Category: WordPress security

WordPress Speed Optimization

10 WordPress Website Performance Best Practices

By Logan Kipp

If you’re reading this article, it’s almost certainly not the first website performance article you’ve browsed. Let’s be honest, practically everyone has an opinion on the matter and you would probably deforest half the Amazon rainforest if you tried to print each article you’ve come across. Since we all want to save the habitat of the endangered Amazonian Wapuu and skip the conjecture, I’d like to share with you my 10 WordPress website performance best practices that provide gains you can actually measure.

Tags:   best practices, CDN, database, http/2, performance, requests, WordPress
Categories:  WordPress, WordPress security
SiteLock Threat Intercept blog

Threat Intercept: Malvertising via JavaScript Redirects

By Michael Veenstra
This article was co-authored by Product Evangelist Logan Kipp.

THREAT SUMMARY

High Threat
Threat Bar Graphic
Learn More

Category: Malvertising / Malicious Redirect

Trend Identified: 5/17/2017

CVE ID: N/A

Trend Name: Trend El Mirage

Vector: Application Vulnerability, Multiple

The threat rating was determined using the following metrics:

Complexity:

MEDIUM: The vector used to infect websites appears to be through the use of leaked compromised passwords.

Confidentiality Impact:

HIGH: This infection provides complete control of the target website, including database content.

Integrity Impact:

HIGH: This infection provides the adversary administrator-level access to impacted website applications, making total data loss a possibility.


The SiteLock Research team has identified a trend of JavaScript injections causing the visitors of affected websites to be automatically redirected to advertisements without the knowledge of the website owner.

This infection impacts WordPress sites across all versions, but the affected websites identified at this time all show evidence of recent infection by a fake WordPress plugin that performed malicious redirects as well. The previous infections were determined to have been distributed via a botnet using a database of leaked login credentials, suggesting this new attack may similarly be accessing sites via compromised WordPress administrator credentials.

 

The malicious code becomes embedded into existing JavaScript files in the affected sites, ensuring that the code will be executed in visitors’ browsers regardless of their activity on the site.

The code as it appears in the injected files is obfuscated, which means it’s written in a way that makes it difficult for humans to read. This is the malicious script as it appears in the affected files:

Obfuscated JavaScript responsible for malicious redirects.

After decoding this file, we are able to determine the specifics of how it behaves:

Decoded Malvertisement Malware

Decoded and formatted version of the injected JavaScript.

The redirect takes place immediately after loading a page including the infected JavaScript, after which a cookie is stored in the visitor’s browser called “csrf_uid” that expires three days after being created. The naming of this cookie is an attempt to hide in plain sight, as CSRF (Cross-Site Request Forgery) protection cookies are commonplace in many websites across the internet. While the cookie is active, no further redirects will take place. This provides two benefits to the attacker. First, the ad network will be less likely to identify suspicious behavior and flag the attacker’s account. Secondly, it makes the redirects more difficult to identify and duplicate by the sites’ owners and administrators, decreasing the likelihood that the specific infection will be identified and removed.


Cookies are pieces of data that websites store in your browser for later use. Sites use cookies for a number of legitimate reasons, from storing login sessions to analytics of how users are browsing the site.

Fortunately, despite the nature of these redirects, no malicious activity has been identified in the advertisements themselves, meaning a system infection occurring after these redirects is unlikely.

Because the attack vector of this infection appears to be leaked login credentials from unrelated data breaches, it is very important to ensure that strong password policies are in place on your site. Avoid using the same password across multiple locations to prevent one service’s breach from exposing your accounts elsewhere. If you determine that your data has been part of a publicized breach, change your passwords immediately. Also, consider using a breach checker to identify if your email address has been associated with any public data breaches in the past, as this would be a major indicator that password changes will be necessary for your accounts.

If you are a website owner and you believe your website has been impacted by this infection, contact SiteLock as soon as possible at 855.378.6200. Our SMART scan began rapidly identifying and cleaning instances of this infection within 24 hours of being initially identified.

Tags:   malvertising, malware, redirect, threat intercept
Categories:  WordPress security
Password Zero Day

Zero Day Vulnerability in WordPress Password Reset

By Wyatt Morgan

This week an unpatched vulnerability in WordPress was disclosed by security researcher Dawid Golunski that could potentially allow an attacker to reset admin passwords. This vulnerability impacts most versions of WordPress, including the current release 4.7.4.

Tags:   vulnerability, WordPress, zero day
Categories:  Website Security, WordPress, WordPress security

How to Keep Your Dashboard Green

By Logan Kipp

The SiteLock Dashboard is designed to deliver a concise report of your website security status at-a-glance. We’ve incorporated a color-coded light system that is so easy to understand, your eyes won’t need more than two tenths of a second to discern the color of your SiteLock status light. If you’re not familiar with the definitions of the three traffic light settings, I sometimes like to explain these using what I call the beach martini rule. I tend to picture our customers relaxing on the beach, unwinding and sipping a martini because they know SiteLock has their back. At about the  point where it’s a good time to reapply your sunscreen, you also take a quick glance at your site status before sinking back into your lounge chair.

SiteLock Dashboard Green LightGreen – The coast is clear, no action is required at this time. Re-apply your sunscreen and order yourself another martini.

SiteLock Dashboard Yellow LightYellow – Action is required to resolve a non-critical item. When you’re done soaking up the rays for the day, go ahead and take a look at what needs your attention.

SiteLock Dashboard Red LightRed – Action is required on a critical item. Let’s go ahead and set that martini down and take a look at what’s going on.

Tags:   account management, alerts, dashboard, malware, SiteLock, vulnerability
Categories:  Website Security, WordPress security
SiteLock Threat Intercept blog

Threat Intercept: Passwords Publicly Exposed by Malware

By Ramuel Gall
This article was co-authored by Product Evangelist Logan Kipp.

THREAT SUMMARY

High Threat
Threat Bar Graphic
Learn More

Category: Shell / Information Disclosure

Trend Identified: 4/20/2017

CVE ID: N/A

Trend Name: Trend Tusayan

Vector: Application Vulnerability, Multiple

The threat rating was determined using the following metrics:

Complexity:

LOW: The vectors used to infect websites appear to be well-documented vulnerabilities in older versions of website platforms.

Confidentiality Impact:

HIGH: This infection provides complete control of the target website, including credential disclosure and database contents.

Integrity Impact:

HIGH: This infection provides the adversary administrator-level access to impacted website applications, making total data loss a possibility.

The SiteLock team has discovered a dangerous malware trend that not only provides website administrator level access to the bad actors involved, but exposes sensitive website credentials publicly over the internet.

Tags:   cpanel, idx shell, Joomla!, magento, malware, password, shell, threat intercept, trend, vulnerability, WordPress
Categories:  Website Security, WordPress, WordPress security
website security scientist

Ask a Security Pro: Encryption Explained

By Logan Kipp

Over the last year I’ve led a multitude of security workshops aimed to educate entry-level WordPress users about website security. Some of the questions I regularly field in these workshops are related to the mechanics of SSL certificates, and their role in protecting website data from prying eyes. As you may know, the installation of an SSL certificate on a web server allows the server to accept traffic on the hypertext transfer protocol (secure), or simply ‘HTTPS,’ the primary form of encrypted data transfer between websites and visitors. I’d like to share the answers to some of the most frequently asked questions I’ve had on the subject.

SSL is the Armored Truck

The first thing I’d like to clarify on the subject of HTTPS and SSL certificates specifically is that the use of SSL certificates and HTTPS do not in any way, shape, or form protect the data on your website itself. HTTPS encrypts data in transit only. Neither does it protect data resting on visitors’ computers. You should consider HTTPS the armored truck of websites, not the bank vault. It acts as the protection against adversaries while data travels from point ‘A’ to point ‘B’.

Tags:   #AskSecPro, Encryption, HTTPS, SSL
Categories:  Ask a Security Pro, Website Security, WordPress security

Malware and WordPress Auto Login

By Michael Veenstra

Malware comes in a great deal of unique shapes and sizes.  Most people know someone who has had the misfortune of an infected computer at some point. Ransomware, trojans, and viruses that affect consumers’ physical devices are generally built with compiled code, which means you can’t easily “take a look under the hood” to get a solid idea of how it works.

The types of malware we work with at SiteLock behave a little differently, however. The web-ready files we encounter most frequently are written in Interpreted Languages like PHP and JavaScript. This means that the files involved contain plain, human-readable code, allowing anyone who understands the language to see what the files do.

Tags:   malware, PHP Code, WordPress
Categories:  Website Security, WordPress security
SiteLock Threat Intercept blog

Trending: Fake WordPress SEO Plugin Provides Backdoor Access

By Jessica Ortega

We recently discussed a particularly sneaky piece of malware that’s been disguising itself as fake plugin and targeting Joomla! users. While this phenomenon is not unique to the Joomla! content management system, SiteLock has discovered a recent trending fake plugin for WordPress, one of the world’s largest open source applications.

The fake plugin the SiteLock Research team found is called WP-Base-SEO. It is a forgery of a legitimate search engine optimization plugin, WordPress SEO Tools. Malicious content was found in /wp-content/plugins/wp-base-seo/wp-seo-main.php.  At first glance, the file appears to be legitimate, including a reference to the WordPress plugin database and documentation on how the plugin works.

WordPress fake SEO Plugin header

Fake plugin header

Tags:   fake plugin, Joomla!, SiteLock, WordPress
Categories:  SiteLock News, WordPress security
website security scientist

Ask a Security Professional: Feature-Based Malware Detection

By Logan Kipp

Last year we published an #AskSecPro series where we explained how signature-based malware analysis works, as well as how traditional signatures are created. An area we don’t often talk about in public channels, but has played a pivotal role in SiteLock becoming a global leader in website security solutions, is our research and development efforts in new security technologies. In addition to our more traditional approaches to malware detection, SiteLock continues to explore new frontiers in technological improvement to push the field of security research forward. For some time SiteLock has been developing machine learning mechanisms as part of its process for discovering new malware iterations on an automatic basis. Our research in the field has shown that machine learning promises to be an important part of early malware detection and preliminary identification. One of the most significant breakthroughs we’ve had in machine learning as it pertains to malware detection and signatures, has been in feature-based signature analysis.

Tags:   #AskSecPro, analysis, behavioral analysis, feature-based, machine learning, malware, research, signatures, unsupervised learning
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security
website security scientist

Ask a Security Professional: WordPress Database Security Part Two — Best Practices

By Logan Kipp

In Part One of our #AskSecPro series on WordPress Database Security, we learned about the anatomy of WordPress. Now that we have a firm understanding of the role the WordPress MySQL database plays in a WordPress installation, we can take a look at the various ways an adversary can exploit the mechanisms involved. We’ll also explore some of the ways to defend your database against compromise.

Tags:   #AskSecPro, best practices, database, mysql
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security