As per Dan Moen from Wordfence in the last two weeks, the WordPress.org repository has closed three plugins because they contained content-injection backdoors. “Closing” a plugin means that it is no longer available for download from the repository, and will not show up in WordPress.org search results. Each of them had been purchased in the…
Category: WordPress
This week we published a security alert about a new wave of spam campaigns containing the Emotet banking trojan that can exploit Windows admin rights on users’ PC. We also included a protection guide to better fight against these online threats. 1. Top 25 Worst, Most Insecure Passwords Used in 2017 How secure are your passwords? Are you…
Buying popular plugins with a large user-base and using it for effortless malicious campaigns have become a new trend for bad actors. One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor. In a blog post published on Tuesday,…
Security vulnerabilities have been discovered in three popular WordPress plugins: Duplicator, Formidable Forms and Yoast SEO. The details of the vulnerabilities are as follows: Duplicator 1.2.28 and older vulnerable to stored XSS WPVulnDB also reports that the Duplicator, running on over 1 million active sites, fixed a stored cross site scripting vulnerability affecting versions 1.2.28 and older. This report…
WordPress recently removed a plugin known as “Animated Weather Widget by weatherfor.us.” from plugin repository. It appears that the plugin was removed for including JavaScript code that would mine cryptocurrency using the CPU resources of site visitors. How It Worked: A WordPress site owner installs the “Animated Weather” plugin. The plugin loads an iframe. This…
This week we could not publish any article due to my bad health so now let’s see the major stories of the past days in our weekly round-up. As always, the cyber-security landscape brings new challenges, so read on and keep yourselves informed! 1.Unencrypted USB stick with 2.5GB of data detailing airport security found in…
Last night I got a notification that Coinhive has been hacked — a popular browser-based service that offers website owners to embed a JavaScript to utilise their site visitors’ CPUs power to mine the Monero cryptocurrency for monetisation. Reportedly an unknown hacker managed to hijack Coinhive’s CloudFlare account that allowed him/her to modify its DNS…
Last month, Wordfence identified three plugins with critical object injection vulnerabilities, all being exploited in the wild. After that they deployed new and improved firewall rules to block that kind of exploit. Wordfence while analyzing their attack data, recently discovered that hackers were actively exploiting a similar vulnerability in the Contact Form for WordPress – Ultimate Form Builder Lite plugin…
An extremely relentless harmful star included a backdoor to a WordPress plugin called Display Widgets that Set Up backdoors on potentially 200,000 internet sites since June 21. The hacker utilized the open-source Display Widgets plugin, which lets customers manage exactly how their WordPress plugins appear on their sites, as the delivery device for the backdoor….
Creating SEO friendly images is simple to do, yet many website owners neglect this valuable source of search engine traffic. To make it even more simple, WordPress has some great tools built in to help you optimize your images, and you use the All-in-One SEO Pack to maximize your optimization. The most important thing to…
