Search the Community

A critical vulnerability recently discovered in a popular WordPress plugin, is being actively abused in the wild, researchers have said, with hackers potentially able to use the flaw to fully take over a victim's website. WordPress security firm Patchstack first discovered an SQL injection (SQLi) vulnerability in the WP‑Automatic plugin, in mid-March 2024. WP-Automatic is a WordPress plugin designed to automate the process of importing and publishing content from various sources. It can grab content from RSS feeds, websites, YouTube channels, and more, and then automatically create and publish posts. Five million attacks According to a WPScan alert, cybercriminals can use the flaw to “gain unauthorized access to websites, create admin‑level user accounts, upload malicious files, and potentially take full control of affected sites." So far, the flaw was used to create new administrator accounts, which the hackers would later use for additional attacks (installing malicious add ons, exfiltrating sensitive data, and more). It was given a rating of 9.9 (critical), and tracked as CVE-2024-27956. All versions up to 3.9.2.0 are said to be vulnerable. So far, more than five million exploitations attempts were recorded. "Once a WordPress site is compromised, attackers ensure the longevity of their access by creating backdoors and obfuscating the code," WPScan said. "To evade detection and maintain access, attackers may also rename the vulnerable WP‑Automatic file, making it difficult for website owners or security tools to identify or block the issue." The Hacker News, also said that the file renaming part might also be an attempt by hackers to prevent other hackers from taking over. WordPress is by far the most popular website builder platform around today, powering almost half of the entire Internet. Still, it is considered relatively safe, with themes and plugins being the weakest link. WordPress site users are advised to only install themes and addons they plan on using, and to keep them updated at all times. More from TechRadar Pro Another top WordPress plugin has a serious security flaw — patch now to keep your website safeHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Hundreds of thousands of WordPress websites are vulnerable to a critical severity flaw which allows threat actors to upload malware to the site through a bug in a plugin. As reported by BleepingComputer, Japan’s CERT recently found a critical severity flaw (9.8) in the Forminator plugin, built by WPMU DEV. The flaw, now tracked as CVE-2024-28890, allows threat actors to obtain sensitive information by accessing files on the server. The researchers also said the flaw could be used to change the contents of the site, mount denial-of-service (DoS) attacks, and more. No evidence of abuse Forminator is a plugin that allows WordPress operators to add custom contact, feedback, quizzes, surveys, polls, and payment forms. Everything is drag-and-drop and thus user-friendly, and plays well with many other plugins. WPMU DEV has addressed the issue and released a patch. Users are advised to apply it and bring their Forminator plugin to version 1.29.3 as soon as possible. At press time, the WordPress.org website shows at least 500,000 active downloads, of which 56% run the latest version. That leaves at least 230,000 websites that are possibly still vulnerable. So far, there is no evidence of CVE-2024-28890 being exploited in the wild, but given its destructive potential, and the simplicity to be abused, chances are abuse is just a matter of time. While WordPress itself is generally considered a safe platform, its various plugins and add-ons present a unique opportunity for hackers looking for a way in. As a general rule of thumb, WordPress admins are advised to keep the platform, the plugins, themes, and add-ons updated at all times, and to deactivate all of the add-ons that they don’t actively use. WordPress is the world’s number one website builder platform, with almost half of all websites on the internet being powered by the builder. More from TechRadar Pro This WordPress plugin vulnerability has put millions of websites at riskHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Another major WordPress plugin was found vulnerable to a high-severity flaw which allowed malicious actors to steal sensitive information from the website, including password hashes. LayerSlider has published a new security advisory, saying the product is now in version 7.10.1, but adding, “This update includes important security fixes." While the announcement does not detail the vulnerability fixed, The Hacker News reported that the project fixed an SQL injection vulnerability impacting versions 7.9.11 through 7.10.0. This vulnerability is now tracked as CVE-2024-2879, and has a severity score of 9.8 (critical). Targeting WordPress On its website, LayerSlider describes itself as a “visual web content editor, a graphic design software, and a digital visual effects application all in one”. It also claims to be used by “millions” of people worldwide. LayerSlider is a commercial WordPress plugin, with annual license packages ranging from $26 to $159. Being the world’s most popular website builder, and used by roughly half of all the websites in existence, WordPress is a major target for cybercriminals everywhere. However, with the platform generally considered safe, hackers have turned their attention to third-party themes and plugins, as these are rarely as secure as the platform itself. There are thousands of themes and plugins for WordPress, all of which build upon and improve the WordPress experience. Some are free to use, but commercial ones usually have a dedicated team that works on improvements and security. As a result, most of the time, hackers will go for free-to-use themes and plugins - many have millions of users, but have been abandoned by their developers and contain vulnerabilities that are never (or rarely) addressed. To remain secure, admins should only install themes and plugins they intend on using, and make sure they are always updated to the latest version. More from TechRadar Pro This WordPress plugin vulnerability has put millions of websites at riskHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Selecting the ideal WordPress hosting is pivotal for the success and smooth operation of your website. Whether you’re launching a new site or considering a hosting switch, the right provider can significantly impact your site’s performance, SEO, and user experience. In this guide, we’ve curated a list of the top 5 WordPress hosting services to consider in 2023, including a newcomer to many lists, Cotocus.com. This selection is based on performance, customer support, pricing, ease of use, and unique features. Top 5 WordPress Hosting Providers: ProviderPricing (Starting)Uptime (Avg.)Load Time (Avg.)Customer SupportBest ForSiteGround$2.99/mo99.97%1.09s24/7 Live Chat, PhoneBusinesses, eCommerce StoresBluehost$2.75/mo99.98%1.29s24/7 Live Chat, PhoneBeginners, eCommerce WebsitesWP Engine$20.00/mo100%1.24s24/7 Live ChatHigh-Traffic Websites, EnterprisesDreamHost$2.59/mo99.78%2.07s24/7 Live Chat, PhoneBeginners, Budget-Conscious UsersCotocus$3.99/mo99.95%1.35s24/7 Live ChatDevelopers, Advanced Users Finding the perfect home for your WordPress website can feel overwhelming. The right WordPress hosting provider significantly impacts your website’s speed, security, and overall user experience. Here’s a breakdown of the top 5 contenders, including Cotocus, to help you make an informed decision: Factors to Consider: Pricing: Monthly cost of the hosting plan. Uptime: Percentage of time your website remains accessible. Load Time: Average time it takes for your website to fully load. Features: Included features like storage, bandwidth, security tools, backups, etc. Customer Support: Quality and availability of customer support channels. 1. Bluehost Bluehost is a top recommendation for WordPress beginners, praised for its simplicity and seamless WordPress integration. As an officially recommended WordPress hosting provider, it offers a variety of plans tailored to different needs, from small blogs to large e-commerce sites. Performance: Known for reliable uptime and speed. Support: Offers 24/7 support via phone and live chat. Pricing: Plans start at $2.95/month for a 36-month term. Key Features: Includes a free domain for the first year, free SSL certificate, and 1-click WordPress installation. 2. SiteGround SiteGround excels in customer support and high-performance hosting solutions. Officially recommended by WordPress.org, it provides in-house WordPress speed and security solutions to ensure your site is both fast and secure. Performance: Offers superior uptime and incorporates advanced speed technologies. Support: Provides 24/7 expert support with quick response times. Pricing: Starting at $3.99/month. Key Features: Features include free SSL, daily backups, free CDN, and managed WordPress updates. 3. WP Engine WP Engine specializes in managed WordPress hosting, focusing on speed, reliability, and security. It’s perfect for businesses and high-traffic websites looking for premium hosting services. Performance: Utilizes CDN and Evercache technology for enhanced performance. Support: 24/7 live chat and phone support. Pricing: Starts at $25/month. Key Features: Comes with the Genesis Framework, 35+ StudioPress Themes, automated SSL certificates, and multiple environment options (development, staging, and production). 4. Cotocus.com Cotocus.com is an emerging WordPress hosting provider that focuses on providing scalable solutions for developers and businesses. It stands out for its cloud-based infrastructure and DevOps-focused services. Performance: Offers cloud scalability and robust performance. Support: Dedicated 24/7 support through various channels. Pricing: Pricing details are best obtained directly, as they offer customized plans based on requirements. Key Features: Specializes in DevOps as a Service (DaaS), automated backups, and seamless scalability options. 5. DreamHost DreamHost prides itself on privacy, affordability, and managed WordPress hosting plans. An officially recommended WordPress host, it provides an array of features suitable for both beginners and advanced users. Performance: Solid uptime and fast load times. Support: 24/7 support via live chat and email. Pricing: Starts at $2.59/month. Key Features: Offers a free domain, unlimited traffic, SSD storage, pre-installed WordPress, and free automated WordPress migrations. Comparison Table Hosting ProviderStarting PriceFree DomainFree SSL24/7 SupportKey FeatureBluehost$2.95/monthYesYesYes1-click WordPress installSiteGround$3.99/monthNoYesYesDaily backupWP Engine$25/monthNoYesYes35+ StudioPress ThemesCotocus.comCustomNoYesYesDevOps as a Service (DaaS)DreamHost$2.59/monthYesYesYesUnlimited traffic This table provides a snapshot comparison of the starting prices, availability of a free domain, SSL certificates, 24/7 customer support, and a key distinguishing feature for each hosting provider. Note that prices and features may change, so it’s advisable to check the providers’ websites for the latest information. The post Top 5 WordPress Hosting to Consider appeared first on DevOpsSchool.com. View the full article

Hackers have been observed installing a brand new piece of malware on vulnerable WordPress sites. Dubbed Sign1, the malware redirects visitors to dangerous websites, and shows them popup ads the owners never intended to show. The discovery was made earlier this week by cybersecurity researchers Sucuri, after a client said its website was misbehaving, BleepingComputer reports. Multiple obfuscation methods As per Sucuri’s report, its client’s website was brute-forced, with unnamed hackers trying countless username/password combinations until they found one that worked. After that, instead of modifying the WordPress files (which is standard practice for WordPress-related attacks, it seems), the threat actors either injected the malware into custom HTML widgets and plugins, or installed Simple Custom CSS and JS plugins to add the JavaScript code to the site. Subsequent investigation showed that more than 39,000 websites were infected with the same malware. Sucuri isn’t certain how other websites were compromised, but speculates that the attackers used a combination of brute-forcing and leveraging vulnerabilities in different plugins and themes. Sign1 also has a couple of methods to avoid being spotted. For starters, it uses time-based randomization, generating dynamic URLs that change every 10 minutes. That way, the malware ensures the domains are always fresh and not added to any blocklists. Secondly, the domains are hosted on HETZNER and Cloudflare, obfuscating both hosting and IP addresses. Finally, the injected code comes with XOR encoding and random variable names, making detection even more difficult. The campaign has been ongoing for roughly six months, the researchers concluded, adding that the malware is in active development. Every time the developers release a new version, infections spike. The latest attack started in January 2024 and has so far resulted in roughly 2,500 compromised websites. To remain secure, the researchers advise website owners to make sure their username/password combination is strong enough not to be breached with brute-force attacks. All unused or unnecessary plugins and themes should also be uninstalled, as they can allow the attackers unabated access to the premises. More from TechRadar Pro This nasty new Android malware can easily bypass Google Play security — and it's already been downloaded thousands of timesHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

More than 3,000 WordPress-powered websites were compromised as a result of not patching a known vulnerability fast enough, a report from cybersecurity researchers Sucuri and PublicWWW has claimed. Sucuri says that over the past couple of weeks, unnamed threat actors were leveraging a vulnerability tracked as CVE-2023-6000 to redirect people to malicious websites. This vulnerability, described as a cross-site scripting (XSS) flaw, was discovered in Popup Builder version 4.2.3 and older, in November last year. Popup Builder is a popular plugin for WordPress websites which, as the name suggests, allows website administrators to build and deploy popup windows. As per WordPress data, there are more than 80,000 websites currently using Popup Builder 4.1 and older. These older versions, susceptible to an attack, allow threat actors to deploy malicious code inside the WordPress website. Securing the website This code, the researchers explain, can redirect visitors to malicious websites, such as phishing sites, pages hosting malware, and more. Sucuri claims 1,170 websites have been compromised via this bug in the past couple of weeks, while PublicWWW puts the figure at around 3,300. To defend against these attackers, webmasters can do a couple of things: First - they can (and they should) update their plugins. Popup Builder addressed the flaw in version 4.2.7. Webmasters should also analyze their site’s code for malicious entries from the plugin’s custom sections. Furthermore, they should scan for hidden backdoors to prevent the attackers from moving back in. Finally, they should block "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com” domains, as that is where the attacks come from. Attacks against WordPress plugins and themes are nothing new. As WordPress is generally considered a safe web hosting and design platform, threat actors usually hunt for flaws in third-party additions. Via BleepingComputer More from TechRadar Pro This WordPress plugin vulnerability has put millions of websites at riskHere's a list of the best firewalls around todayThese are the best endpoint security tools right now View the full article

Generate content, ask questions and more in one place. Now at $39.97 through 11/28.View the full article