Episode 105: The Hottest Trend in WordPress

WordFence News 1

An analysis of WordPress-related search trends found that interest in WooCommerce related results dominated during 2020. We discuss recent vulnerabilities discovered by our threat intelligence team in Ninja Forms, affecting over 1 million sites. WordPress issues a statement that pirated themes and plugins are prohibited on the repository. And a supply chain attack affects users […]

One Million Sites Affected: Four Severe Vulnerabilities Patched in Ninja Forms

WordFence News 1

On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites. One of these flaws made it possible for attackers to redirect site administrators to arbitrary locations. The second flaw made it possible for attackers with subscriber level access or above to […]

Episode 104: Cryptography Demystified

WordFence News 1

This week, the Wordfence team discusses cryptography in depth, including the basics, a brief history, hashing, and the Crypto Wars. We also go over current news, including 2 new findings by the Wordfence Threat Intelligence team, a new milestone for WordPress, and a recent attack on a Florida Town’s water supply. Here are timestamps and […]

Multiple Vulnerabilities Patched in Responsive Menu Plugin

WordFence News 1

On December 17, 2020, our Threat Intelligence team responsibly disclosed three vulnerabilities in Responsive Menu, a WordPress plugin installed on over 100,000 sites. The first flaw made it possible for authenticated attackers with low-level permissions to upload arbitrary files and ultimately achieve remote code execution. The remaining two flaws made it possible for attackers to […]

Severe Vulnerabilities Patched in NextGen Gallery Affect over 800,000 WordPress Sites

WordFence News 1

On December 14, 2020, the Wordfence Threat Intelligence team finished researching two Cross-Site Request Forgery (CSRF) vulnerabilities in NextGen Gallery, a WordPress plugin with over 800,000 installations, including a critical severity vulnerability that could lead to Remote Code Execution(RCE) and Stored Cross-Site Scripting(XSS). Exploitation of these vulnerabilities could lead to a site takeover, malicious redirects, […]

Episode 103: Wordfence Innovates with Machine Learning and Security for Schools

WordFence News 1

Wordfence opens the K-12 site audit and site cleaning service for publicly funded state schools worldwide. Machine learning is now a big part of our malware identification process, which will speed new malware signatures to deployment for WordPress sites protected by Wordfence. A bug in Sudo can let attackers with access to a local system […]

Machine Learning Gives Wordfence an Advantage

WordFence News 1

Wordfence is the leader in WordPress security, protecting over 4 million WordPress sites from malicious attacks. With new malware variants discovered daily, we now have a new weapon in our arsenal against WordPress attacks: Machine Learning. How Wordfence identifies malware For years, the Wordfence Threat Intelligence team has stayed ahead of attackers by quickly identifying […]

Episode 102: Disruption Presents Opportunity

WordFence News 1

After a disruptive year in 2020, there are new challenges in 2021, but also immense opportunities in numerous fields. In a deep and wide-ranging conversation, Mark Maunder and Kathy Zant discuss artificial intelligence, whether or not we’re living in simulation, cryptocurrencies and the opportunities of blockchain technology, open source communities and publishing, avoiding scams and […]

The Wordfence 2020 WordPress Threat Report

WordFence News 1

Over the course of 2020, and in the process of protecting over 4 million WordPress customers, the Wordfence Threat Intelligence team gathered a massive amount of raw data from attacks targeting WordPress and infection trends, in addition to the malware samples gathered by our Site Cleaning team. Attacks on WordPress can be categorized in three […]

Episode 101: Supporting Remote Students with Free Site Audits & Cleanings

WordFence News 1

Wordfence announces a new program offering free site cleaning and site audits to public schools in the United States. We talk about why we’re offering this program and how to help schools take advantage of it. We also talk about the growing prevalence of WordPress as a content management system and how the incoming administration […]

Announcing Free Site Cleaning & Site Security Audits for K-12 Public Schools

WordFence News 1

Wordfence, the leading provider of WordPress security software and services, is announcing today that we are, effective immediately, offering free site cleaning and site security audit services to K-12 public schools in the United States who use WordPress as their content management system. Whether a site is infected with malware, or you are looking for […]

Uncovering Potential Issues with the Contact Form 7 Vulnerability: More Data Needed

WordFence News 1

On December 17, 2020, the Astra research security team disclosed that they had discovered a critical severity Unrestricted File Upload vulnerability in Contact Form 7, the most popular WordPress plugin of all time. The lead researcher, Jinson Varghese, also published a blog post providing limited information about this vulnerability. The initial disclosure claimed that “By […]

Episode 100: How to Lose 6 Figures the Easy Way

WordFence News 1

The recent SolarWinds attack was incredibly sophisticated. What happens when that level of sophistication targets a homebuyer during one of the largest transactions of their lifetime? On this episode, we tell the story of an extremely difficult-to-detect spearphishing attack that almost cost a homebuyer a significant amount. We review the warning signs seen in this […]

Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin

WordFence News 1

On November 19, 2020, our Threat Intelligence team responsibly disclosed two vulnerabilities in Orbit Fox by ThemeIsle, a WordPress plugin used by over 400,000 sites. One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress […]

Who Attacked SolarWinds and Why WordPress Users Need to Know

WordFence News 1

Chloe Chamberland is a threat analyst and member of the Wordfence Threat Intelligence Team. She holds the following certifications: OSCP, OSWP, OSWE, Security+, CySA+, PenTest+, CASP+, SSCP, Associate of (ISC)2, CEH, ECSA and eWPT. Many of these are advanced certifications including OSCP and OSWE which are 24 and 48 hour exams respectively, that require hands-on […]

SolarWinds and Supply Chain Attacks: Could it happen to WordPress?

WordFence News 1

The SolarWinds supply chain attack is all over the news, impacting government agencies, telecommunications firms, and other large organizations. The security firm FireEye was the first victim of the attack, disclosing that they had been hacked on December 8, 2020. On December 13th the US Treasury Department announced that it had also been compromised. At […]

Episode 99: SolarWinds Supply Chain Attack Affects Government and Fortune 500 Businesses

WordFence News 1

Earlier this week, we learned that SolarWinds, the largest provider of network management tools for government and enterprise organizations fell victim to a supply chain attack. This attack affected their Orion network management system. Reportedly, 18,000 enterprise and government customers installed malware that was digitally signed by a valid certificate as part of an update […]

A Challenging Exploit: The Contact Form 7 File Upload Vulnerability

WordFence News 1

Contact Form 7, arguably the most widely used WordPress plugin, released a security patch for an unrestricted file upload vulnerability in all versions 5.3.1 and lower. The WordPress plugin directory lists 5+ million sites using Contact Form 7, but we estimate that it has at least 10 million installations. One of the important features of […]

The NoneNone Brute Force Attacks: Even Hackers Need QA

WordFence News 1

For the last few weeks we’ve seen and blocked an increase in brute-force, credential stuffing, and dictionary attacks targeting the WordPress xmlrpc.php endpoint, on some days exceeding 150 million attacks against 1.9 million sites in a 24-hour period. These attacks attempt to guess the password of an authorized user on a site, and some of […]

Episode 98: How Application Passwords Work in WordPress 5.6

WordFence News 1

WordPress 5.6 was released this week with a new feature called application passwords. In this episode we talk about how application passwords work, where to find them in your WordPress installation, and why Wordfence decided to turn these off by default in version 7.4.14. We also talk about a new Magecart attack that places card […]

Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites

WordFence News 1

On November 4, 2020, the Wordfence Threat Intelligence team found two reflected Cross-Site Scripting (XSS) vulnerabilities in PageLayer, a WordPress plugin installed on over 200,000 sites. These vulnerabilities could lead to an attacker executing malicious Javascript in an administrator’s browser, which could lead to takeover of a vulnerable WordPress site. We contacted the plugin’s publisher, […]

WordPress 5.6 Introduces a New Risk to Your Site: What to Do

WordFence News 1

WordPress 5.6, the final major release planned for 2020, comes out today, on December 8, 2020. It includes a few major features and updates, as well as a huge number of minor enhancements and bug fixes. A few changes have immediate implications for security and compatibility which we’ve highlighted in this post for WordPress users. […]

Episode 97: The Future of WordPress with PHP 8 and WordPress 5.6

WordFence News 1

With WordPress 5.6’s imminent release and the recent release of PHP 8, we talk about the rapid changes affecting the future of WordPress with new security features and new functionality available to both WordPress users and developers. We also review a recent vulnerability found by Google Project Zero researchers in iPhones. A social engineering attack […]

PHP 8: What WordPress Users Need to Know

WordFence News 1

PHP 8.0 is set to be released on November 26, 2020. As the programming language powering WordPress sites, PHP’s latest version offers new features that developers will find useful and improvements that promise to greatly enhance security and performance in the long run. It also fully removes a number of previously deprecated functions. PHP 8 […]