability we describe below may have allowed an attacker to use the WordPress auto-update function, which is turned on by default, to deploy malware to up to 27% of the Web at once.

Choosing the most damaging target to attack

The api.wordpress.org server (or servers) has an important role in the WordPress ecosystem: it releases automatic updates for WordPress websites. Every WordPress installation makes a request to this server about once an hour to check for plugin, theme, or WordPress core updates. The response from this server contains information about any newer versions that may be available, including whether the plugin, theme or core needs to be updated automatically. It also includes a URL to download and install the updated software.


Compromising this server could allow an attacker to supply their own URL to download and install software to WordPress websites, automatically. This provides a way for an attacker to mass-compromise WordPress websites through the auto-update mechanism supplied by api.wordpress.org. This is all possible because WordPress itself provides no signature verification of the software being installed. It will trust any URL and any package that is supplied by api.wordpress.org.


WordPress powers approximately 27% of all websites on the Internet. According to the WordPress documentation: “By default, every site has automatic updates enabled for minor core releases and translation files.” By compromising api.wordpress.org, an attacker could conceivably compromise more than a quarter of the websites worldwide in one stroke.

Below we describe the technical details of a serious security vulnerability that we uncovered earlier this year that could compromise api.wordpress.org. We reported this vulnerability to the WordPress team via HackerOne. They fixed the vulnerability within a few hours of acknowledging the report. They have also awarded Wordfence lead developer Matt Barry a bounty for discovering and reporting it…

Read the article: Hacking 27% of the Web via WordPress Auto-Update – Wordfence

How To Future-Proof Your WordPress Website In 4 Easy Steps

Future-proofing your site is an aspect of site development that many users neglect until it’s too late. It’s a simple process that shouldn’t eat into your schedule too much. In any case, the benefits far outweigh the additional time spent keeping on top of it all.

In this post, the author suggests four important steps to help you future-proof your site:

  1. Sign up with a reputable hosting provider.
  2. Create regular backups of your website.
  3. Select themes and plugins from trustworthy developers.
  4. Use a child theme to preserve your changes.

Read the full article: How to Future-Proof your Website in 4 Easy Steps >

Source: How To Future-Proof Your WordPress Website In 4 Easy Steps | @thetorquemag

Wordfence Announces New Firewall

This morning at 9am Pacific time we rolled out a new kind of firewall to over 1 million active WordPress websites. It comes with a Threat Defense Feed that updates our firewall as new threats emerge. It also continuously updates our malware scan as we discover new malware patterns through our forensic research.

If you have auto-update enabled in Wordfence, you will automatically be upgraded to 6.1.1 today, which includes the new features. You can update manually by signing into your WordPress site and upgrading Wordfence to 6.1.1, or you can download Wordfence from the official WordPress plugin repository.

Read the full article >

The Panama Papers

Mossack Fonseca (MF), the Panamanian law firm at the center of the so-called Panama Papers breach, may have been breached via a vulnerable version of Revolution Slider. The data breach has so far brought down the Prime Minister of Iceland and surrounded Russian President Putin and British Prime Minister David Cameron with controversy, among […]

Source: Mossack Fonseca Breach – WordPress Revolution Slider Plugin Possible Cause – Wordfence
