WordPress 3.5.1 Released

January 24, 2013 by 2 Comments

The WordPress team just pushed out a new version of WordPress (3.5.1) that has some security bugs fixed. Straight from their release post, these are the security changes:

  1. A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions. This was fixed by the WordPress security team. We’d like to thank security researchers Gennady Kovshenin and Ryan Dewhurst for reviewing our work.
  2. Two instances of cross-site scripting via shortcodes and post content. These issues were discovered by Jon Cave of the WordPress security team.
  3. A cross-site scripting vulnerability in the external library Plupload. Thanks to the Moxiecode team for working with us on this, and for releasing Plupload 1.5.5 to address this issue.

There weren’t many changes in this release, but these are all the modified files:


Read More

Filed Under: WordPress Tagged With:

WordCamp Las Vegas 2012 – Tony Perez: WordPress Security – Dealing with Today’s Hacks

January 16, 2013 by Leave a Comment

Here is a great presentation given by Tony Perez our COO in October of 2012 at WordCamp Las Vegas:

Filed Under: presentation, sucuri, videos, WordPress Tagged With: , , , , ,

W3 Total Cache Implementation Vulnerability

December 25, 2012 by 9 Comments

Just in time for Christmas, it was announced on the full disclosure list a security (configuration/implementation) bug on W3 Total cache (W3TC), one of the most popular WordPress plugins.

The issue is connected to the way W3TC stores the database cache (in a public accessible directory). It can be used to retrieve password hashes and other database information.

By default the plugin will store the caches inside /wp-content/w3tc/dbcache/ and if you have directory listing enabled, anyone can browse to yoursite.com/wp-content/w3tc/dbcache/ and download them. The second issue is that even if you don’t have directory listing enabled, it is still possible to guess those directories/files in order to extract the database cache queries and results.

Read More

Filed Under: plugins, vulnerability, WordPress Tagged With: , ,

Website Malware – Sharp Increase in SPAM Attacks – WordPress & Joomla

December 14, 2012 by 12 Comments

This past week we have seen a sharp increase in the use of old tactics designed to poison your search engine results – also known as Search Engine Poisoning (SEP) attacks. If you use our free scanner, SiteCheck, you’ll likely see something like the following:

Sucuri - ViewState Infection

You’re probably wondering, what the heck, how is that SEO SPAM? Allow me to explain what this is doing.

Read More

Filed Under: awareness, joomla, Malware, malware cleanup, research, security, Spam, sucuri, WordPress Tagged With: , , , , ,

WordPress 3.5 Released

December 11, 2012 by 1 Comment

Update like it’s hot!

Today marks the release of WordPress 3.5 (Named Elvin after jazz drimmer Elvin Jones), a major release this year for the WordPress project.

WordPress 3.5

This release highlights some very significant changes to anything from the JavaScript libraries being used, to a brand new Media Manager. Although there are no security fixes highlighted, there were various bugs fixed along with the newly added features.


Read More

Filed Under: security, sucuri, updates, WordPress Tagged With: , , ,

Sucuri SiteCheck Malware Scanner Plugin for WordPress

December 7, 2012 by 5 Comments

If you’re a WordPress user, love our free SiteCheck scanner, or already use our free SiteCheck Malware Scanner Plugin for WordPress, we have an update for you.

Sucuri Security - SiteCheck Malware Scanner

Read More

Filed Under: Malware, plugin, security, SiteCheck, sucuri, WordPress Tagged With: , , , , , , ,

Out-of-date Software Affects Websites Big and Small

November 5, 2012 by 3 Comments

Last week we published an article listing some big and popular websites that were leaking information about their users via the Apache server-status page. We also published a full list of sites that had this option enabled on our Labs project: URLFind.org.

On URLFind, we list a lot more details than just the sites that have server-status enabled. You can easily find sites that are running outdated versions of WordPress, Joomla or even vBulletin. We also index sites that are still running PHP 4 (outdated and not supported) and other potentially unsafe configurations and servers.

Message to all webmasters

After we published the blog post with the server-status issue, almost all of the sites got fixed (well, excluding Staples and Ford), which I don’t think they would have without that small push (walk of shame).

We are hoping that by shedding a bit more light to this already publicly exposed dilemma, webmasters will take note and update their sites and servers as soon as they can.

Read More

Filed Under: apache, iis, research, sucuri, vulnerability, WordPress Tagged With: , , , , ,

WordPress Security Hangout – Grand Rapids WP Meetup

October 19, 2012 by 1 Comment

Every now and then, trying to summarize a conversation doesn’t do it any justice. Here is the discussion in its entirety between Dre Armeda, Mark Jaquith and I, Tony Perez, for the recent Grand Rapids WP Meetup. As you might imagine, it’s about WordPress Security:

It’s lengthy, true, but it covers a number of subjects. Everything from passwords, their management, to hardening and appropriate security controls.

If you’re not familiar with Mark Jaquith, you should be. He has been actively engaged in the WordPress community for 8 years +, is a lead developer for the project and has contributed countless patches to the core, many addressing security issues. If you’re looking for development advise or for a third party audit of your code then he’s about as good as it gets, be sure to check him out at http://coveredwebservices.com/

Filed Under: awareness, corporate, security, sucuri, WordPress

Is WordPress.com SPAM Campaign Due to Compromise?

October 16, 2012 by 6 Comments

*****Updated – 20121019*****

Both Matt Mullenweg and Barry Abrahamson, System Wrangler with Automattic, have confirmed that there was not an environmental compromise and everything was isolated to individual user accounts.

Per their incident handling process they identified a brute force like attack which made use of a list of compromised email / password combinations derived from a third-party application[s].

People often use the same username and password on different sites, even though we all know we shouldn’t. If a password on a smaller site is compromised bad guys try it against the big ones like Twitter, Facebook, and WordPress.com. If anything bad happens to a WP.com user we get in touch with them as soon as possible to assist them. – Automatic.com

At this point it’s unclear of the severity, as WordPress.com has not released anything public, but I would say the odds are not in their favor.

The Hacker News (THN) put out an article this morning titled: 15000 WordPress Blogs Hacked For making Money From Survey.

WordPress.com Spam

Naturally my first reaction was, meh, it’s likely a fluke of some kind, but as I read it I became more suspicious. It all started with this email:

Read More

Filed Under: awareness, communications, security, Spam, sucuri, WordPress Tagged With: , , , , ,

Dealing with WordPress Malware

October 11, 2012 by 8 Comments

A few months back I contributed to a post with Smashing Magazine on the top 4 WordPress Infections, it was released yesterday, and it couldn’t have been at a better time. If any one attended WordCamp Las Vegas you might even find some similarities. Fortunately in the process of preparing for the event and working with the team, we were able to compile a bit more information expanding on the things we originally discussed in the last post. It’s perfect timing for a number of reasons, and will complement this post very nicely.

WordPress Malware
The idea of this post, like many in the past, is to outline and discuss this past weekend’s presentation. In the process, hopefully you take something away. Unfortunately, the presentation was capped off with a live attack and hack, and I won’t be able to include that in this post, but I promise it’s coming.

**Note: If you plan to be at WordCamp Philadelphia 2012 you might be in for some treats, just saying. And if you don’t have it on the calendar, you should.

Read More

Filed Under: awareness, blacklisted, google, hacked, htaccess, Learn, Malware, phishing, php, plesk, protection, Redirects, research, security, SiteCheck, Spam, sucuri, vulnerability, WordPress Tagged With: , , , , ,
«Older Posts
Newer Posts»