Browsing all 200 articles

Websites Used As Part of WordPress Hacking Campaign Running Behind Cloudflare

Last week, we looked at the unfixed vulnerability in a WordPress plugin being targeted by a hacking campaign. What was also captured by our firewall’s logging when exploit attempts were stopped was the...

Attacker Adding Malicious Code to Legitimate WordPress Plugins in Plugin...

When it comes to vulnerabilities in WordPress plugins, they often go unnoticed for years, as was the case with a vulnerability we ran across in WooCommerce this week. But with another situation in the...

WordPress Plugin Developers Can Use security.txt Files to Aid in Getting...

In May, we found that numerous security providers had failed to catch that a vulnerability in the 100,000+ install WordPress plugin Genesis Block hadn’t been fully fixed. It was a good reminder of the...

Insights That Australia’s Report on Chinese Hacking Campaign Has for Securing...

This week the Australian government released an advisory focused on a Chinese hacking campaign, which includes a couple of case studies looking in to successful hacks. The information in the advisory...

WordPress Plugin Directory is Allowing Completely Unsupported Extraordinary...

For those looking to improve the security of WordPress websites, security plugins are often thought of as an important part of the solution. Just look at the install count of security plugins. What our...

Popular WordPress Plugins Get Low OpenSSF Scorecard Security Scores, But Does...

We recently introduced a Plugin Security Scorecard tool to promote better handling of security by the developers of WordPress plugins. A direct inspiration for this is the Open Source Security...

Do Low OpenSSF Scorecard Scores for Libraries Shipped With WordPress Plugins...

Yesterday, we discussed what we found when we tried to assess the value of OpenSSF Scorecard scores for WordPress plugins. OpenSSF Scorecard scores are supposed to “quickly assess open source projects...

WordPress Plugin Security Review: Plugin Vulnerabilities Firewall

As part of our new push to improve the security of WordPress plugins through our Plugin Security Scorecard tool, next month it is going to start lowering the grade for plugins if the developer isn’t...

WordPress Plugin Security Review: Lockdown Mode

As part of our push to improve the security of WordPress plugins, next month our Plugin Security Scorecard tool is going to start lowering the grade for plugins if the developer isn’t linking to the...

Hacker Targeting Vulnerability That Was in Shield Security WordPress Plugin

Last week, our own WordPress firewall plugin blocked an attempt to exploit a vulnerability in another security plugin, Shield Security. On the one hand, that should be shocking. A security plugin with...

WordPress Plugin Security Review: Plugin Vulnerabilities

As part of our push to improve the security of WordPress plugins, next month our Plugin Security Scorecard tool is going to start lowering the grade for plugins if the developer isn’t linking to the...

11 Month Wait for Security Fix for WordPress Plugin Highlights Value of...

In August of last year, we found that an update to a plugin coming directly from WordPress, Health Check & Troubleshooting, had introduced a couple of minor security issues. We reported those to...

Security Reviews and Software Bill of Materials (SBOMs) Should be Standard...

Recently, we have taken a renewed look at how to assess the security of WordPress plugins, as part of building up the capabilities of our new Plugin Security Scorecard tool. Right now, it is hard to...

WordPress is Telling People to Report Security Issues Through a Bug Bounty...

In August of last year, we noted a significant problem with reporting security issues with a WordPress plugin that comes directly from WordPress, Health Check & Troubleshooting, which has 300,000+...

WordPress Plugin Developer Security Advisory: Bill Minozzi

One of the little understood realities of security issues with WordPress plugins is that the insecurity of them is not evenly spread across those plugins. Instead, many developers are properly securing...

WordPress Generated Nonces Don’t Generally Provide CSRF Protection for Those...

We were recently looking into a somewhat convoluted situation with a vulnerability in a WordPress plugin. Part of investigating that involved checking on something involving usage of a nonce for those...

Hacker Tried to Exploit Our Website Based on Fake Vulnerability Claim From...

One differentiation between our WordPress firewall plugin and other firewall plugins is that we try to provide users with a good understanding of the risk posed by attacks, instead of scaring people...

Developer of Limit Login Attempts Reloaded Admits Brute Force Attacks Are Not...

There is a widespread belief that there are brute force attacks against WordPress admin passwords going on. Just one plugin, Limit Login Attempts Reloaded, which is focused on preventing those attacks,...

“Powerful Firewall Rules” Don’t Stop Exploitation of Reflected XSS...

As part of refining our new Plugin Security Scorecard tool, we are very interested in making sure that the grading provided by that is useful. As we noted last month, an inspiration for our own tool,...

WordPress Coding Standards is Failing to Warn About Missing Sanitization and...

One of the things that our new Plugin Security Scorecard uses to grade the security of WordPress plugins is a subset of the checks from our Plugin Security Checker. The subset is intended to be things...
