Category Archives: Antivirus and Malware

Zero Day Vulnerability Discovered In WordPress

Most WordPress vulnerabilities are minor, involving outdated themes, plugins or other third-party software. However, a Finnish security researcher has recently disclosed a zero-day vulnerability in WordPress core itself: a stored cross-site scripting (XSS) bug that, once an administrator views the injected comment, can be escalated to code execution on the server.

Jouko Pynnönen of Klikki Oy first reported the bug, describing it as a JavaScript injection (stored XSS) vulnerability. According to Pynnönen’s report, an attacker can use it against websites running WordPress 4.2 or earlier by submitting a comment that contains malicious JavaScript. The comment has to be very long, upwards of 64 KB (the page’s figure of about 66,000 characters): the comment text passes WordPress’s sanitiser on the way in, but the MySQL TEXT column it is stored in silently truncates anything over 65,535 bytes, and the truncated HTML no longer carries the guarantees the sanitiser gave. The script then executes in the browser of anyone who views the comment.

“An unauthenticated attacker can store JavaScript on WordPress pages and blog posts. If triggered by an administrator, this leads to server-side code execution under default settings,” said Pynnönen. “A usable comment form is required. It looks like the script is not executed in the admin Dashboard, but only when viewing the post/page where the comment was entered. If comment moderation is enabled (the default setting) then the comment won’t appear on the page until it has been approved by an admin/moderator. Under default settings, after one ‘harmless’ comment is approved, the attacker is free from subsequent moderation and can inject the exploit to several pages and blog posts.”
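The length requirement comes from a general failure class, validate-then-truncate, which the following added example demonstrates. It is not WordPress code and not the researcher’s proof of concept: a deliberately small allow-list check stands in for WordPress’s comment sanitiser, a silent cut at 65,535 bytes stands in for a MySQL TEXT column written without strict SQL mode, and the payload is constructed here in the shape the report describes (a permitted tag whose quoted attribute value carries attribute-looking text plus padding).

```python
import re

# Bytes a MySQL TEXT column holds. Without strict sql_mode, MySQL cuts
# longer values instead of rejecting the INSERT (assumption the demo models).
TEXT_COLUMN_LIMIT = 65_535

# Only <a> / </a> with single-quoted href or title values are permitted;
# the value itself may not contain a quote or angle bracket.
TAG_RE = re.compile(
    r"<(/?)a((?:\s+(?:href|title)='[^'<>]*')*)\s*>", re.IGNORECASE
)


def is_clean(html: str) -> bool:
    """Allow-list check standing in for the comment sanitiser (not its code).

    After the permitted tags are removed, nothing that could start or end
    a tag may remain; that is the guarantee the rest of the page relies on."""
    leftover = TAG_RE.sub("", html)
    return "<" not in leftover and ">" not in leftover


def db_insert(text: str) -> str:
    """Model a non-strict TEXT column: silently truncate to the byte limit."""
    return text.encode("utf-8")[:TEXT_COLUMN_LIMIT].decode("utf-8", "ignore")


def store_comment_vulnerable(raw: str) -> str:
    """Validate, then store: the stored value can be shorter than what
    was validated, and the sanitiser's guarantee does not survive the cut."""
    if not is_clean(raw):
        raise ValueError("rejected by sanitizer")
    return db_insert(raw)


def store_comment_fixed(raw: str) -> str:
    """Enforce the storage limit before validation, so truncation cannot
    happen; strict sql_mode on the database is the second line of defence."""
    if len(raw.encode("utf-8")) > TEXT_COLUMN_LIMIT:
        raise ValueError("comment too long")
    if not is_clean(raw):
        raise ValueError("rejected by sanitizer")
    return db_insert(raw)


# Constructed payload: the quoted title hides attribute-looking text and
# enough padding that the closing quote and '>' fall past the column limit.
PADDING = "A" * (TEXT_COLUMN_LIMIT + 200)
PAYLOAD = f"<a title='x onmouseover=alert(1) {PADDING}'></a>"


def demo() -> dict:
    """Compare what the sanitiser approved with what actually got stored."""
    stored = store_comment_vulnerable(PAYLOAD)
    try:
        store_comment_fixed(PAYLOAD)
        fixed_rejected = False
    except ValueError:
        fixed_rejected = True
    return {
        "input_clean": is_clean(PAYLOAD),    # True: sanitiser accepts it
        "stored_clean": is_clean(stored),    # False: quote and '>' are gone
        "stored_bytes": len(stored.encode("utf-8")),
        "stored_head": stored[:40],
        "fixed_rejected": fixed_rejected,    # True: oversize input refused
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The stored fragment opens a tag and a quoted attribute value that nothing closes; what the browser does next depends on the markup the template emits after the comment, which is exactly the situation a sanitiser is supposed to rule out. The fix is to refuse or cap the input before any validation step, never after it.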

This isn’t the first cross-site scripting vulnerability identified in WordPress. Earlier this month, WordPress developers released an update to patch a similar stored XSS bug. While each vulnerability is distinct, both rely on injecting attacker-controlled markup that the sanitiser fails to neutralise.

Video: WordPress 4.2 stored XSS

The video above demonstrates how the vulnerability is triggered. It is a simple bug with serious consequences for any site running an unpatched WordPress content management system (CMS).

So, how can you protect your website against this vulnerability? Until you are running a patched version, the only reliable mitigation is to disable commenting entirely; comment moderation does not help, because, as Pynnönen notes, one approved comment exempts the attacker from moderation on later ones. In the dashboard choose Settings > Discussion and untick “Allow people to post comments on new articles”. Note that this setting only affects new posts: for comments to be closed on existing posts you also need to bulk-edit those posts and set Comments to “Do not allow”. The WordPress developers patched the bug shortly after disclosure (the fix shipped as WordPress 4.2.1), so make sure your site is running the latest version.

How To Secure a WordPress Site

Powering over 77 million websites, WordPress is the world’s most popular content management system (CMS). The free-to-use platform supports a massive library of “plugins” and “themes,” allowing webmasters to change elements of their site without touching complicated code. But like all content management systems, WordPress is vulnerable to hacking and malicious attacks. To protect your site from these attacks, it’s recommended that you implement the following security measures.

Create a Complex Password

Your first line of defense against malicious attacks is a strong password. Using easy-to-remember passwords like “Myspace123” is just asking for trouble. Instead, use a long, randomly generated password (length matters more than mixing character classes; 16 or more characters is a sensible floor) that is not reused on any other site, ideally generated and stored by a password manager. It should go without saying that you should never email the password or store it in plain text.

Avoid Using The ‘Admin’ Username

Attackers routinely aim their password-guessing at the default “admin” username, so it’s recommended that you create a unique username for your website. During the initial installation/setup, WordPress will ask you to specify a username. If your site is already set up with the admin username, you can change it by adding a new user in the dashboard (Users > Add New), giving it the Administrator role, logging in as that user, and deleting the old admin user; when WordPress asks what to do with the old user’s content, attribute it to the new account rather than deleting it. Bear in mind that this only removes the most obvious guess: WordPress exposes usernames through author archive URLs, so a determined attacker can still enumerate them, and the measures below matter more.

Block Admin Directory Access

A third tip to safeguard your WordPress site from attacks is to restrict access to the wp-admin directory by IP address, so that nobody except you (or anyone sharing your IP address) can reach the administration screens. Create a .htaccess file inside the wp-admin directory (not the site’s root .htaccess, where these lines would lock every visitor out of the whole site) containing the following. Two caveats: the login form itself lives at wp-login.php outside wp-admin, so brute-force attempts against it are not stopped by this file unless you add a matching restriction for that file; and front-end plugins call wp-admin/admin-ajax.php for ordinary visitors, which is why the exception at the end is needed. The directives use Apache 2.2 syntax; on Apache 2.4 the Order/Deny/Allow lines become a single “Require ip” directive.

# wp-admin/.htaccess
# Basic-auth directives kept from the original recipe; they have no effect
# unless you also add a Require directive and a real password file.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Refuse everyone except the listed address (203.0.113.15 is a placeholder;
# replace it with your own public IP address).
Order deny,allow
Deny from all
Allow from 203.0.113.15
# admin-ajax.php is requested by front-end plugins on behalf of every
# visitor, so it must stay reachable.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

Update Your Files

Arguably, the single most important WordPress security tip is to keep your files updated. WordPress introduced automatic background updates in version 3.7, but by default they only apply minor and security releases of core: major core releases, themes and plugins are not updated automatically unless you opt in (for example by defining WP_AUTO_UPDATE_CORE in wp-config.php or using the auto_update_plugin and auto_update_theme filters). Outdated WordPress installations, themes and plugins pose a serious security risk to your site, so check them regularly and make sure they are updated to the latest version.

Limit Login Attempts

Brute force attacks occur when attackers use automated tools to try thousands of username and password combinations against the login form until one works. This type of attack is substantially blunted by the Limit Login Attempts plugin, which counts failed logins per client address and locks that address out for a period after a handful of failures, turning an unlimited guessing budget into a few tries per lockout window.
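The lockout logic such a plugin applies, as an added example rather than the plugin’s own code. The numbers (4 tries, a 20-minute lockout, failures forgotten after 12 hours) are assumptions standing in for typical defaults, and the login events are constructed for the demonstration, not real log data.

```python
from collections import defaultdict

MAX_RETRIES = 4                 # failed attempts before a lockout (assumed)
LOCKOUT_SECONDS = 20 * 60       # how long a locked address is refused (assumed)
RETRY_WINDOW = 12 * 60 * 60     # failures older than this no longer count (assumed)


class LoginLimiter:
    """Track failed logins per client address and refuse locked-out ones.

    Keyed on the client IP rather than the username so that spraying many
    usernames from one host is still caught. A real deployment must key on
    the address the web server actually saw, not a spoofable
    X-Forwarded-For header, unless the proxy in front of it is trusted."""

    def __init__(self):
        self._failures = defaultdict(list)   # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time the lockout expires

    def check(self, ip: str, now: float) -> bool:
        """True if this address may attempt a login at time `now`."""
        until = self._locked_until.get(ip)
        return until is None or now >= until

    def record(self, ip: str, now: float, success: bool) -> None:
        """Update state after an attempt that was allowed to proceed."""
        if success:
            # A correct password clears the slate for this address.
            self._failures.pop(ip, None)
            self._locked_until.pop(ip, None)
            return
        recent = [t for t in self._failures[ip] if now - t < RETRY_WINDOW]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= MAX_RETRIES:
            self._locked_until[ip] = now + LOCKOUT_SECONDS
            self._failures[ip] = []          # counter restarts after the lockout


def replay(events):
    """Run (time, ip, password_correct) events through a fresh limiter.

    Returns 'ok', 'failed' or 'locked' per event so a policy can be checked
    against an attack pattern before it is deployed."""
    limiter = LoginLimiter()
    outcome = []
    for now, ip, correct in events:
        if not limiter.check(ip, now):
            outcome.append("locked")
            continue
        limiter.record(ip, now, correct)
        outcome.append("ok" if correct else "failed")
    return outcome


# Constructed attack: one host guesses four passwords in 30 seconds, is
# refused on the fifth even with the right password, and gets through only
# after the lockout expires; a different address is unaffected throughout.
ATTACK = [
    (0, "198.51.100.7", False),
    (10, "198.51.100.7", False),
    (20, "198.51.100.7", False),
    (30, "198.51.100.7", False),                    # fourth failure: lockout starts
    (40, "198.51.100.7", True),                     # right password, still locked
    (45, "203.0.113.9", True),                      # legitimate user elsewhere
    (30 + LOCKOUT_SECONDS + 1, "198.51.100.7", True),   # lockout has expired
]

if __name__ == "__main__":
    for (t, ip, _), result in zip(ATTACK, replay(ATTACK)):
        print(f"t={t:>5} {ip:<14} {result}")
```

Keying on the address means a slow attack spread over many addresses (a botnet at one attempt each) slips under the threshold, which is why a plugin of this kind is a complement to strong passwords, not a substitute for them.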

Have any other WordPress security tips that you would like to share with our readers? Let us know in the comments section below!