Category: WordPress security


How SiteLock Saved a Whale Watchers Website [Case Study]

By SiteLock

Company Overview

Hyannis Whale Watcher Cruises is dedicated to providing ‘Cape Cod’s Finest Whale Watching!’ Established in 1989, the company brings more than thirty years of experience to whale watching, with an impressive sighting rate of 99 percent. As the company’s popularity grew, its website was forced to expand from an initial online brochure to a comprehensive resource including whale watching information, trip scheduling and online ticket purchasing. These changes also greatly increased customer reach both nationally and internationally.

Tags:   blacklisted website, case study, SiteLock support
Categories:  SiteLock Reviews, WordPress security

Threat Intercept: SiteLock Discovers XSS Vulnerability in WooCommerce Extension

By Ramuel Gall
This article was co-authored by Product Evangelist Logan Kipp.

THREAT SUMMARY

Low Threat

Category: XSS – Reflected

Trend Identified: 7/25/2017

CVE ID: N/A

Threat Name: N/A

Vector: Browser/Javascript

The threat rating was determined using the following metrics:

Complexity:

MEDIUM: While initial exploitation is low complexity, weaponization requires action from the victim.

Confidentiality Impact:

MEDIUM: Successful exploitation of this vulnerability could potentially hijack individual browser sessions.

Integrity Impact:

MEDIUM: Successful exploitation of this vulnerability could potentially hijack individual browser sessions.

What is it?

SiteLock recently found a reflected cross-site scripting (XSS) vulnerability in the WooCommerce “Product Vendors” plugin for WordPress. Reflected XSS vulnerabilities differ from persistent XSS in that each attack is completed within a single session, rather than permanently modifying the impacted site. According to the Open Web Application Security Project (http://www.owasp.org):

“The variety of attacks based on XSS is almost limitless, but they commonly include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user’s machine under the guise of the vulnerable site.”

Who is impacted?

Websites running the WooCommerce “Product Vendors” plugin versions 2.0.35 and older are vulnerable to this exploit. Fortunately, Automattic (WooCommerce’s parent company) patched the vulnerability almost immediately after being contacted by SiteLock. Unfortunately, many site owners do not update their plugins frequently, or at all. If you use Product Vendors for WooCommerce, make sure that you are running the most recent version (v2.0.38 at the time of writing).

 

How was it found?

Our automated scanner alerted us to an XSS vulnerability on a customer’s website, which we determined was due to the WooCommerce “Product Vendors” plugin. What was unusual in this case is that the vulnerable plugin was, at the time, the most recent version, so no patches were yet available for the vulnerability. In accordance with our Responsible Disclosure Policy, we immediately contacted Automattic concerning our findings, provided all relevant information on the vulnerability, and coordinated this disclosure.

Remediation Steps

The simplest way to fix this vulnerability is to update the plugin to the newest version, which was patched less than a week after the vulnerability was reported. Fortunately for SiteLock TrueShield customers, emergency policy updates were pushed to protect against this vulnerability as soon as it was discovered. However, we still recommend updating WooCommerce Product Vendors to the latest version.

 

Technical details

Overview

WooCommerce Product Vendors is a WordPress plugin which allows eCommerce sites to create a marketplace with multiple vendors, taking commissions from each vendor’s sales. The XSS vulnerability was found in the Vendor Signup form, which can be placed anywhere on the site.

 

Cause

This version of the plugin has a reflected XSS vulnerability because the $_POST parameter for vendor_description, which allows vendors to insert a description of their company, is not properly escaped, allowing arbitrary JavaScript to be executed in a visitor’s browser.

 

Reproduction Steps

In this case, the issue was reproduced using the below cURL request, and verified when the output showed the unaltered script.

Exploitability

$_POST parameter XSS vulnerabilities are often underestimated because it’s not possible to exploit them by directly sending a victim to the vulnerable URL. This difficulty is easily circumvented by first directing the victim to an attacker-controlled form that uses JavaScript to submit itself. As $_POST parameters are not directly visible in the URL, this also hides any suspicious parameters that would appear in a $_GET exploit. Additionally, as $_POST requests do not have the same character limit as $_GET requests, a larger payload can be delivered.

Note: It is also possible to craft a data:// URL that includes a self-submitting form, negating the need for the attacker to control another site. However, many browsers impose a length limit on data URLs, and data URLs are unusual enough to elicit suspicion in a potential victim.

 

Impact

As with all reflected XSS vulnerabilities, the impact depends on the ingenuity of the attacker. Reflected XSS allows an attacker to take control of the victim’s browser for as long as the tab is open on the vulnerable site, and victims are far more likely to leave a tab open on a site that appears to be legitimate. Stealing credentials, hijacking sessions, or exfiltrating payment information entered on the vulnerable site may also be possible, depending on the site’s configuration and the security measures in place.

 

Remediation

If updating to the latest version is not possible, this vulnerability can also be patched by escaping the $_POST['vendor_description'] parameter on line 61 of wp-content/plugins/woocommerce-product-vendors/templates/shortcode-registration-form.php using the esc_attr() WordPress function.
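The fix described above, as an added example that is not the plugin's own code: a constructed stand-in for the registration template reflects the posted vendor_description back into the form, first raw and then through esc_attr(), and a regression check confirms the difference. The render_description_field_* and reflects_unescaped() names, the textarea markup, and the fallback esc_attr() (a simplified stand-in built on htmlspecialchars() so the file runs outside WordPress) are assumptions.

```php
<?php
// Added illustration; not the plugin's template. Outside WordPress, esc_attr()
// is replaced by a simplified stand-in so the file runs with plain `php`.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical "before": the posted value is reflected into the form unescaped.
// The textarea markup is an assumption about how the field is rendered.
function render_description_field_vulnerable(array $post) {
    $value = isset($post['vendor_description']) ? $post['vendor_description'] : '';
    return '<textarea name="vendor_description">' . $value . '</textarea>';
}

// Hypothetical "after": same markup, value passed through esc_attr() first.
function render_description_field_patched(array $post) {
    $value = isset($post['vendor_description']) ? $post['vendor_description'] : '';
    return '<textarea name="vendor_description">' . esc_attr($value) . '</textarea>';
}

// Regression check: a probe containing markup must not come back verbatim.
function reflects_unescaped($html, $probe) {
    return strpos($html, $probe) !== false;
}

// Constructed probe: harmless markers that only show whether markup survives.
$probe = '</textarea><b id="probe">"\'';
$post  = array('vendor_description' => $probe);

foreach (array('vulnerable', 'patched') as $variant) {
    $html = call_user_func('render_description_field_' . $variant, $post);
    printf("%-10s reflected verbatim: %s\n", $variant,
        reflects_unescaped($html, $probe) ? 'yes' : 'no');
    echo '           ', $html, "\n";
}
```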

 

Tags:   threat intercept, vulnerability, xss, zero day
Categories:  WordPress security

What is WordPress Multisite and Who Should Use It?

By Adam Warner

In this post, we’re going to look at the Multisite feature of WordPress. We’ll learn what it is, when to use it, and when not to use it. We’ll also cover a few important best practices to keep in mind when running WordPress Multisite.

When you enable Multisite in WordPress, you have the ability to create a network of individual WordPress sites on a single installation of the software. Enabling, configuring, managing, and growing a WordPress Multisite-powered website is not for novice users, but depending on the goals of your business, it just might be the perfect solution.

Tags:   multisite, network
Categories:  WordPress security

10 WordPress Website Performance Best Practices

By Logan Kipp

If you’re reading this article, it’s almost certainly not the first website performance article you’ve browsed. Let’s be honest, practically everyone has an opinion on the matter and you would probably deforest half the Amazon rainforest if you tried to print each article you’ve come across. Since we all want to save the habitat of the endangered Amazonian Wapuu and skip the conjecture, I’d like to share with you my 10 WordPress website performance best practices that provide gains you can actually measure.

Tags:   best practices, CDN, database, http/2, performance, requests
Categories:  WordPress security

How to Install and Configure the SiteLock Plugin (Video Tutorial)

By Adam Warner

In our Beginner’s Guide to the SiteLock Plugin for WordPress, we showed you the benefits of proactively preventing malware and hacking attempts on your WordPress website. In this video, you’ll learn exactly how to install and configure our plugin and connect it to a SiteLock account.

Tags:   SiteLock WordPress plugin, tutorial, WordPress plugin
Categories:  WordPress security

Threat Intercept: Malvertising via JavaScript Redirects

By Michael Veenstra
This article was co-authored by Product Evangelist Logan Kipp.

THREAT SUMMARY

High Threat

Category: Malvertising / Malicious Redirect

Trend Identified: 5/17/2017

CVE ID: N/A

Trend Name: Trend El Mirage

Vector: Application Vulnerability, Multiple

The threat rating was determined using the following metrics:

Complexity:

MEDIUM: The vector used to infect websites appears to be through the use of leaked compromised passwords.

Confidentiality Impact:

HIGH: This infection provides complete control of the target website, including database content.

Integrity Impact:

HIGH: This infection provides the adversary administrator-level access to impacted website applications, making total data loss a possibility.


The SiteLock Research team has identified a trend of JavaScript injections causing the visitors of affected websites to be automatically redirected to advertisements without the knowledge of the website owner.

This infection impacts WordPress sites across all versions, but the affected websites identified at this time all show evidence of recent infection by a fake WordPress plugin that performed malicious redirects as well. The previous infections were determined to have been distributed via a botnet using a database of leaked login credentials, suggesting this new attack may similarly be accessing sites via compromised WordPress administrator credentials.

The malicious code becomes embedded into existing JavaScript files in the affected sites, ensuring that the code will be executed in visitors’ browsers regardless of their activity on the site.

The code as it appears in the injected files is obfuscated, which means it’s written in a way that makes it difficult for humans to read. This is the malicious script as it appears in the affected files:

[Figure: Obfuscated JavaScript responsible for malicious redirects.]

After decoding this file, we are able to determine the specifics of how it behaves:

[Figure: Decoded and formatted version of the injected JavaScript.]

The redirect takes place immediately after a page that includes the infected JavaScript loads, after which a cookie called “csrf_uid” is stored in the visitor’s browser; it expires three days after being created. The naming of this cookie is an attempt to hide in plain sight, as CSRF (Cross-Site Request Forgery) protection cookies are commonplace in many websites across the internet. While the cookie is active, no further redirects will take place. This provides two benefits to the attacker. First, the ad network will be less likely to identify suspicious behavior and flag the attacker’s account. Second, it makes the redirects more difficult for the sites’ owners and administrators to identify and duplicate, decreasing the likelihood that the specific infection will be identified and removed.

What is a website cookie?
Cookies are pieces of data that websites store in your browser for later use. Sites use cookies for a number of legitimate reasons, from storing login sessions to analytics of how users are browsing the site.

Fortunately, despite the nature of these redirects, no malicious activity has been identified in the advertisements themselves, meaning a system infection occurring after these redirects is unlikely.

Because the attack vector of this infection appears to be leaked login credentials from unrelated data breaches, it is very important to ensure that strong password policies are in place on your site. Avoid using the same password across multiple locations to prevent one service’s breach from exposing your accounts elsewhere. If you determine that your data has been part of a publicized breach, change your passwords immediately. Also, consider using a breach checker to identify if your email address has been associated with any public data breaches in the past, as this would be a major indicator that password changes will be necessary for your accounts.

If you are a website owner and you believe your website has been impacted by this infection, contact SiteLock as soon as possible at 855.378.6200. Our SMART scan began rapidly identifying and cleaning instances of this infection within 24 hours of being initially identified.

Tags:   malvertising, malware, redirect, threat intercept
Categories:  WordPress security

Zero Day Vulnerability in WordPress Password Reset

By Wyatt Morgan

This week an unpatched vulnerability in WordPress was disclosed by security researcher Dawid Golunski that could potentially allow an attacker to reset admin passwords. This vulnerability impacts most versions of WordPress, including the current release 4.7.4.

Tags:   vulnerability, zero day
Categories:  WordPress security

How to Keep Your SiteLock Dashboard Green

By Logan Kipp

The SiteLock Dashboard is designed to deliver a concise report of your website security status at a glance. We’ve incorporated a color-coded light system that is so easy to understand that your eyes won’t need more than two tenths of a second to discern the color of your SiteLock status light. If you’re not familiar with the definitions of the three traffic light settings, I sometimes like to explain these using what I call the beach martini rule. I tend to picture our customers relaxing on the beach, unwinding and sipping a martini because they know SiteLock has their back. At about the point where it’s a good time to reapply your sunscreen, you also take a quick glance at your site status before sinking back into your lounge chair.

Green – The coast is clear, no action is required at this time. Re-apply your sunscreen and order yourself another martini.

Yellow – Action is required to resolve a non-critical item. When you’re done soaking up the rays for the day, go ahead and take a look at what needs your attention.

Red – Action is required on a critical item. Let’s go ahead and set that martini down and take a look at what’s going on.

Tags:   account management, alerts, malware, SiteLock products, vulnerability
Categories:  WordPress security

Threat Intercept: Passwords Publicly Exposed by Malware

By Ramuel Gall
This article was co-authored by Product Evangelist Logan Kipp.

THREAT SUMMARY

High Threat

Category: Shell / Information Disclosure

Trend Identified: 4/20/2017

CVE ID: N/A

Trend Name: Trend Tusayan

Vector: Application Vulnerability, Multiple

The threat rating was determined using the following metrics:

Complexity:

LOW: The vectors used to infect websites appear to be well-documented vulnerabilities in older versions of website platforms.

Confidentiality Impact:

HIGH: This infection provides complete control of the target website, including credential disclosure and database contents.

Integrity Impact:

HIGH: This infection provides the adversary administrator-level access to impacted website applications, making total data loss a possibility.

The SiteLock team has discovered a dangerous malware trend that not only provides website administrator level access to the bad actors involved, but exposes sensitive website credentials publicly over the internet.

Tags:   cpanel, idx shell, Joomla!, magento, malware, password, shell, threat intercept, trend, vulnerability
Categories:  WordPress security

WordPress Auto Login and Obfuscated Code

By Michael Veenstra

Malware comes in a great many unique shapes and sizes. Most people know someone who has had the misfortune of an infected computer at some point. Ransomware, trojans, and viruses that affect consumers’ physical devices are generally built with compiled code, which means you can’t easily “take a look under the hood” to get a solid idea of how it works.

The types of malware we work with at SiteLock behave a little differently, however. The web-ready files we encounter most frequently are written in interpreted languages like PHP and JavaScript. This means that the files involved contain plain, human-readable code, allowing anyone who understands the language to see what the files do.

Tags:   malware, PHP Code
Categories:  WordPress security