Brought to you by SiteLock, Ask the Expert is our new Q&A series where we learn from industry innovators, thought leaders, and entrepreneurs about how they’re influencing their field. Throughout this series, you’ll find our interviewees share one commonality: they’re passionate about open-source content management systems (CMS), like WordPress, Joomla! and Drupal. Join us as we dive into a variety of subjects, including social media, blogging and website security.
Category: WordPress Security (Page 1 of 2)
Many individuals and small companies make their first foray onto the web with WordPress on a shared hosting account, and it is not uncommon for that one account to end up holding several WordPress sites as needs and the business grow. Site owners then have to maintain each and every WordPress install: content, configuration, users and updates. At least they should. Maintaining multiple sites in a single shared hosting account is time-consuming and, as we'll see, risky: the sites share one file system and one hosting user, so each site on the account is a point of access that has to be secured, and a compromise of the most neglected one can spread to all the rest.
A recent article reported that WordPress.com is moving to enable HTTPS by default on all of its 600,000 hosted sites. This is a huge security win for WordPress users and the Internet at large: it sets a high bar for other hosts to meet, and it protects logins and visitor traffic from eavesdropping and tampering in transit.
If you run a site on WordPress.com, one way to build on that effort is to go further and layer protection services on top of the HTTPS baseline.
CDNs are a good fit for WordPress sites because most post content is static and can be cached and served from the CDN's edge. Visitors receive cached content from the nearest edge data center, which cuts the load on the origin server and makes pages load faster. At the same time, serving the site from many data centers makes it more resilient: a sudden spike in traffic, whether a viral post or a flood of junk requests, is far less likely to take the site down, because the edge nodes absorb the requests for cached content. One caveat a practitioner should keep in mind: that shield only holds if the origin server cannot be reached directly, so restrict origin access to the CDN's published address ranges where the provider offers them.
Visit wpdistrict.sitelock.com for the full story.
While reviewing malware, the SiteLock Research Team detected suspicious code in a WordPress plugin. We reviewed the suspicious code and found the plugin wasn’t malicious per se, though it was potentially vulnerable to attack. We will discuss the plugin and analyze its unique authentication issues, and then discuss mitigation and the dangers of using unsupported plugins.
Visit wpdistrict.sitelock.com for the full story.
In the latest article from the SiteLock research team, we discuss how fake plugins get onto WordPress sites, analyze a well-known fake plugin to give a sense of what they can do, look at a non-exhaustive list of fake plugins and a couple of their more interesting features, and discuss ways to avoid being victimized by them.
Read the full story at our WordPress-focused site, wpdistrict.sitelock.com.
The unfortunate happens and your WordPress site is compromised. You recover from the hack through backups or SiteLock's malware removal service, yet you still feel ill at ease.
The truth is, once a WordPress site has been cleaned up there is more to do: the hole the attacker came in through, and anything they left behind, such as extra admin users, modified files or credentials they captured, are still in place unless you go looking for them. Learn about simple post-compromise steps that can help harden your site against future attacks.
Learn more at wpdistrict.sitelock.com.
While scanning website files, SiteLock SMART flagged three particular files as suspicious. Inspection of the files by the SiteLock research team ultimately determined that a malicious WordPress plugin was being actively hosted, used by unsuspecting site owners, and spread via YouTube.
In the following article, we will:
- detail the malware contained in the malicious plugin
- reveal the relationships between the malicious plugin and other websites
- discuss mitigation for sites using the plugin and how to avoid such situations
Open source content management systems (CMS) like WordPress, Joomla! and Drupal have become some of the most popular platforms for building websites. So much so that more than 25 percent of all websites run on WordPress.
Platforms like WordPress are free and have a huge community of users and developers, providing a vast ecosystem of themes and plugins. Unfortunately, that popularity makes open source platforms a large target for attackers, and because much of that ecosystem is written by volunteers with uneven security review, vulnerabilities in core, themes and plugins do turn up and are exploited at scale once they become public.
Earlier this week a security researcher reported a cross-site scripting (XSS) vulnerability in Genericons, the icon package bundled with Twenty Fifteen, the theme installed by default with WordPress at the time. Genericons shipped with a demonstration page, example.html, and that file contained the flaw.
About The Genericons XSS Vulnerability
The vulnerability was DOM-based (DOM: document object model), meaning the injection happens entirely in the browser: script in the page itself reads attacker-controlled input, here part of the requested URL, and writes it into the page without sanitizing it, so the malicious payload never has to pass through, or be filtered by, the web server. A victim would have to be coaxed into clicking a crafted link, which reduces the severity, but the vulnerable file shipped with a default theme and sits at a predictable path on every install that has the theme present, whether or not the theme is active, so it was widely deployed all the same.
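To make the DOM-based pattern concrete, here is an added example written for this page; it is not the code from Genericons' example.html and does not claim to reproduce it. It shows the general shape of the bug, a page script that reads the URL fragment and writes it into the document as HTML, beside a hardened version, and it runs under Node, which has no DOM, so each renderer returns the markup string it would have assigned to an innerHTML-style sink. The hostname `victim.example`, the crafted link, the icon-name format and the theme path used in the sample link are assumptions for illustration.

```javascript
// Added example (not Genericons' example.html): the DOM-based XSS pattern of
// reading the URL fragment and writing it into the page as HTML, beside a
// hardened version. Node has no DOM, so each renderer returns the markup
// string it would assign to an innerHTML-style sink.

// Vulnerable: the fragment flows straight into an HTML sink. Nothing here
// touches the server; browsers never send the fragment, so server-side
// filtering and access logs see only "/example.html".
function vulnerableRender(hash) {
  const icon = decodeURIComponent(hash.replace(/^#/, ''));
  return '<h2>Icon: ' + icon + '</h2>';
}

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Hardened: allowlist the only values the fragment is supposed to carry
// (an icon name) and escape what is rendered anyway, as defence in depth.
// Icon names are assumed here to be lowercase letters, digits and hyphens.
function safeRender(hash) {
  let icon;
  try {
    icon = decodeURIComponent(hash.replace(/^#/, ''));
  } catch (e) {
    return '<h2>Icon: (none)</h2>'; // malformed percent-encoding
  }
  if (!/^[a-z0-9-]{1,40}$/.test(icon)) {
    return '<h2>Icon: (none)</h2>';
  }
  return '<h2>Icon: ' + escapeHtml(icon) + '</h2>';
}

// Fragment extraction as window.location.hash would supply it.
function fragmentOf(url) {
  const i = url.indexOf('#');
  return i === -1 ? '' : url.slice(i);
}

// A crafted link as an attacker would send it (constructed sample; host and
// path are assumptions). The payload is percent-encoded so it survives
// copy-paste into chat or e-mail.
const maliciousLink =
  'https://victim.example/wp-content/themes/twentyfifteen/genericons/example.html' +
  '#%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E';

console.log(vulnerableRender(fragmentOf(maliciousLink)));
// <h2>Icon: <img src=x onerror=alert(document.cookie)></h2>
console.log(safeRender(fragmentOf(maliciousLink)));
// <h2>Icon: (none)</h2>
```

Two things to take from it. First, because the payload lives in the fragment, a web application firewall or server-side log review will not see it; the only defences are in the page script and in not shipping such a script at all. Second, demonstration and example files that libraries bundle serve no purpose on a production site and should be deleted, which is the route WordPress itself took when it removed example.html from the theme.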