Uncategorized

New to Monitoring Your Site for Bad Behavior and are Startled by the Numbers? Don’t Panic!

I have many years of working with clients and one of the most common concerns that comes up after putting security in place is regarding the startling number of how many baddies are constantly attacking their site, especially on WordPress. Over the years, I’ve been asked dozens of times questions like: “I see hundreds of …

New to Monitoring Your Site for Bad Behavior and are Startled by the Numbers? Don’t Panic! Read More »

UpdraftPlus WordPress plugin vulnerability

A new vulnerability has been discovered in the popular plugin UpdraftPlus. The plugin has more than 3 millon active installations currently and the vulnerability has a CVE identifier reserved as CVE-2022-23303. The developers behind updraftplus has made an announcement: “an update was pushed to Premium users within the hour”. Marc-Alexandre Montpas the cyber security researcher …

UpdraftPlus WordPress plugin vulnerability Read More »

Security flaw in WP Statistics Plugin

Cyber Security Researcher Cyku Hong from the Taiwan-based company DEVCORE has found a serious security vulnerability in the WordPress plugin WP Statistics. This plugin is installed on over 600,000 websites and the flaw makes it possible for an attacker to conduct an SQL-injection attack. The SQL-injection attack can be used to read sensitive information such as …

Security flaw in WP Statistics Plugin Read More »

Essential Addons for Elementor has a critical security hole

A critical security vulnerability was recently discovered in the Essential Addons for Elementor, a plugin that has over a million active installations on the WordPress plugin repository.  The plugin is used to “enhance your Elementor page building experience with 80+ creative elements and extensions“. One of those “creative elements” is the dynamic and product gallery …

Essential Addons for Elementor has a critical security hole Read More »

AccessPress hack underlines the importance of core file monitoring

AccessPress hack underlines the importance of core file monitoring Core file integrity monitoring is when a tool is in place that ensures WordPress application files are changed only during an actual WordPress upgrade. Plugins, themes or other 3rd party code should never alter core files. The Jetpack security team discovered that 93 AccessPress WordPress add-ons …

AccessPress hack underlines the importance of core file monitoring Read More »

Protecting WordPress with Open Source Web Application Firewall ModSecurity

In this guide you will learn how to install and protect WordPress with the Open Source Web Application Firewall (WAF) ModSecurity. We will also install the latest protection rules from the OWASP Core Rule Set (CRS). A WAF is a great addition to the Cyber Security protection for your WordPress blog or website and can …

Protecting WordPress with Open Source Web Application Firewall ModSecurity Read More »

WooCommerce Unauthenticated SQL Injection Vulnerability

WooCommerce Unauthenticated SQL Injection Vulnerability

On 15th July 2021, news was going around regarding an unauthenticated SQL Injection in WooCommerce. WooCommerce released a blog post about the vulnerabilities here: https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/#. The vulnerabilities were detected on the 13th of July and fixed in WooCommerce versions 3.3.6 to 5.5.1 and WooCommerce Blocks versions 2.5.16 to 5.5.1. This blog post is a short …

WooCommerce Unauthenticated SQL Injection Vulnerability Read More »

WordPress PHPMailer vulnerability analysis

On 13th May 2021, WordPress released WordPress 5.7.2, which was a security release fixing one vulnerability that affected versions 3.7 to 5.7. This vulnerability is a PHP Object Injection vulnerability in PHPMailer (CVE-2020-36326, CVE-2018-19296) that occurs via the addAttachment function with a UNC pathname. You may notice that there are two CVE’s in the security …

WordPress PHPMailer vulnerability analysis Read More »