128 vs. 256-bit SSL Encryption: What Are the Differences?


When you are searching for an SSL certificate, you will find 128-bit encryption and 256-bit encryption certificates. What are they? The following questions may come to your mind.

  • Is 128-bit SSL encryption secure?
  • Is 256-bit SSL encryption secure?
  • What does 128- or 256-bit encryption mean?

Don’t panic; we have answers.

7 Certifications for Aspiring IT Leaders


In today’s digital world, enterprises and institutions of all types rely on multiple information systems as well as consumer data to run their daily business processes. This trend has driven a spike in demand for experienced information executives and IT professionals with a broad range of skills.

Leading tech companies, federal agencies, and private corporations are seeking IT leaders who double up as technological innovators, business managers, acquisition experts, strategic thinkers, and technical professionals.

WordPress Error Establishing a Database Connection


WordPress is a powerful content management system (CMS) by all means, but it comes with its fair share of debilitating errors. Just like any other human-made system, it’s prone to errors that can result from many different things. Perhaps you installed a faulty theme or plugin and messed up your install. Maybe a natural disaster […]

The post WordPress Error Establishing a Database Connection appeared first on WPExplorer.

Easy WP SMTP 1.4.3 Patches Sensitive Data Disclosure Vulnerability


Easy WP SMTP has patched a vulnerability that allowed attackers to capture the password reset link from the plugin’s debug log file and gain unauthorized access to the site. The plugin is used by more than 500,000 WordPress sites to configure and send all outgoing emails via an SMTP server so they are less likely to end up in recipients’ junk/spam folders.

WPScan categorized the vulnerability as a “sensitive data disclosure”:

The plugin has an optional debug log file generated with a random name, located in the plugin folder and which contains all email messages sent. However, this folder does not have any index page, allowing access to the log file on servers with directory listing enabled or misconfigured. This could allow attackers to gain unauthorised access to the blog by resetting the admin password by getting the reset link from the log.

Easy WP SMTP version 1.4.3 contains the fix, adding an empty “index.html” file to the plugin’s folder to prevent anyone from browsing the files (even if the `Options -Indexes` directive is missing on that server). Users are advised to update immediately, as the vulnerability has already been exploited in the wild. Several users took to the plugin’s support forums to report attempts on their sites.

Jerome Bruandet, a security researcher from NinTechNet, reported the vulnerability and published a post explaining how an attacker might access the debug log where the plugin writes all the email messages sent by the site. Using author archive scans, the hacker can find a username and then send a password reset email that gets intercepted via the Easy WP SMTP debug log file:

Easy WP SMTP log file – source: NinTechNet

At the time of publishing, approximately 51.8% of users are on 1.4.x versions of the plugin. Without a more specific breakdown, it’s not clear how many users have updated to the patched 1.4.3 version. Approximately 59,000 sites have downloaded the plugin today, leaving many installations still vulnerable.

This is another case where automatic background updates on plugins can quietly save the day. Users who have auto-updates enabled for plugins have already received the fix. Administrators for older installations of WordPress or sites where auto-updates have been disabled will need to update manually as soon as possible.

WooCommerce Patches Vulnerability that Allowed Spam Bots to Create Accounts at Checkout


WooCommerce 4.6.2 was released yesterday with a fix for a vulnerability that allowed account creation at checkout, even when the “Allow customers to create an account during checkout” setting is disabled. The WooCommerce team discovered it after several dozen users reported their sites were receiving spam orders, or “failed orders” where the payment details were fake.

WooCommerce developer Rodrigo Primo described how the bot is attacking stores:

The gist of it is that the bot is able to create a user when placing an order, exploiting the bug fixed by 4.6.2. After creating the user, the bot tries to find vulnerabilities in other plugins installed on the site that require an unprivileged authenticated account.

WooCommerce recommends users update to 4.6.2 to stop bots from creating users at checkout, and then remove any accounts the bot previously created. This will not stop the bots from creating fake orders, so store owners are advised to install additional spam protection from the WooCommerce Marketplace. Some users in the support forum are trying free plugins like Advanced noCaptcha & Invisible Captcha and Fraud Prevention Plugin for WooCommerce.

The first logged instance happened nine days before WooCommerce was able to issue a fix. In the meantime, some users reported having their site’s URL changed and other hacking attempts. Dave Green, WordPress engineer at Make Do, used log files to determine that the script relies on exploiting other vulnerabilities in order to gain access to the database.

“That script is creating the order, and is also likely to be exploiting whatever vulnerability is available to bypass customer account settings and create a new user; it may or may not be relying upon other exploits for this,” Green said.

“Assuming it has successfully gained access to the system, it then tries to update the DB. It either fails and leaves you with nuisance orders, or succeeds and points your site to the scam URL.”

The WooCommerce team has also fixed this same bug in WooCommerce Blocks 3.7.1, preventing checkout from creating accounts when the related setting is disabled.

WooCommerce did not publish the names of any of the extensions whose vulnerabilities are being exploited by this script. However, one user reported an attack that coincided with the fake orders:

I had a failed order yesterday with similar info to the OP as well.

At the exact same time that failed order came in, my WAF blocked two attempted attacks from the same user/IP (bbbb bbbb) for “TI WooCommerce Wishlist < 1.21.12 – Authenticated WP Options Change”

The script may have been probing for a vulnerability in the TI WooCommerce Wishlist plugin, which was patched approximately two weeks ago. The plugin is active on more than 70,000 WordPress sites.

The WooCommerce team is still researching the origin and impact of this vulnerability and will publish more information as it becomes available.

Top 4 Cyber Security Trends to Watch Out For in 2020


Incidents of data breaches and theft are showing no signs of slowing down. According to Forbes, in the first half of 2019 alone, cybercriminals compromised the personal information of more than 4 billion users. As the world becomes more and more digitalized, businesses can no longer afford to ignore cybersecurity.

One of the best ways to stay safe is to keep abreast of emerging cybersecurity trends, so here we’ll discuss five of the most prominent ones to be aware of going into 2020:

Special Cases Are a Code Smell


A Warning Sign

Los Angeles is famous for its complicated parking signs:

They're totems of rules and exceptions, and exceptions to the exceptions. Often, when we code, we forget a lesson that’s obvious in these preposterous signs: Humans understand simple, consistent rules, but fail on special cases.

A Trivial Example

Say you’re given an array of integers, and you want to calculate the sum of each element’s neighbors. Try it: