Evaluating Cookies to Hide Backdoors


Identifying website backdoors is not always an easy task. Since a backdoor’s primary function is to conceal itself while providing unauthorized access, backdoors are often developed using a variety of techniques that make them challenging to detect. For example, an attacker can inject a single line of code containing fewer than 130 characters into a website file. While this may not seem like a lot of code, this short string can be used to load PHP web shells on your website at the attacker’s whim — while also preventing website visitors and administrators from detecting the malicious behavior. Continue […]

Interview with Ryan Dewhurst, founder of WPScan


Ryan Dewhurst is an ethical hacker and penetration tester who has dedicated many years to helping people in the WordPress community improve the security posture of their websites and protect them from malicious attackers. Ryan is the founder of WPScan, a free, black-box WordPress security scanner written for security professionals and blog maintainers to test the security of their sites. The WPScan CLI tool currently uses a database of 21,875 WordPress vulnerabilities.

1. For those who do not know you, tell us what you do and a bit about your past and credentials.

I’ve been interested in computers and […]

Bogus CSS Injection Leads to Stolen Credit Card Details


A client recently reported their customers were receiving antivirus warnings when trying to access and purchase products from a Magento ecommerce website. This is almost always a telltale sign that something is amiss, and so I began my investigation.

Malware in Database Tables

As is pretty common with Magento credit card swiper investigations, my initial scans came up clean. Attackers are writing new pieces of malware like it’s going out of style, so there are very frequently new injections to track down and remove. Continue reading Bogus CSS Injection Leads to Stolen Credit Card Details at Sucuri Blog.

The Month in WordPress: December 2020


We bid goodbye to 2020 in style with the release of WordPress 5.6 and the launch of Learn WordPress. But these weren’t the only exciting updates from WordPress in December. Read on to learn more!

WordPress 5.6 is here

The latest major WordPress release, version 5.6 “Simone”, came out on December 8. The release ships with a new default theme called Twenty Twenty One. It offers a host of features, including:

- Greater layout flexibility
- More block patterns
- Video captioning support
- Auto-updates
- Beta-compatibility for PHP 8.0
- Application password support for the REST API
- Updates to jQuery

In addition, WordPress 5.6 is […]

How to safely add custom code to WordPress websites


Users are often looking for ways to tweak their websites, plugins and themes, or to add some modifications to an existing functionality. In most of these cases, you can do so by adding custom code to your WordPress website. There is nothing wrong with adding custom code to your website. However, there are a few things that you need to look out for when adding custom code or making these changes to your WordPress website. This article highlights what to look out for, and the best practices for adding custom code to your WordPress website.

What to look for before adding […]

SEO Spam Links in Nulled Plugins


It’s not unusual to see website owners running things on a budget. Choosing a safe and reliable hosting company, buying a nice domain name, boosting posts on social media, and ranking on search engines — all this costs a lot of money. At the end of the day, some site owners may even choose to cut expenses by installing pirated (or nulled) software on their websites. Unfortunately, as discussed in some of our earlier posts about free software and fake verification, these “free” components may still come with a hefty price tag. Continue reading SEO Spam Links in Nulled Plugins […]

Who Attacked SolarWinds and Why WordPress Users Need to Know


Chloe Chamberland is a threat analyst and member of the Wordfence Threat Intelligence Team. She holds the following certifications: OSCP, OSWP, OSWE, Security+, CySA+, PenTest+, CASP+, SSCP, Associate of (ISC)2, CEH, ECSA and eWPT. Many of these are advanced certifications, including OSCP and OSWE, which are 24- and 48-hour exams respectively that require hands-on hacking skills to pass. Chloe works full-time at Wordfence to identify and reverse engineer emerging threats facing WordPress. She works closely with vendors to remediate vulnerabilities they have, develops firewall rules for Wordfence, and publishes her research here, once the affected software has been patched […]

SolarWinds and Supply Chain Attacks: Could it happen to WordPress?


The SolarWinds supply chain attack is all over the news, impacting government agencies, telecommunications firms, and other large organizations. The security firm FireEye was the first victim of the attack, disclosing that they had been hacked on December 8, 2020. On December 13th the US Treasury Department announced that it had also been compromised. At that time SolarWinds Orion was officially reported as the intrusion vector. SolarWinds has since stated that “fewer than 18,000” firms were affected. Companies impacted by the SolarWinds supply chain attack include Intel, NVidia and Cisco.

What is a supply chain attack?

A supply chain attack […]

WordPress Vulnerability Roundup: December 2020, Part 2


New WordPress plugin and theme vulnerabilities were disclosed during the second half of December. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website. The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

In the December, Part 2 Report

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month. The latest version of WordPress core is currently 5.6. As a WordPress security best practice, make sure you’re running the latest version […]

WFCM 1.7.0: new file integrity checks & detailed email notifications


2020 has been a very difficult year for everyone, so there is nothing better than ending the year on a high. Before we leave for the holidays and enjoy some downtime, we are excited to announce the last release of this year: Website File Changes Monitor 1.7.0. In this update we added a new feature to further improve the detection of a possibly tampered WordPress core on a website. We have added several improvements to reduce false positives when it comes to WordPress core updates, and new installs, updates and uninstalls of plugins and themes. On top of that, we have […]