WordPress News

website security scientist

Ask a Security Professional: WordPress Database Security Part Two — Best Practices

By Logan Kipp

In Part One of our #AskSecPro series on WordPress Database Security, we learned about the anatomy of WordPress. Now that we have a firm understanding of the role the WordPress MySQL database plays in a WordPress installation, we can take a look at the various ways an adversary can exploit the mechanisms involved. We’ll also explore some of the ways to defend your database against compromise.

Tags:   #AskSecPro, best practices, database, mysql
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security
website security scientist

Ask a Security Professional: What is #Cloudbleed?

By Logan Kipp

Over the last few days you may have heard the term #Cloudbleed thrown around the water cooler. Some of the questions our customers are asking us include,  “What is Cloudbleed?” and “Am I protected from Cloudbleed?” As your resident Security Professional, I’ll be glad to help you to understand what the Cloudbleed buzz is all about and how it may impact you.

— First, I want to be very clear that the Cloudbleed bug does NOT impact SiteLock TrueShield™ WAF/CDN. More below.

Tags:   buffer overflow, CDN, cloudbleed, disclosure, leaked, memory leak
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security

SiteLock is a WordCamp Global Community Sponsor for 2017!

By Adam Warner

We are excited to announce that SiteLock is a WordCamp Global Community Sponsor this year! After sponsoring 17 WordCamps and attending 40 in 2016, becoming a 2017 global sponsor was an obvious next step for us, and we look forward to expanding our support within the community this year!

Tags:   community, influencer, sponsorship
Categories:  WordPress

Rogue Pharmacy Defacements via REST API Exploit

By Logan Kipp
SiteLock Research shield

This article was co-authored by Security Researcher Wyatt Morgan from SiteLock Research.

 

This month we’ve seen WordPress websites bombarded with defacements and remote code execution attempts by abusing a vulnerability in the WordPress REST API. As could be expected, compromises motivated by financial gain have now made their debut through the same vector. This most recent flavor of defacements focuses on driving traffic to a rogue pharmacy website, where the visitor is encouraged to purchase — you guessed it, “authentic” erectile dysfunction medication.

Tags:   exploit, pharmahack, REST API, rogue pharmacy, trend, Trend Yuma
Categories:  Website Security, WordPress, WordPress security

Case Study: ValChoice

By Ashley Baldwin

Company Background

Dan Karr is the founder and CEO of ValChoice.com, a company with a mission to “give every consumer in America a free analysis of their insurance company.” After an awful car accident, Karr was unable to recover almost $100,000 worth of medical expenses from his health and auto insurance companies. As a husband and a father of three, the financial strain put pressure on his entire family. “After that experience, I vowed to prevent this from happening to any other family by leveraging my technology background to bring transparency to the insurance industry,” said Karr. That’s when ValChoice.com was born.

ValChoice.com provides its customers with a detailed, easy-to-understand analysis of the value, protection and services that insurance companies offer. As the company website states, ValChoice.com is “an independent, unbiased and trusted source of information about insurance companies.”

Tags:   case study, Firewall, malware removal, scanning, ValChoice, WordPress
Categories:  WordPress, WordPress Benefits

Remote Code Execution Attempts via REST API Vulnerability

By Logan Kipp
SiteLock Research shield

This article was co-authored by Security Researcher Wyatt Morgan from SiteLock Research.

 

In the continuing saga of the WordPress REST API vulnerability in WordPress 4.7 and 4.7.1, SiteLock has identified that at least one hacker has launched a campaign specifically attempting remote code execution (RCE) on WordPress websites. The attacks aim to take advantage of WordPress websites using plugins that enable PHP to run inside of posts. If successful, the attack injects a line of code that ultimately downloads a series of malicious files from a Pastebin repository. These malicious files are used to install  backdoors and automatically steal information from  websites. When unsuccessful at remote code execution, the attack overwrites existing posts and leaves behind PHP shortcode.

Tags:   api, backdoor, exploit, rce, remote code execution, rest, Trend Sedona, WordPress
Categories:  Website Security, WordCamp, WordPress security
website security scientist

Ask a Security Professional: WordPress Database Security Part One — Anatomy of WordPress

By Logan Kipp

For most people the year is still just getting started, but for some website owners the year has already packed quite a punch in the form of website attacks. This month hackers exploiting a vulnerability in the WordPress REST API successfully defaced over a million websites in what has become one of the largest website defacement campaigns to date. The attacks injected content that overwrote existing posts on WordPress websites running versions 4.7 and 4.7.1, leaving website owners with an immeasurable number of “Hacked by” posts across the droves of impacted websites.WordPress REST API

Many website owners who have unfortunately found themselves in the proverbial trenches of a digital battlefront, some of which had at least some security measures, are facing a difficult data recovery situation. It is from these recent events that the next Ask a Security Professional question was crafted; How can I better protect my data?

I feel that it’s important to fully understand what the problem is in order to best understand what forms a solution can take. In Part One of #AskSecPro we’ll cover an introduction to some of the infrastructure behind WordPress. Let’s start at the beginning.

Tags:   #AskSecPro, core, database, mysql, phpmyadmin, security, sql
Categories:  Ask a Security Pro, Website Security, WordPress, WordPress security
Loop Conference 2017 | SiteLock

LoopConf – Advancing WordPress Development and Communities

By Adam Warner

We’ve just returned from LoopConf, a WordPress developer-focused event that SiteLock was lucky enough to sponsor. It was an amazing three days, packed with informative sessions around open source software and leading-edge technologies – everything the WordPress community loves, all in one place! As usual, I’ve provided a summary of just some of the awesome sessions I attended while at the conference.

Tags:   conference, developers, LoopConf
Categories:  WordPress

Defacement Trend via REST API Exploit

By Logan Kipp
SiteLock Research shield

This article was co-authored by Security Researcher Wyatt Morgan from SiteLock Research.

 

SiteLock Research has identified a trend of defacements impacting thousands of WordPress websites. This trend of defacements appears to be exploiting a vulnerability in the WordPress REST API present in versions 4.7 and 4.7.1. The attack overwrites existing WordPress posts with a defacement, of which there are already many variations, with hackers even overwriting each others’ defacements in many cases. Customers using the SiteLock TrueShield™ Web Application Firewall (WAF) are protected against this exploit.

Trend characteristics:

  • This attack vector impacts WordPress sites running versions 4.7 and 4.7.1 with the REST API enabled.
  • The attackers are sending the defacement payload over the REST API to modify and deface existing posts.
  • Post keywords are being modified in many cases, possibly for blackhat SEO purposes.
  • We’ve identified at least six different defacement
    campaigns through this vector.

Examples (hackers’ handles redacted):

WordPress defacement | hacked by

WordPress defacement example | hacked byWordPress defacement | hacked by with loveWordPress defacement | Hacked by HaCk3D

 

 

 

 

 

 

 

 

This attack targets existing posts in WordPress, which means that a successful attack is overwriting data inside the WordPress database and data may only be recoverable via backup. If you have been impacted by this attack, your best course of action is to follow these steps:

1. Perform a file and database backup of the impacted website and save it to a secure location. This will ensure your data is safe if any critical failures occur in the following steps.
2. Update WordPress to the latest version, version 4.7.2.
3. Login to /wp-admin/ and verify which posts have been impacted by the defacement by looking in the title and body of the post for content that you did not put there. From the “edit post” menu, for each impacted post, check the revision history of the post to see if the original content is intact in a previous revision. If a previous revision is available, restore the post to that revision. Be sure to also check if the permalink for the post has been modified.

In many cases, following the above steps will remove the defacement and no further action is required. If you were not able to recover all of your post content, please continue with the following steps.

4. Locate your most recent database backup from before the attack and restore it to the production database.
5. Login to /wp-admin/ to check if any database clean-up is required to synchronize to the current WordPress version on the production site.
6. If WordPress indicates database changes are needed, allow it to run through the changes.

7. Audit your website for any incompatibility with the new WordPress version you’ve installed. Issues with updating are most commonly evident in the look and feel of the website.

We advise reaching out to your hosting provider as they may have a backup of your website stored on file. Additionally, if you have any questions or concerns about this email, please contact us at 877.563.2832 or email support@sitelock.com.

Please check this article regularly for updates as more information becomes available.

Tags:   api, breaking, defacement, exploit, rest, trend, Trend Conrad
Categories:  Website Security, WordPress, WordPress security

Critical WordPress REST API Vulnerability

By Logan Kipp

This article was co-authored by Security Researchers Gregory Bloom and Wyatt Morgan from SiteLock Research.

 
As you may have heard by now, WordPress 4.7.2 has arrived! This emergency patch was released by the diligent WordPress contributors following the discovery of a rather nasty vulnerability in the new WordPress REST API functionality. The vulnerability discovered allowed for unauthenticated privilege escalation, which in layman’s terms means it’s potentially harmful as it could allow an adversary to gain unauthorized administrator privileges to any post on most WordPress websites running versions 4.7 or 4.7.1.

Tags:   api, exploit, privilege escalation, rest, vulnerability, WordPress, zero day
Categories:  Website Security, WordPress security