WP-CLI Guide: Secure Plugin & Theme Management


Welcome to our third post on WP-CLI for secure WordPress management over an SSH command line interface. In our previous two articles, we discussed how to connect to WordPress over SSH, and then how to back up & update WordPress securely.

Like other open-source content management systems, WordPress lets you easily add code to make your website look and act differently. These are your themes and plugins, built by inspired developers and designers who understand how WordPress works. These extensions let you publish content with added functionality for your visitors and give your brand its unique look.

The people who build these extensions know quite a bit about internet technology when it comes to user experience, but there are simply too many ways to break a website. Every developer should be ready to deal with a security flaw by patching it and notifying users that an update is available.

Security is not the core competency for most developers and designers. Even the most secure code in the world has flaws that can allow an attacker to gain unauthorized access.


WordPress Themes: XSS Vulnerabilities and Secure Coding Practices

As many might imagine, my life revolves around Information Security. If you’re like me, you’re undoubtedly seeing all these new posts talking about insecurities in WordPress themes, specifically a plethora of Cross-Site Scripting (XSS) vulnerabilities. Surprise, surprise, right? Yeah, no, not so much.

WordPress Theme XSS Vulnerabilities

Here are some of the posts I am referring to:


Information Leakage on multiple WordPress themes by WooThemes

This weekend there was a post on the Full disclosure list about multiple vulnerabilities on some WordPress themes by WooThemes. This is what the message said:

The following themes by WooThemes are vulnerable: Live Wire (all three themes from the Live Wire series), Gotham News, Typebased, Blogtheme, VibrantCMS, Fresh News, The Gazette Edition, NewsPress, The Station, The Original Premium News, Flash News, Busy Bee, Geometric…

In different themes there is test.php (a script with phpinfo()), which leads to Information Leakage (disclosure of FPD and other important information about the server) and XSS (in PHP < 4.4.1, 4.4.3-4.4.6).

So what exactly is going on? Basically, these themes ship a “test.php” file that prints the output of phpinfo(), leaking internal information about the server (internal paths, loaded modules, versions, etc.). This information leakage is not serious by itself, but it helps an attacker who is trying to compromise the site. The other issue (XSS, cross-site scripting) is a bug in PHP 4 itself and does not affect anyone using PHP 5 (which I hope is everybody).

So, if you are using any of those themes, it is a good idea to remove this test.php file, since debugging code shouldn’t be on production sites. If you are still running PHP 4, you have bigger issues than this XSS/information leakage; we recommend getting your software up to date.
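To find leftover debug scripts like the one above on a server you administer, here is an added shell check (it is not part of the original post or of WooThemes). It goes slightly beyond the advisory by flagging any .php file under the themes directory that calls phpinfo(), not only files named test.php; the directory layout and sample files are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post. Lists theme files that call
# phpinfo() so leftover debug scripts can be reviewed and removed.
# Assumes the usual layout: <docroot>/wp-content/themes/<theme>/...

# find_phpinfo_stubs THEMES_DIR
# Prints one path per offending file, relative to THEMES_DIR, sorted.
find_phpinfo_stubs() {
  themes_dir="$1"
  if [ ! -d "$themes_dir" ]; then
    echo "not a directory: $themes_dir" >&2
    return 2
  fi
  find "$themes_dir" -type f -name '*.php' | sort | while read -r f; do
    # Case-insensitive, tolerates "phpinfo ()". A commented-out call is
    # flagged too, so inspect each hit before deleting anything.
    if grep -qi 'phpinfo[[:space:]]*(' "$f"; then
      printf '%s\n' "${f#"$themes_dir"/}"
    fi
  done
}

# Constructed sample tree (hypothetical theme names, not real themes).
make_sample_tree() {
  root="$1"
  mkdir -p "$root/themes/alpha" "$root/themes/beta/inc" "$root/themes/gamma"
  printf '<?php phpinfo(); ?>\n'      > "$root/themes/alpha/test.php"
  printf '<?php\n  PhpInfo ();\n'      > "$root/themes/beta/inc/test.php"
  printf '<?php echo "harmless";\n'    > "$root/themes/gamma/test.php"
  printf '<?php phpinfo();\n'          > "$root/themes/gamma/functions.php"
}

demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
find_phpinfo_stubs "$demo_dir/themes"
rm -rf "$demo_dir"
```

On a real install, point it at wp-content/themes (and wp-content/plugins if you want) instead of the sample tree.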

Running WordPress? Scan your site for free to see if it has any malware or security issues: http://sitecheck.sucuri.net