Press "Enter" to skip to content

Posts tagged as “wordpress”

Six WordPress Plugins Vulnerable

By Christine Hall on November 12, 2015 |

News, Security and Web Apps

Six WordPress Plugins VulnerableWordPress logo

In the same week that we learned from W3Techs that the popular open source content management system (CMS) WordPress now powers a full 25 percent of all sites on the web, we learn that six popular WordPress plugins contain serious security vulnerabilities. The later news comes to us by way of security firm Wordfence, which specializes in WordPress security and develops the Wordfence security plugin for the platform.

WordPress logoThis news isn’t surprising, nor is it cause for alarm. Because WordPress is by far the most popular content management platform on the web, it’s an obvious target for hackers, and third party plugins are the most obvious way inside. However, the folks at Automattic, which develops the platform, have proven themselves to be diligent at finding vulnerabilities and keeping them patched.

Continue readingSix WordPress Plugins Vulnerable
WordPress Upgraded to Fix Security HolesWordPress logo

WordPress Upgraded to Fix Security Holes

By Christine Hall on May 7, 2015 |

News, Security and Web Apps

Website publishers using the popular free and open source WordPress content management system (CMS) woke up this morning to find that their sites had been upgraded to version 4.2.2. Users who’s sites somehow missed being automatically upgraded are urged to update immediately, as this update addresses several important security issues. According to Wordfence, maintainers of a popular WordPress security plugin, this release fixes one recently discovered vulnerability and further hardens a security issue that was addressed in version 4.2.1.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

FOSSForce.com
Continue readingWordPress Upgraded to Fix Security Holes

WordPress Plugin ‘Simple Ads Manager’ Exploit

By Christine Hall on April 13, 2015 |

Internet, Software and Web Apps

Anyone who runs sites using the WordPress platform and the plugin Simple Ads Manager will want to read this and learn from our mistake. Even those not using this particular plugin, but who have deactivated plugins not being used but still residing on their servers might find this useful. Luckily, in our case no harm was done, but that’s only because the incident occurred on a test site, so we were able to just take the site down. Lucky for us, it wasn’t FOSS Force or one of our other active sites.

Early Saturday evening we began receiving numerous email notices with two worrisome subject lines from our server. One subject was “LOCALRELAY Alert for sitename,” being sent to us at the rate of about every five minutes, with each showing info on the “first ten of 101 emails” that had been sent by the server since the last email notification. The other subject, “Script Alert for /path/to/script” was coming with the same frequency. To make a long story short, someone had hacked into a site we use to evaluate and test WordPress plugins before possibly deploying them on active sites, and was using it to send spam. Our test site had been turned into a spambot in other words.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

FOSSForce.com
Continue readingWordPress Plugin ‘Simple Ads Manager’ Exploit
Drupal Hack & WordPress UsersWordPress logo

Drupal Hack & WordPress Users

By Christine Hall on October 30, 2014 |

Internet and Security

It’s not a good day for Drupal users, with the security folks at the CMS platform telling all users to consider themselves compromised if they didn’t install a security patch within seven hours of its release on October 15th.

Fixing the infected sites will require a bit of work. Sites will need to be taken offline, and the current install of Drupal blown-up and replaced with a backup from before October 15th. Any changes made made to a site since that date will have to be redone. Site owners will also need to notify their hosting companies of the situation, since the Drupal exploit could also be used to hack into other sites on a host’s server. Hosts will not be happy to hear this.

Users of other CMS platforms can give a sigh of relief — after all, they’ve dodged a bullet — but they’d be well advised to pay attention; a similar scenario could play out on any platform at any time.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

FOSSForce.com
Continue readingDrupal Hack & WordPress Users

Brute Force Attacks on WordPress Sites Underway

By Christine Hall on February 10, 2014 |

Internet, News and Security

At about 1 p.m. this afternoon the security company behind the WordFence plugin for WordPress issued a security advisory via email informing users of their plugin that WordPress sites are currently under a brute force attack.

“As of 11am eastern time this morning we are monitoring the largest distributed brute force attack on WordPress installations that we’ve seen to date. The real-time attack map on www.wordfence.com became so busy that we’ve had to throttle the amount of traffic we show down to 4% of actual traffic.

“A brute force attack is when an attacker tries many times to guess your username password combination by repeatedly sending login attempts. A distributed brute force attack is when an attacker uses a large number of machines spread around the internet to do this in order to circumvent any blocking mechanisms you have in place.”

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

FOSSForce.com
Continue readingBrute Force Attacks on WordPress Sites Underway
WordPress – Too Fast For ComfortWordPress logo

WordPress – Too Fast For Comfort

By Christine Hall on December 18, 2013 |

Internet, Software and Web Apps

Something’s got to give with the WordPress cycle.

Just three months ago, back in September, WordPress issued version 3.6.1 of their content management and blogging platform. Last week they issued 3.8. In between there was 3.7 and 3.7.1, the later release raising eyebrows when it included an automatic “minor point” upgrade feature that can’t be easily disabled.

That’s an average of one release per month, a burden for someone trying to keep sites safe from exploitation by the black hats. By quickening the pace of releases, WordPress may be inadvertently forcing webmasters into remaining with older versions, a potential security risk. Just as the enterprise balked at too much “release often” pressure from their vendors, folks who administer WordPress sites would be justified in complaining and pushing for a solution to this aspect of the WordPress development process.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

FOSSForce.com
Continue readingWordPress – Too Fast For Comfort

The Importance of Free Websites

By Christine Hall on November 15, 2013 |

Internet, and Web Apps

On October 26th, ten year old Charlie Thompson went to a Halloween party at a friends house in rural New York state. The weather was reasonably mild, so much of the party took place outside. At some point the children began playing a game of hide and seek. Charlie and another boy found a wooden board that Charlie thought would be a perfect place to hide. He lifted the board and knelt on another board that was underneath.

The board on which he knelt was old and rotten. Unbeknownst to Charlie and his friend, it was also covering an old abandoned well. Under his weight it immediately broke, hitting him on the forehead and knocking him unconscious. He fell straight down into the well, which was eighteen feet deep. His friend immediately ran to get help.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

FOSSForce.com
Continue readingThe Importance of Free Websites
WordPress Becomes Big Brother & More…WordPress logo

WordPress Becomes Big Brother & More…

By FOSS Force on November 3, 2013 |

Internet, Media, News, Politics, Security and Web Apps

FOSS Week in Review

Is Netflix coming soon to a Linux near you?

Saurav Modak at Muktware was observant enough to note last week that Netflix is now offering-up programming with a choice heretofore unavailable. For the time being they’re still pretty much married to Microsoft’s dead or dying Silverlight, but they’ve taken HTML5 on as a lover. This gives users of the popular movie outlet a choice that, at the very least, should make things easier for Linux users who insist on using the Netflix service:

“Although hackers have already made a workaround to stream Netflix videos in Linux machines, performance is generally low and video playback is not hassle free. Some workarounds include running the entire browser in Wine, or running a Silverlight plugin in Wine and make it compatible with the browser. But all of them come at a cost of performance. Switching to HTML5 from Silverlight will greatly reduce all these hassles, as all you will need is a latest standard compatible browser to stream movies and TV shows. This will also allow support for mobile devices and tablets which are adopting more HTML5 standards day by day.”

Continue readingWordPress Becomes Big Brother & More…
When a WordPress Update Goes AwryWordPress logo

When a WordPress Update Goes Awry

By Christine Hall on September 25, 2013 |

Business, Tutorial and Web Apps

I guess this is something of a cautionary tale.

The weekend before last we decided that it was time to update the WordPress installations on two of our five sites. Both sites had been using version 3.4.2 which was now a year old. Days earlier, WordPress had released 3.6.1, urging all users to update due to some serious security issues. Although it wasn’t clear that this affected the version we were using, we decided to go ahead and update. It was time.

WordPress logoThat Friday night, in the wee hours of Saturday morning actually, I upgraded If This Be Treason, our less trafficked site. I began by checking all of the plugins to make sure they were good-to-go with WordPress’ latest and greatest and then updated all that had newer versions available. Except for one, all of the plugins used by that site indicated they worked with at least 3.6.0, which was good enough I figured, since 3.6.1 was only days old and was primarily a bugfix and security release, otherwise no different than the earlier point version.

Christine Hall

Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux

FOSSForce.com
Continue readingWhen a WordPress Update Goes Awry
Latest Articles