PHP 8: What WordPress Users Need to Know

WordFence News 1

PHP 8.0 is set to be released on November 26, 2020. As the programming language powering WordPress sites, PHP’s latest version offers new features that developers will find useful and improvements that promise to greatly enhance security and performance in the long run. It also fully removes a number of previously deprecated functions. PHP 8 […]

Episode 96: Hosting Provider Failures and Incident Response Preparedness

WordFence News 1

Two hosting providers experienced outages this week. GoDaddy had a brief outage affecting numerous systems on Tuesday, November 17. Managed.com had an extensive outage due to ransomware that affected all systems. We discuss what types of incident response preparations site owners should consider when events beyond their control occur. We also discuss a large-scale attack […]

Wordfence Site Cleaning Guarantee Extended to 1 Year

WordFence News 1

Today, we’re pleased to announce that all customers of Wordfence site cleaning services receive an annual clean site guarantee. If your site is compromised again after our team has cleaned and secured your WordPress site, we’ll clean it again for free. Additionally, we’re expanding our Security Services Team coverage to 24/7 effective immediately. The Wordfence […]

Large-Scale Attacks Target Epsilon Framework Themes

WordFence News 1

On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites […]

Episode 95: Critical Privilege Escalation Vulnerabilities Affect Over 100K WordPress Sites

WordFence News 1

Three critical privilege escalation vulnerabilities in the Ultimate Member plugin put over 100,000 sites at risk. We also talk about the Page Experience metric to be added as a ranking signal for Google search in May 2021 and what this means for WordPress sites using page builders or Gutenberg. Microsoft warns against using telephone/SMS-based multi-factor […]

Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin

WordFence News 1

On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site. We initially reached out to the plugin’s developer on October […]

Episode 94: Hosting Provider Exposed 63 Million Customer Records

WordFence News 1

A hosting provider exposed over 63 million customer records via an open elastic search database containing verbose logs with plain-text username/password credentials for numerous WordPress, Magento and other sites. We also talk about the security updates in WordPress 5.5.2/5.5.3 and the accidental 5.5.3-alpha autoupdate. We talk about object injection vulnerabilities like the one discovered in […]

Object Injection Vulnerability in Welcart e-Commerce Plugin

WordFence News 1

On October 6, 2020, our Threat Intelligence team discovered a High-Severity Object Injection vulnerability in Welcart e-Commerce, a WordPress plugin with over 20,000 installations that claims top market share in Japan. After we finished our investigation, we contacted the plugin’s publisher, Collne Inc. on October 9, 2020. Full disclosure was sent on October 12, 2020, […]

Unpacking the WordPress 5.5.2/5.5.3 Security Release

WordFence News 1

On Thursday, October 29, the WordPress core team released WordPress version 5.5.2. This was a minor release containing bug fixes and security enhancements to the core WordPress content management system powering over one-third of the internet. There was a subsequent 5.5.3 release one day later; you can read about the emergency WP 5.5.3 release here. […]

Emergency WP 5.5.3 Release

WordFence News 1

The WordPress core team has released an emergency release of WordPress 5.5.3, just one day after the release of version 5.5.2. This emergency release was done to remedy an issue introduced in WordPress 5.5.2 making it impossible to install WordPress on a brand new website without a database connection configured. In preparing for this emergency […]

Trump Campaign Site Hacked – What We Know & Lessons Learned

WordFence News 1

On October 27, 2020 at approximately 4:50pm Mountain Time, Donald Trump’s campaign website, www.donaldjtrump.com, was defaced. The attackers left a message claiming they had compromising information on President Trump. The defacement page contained two Monero cryptocurrency wallet IDs encouraging visitors to “vote” by sending cryptocurrency to the wallets, indicating that if the first wallet received […]

Introducing Wordfence Central Teams

WordFence News 1

Last year, we introduced Wordfence Central and today thousands of WordPress site owners are using this free tool to manage their WordPress sites. Whether you’re using Wordfence Premium or still on the free plugin, Wordfence Central makes it possible for you to manage your sites’ security settings, tune your security alerts, and quickly assess security […]

Episode 92: WordPress Forced Security Autoupdate Protects Sites from Loginizer Vulnerability

WordFence News 1

An easily exploitable SQL injection vulnerability was discovered in the Loginizer plugin installed on over one million WordPress sites, causing the WordPress team to force an update to sites using the vulnerable version. The Justice Department is filing antitrust suit against Google for allegedly monopolizing search and search advertising markets. Google Chrome gets an update […]

High Severity Vulnerability Patched in Child Theme Creator by Orbisius

WordFence News 1

On September 9, 2020, our Threat Intelligence team discovered a vulnerability in Child Theme Creator by Orbisius, a WordPress plugin installed on over 30,000 sites. This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an […]

Episode 90: WPBakery Plugin Vulnerability Exposes Over 4 Million Sites

WordFence News 1

A vulnerability discovered by the Wordfence Threat Intelligence team in the WPBakery plugin exposes over 4 million sites. High severity vulnerabilities were discovered in the Post Grid and Team Showcase plugins. The online avatar service Gravatar, has been exposed to a user enumeration technique, which could be abused to collect data on its users’ profiles, […]

Vulnerability Exposes Over 4 Million Sites Using WPBakery

WordFence News 1

On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts. We initially reached out to the plugin’s team on July 28, 2020 through their support […]

High Severity Vulnerabilities in Post Grid and Team Showcase Plugins

WordFence News 1

On September 14, 2020, our Threat Intelligence team discovered two high severity vulnerabilities in Post Grid, a WordPress plugin with over 60,000 installations. While investigating one of these vulnerabilities, we discovered that almost identical vulnerabilities were also present in Team Showcase, a separate plugin by the same author with over 6,000 installations. We initially reached […]

Common Ways Attackers Are Stealing Credentials

WordFence News 1

A few weeks ago, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. Strong passwords and good password hygiene are often the first line of defense. On September 29, 2020, the Wordfence Live team […]

Episode 88: XCloner Vulnerabilities, LokiBot Malware, & a 14 Year Old Nets a $25K Bug Bounty

WordFence News 1

Our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. These vulnerabilities could have allowed an attacker to modify arbitrary files, including PHP files. The US government Cybersecurity and Infrastructure Security Agency is warning of detected persistent malicious activity traced back to LokiBot infections. […]

Critical Vulnerabilities Patched in XCloner Backup and Restore Plugin

WordFence News 1

On August 14, our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on […]

High-Severity Vulnerabilities Patched in Discount Rules for WooCommerce

WordFence News 1

On August 20, 2020, the Wordfence Threat Intelligence team was made aware of several vulnerabilities that had been patched in Discount Rules for WooCommerce, a WordPress plugin installed on over 40,000 sites. We released a firewall rule to protect against these vulnerabilities the same day. During our investigation, we also discovered a separate set of […]