WordPress Security Action

Working with WordPress gives a sense of professionalism, but it also brings a lot of responsibilities. Neglect them and you will run into problems with site and data management. So now you know what I am getting at!

In addition, WordPress security is a trending term now. It covers the overall protection of the WordPress site you are creating, and thus the safety of the data held in it. So you need something that keeps your data completely safe, but safe from what? Here are some of the threats –

  • Data hacking – The most prominent danger for your website. Hacking of data means the deletion, alteration, locking or any other unauthorized manipulation of your site’s data, either in the content or in the code, which makes the site unusable for you while the attacker gets hold of the information illegally.
  • Incompatible plugins/themes – WordPress is all about themes and plugins; the better you use them, the better the site you can create. But a problem in a plugin becomes a problem for your site as well, such as downtime, a crash or something similar, and your site’s functionality will be disturbed. So using fully compatible plugins is a must.
  • Human errors/Hosting issues – These are the most common problems on any WordPress website. Hosting issues can occur at any time, especially when you are migrating your site or performing staging-like operations. You should have a reliable way of performing such complex operations.
  • Server crashes/Storage issues – Whatever the reason, a server crash is always painful, so you should opt for safeguards like data backups or a site clone. Similarly there can be storage issues, especially with big sites, which hold a lot of data. So either your WordPress installation must have plenty of storage, or you should have a separate arrangement for it.
  • Accidents/Natural disasters – Here I am not talking about natural accidents, but about those related to site maintenance. There can also be problems like battery shortage, sudden battery failure, power cuts or similar. You must have precautions against such problems.

What can be a helpful Answer to this?

A really helpful answer is the use of data backup plugins. They can provide solutions for all the problems I have described above. In fact, they can be a powerful way of providing complete WordPress security for your site. You are thus advised to use the best WordPress plugins.

In addition to site security, the plugin should preferably be able to perform these actions –

Improve your WordPress security

To eliminate a problem, you first have to know about it. The plugin must have a daily automatic scanning feature. Automatic scanning lets you regularly check whether the site’s functions are working properly, and it also checks for any problem that might occur in the site and damage it.

Daily scanning can take many forms; quick scan, custom scan and full scan are the common types. A full scan is usually more helpful than a custom or quick scan, as it checks all areas of the site and its functions, so you can opt for it on a regular basis.

Note that the scan duration depends entirely on the amount of data in the site: the larger the site, the longer the scan.

  • Malware Removal

With daily scanning you can easily find any malware that may exist in your site. Once you catch it, the next step is eliminating it. Look for plugins that offer the best options for removing malware from your site; the best ones provide one-click malware removal.

There can be options like ‘Auto cleaning’, which itself removes the malicious code, viruses or trojans that can harm your website and cause damage like data loss, data lock-out and so on.

Your plugin must also be able to alert or notify you about hacked files. BackupBuddy, BlogVault and UpdraftPlus are some of the best plugins that provide malware removal options.

  • Awesome Site Security

When you work in WordPress, your site is everything you need to protect, so the plugin needs proper site security options. They let you harden the site against any hacker trying to get your confidential information. The plugin must also be able to detect the most complex hacks, and thus provide awesome site security.

The plugins can clean your site of malware, clean hacked files and notify you about the whole process. You must also be able to scan the site whenever you want, and the plugins must have other important site security features as well.

Along with site security, the site’s navigation must be good as well. The dashboard should be fully functional, and the backup features must be robust, so that you can save your data and use it at any time. The best part is that you can access your data anytime directly from the plugin. Your site will be completely secure and safe.

So here I have described the easiest way to perform a complete WordPress security action for your website. Now it is up to you to find the best plugins that provide all these features and give your site the protection that your creation deserves.

I hope you have liked my blog; please share it with your friends as well.


Why Malware Detection is Important?

Digital marketing looks easy and simple on the surface, but is just as complex in depth. There are so many things an associate has to deal with in order to make things work well. Using WordPress is very common for blogging, site creation and adding content.

Though anyone can use this platform for content and site creation, you have to be very quick on all the problems that may occur while building your site. The most threatening problem is the various malware that can attack and harm your system. So it is your duty to protect your site from any kind of problem. But how will you do it?

Malware is not something that cannot be prevented from entering your website. With proper detection and monitoring you can keep your site safe from hacking and similar problems. Here I will tell you about the best ways to protect your WordPress site –


Site Scanning –

Performing site scanning at regular intervals is very effective if you want full website protection for your WordPress site. You know how much time and hard work it takes to create a website, and just one malware problem can cause many issues.

Site scanning is a term associated with website security. It is the process in which a site is checked for any kind of problem. The process is done to find out whether the site contains any malfunction. Scanning a site for malware detection is an old, yet very useful method for detecting problems.

You can easily check the site’s functionality by performing a site scan.

Let’s look at this function in depth.

Today’s technology has become very advanced, creating different ways to scan a website. There are now many types of website scans you can perform. Here I describe them all –

  • Quick Scan –

    The most frequent type of scan is the quick scan. It scans the active files and folders, and the common areas of a website. The chance of detecting a virus is small in this type of scan, but not impossible.

  • Custom Scan –

    If you want to scan files and catalogues separately, you can opt for this scan type. It is popular because it allows you to create your own scanning options; you are free to select the areas of the website you want to scan.

  • Full Scan –

    This is the most prominent scan type, and it can help you detect every single problem that may occur in your website. It checks all the data of the website and reports any vulnerability it finds.

What are the Common Website Vulnerabilities?

Any WordPress website, or any site at all, can suffer from these vulnerability problems. Check them out here –

  • Site hacking –

    There are hackers all over the internet. You have to be very alert to them if you want your site to be safe. This is the very first reason to perform different scanning techniques.

  • Security misconfiguration –

    Hackers try their best to get the site’s security details, including the server, platform, framework and back-end database. If no security is applied to the site, hackers can change important information.

  • Broken authentication –

    These are website authentication and session management vulnerabilities, which usually occur because of unprotected authentication credentials. These need to be properly secured, as any problem may cause data loss and similar issues.

  • SQL Injection –

    This is a common website hacking technique used by malicious attackers to compromise a site. They put malicious code into an SQL statement of a web page, and as a result can obtain the information in the site’s database server.

In all these ways a website can be disturbed by malware.

Sources for performing a Scan –

When it comes to WordPress, you can use the different tools and software available for website scanning. Here are the different sources –

  • Website scanning tools

    These are software packages built for website scanning. There are also third-party tools made for this purpose. It is suggested to follow the best ones.

  • Data Backup plugin –

    These are WordPress plugins (both in-house and third-party) made to back up your data and your site. The best ones offer all kinds of scans for your website. BlogVault, BackupBuddy etc. are some examples.

What will be the effect of scanning a website?

Basically, since it is a security matter, the most notable result will concern the security of the website. Let’s point these out –

  • Website security –

    Your site will be secured against malfunctioning, so you will not face issues like site malfunction, website crashes, data loss etc.

  • Data protection –

    Your data will be completely protected and secure from any kind of threat if you opt for the proper scan types.

  • Site Monitoring –

    You will be able to see everything that is going on in the site; if your site is affected by a virus, you can eliminate it.

So this was my blog describing malware detection: the ways, the effects and the importance. Now it is up to you to select the best tool/plugin/software for your scanning. You are advised to look at all the features first and then install the tool on your system.

I hope this blog has been of some help to you. Thanks for reading. Do share it with someone who needs it. 🙂


On February 6, I had written a blog post regarding a possible security breach at BlogVault. Since then we have been conducting a thorough investigation into the issue. We have concluded the investigations. This post outlines its results.

 

No Data Breached

In our previous communication with you, we had mentioned that there had been a data breach. After detailed investigations, we found that the issue was a vulnerability in the BlogVault plugin, and none of the data on our servers were exposed.

We have ensured to cover every aspect of our system in our investigations, which involved inspecting the logs for our system as well as that of affected and unaffected sites. We also reviewed the attack payload with great detail.

 

BlogVault Plugin Vulnerability Fixed in Version 1.45

On Feb 4, we learned that we were using ‘unserialize’ PHP function on unverified data in BlogVault plugin versions 1.40 to version 1.44. We fixed it on the same day (Feb 4) with plugin version 1.45.

However, we had assumed the worst, and communicated with our customers the same day about the security issue. Following this, we also made a public announcement about it via a blog post.

Since then, we have thoroughly investigated the issue and analyzed our entire system. We have found that the above-mentioned vulnerability was the only entry point that allowed malware to be injected into sites on which the BlogVault plugin was reachable.

The BlogVault plugin has been secure ever since the updates on version 1.45.

However, we have continued to strengthen the security of our plugin and as of the date on which this post is published, the latest version of the BlogVault plugin is 1.46. If your BlogVault plugin is older than 1.46, we request you to update to the latest version available in the WordPress repository (https://wordpress.org/plugins/blogvault-real-time-backup/ ).

 

Your data and backups are safe

As mentioned in our previous communication, your backups and data were safe and continue to be safe. They were never at risk. This includes:

  • Your backups
  • Your passwords
  • Your payment details

Please find below the details of the measures we have taken during the investigation to bolster the security of our service:

 

Preventive Security Measures Implemented

As a reflection of our commitment to security best practices, we have taken a list of preventive security measures during the investigation to ensure that this incident doesn’t repeat itself.

  • Updates made with versions 1.45, and 1.46 of the BlogVault plugin were a part of the measures to strengthen the security of the plugin.
  • We have actively scanned all sites to identify websites affected by this issue and to get them cleaned and secure.
  • We have also pushed an automatic update to the BlogVault plugin on most sites.
  • Moreover, we have taken and continue to take measures to ensure that neither the BlogVault plugin nor the servers can be exploited.

 

Your Trust Continues to Be Important to Us

During this period, many of you have reached out to us via our chat channels, email or even Twitter. We realize that you have not received the level of service on which we pride ourselves, and for this we apologize.

At BlogVault we are committed to being transparent and accountable to you. I know that we had received some questions about details regarding the issue. We were unable to respond to them because we had prioritized the security of the affected sites of our customers. We also wanted to ensure that we would refrain from adding to any speculations and only communicate facts.

We have set up an FAQs page that addresses some of the questions you might have regarding the security issue (these are different from the FAQs we received at first), and describes the measures we have taken to secure sites. Please find the link to this page here: https://blogvault.net/security-updates-faqs/

The security of your sites and your trust is of utmost importance to us at BlogVault. Please reach out to us with any further queries you might have.

 

Thank You

You have been extremely understanding and generous to me and my entire team over this period; and we want to personally thank you for that.

Security is an ongoing process and we remain committed to making our service more robust.

 

We recently discovered a security breach at BlogVault which led to some data being exposed. Here are some details about the issue. We are currently in the middle of an extensive investigation and we will share updates with more detail as and when we learn more about the issue.

 

Update to The Latest Version

To mitigate risks from the data exposure we have updated our plugin with additional security measures. If you are learning about this for the first time and you are a BlogVault user then please update to BlogVault plugin version 1.45 from the WordPress plugin repository.

 

An ‘Updates Page’ for Clear Communication

We have reached out to all our customers informing them about the situation. We have also set up a ‘Security Updates’ page to be communicative throughout the process. The page also has some FAQs and contact details. Please follow this link for more details: https://blogvault.net/help/info

 

app backup & restore

We understand that it can be frustrating for you, as it is for us, not to have all the information. We aim to be comprehensive in our response to the issue. Once we have safeguarded our customers’ data and our investigation is complete, we will be able to share more details. Security is essential for everyone, even during an app backup and restore.

 

Lastly, we have reached out to all BlogVault customers and we are deeply moved by the patience and understanding displayed by many of them. We are working round the clock and have prioritized safeguarding your data.

Watching dominoes fall is always fun. And why wouldn’t it be? It’s a harmless, yet mesmerizing display of organized chaos. But if it did represent something harmful, there would be much reason to worry. Cross-site scripting attacks, at their worst, are the dominoes of common website vulnerabilities.

Cross-Site Scripting is a website attack that can be compared to dominoes falling, because of the damage it causes.
Once dominoes start falling, there’s no stopping them.

Cross-site scripting, generally known as XSS, is a type of injection attack. It works a little differently from most other attacks because, in addition to exploiting WordPress websites and their servers, the attack also utilizes web browsers.

How it works in general

Cross-Site Scripting starts out the way most injection attacks (such as SQL Injection) do: by accepting user inputs. An attacker injects malicious scripts into good WordPress sites through a part of the website that accepts users’ inputs (like a comment field). So if an attacker placed, say, malicious JavaScript code within “<script>… </script>” tags in the comment section, the code would run in the browser of everyone who views that page. This would allow the attacker access to any information they can glean from the visitor’s browser, from cookies to saved or entered login credentials.

How to prevent Cross-Site Scripting

There are a few sure ways to prevent XSS attacks on your WordPress site. Some of them include making sure that your:

  • Web browser makes use of the same-origin policy – Web browsers have a set of rules by which one web page is allowed to access scripts on another only if they have the same origin. If a browser doesn’t check the origin of a page’s scripts, it results in a vulnerability that attackers can use to inject malicious scripts, which users’ browsers would then execute. All of this is moot, though, if one of your website’s visitors uses a browser that doesn’t have this policy… in which case stricter security measures on your site would help.
  • Website can tell the difference between markup tags and actual content on a page – Websites are vulnerable to XSS attacks when they can’t tell the difference between markup code and content that has to load on their pages. This means that if there were a piece of text, like an equation containing the ‘<’ sign, alongside executable code (containing the <script> tag), the browser would confuse the two. This could be because the developers forgot to implement rules dictating that ‘<’ signs in text on the web page should be represented as “&lt;”. When this happens, the website is vulnerable.
  • Website has input validation and sanitization – None of this would happen if the standards for accepting users’ inputs were high.
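The escaping rule from the second point above, applied to a comment field, as an added example that is not part of the original post. The function names, the entity table and the sample comments are constructed for illustration; the vulnerable renderer shows the mistake, the hardened one shows “<” becoming “&lt;”.

```javascript
// Added example (not from the original post): escaping user input before it is
// placed in an HTML text context. All names and sample data are constructed.

// Map each HTML-significant character to its entity so the browser shows it as
// text instead of parsing it as markup. "<" becomes "&lt;", as the post says.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// One pass over the string; doing "&" in the same pass avoids double-escaping.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable rendering: the stored comment is concatenated straight into the
// page, so a comment containing "<script>" becomes executable markup and an
// innocent "3 < 5" is misparsed as the start of a tag.
function renderCommentVulnerable(comment) {
  return `<li class="comment"><b>${comment.author}</b>: ${comment.body}</li>`;
}

// Hardened rendering: every user-controlled value is escaped at output time.
// (Validate on input as well; escaping on output is what stops the markup.)
function renderCommentSafe(comment) {
  return `<li class="comment"><b>${escapeHtml(comment.author)}</b>: ${escapeHtml(comment.body)}</li>`;
}

// Render a whole comment list with the chosen renderer.
function renderComments(comments, renderer) {
  return `<ul>${comments.map(renderer).join("")}</ul>`;
}

// A check a reviewer or scanner can run over rendered output: does any raw
// script tag, inline event handler or javascript: URL survive? True if so.
function containsActiveMarkup(html) {
  return /<\s*script\b|\bon\w+\s*=|javascript:/i.test(html);
}

// Constructed sample comments, as they would sit in the database after a
// stored XSS attempt: one ordinary comment and one carrying a script tag.
const SAMPLE_COMMENTS = [
  { author: "alice", body: "Nice post! Note that 3 < 5 and 5 > 3." },
  { author: "mallory", body: '<script>alert("xss")</script>' },
];

// Stand-alone demonstration: the vulnerable page carries active markup, the
// hardened page does not.
const vulnerablePage = renderComments(SAMPLE_COMMENTS, renderCommentVulnerable);
const safePage = renderComments(SAMPLE_COMMENTS, renderCommentSafe);
console.log("vulnerable page has active markup:", containsActiveMarkup(vulnerablePage));
console.log("hardened page has active markup:  ", containsActiveMarkup(safePage));
console.log(safePage);
```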

Categories of XSS attacks

Cross-Site Scripting is a very complex attack especially because of how it can be categorized. It can be put in buckets, based on the following criteria:

  1. Whether the malicious script (from users’ inputs) is stored –
    1. If the malicious script is stored on the website or browser’s database, the attack is categorised as a Stored (or Persistent) XSS attack.
    2. If it’s reflected to other visitors instead, it’s called a Reflected XSS (or Non-persistent) attack.
    3. There is also another kind of XSS attacks, called the DOM (Document Object Model)-based XSS attack that we’ll explain later some time.
  2. Which side accepts unvalidated user inputs (this categorization overlaps the Stored and Reflected categorisation) –
    1. Server-side XSS attacks
    2. Client-side XSS attacks

Stored (or persistent) XSS Attack

Stored XSS usually occurs when user inputs are taken and stored in a database. In this case, the user is affected because unsafe data is run on the browser. Any attacker could input malicious code on a vulnerable website just once, and it would get stored (persistently) on the server. When any other user accesses the website, they would get affected. The malicious code infects the user’s browser, and retrieves sensitive data, (such as usernames and passwords) for any site the user might use the browser to visit. Here is what a Stored (or Persistent) XSS attack looks like:

Stored XSS attacks can cause a lot of damage. This image shows how one works, in general.

One of the most well-known, real-world examples of this attack, is that of the MySpace worm of 2005. The worm was scripted in JavaScript to be self-propagating. So instead of just affecting people who visited the point of origin of the worm, it affected visitors of the original victims, thus propagating exponentially. Here’s how it loosely worked:

Samy Kamkar hacked MySpace in 2005, and introduced an XSS worm that took over 1 million profiles in 6 hours. It was an example of the scope of a Stored XSS attack.

This attack is precisely why we compared XSS attacks to dominoes falling.

Reflected (or non-persistent) XSS attack

Reflected XSS attacks are a different thing altogether. They are the most well-known sort of XSS, and can pose a serious threat, if not prepared for. Here’s a general example, to explain how this attack could work:

Reflected XSS is the more well-known sort of XSS attack.

This attack could be used to do anything from launching a DDoS attack (as seen in the above example), to scanning the websites/ profiles/ browsers of every visitor to your website, for vulnerabilities that could later be exploited.

Cross-Site Scripting could use information from any website/web service you use.

The Cross-site Scripting attack is one that has existed for a long time. Unfortunately, until the MySpace worm was created, not many in the realm of internet security took it very seriously. However, according to a report by WhiteHat Security in 2015, even 10 years after the MySpace worm, 47% of all websites are still vulnerable to this kind of attack. This attack relies on user inputs not being validated or sanitised before being processed. So the best way to protect your WordPress website, is to make sure that it doesn’t take your subscribers’ inputs lightly. This obviously means you should make sure that the plugins and themes on your site accepting user inputs validate them first. But even otherwise, choosing an extra security feature can never cause harm. If you’d like to try out a website scanner that is 100% accurate, requires no technical assistance, and also helps you remove hacks, visit MalCare.

Removing malware from your website, and getting rid of hacks is a painstaking process. When you’re a website owner whose site has been hacked, your online reputation takes a hit. It’s only more distressing when you keep getting hacked. The reason behind this, most of the time, is a ‘backdoor’.

Having a backdoor could be explained with some ease, by comparing it to something we could call a “spare-key situation”.

Suppose you had a spare key to your house, but you dropped it somewhere on your street. Someone creepy has found it, and unfortunately for you, this person also knows exactly where you live. Of course you don’t know about it, but you notice changes at home.

Whether all the furniture in your house is gone, or whether the sofa is always a little warmer in the morning depends entirely on what this person with the spare key is doing in your house. This means unless you change your locks or employ other security measures, this stranger has full access to your home, and will keep coming back.

Hackers also do something similar when they hack WordPress sites.

When a hacker exploits a vulnerability and hacks a site, they want to be able to enter it again in the future. They also want to do so, without needing to put in the effort again. This becomes difficult though, if the site owner closes the vulnerability by updating the exploitable theme/plugin. That is why hackers leave behind code called backdoors on the site. This way, even if the vulnerability is fixed, the backdoor remains. Backdoors are inconspicuous, because the longer they stay hidden, the longer the attacker has a way to get back in.
Backdoors can give hackers complete control through Arbitrary Code Execution. One of the most common backdoors is ‘Filesman’. Since it’s feature-rich, it allows hackers to perform a variety of functions. However, there are others too, which might be just three-four words of code, but prove to be equally dangerous.

A lot of the time, backdoors are disguised as WordPress files, and are hidden by the hacker in a place only they know. You, as an admin, could find the file only if you combed through all the WordPress files. This is especially difficult because backdoors can go in so many different places.

Here are a few places backdoors are usually hidden on your WordPress site:

  1. In core WordPress folders: Adding a new file to, or modifying an existing file in, a core WordPress folder (e.g. wp-includes, wp-admin or wp-content) can easily go unnoticed. Especially in the wp-includes folder, since it contains every file ever included in the site. This is why we noticed a lot of backdoors here.
  2. In new, innocent-looking folders: Hackers could add hack files to new folders that look completely innocuous, like ./images/
  3. Plugins and Themes: Not many people bother to check these folders after the plugins/themes have been installed. This makes these folders a perfect target. Moreover, a lot of plugins have their own vulnerabilities. Another way hackers install backdoors is by adding a new plugin to the site that looks normal, but is actually malware.

Just to give you a general idea, this is how you identify a backdoor (that looks like a plugin file):

Backdoor

These backdoors are sneaky. They can be passed off by a number of malware scanners as legitimate files, because of the way they’re named. This is why it’s so difficult to identify backdoors.
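An indicator scan for the hiding places and code patterns described above, added here as an example and not part of the original post or of any scanner the post names. The rules, file paths and file contents are constructed for illustration; the scan flags PHP in media folders, code-execution calls fed by request input (tracked across lines through a tainted variable), and decoded payloads handed to eval.

```javascript
// Added example (not from the original post): a small backdoor indicator scan
// over plugin-style files. Rules, paths and contents are constructed.

// Functions that turn data into code, or hand a string to a shell.
const CODE_EXEC_RE = /\b(eval|assert|create_function|system|exec|shell_exec|passthru|popen|proc_open)\s*\(/i;
// Request superglobals: user-controlled input reaching a line directly.
const REQUEST_INPUT_RE = /\$_(GET|POST|REQUEST|COOKIE)\b/;
// A variable assigned from request input; remembered as tainted for later lines.
const ASSIGN_FROM_INPUT_RE = /(\$\w+)\s*=\s*.*\$_(GET|POST|REQUEST|COOKIE)\b/;
// Decoding/decompression calls commonly used to hide the real payload.
const OBFUSCATION_RE = /\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i;
// PHP does not belong under media folders (the post's "innocent-looking folders").
const NO_PHP_HERE_RE = /\/(images|uploads)\/[^/]*\.php$/i;

// Scan one file's source. Returns findings as {path, line, rule, severity};
// line 0 is used for findings about the path rather than the contents.
function scanSource(path, source) {
  const findings = [];
  const add = (line, rule, severity) => findings.push({ path, line, rule, severity });
  if (NO_PHP_HERE_RE.test(path)) add(0, "php-in-media-folder", "medium");
  const tainted = []; // variable names assigned from request input earlier in the file
  source.split("\n").forEach((text, i) => {
    const line = i + 1;
    const assign = text.match(ASSIGN_FROM_INPUT_RE);
    if (assign) tainted.push(assign[1]);
    const execCall = CODE_EXEC_RE.test(text);
    const directInput = REQUEST_INPUT_RE.test(text);
    // "\$f\b": the tainted variable appears on this line as a whole name.
    const taintedUse = tainted.some((v) => new RegExp("\\" + v + "\\b").test(text));
    if (execCall && (directInput || taintedUse)) add(line, "exec-of-request-input", "high");
    else if (execCall && OBFUSCATION_RE.test(text)) add(line, "exec-of-decoded-payload", "high");
    else if (execCall) add(line, "code-exec-function", "low");
  });
  return findings;
}

// Scan a list of {path, source} entries (what a file walk would produce).
function scanFiles(files) {
  return files.flatMap((f) => scanSource(f.path, f.source));
}

// Constructed sample files: a clean plugin file, a plugin file that looks like
// a cache helper but evaluates decoded POST data, and a PHP file dropped under
// an images folder that passes a GET parameter to a shell via a variable.
const SAMPLE_FILES = [
  {
    path: "wp-content/plugins/example-widget/widget.php",
    source: '<?php\nfunction example_widget_render() {\n  echo esc_html(get_option("example_widget_title"));\n}\n',
  },
  {
    path: "wp-content/plugins/example-widget/wp-cache.php",
    source: '<?php\n/* WordPress cache helper */\nif (isset($_POST["k"])) { eval(base64_decode($_POST["k"])); }\n',
  },
  {
    path: "wp-content/uploads/images/thumb.php",
    source: '<?php\n$f = $_GET["f"];\nsystem("convert " . $f);\n',
  },
];

// Stand-alone demonstration: print each finding as a scanner report line.
for (const f of scanFiles(SAMPLE_FILES)) {
  console.log(`${f.severity.toUpperCase().padEnd(6)} ${f.path}:${f.line} ${f.rule}`);
}
```

A real scan would also compare core, plugin and theme files against known-good copies; this block only shows the indicator rules.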

Backdoors are especially infuriating because sometimes hackers choose to leave more than one of them, in many locations. So even if one was discovered, there would be another way in.
Accurate, efficient scanning and hack removal requires time, and technical assistance (which is expensive usually). If you’d like to test the only one-click, automated hack-cleaner that misses nothing, and sounds no false alarms, we suggest that you try MalCare, for free.

Having your website hacked could be compared to having an annoying roommate sometimes. Everything’s a mess, no matter how many times you keep putting things back. Your shampoo, food and other resources are always running out. Thanks to them, shows you’ve never even heard of turn up in your ‘Continue Watching’ list on Netflix… And to top it, none of your friends want to come over any more.

But that’s where the similarities end.

You can always talk things out with a roommate, or probably move out… But hacks have devastating consequences. And there’s no way you can just end the problem by walking out. Your website’s reputation is at stake, and the internet never forgets.


There are a number of reasons hackers attack your WordPress website even when they know nothing about you, or what your site stands for. In fact, most of the time, hackers use crawler bots, like the ones search-engines use, to check the web for sites that exhibit vulnerabilities.

Once they identify weak websites, hackers attack for one of the following reasons:

  • They want to gain critical information from the website. (This could be any sensitive information, like login credentials)
  • Modifying your site allows them to serve your visitors malicious content (like viruses, or malicious code that could track your visitor’s cookies)
    • Defacing a website helps hackers send some sort of message across. These kinds of attacks make up for only a small number of hacks
  • Your website could be another notch in the hacker’s belt: damaging your website could help them climb ranks in the hacker community
  • Exploiting your site’s resources could bring them some kind of monetary benefit. Stealing your visitors’ identities and selling them on the web is something a lot of hackers do. Hackers could also try to gain control of your server, in which case they could do anything.

Once an attacker gains control of your server, the amount of power they wield depends only on what they want to do. They could do anything from sending out spam mail to even deleting your website. In fact, some malware is designed to lock you out of your website until you give in to the hacker’s demands. Malware designed for this purpose is called ransomware (for obvious reasons). The data stolen from websites could also be held for ransom: hackers could threaten to release it if their payment terms aren’t met. But those are headline-worthy scenarios… What hackers stand to gain by remaining undetected is a lot more. Undetected hacks mean that hackers can keep siphoning off information and using it for their own purposes.

In fact, the Netflix scenario we mentioned earlier actually happened earlier this year. Netflix users’ login credentials were stolen after the site got hacked, and then sold on the web. Identity theft is a huge business, and hacks like these thrive on the premise that the website owner isn’t in the know. So even if you’re only a WordPress site owner who has subscribers, you have reason to worry.

It’s been a while since WordPress core has had any vulnerabilities, but plugins and themes are a different story altogether. Developers creating these plugins and themes usually don’t anticipate the exploitation of vulnerabilities… or they build first and fix later. But with hackers becoming more and more competent, hacks keep getting more complex and difficult to identify.

Most vulnerabilities open doorways to other exploits and attacks, each with their own scope of damage. The cumulative damage could be disastrous for you as a WordPress website owner. Moreover, your site could keep getting hacked because of exploits like backdoors, which maintain a foothold on your website’s server and your website.

This is why security options like WordPress firewalls, and antiviruses make sense. You’ll have to notice that something is wrong first though, (and do it fast).

Having your very own website used to be something reserved for developers once upon a time. All that changed with WordPress, and for the better.
But it’s never over.

Whether you run a small blog with a loyal following or a big e-commerce window, your website is an integral part of your life. It represents your passions and reflects your abilities.

Maintaining a WordPress site involves a lot of time, and work.

Being hacked takes away from you the power to share your best with your readers or customers. In some cases, the damage to your site may be too deep for you to get your site back up with all the data.

And the worst part is that it looks like a senseless act, especially when your website has no information worth stealing.

This is why we’ve compiled a list that we hope gives you, as a site owner, some insight into:
why hackers hack your site, how hacks cause so much damage, and some common attacks along with real-world examples of those attacks.

Why hackers hack your site

While some hacks are aimed at gaining information from your site, most attacks aim to gain access to your hosting and database servers. Once accessed, the files on your website’s server can yield anything from sensitive information to unlimited control.

Where vulnerabilities are found and how to protect your website

Most vulnerabilities are found in plugins and themes. Keeping them up to date, or deleting ones that you don’t use, is one way you can protect your website, and server.
There are other ways you can keep your website safe though. We’ll talk about them in another post.

The types of hacks

Knowing the kinds of attacks out there, and which parts of your site design you have to pay more attention to, helps you understand how to stay more secure. However, hacks happen in a number of ways and can be difficult to categorize and understand.

That’s what this two-part series is aimed at helping with. We’ve tried to present a lot of information, in a format that is easy to understand. Hopefully, it helps even those of us who aren’t very fluent in code.

In this part, we’re going to talk about:

  1. Arbitrary/Remote Code Execution (one of the most powerful ways to take control of a site)
  2. File Inclusion:
    1. Remote File Inclusion
    2. Local File Inclusion
  3. Injection attacks:
    1. SQL Injection attacks
    2. Cross-Site Scripting (XSS) attacks
  4. Backdoors (remember this: it’s how websites keep getting reinfected)

Now that we’ve got all of that out of the way, let’s get down to business.

  1. Arbitrary / Remote Code Execution attacks

    In an ideal scenario, only trusted code associated with your WordPress site can be run on your site or server. An Arbitrary Code Execution (or Remote Code Execution) vulnerability, though, allows hackers to run unauthorized code on your server. Arbitrary Code Execution is dangerous because it allows attackers to take complete control over the website, the server it’s hosted on, or both.

    How the attack works

    Attackers first need to get the executable code onto your website. Vulnerabilities on your website, like the ones that allow File Inclusion (more on this below), let them do this. They then run it on your server remotely.

    A real-world example of an attack exploiting the Arbitrary / Remote Code Execution Vulnerability

    Vulnerability: Arbitrary Code Execution
    Locations and version(s) with vulnerability: WP Super Cache <= v 1.2; W3 Total Cache <= v 0.9.2.8
    Current version(s): WP Super Cache v 1.4.8; W3 Total Cache v 0.9.4.1

    WP Super Cache and W3 Total Cache are both plugins designed to cache dynamic WordPress pages in order to reduce the site’s load times for visitors. Plugins like these sometimes use special tags to differentiate static content from dynamic content. Dynamic content is executed on the server.
    The problem was that WP Super Cache and W3 Total Cache had vulnerabilities that could be exploited on websites that also used comment fields: the vulnerabilities allowed a site’s visitors to post comments containing (dynamic) PHP code inside those special tags.
    Since content inside these special tags was executable, attackers used them to run arbitrary commands, knowing that the plugins would execute them. As a result, the comments would return whatever information the attacker requested.

    Note: The next few sections will use the terms ‘remote’ and ‘local’. The best way to explain these terms, would be with reference to the hosting server.
    You see, a hosting server is a lot like your computer.

    • Anything on the computer/ hosting server is local (like a local file, folder, or drive).
    • Anything from outside the computer/ hosting server (like an external hard disk), would be remote.

    2. File Inclusion attacks

    a. Remote File Inclusion attacks

    Most of the time, attackers need to ‘include’ a hack file on your website’s hosting server before they can run it. If the vulnerability on your site allows the file to be included from a ‘remote’ location, it’s called Remote File Inclusion.

    How the attack works

    Remote File Inclusion is a type of vulnerability that allows an attacker to make your website include a remote file, which usually consists of executable code (PHP files are an example). Once your website processes the request and includes the file on your server, the attacker executes the code remotely. (This is why we explained Arbitrary Code Execution first.)
    Depending on what the included file was created to do, this can cause data theft or other serious damage to your site.

    A Real-World Example of an attack exploiting the Remote File Inclusion Vulnerability

    Vulnerability: Remote File Inclusion
    Locations and version(s) with vulnerability: TimThumb v 1.10 to 2.0
    Current version(s): The developer of TimThumb no longer supports or maintains the plugin

    Attackers exploited a vulnerability in the TimThumb plugin to first perform Remote File Inclusion, and then Arbitrary Code Execution. Even after the vulnerability was patched in version 2.0, this plugin was so widely used that it caused millions of sites to be hacked. Even today, we see hacks because of it.
    TimThumb let users import images from image-hosting websites (like flickr.com and imgur.com) and edit them on the fly, especially to make thumbnails. The plugin had a list of trusted websites, and only URLs that came from those websites were accepted. This process of allowing access based on a list is called ‘whitelisting’.
    The problem with TimThumb, though, was that it didn’t check the actual source of the file; it only checked whether the URL looked like it came from a trusted website.

    Here’s a brief explanation of what the plugin did:

    How TimThumb’s vulnerability was exploited and used for Arbitrary Code Execution

    Once the plugin accepted a URL that linked to an executable PHP hack file, the file got included on the website’s server. Attackers could then run it, and cause massive damage.
    *Disclaimer: None of the URLs or file names in the example are real; they’re only used to illustrate the example.

    b. Local File Inclusion attacks

    The Local File Inclusion vulnerability is somewhat similar to Remote File Inclusion, except that it includes ‘local’ files. Attackers could also use this kind of file inclusion as a prelude to executing Arbitrary Code.

    How the attack works

    This vulnerability allows attackers to access files on the hosting server, that aren’t typically available to the regular visitor. Such files can be used to get admin access, steal confidential data etc.

    Let’s say your site allows users to access website files through URL parameters. This is one bad way to have coded your site:

    <?php include($_GET['file']); ?>

    The logic behind this command is bad: the user can enter any filename into the URL parameter, and if a file with that name exists on your WordPress site, it’ll get included and executed.

    Since our bad code includes files without any validation, an attacker can use it to read sensitive files (like the system’s passwd file):

    http://example.com?file=../../../../etc/passwd

    Attacks that employ exploits like these, are called Local File Inclusion attacks.
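    As an added example (this is not code from the original post), here is the vulnerable one-liner from above beside a hardened page loader in PHP that resists both the Remote File Inclusion described in 2a and the Local File Inclusion described in 2b. The template directory, the page allowlist and the trusted image hosts are assumptions made for the demo. The isTrustedImageUrl() helper illustrates the TimThumb lesson: compare the parsed host exactly instead of looking for a trusted name anywhere in the URL string.

```php
<?php
// Added example, not from the original post. Demonstrates a safe replacement for
// include($_GET['file']) and a strict host allowlist. Directory names, page names
// and trusted hosts below are assumptions for the demo.

declare(strict_types=1);

// --- Vulnerable (the page's own one-liner): whatever the visitor sends is included.
// With allow_url_include=On in php.ini this also accepts http:// URLs (RFI);
// that setting is Off by default and should stay Off.
function includePageVulnerable(string $userFile): void
{
    include $userFile;
}

// --- Hardened: allowlist of page names, then confirm the resolved path stays
// inside the template directory (defence in depth against traversal).
function resolveTemplate(string $templateDir, string $page): ?string
{
    // 1. Only a plain name is acceptable: no slashes, dots or URL schemes.
    if (!preg_match('/^[a-z0-9_-]{1,40}$/', $page)) {
        return null;
    }
    // 2. The application, not the visitor, decides which pages exist.
    $allowed = ['home', 'about', 'contact'];
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    // 3. Verify the real path is under $templateDir before returning it.
    $base = realpath($templateDir);
    $real = realpath($templateDir . '/' . $page . '.php');
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// TimThumb lesson: match the parsed host exactly against the allowlist.
// A substring test would accept "imgur.com.evil.example" or "?u=flickr.com".
function isTrustedImageUrl(string $url): bool
{
    $trustedHosts = ['flickr.com', 'www.flickr.com', 'imgur.com', 'i.imgur.com'];
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), $trustedHosts, true);
}

// Demo with a constructed template in a temporary directory.
$dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/about.php', "<?php echo \"About page\\n\";");

foreach (['about', '../../../../etc/passwd', 'about.php', 'http://evil.example/shell.txt'] as $page) {
    $path = resolveTemplate($dir, $page);
    printf("%-35s => %s\n", $page, $path === null ? 'REJECTED' : 'ok: ' . basename($path));
}
foreach (['https://i.imgur.com/abc.jpg', 'http://imgur.com.evil.example/x.php', 'http://evil.example/?u=flickr.com'] as $u) {
    printf("%-40s => %s\n", $u, isTrustedImageUrl($u) ? 'trusted' : 'REJECTED');
}

unlink($dir . '/about.php');
rmdir($dir);
```

    Run it with the PHP command-line interpreter; only "about" and the genuine i.imgur.com URL pass, everything else is rejected before any file is touched. The allowlist is what actually prevents the attack; the realpath() check is there so a later mistake in the allowlist cannot turn back into traversal.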

    A real-world example of attacks exploiting the Local File Inclusion vulnerability

    Vulnerability: Local File Inclusion
    Location and version(s) with vulnerability: Ultimate Member < v 1.3.64
    Current version(s): Ultimate Member v 1.3.68

    Ultimate Member is a WordPress plugin that lets visitors to your site sign up and create user profiles. The plugin exhibited a vulnerability in July this year, when it incorporated user-supplied input from the ‘page’ parameter without proper validation. This allowed anyone who had access to the membership form to retrieve some sensitive information from local WordPress PHP files.

    3. Injection attacks

    All websites require user inputs, whether it’s for logging in, or even just to go to the next page through a click. When a website allows visitors to enter inputs, hackers can introduce code to attack the website, or its server. Exploits that follow this method, are known as Injection attacks.

    There are many different kinds of Injection attacks, but a couple of the most rampant ones include SQL injection (which allows access to your website’s database through MySQL commands or queries), and Cross-Site Scripting.

    a. SQL Injection attacks

    This Injection attack exploits text fields that accept user entries. The reason this attack is so dangerous is that SQL commands could be used to add, modify or delete data in your WordPress database.

    How the attack works

    Every one of us has seen the WordPress login page– you enter your username and password to access the dashboard.

    Suppose your username is ‘admin’ and you enter it in the login form.

    (Just to be clear:  if your username in real life is actually ‘admin’, we recommend that you change it immediately for security reasons).

    This input is then looked up in the database to check if such a user exists. The thing is, instead of a valid username, you could also input some SQL code.

    Now if, for some reason, the website used that input directly in the SQL query while looking up the user, the site could be exploited. Fortunately, core WordPress takes extreme care to make sure that user inputs are sanitized before being used to access the database. Various themes and plugins, however, sometimes don’t validate input, thus leading to an exploit.

    One of our favorite comic strips from xckd.com
    Image credit: https://xkcd.com/327/

    Again, the modifications that could be made to your database are innumerable, and the results depend on what is modified. Here are a couple of generic examples of how an attacker could carry out SQL injection, and why it would be dangerous:

    (image: SQL_2_)
    Here’s another example of SQL injection (this time in code)… Suppose we input ‘admin’ in the following code:

    (image: SQL_3_)

    The following code would be executed:

    (image: SQL_4_)

    So just imagine what would happen if you entered:

    (image: SQL_5_)

    (cue: violin screech from Psycho)

    This goes to show you need to have a lot of checkpoints to make sure your plugins are safe. You can never be sure enough.

    *Disclaimer: Again, code in the example above isn’t something you could execute. It’s just there for illustrative purposes.

    A couple of real-world examples of attacks exploiting the SQL injection vulnerability:

    Vulnerability: SQL Injection
    Locations and version(s) with vulnerability: Booking Calendar v 6.2; Yoast SEO < v 1.7.3.3
    Current version(s): Booking Calendar v 6.2.2; Yoast SEO v 3.4.1

    1. Booking Calendar is a WordPress plugin used for making online reservations based on availability. Unfortunately, just a couple of days ago, an SQL injection vulnerability was discovered in this plugin. The vulnerability allowed an attacker to view data from the website’s database. Fortunately, the vulnerability was revealed to the developers of the plugin before anyone else, and they fixed it in an update.
    Note: If you’ve got this plugin installed in a theme, or it’s on your website as a standalone plugin, we ask that you update it immediately.

    2. Yoast SEO is one of the most popular SEO plugins for WordPress, with over a million installs.
    Versions before 1.7.3.3 had an SQL injection vulnerability. The issue existed in spite of the plugin actually taking measures to protect against SQL injection: the authors relied on a WordPress function called ‘esc_sql()’, which escapes a value for use inside a quoted string but does not make it safe in every part of a query, and that opened a doorway for the vulnerability. So the plugin wasn’t foolproof.
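    The code images in the section above are not available, so here is an added example (not from the original post or any of the plugins named) of the login lookup in PHP, run against an in-memory SQLite database so it works offline. The users table and the inputs are constructed for the demo; where this uses PDO prepared statements, a WordPress plugin would use $wpdb->prepare(). The third function shows why escaping alone, as with esc_sql() in the Yoast SEO case, is not enough when the value is not inside quotes.

```php
<?php
// Added example, not from the original post. Three ways to look up a user by
// name, with the constructed input "admin' OR '1'='1" from the section above.
// The table, rows and inputs are constructed; SQLite stands in for MySQL.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin', 'admin@example.com'), (2, 'editor', 'editor@example.com')");

// 1. Vulnerable: the username is glued straight into the SQL text, so the quote
//    in the input ends the string and the rest becomes SQL syntax.
function findUserVulnerable(PDO $db, string $login): array
{
    $sql = "SELECT ID, user_login FROM users WHERE user_login = '" . $login . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaped only: a stand-in for esc_sql() using SQLite's quoting rule.
//    This protects a value that sits INSIDE quotes, and nothing else.
function escapeLikeEscSql(string $value): string
{
    return str_replace("'", "''", $value);
}

//    The developer escapes but interpolates into an unquoted numeric context
//    (an ORDER BY column name has the same problem): escaping changes nothing.
function findUserByIdEscapedOnly(PDO $db, string $id): array
{
    $sql = 'SELECT ID, user_login FROM users WHERE ID = ' . escapeLikeEscSql($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Correct: a prepared statement. The value travels separately from the
//    query text and can never be parsed as SQL, whatever it contains.
function findUserSafe(PDO $db, string $login): array
{
    $stmt = $db->prepare('SELECT ID, user_login FROM users WHERE user_login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$injected = "admin' OR '1'='1";
printf("vulnerable,   input %-18s -> %d rows (whole table)\n", $injected, count(findUserVulnerable($db, $injected)));
printf("prepared,     input %-18s -> %d rows\n", $injected, count(findUserSafe($db, $injected)));
printf("prepared,     input %-18s -> %d row\n", 'admin', count(findUserSafe($db, 'admin')));
printf("escaped-only, input %-18s -> %d rows (escaping did not help)\n", '1 OR 1=1', count(findUserByIdEscapedOnly($db, '1 OR 1=1')));
```

    The vulnerable lookup returns both rows for the injected input, the prepared statement returns none (no user is literally named "admin' OR '1'='1"), and the escaped-only ID lookup still returns both rows because there was no quote to escape. In WordPress terms: $wpdb->prepare() with %s and %d placeholders, not esc_sql(), is the default tool, and column or table names chosen by a visitor must be checked against a fixed list rather than escaped.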

    b. Cross-Site Scripting (also known as XSS)

    Cross-site scripting usually affects web applications, when user inputs are directly included as part of web pages.

    How the attack works

    Web browsers usually have a set of rules to make sure they’re safe from attacks like Cross-Site Scripting. Those that don’t have such rules in place, though, have vulnerabilities that allow hackers to inject malicious JavaScript.
    This means that if you’re an admin of a WordPress site, attackers could use XSS to get access to your cookies or login information, or even just change the content on your site, without you knowing it. Your site’s visitors who see that page via a vulnerable browser would be affected too.

    A real-world example of an attack exploiting the Cross-Site Scripting vulnerability

    Vulnerability: Cross-Site Scripting
    Location and version(s) with vulnerability: Jetpack v 3.0
    Current version(s): Jetpack v 4.1.1

    Jetpack, again one of the most popular WordPress plugins available, offers WordPress.org users the ease-of-use that WordPress.com users enjoy.
    Jetpack version 3.0 had a vulnerability that allowed attackers to send WordPress admins a link, that would execute malicious JavaScript.
    More recently though, the Jetpack plugin had another XSS vulnerability, that was patched in version 4.0.3.
    See, the plugin analyzed HTML code looking for things like video links that it could embed in the page automatically.
    Unfortunately, the plugin didn’t check if video links were also surrounded by malicious HTML tags. The vulnerability allowed an attacker to include executable, malicious JavaScript in the comment section. This script ran in the browsers of those visiting the site, as well as the site owners.
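    As an added example (not code from the original post or from the Jetpack plugin), here is a comment renderer in PHP that handles the situation just described: a comment that may contain a video link. All user text is escaped, a link is embedded only after the URL is parsed and its host checked against an allowlist, and the embed is rendered into the site’s own markup rather than copied out of the comment, so HTML wrapped around the link never reaches the page. The comment text and the allowed hosts are constructed for the demo.

```php
<?php
// Added example, not from the original post or Jetpack. Vulnerable and hardened
// rendering of a user comment that may carry a video link. Sample comment and
// allowed hosts are constructed for the demo.

declare(strict_types=1);

// Same role as WordPress's esc_html()/esc_attr(): characters with HTML meaning
// become entities, so user text can only ever be displayed, never parsed as markup.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Vulnerable: user text is written straight into the page as HTML.
function renderCommentVulnerable(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// Returns the first URL in the comment whose scheme is http(s) and whose
// host is on the allowlist, or null. Exact host match, as in the TimThumb case.
function extractVideoUrl(string $comment): ?string
{
    $allowedHosts = ['www.youtube.com', 'youtube.com', 'vimeo.com'];
    if (!preg_match_all('~https?://[^\s<>"\']+~i', $comment, $m)) {
        return null;
    }
    foreach ($m[0] as $candidate) {
        $parts = parse_url($candidate);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            continue;
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            continue;   // rejects javascript: and data: links among other things
        }
        if (in_array(strtolower($parts['host']), $allowedHosts, true)) {
            return $candidate;
        }
    }
    return null;
}

// Hardened: text is escaped; the embed is built from the validated URL only,
// inside markup the site controls. Surrounding user HTML is never reused.
function renderCommentSafe(string $comment): string
{
    $html = '<p class="comment">' . escapeHtml($comment) . '</p>';
    $video = extractVideoUrl($comment);
    if ($video !== null) {
        $html .= '<p class="embed"><a href="' . escapeHtml($video) . '" rel="noopener">Watch video</a></p>';
    }
    return $html;
}

// Constructed comment: a script tag, a javascript: link and one legitimate video URL.
$comment = 'Great post! <script>alert(document.cookie)</script> see '
         . 'https://www.youtube.com/watch?v=abc123 and <a href="javascript:alert(1)">this</a>';

echo "VULNERABLE:\n", renderCommentVulnerable($comment), "\n\n";   // script and javascript: link reach the browser
echo "SAFE:\n", renderCommentSafe($comment), "\n";                 // tags shown as text; one link to the allowed host
```

    In the safe output the script tag is displayed as literal text and the javascript: link is inert text as well; only the YouTube URL becomes a real link, and it sits in markup the comment author never wrote. In a WordPress plugin the same pattern applies with esc_html(), esc_url() and, where some HTML must be allowed, wp_kses() with an explicit tag and attribute list.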

    4. Backdoors

    If you’ve detected hacks on your website, and have painstakingly gotten them removed, you’d understandably be perplexed when the site is hacked again. The thing is, hackers often leave a bit of malicious code hidden in another part of your website that allows them to re-enter and reinfect your site again and again. This is obviously why it’s called a ‘backdoor’.

    How the attack works

    Backdoors are sneaky little vulnerabilities. Most of the time, hackers exploit some other vulnerability to launch their initial attack. Once they get access to the website, they immediately put an infected file in an inconspicuous folder, completely different from where the original attack started. The file never links to any URL, whether on your website or off, and never calls attention to itself. In fact, one of the only ways to find it is for the admin of the website to comb through the site’s file system. This makes it extremely hard to detect, even by malware scanners. However, since the hacker knows exactly where the file is, he or she can access and execute it to override any admin functions.

    One specific, yet highly popular backdoor, is the ‘Filesman’. Filesman is feature-rich, so it can do a variety of things, including giving complete access to everything on your site.

    With a vulnerability like the Backdoor, it’s important to keep deleting plugins and themes that you’re not using.

    It’s easy to ignore the notification on your WordPress admin dashboard that says you have a bunch of plugins to update, but your WordPress site’s security relies heavily on it.
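    As an added example (not from the original post, and not BlogVault’s scanner), here is the kind of check a site owner or host can run over a WordPress install to surface what this section describes: PHP files sitting where none belong (the uploads folder, which should only hold media) and PHP files containing constructs typical of dropped backdoors, including the ‘Filesman’ marker mentioned above. The indicator list and the sample files are constructed for the demo; a real scanner uses far larger signature sets and also compares core and plugin files against known-good hashes.

```php
<?php
// Added example, not from the original post or any BlogVault product. A small
// defensive scan for backdoor indicators in a WordPress tree. Patterns and the
// demo files below are constructed for illustration; extend the list for real use.

declare(strict_types=1);

const SUSPICIOUS_PATTERNS = [
    // eval() of decoded/decompressed data: the usual way obfuscated shells hide their body
    'eval_of_decoded_data' => '/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i',
    // marker string of the Filesman backdoor family named in the section above
    'filesman_marker'      => '/FilesMan/i',
    // a function chosen at runtime and fed straight from request parameters
    'dynamic_function'     => '/\$[a-z_]\w*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i',
    // shell commands taken straight from request parameters
    'system_from_request'  => '/\b(system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i',
];

// Returns a list of [relative path, reason] pairs for every finding under $root.
function scanWordPressDir(string $root): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
        // Finding 1: executable PHP inside the uploads tree, which should hold only media.
        if (strpos($rel, 'wp-content/uploads/') === 0) {
            $findings[] = [$rel, 'php_in_uploads'];
        }
        // Finding 2: constructs from the indicator list.
        $src = file_get_contents($file->getPathname());
        foreach (SUSPICIOUS_PATTERNS as $name => $re) {
            if (preg_match($re, $src)) {
                $findings[] = [$rel, $name];
            }
        }
    }
    return $findings;
}

// Constructed demo tree: one clean plugin file and one planted, hidden file.
$root = sys_get_temp_dir() . '/wp-scan-demo-' . getmypid();
mkdir($root . '/wp-content/uploads/2016/07', 0777, true);
mkdir($root . '/wp-content/plugins/demo', 0777, true);
file_put_contents($root . '/wp-content/plugins/demo/demo.php',
    "<?php\nfunction demo_hello() { return 'hello'; }\n");
file_put_contents($root . '/wp-content/uploads/2016/07/.thumb.php',
    "<?php // FilesMan\neval(base64_decode('<placeholder, not a real payload>'));\n");

foreach (scanWordPressDir($root) as [$path, $reason]) {
    printf("%-40s %s\n", $path, $reason);
}
// Expected: three lines, all for .thumb.php (php_in_uploads, eval_of_decoded_data, filesman_marker).

// Clean up the demo tree.
$walker = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walker as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

    Run it from a shell with the install root as $root. The clean plugin file produces nothing; the planted file is flagged three times, once for its location and twice for its contents. Dotfiles are deliberately not skipped, since hidden names are exactly where dropped files end up. Treat hits as leads to investigate, not proof: minified or legitimately obfuscated plugin code can match the eval pattern, which is why a diff against known-good files is the next step.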

     

    As you can see, finding hacks and getting rid of them can be a ridiculously tedious affair. Most efficient hack-scanning and cleaning systems available require technical assistance. And if you take time-zones into consideration, removal could take about 12 hours or so.

    This is why the team behind BlogVault built an automated, one-click hack-detecting and cleaning system, that requires no technical assistance. Click here to check out the free trial!

    We hope this list of vulnerabilities and exploits helped you. Let us know what you thought of it in the comments!

Fans of Dennis Cooper, the experimental artist and writer, have expressed concern over Google’s removal of the artist’s Blogger account and blog of 14 years. What’s worse, his Gmail account, the medium through which most of his correspondence was conducted, was also rendered inaccessible.
The writer’s blog was a choice destination for followers of transgressive, avant-garde writing and experimental art. His work includes ‘Frisk’ and ‘Luster’ (books that later spawned movies in 1995 and 2002), as well as the critically acclaimed book ‘Closer’. The American artist’s work often depicted graphic violence and savage sexuality.

 

Back to black: Dennis Cooper might have to sue Google to get his life’s work back. (Image courtesy: http://bbook.com)

His blog was updated six times a week, with literature, film and music he enjoyed, some of which followed in the same vein. It’s understandable, therefore, that readers would be offended by it. However, the blog contained a warning, stating that it contained mature and violent content. So the question is, whether this was an attempt at censorship.

In a talk with the Guardian, Pati Hertling, an art lawyer, explained that the First Amendment rights to free speech, (which any American citizen is entitled to), do not apply to the world of private corporations like Google or Facebook. This is because the amendment only protects you against public censorship. “Because it’s Google, they’re a private corporation, it’s a private realm, they can do whatever they want”, she said.

Dominant technology companies, such as Google and Facebook, have a vested economic interest in controlling content management. In fact, according to a report by Gizmodo, a former news journalist who curated news for Facebook said that the members of the ‘news curating’ team suppressed content that held ‘conservative views’. The problem is that when tech giants like these create ‘walled gardens’ for content, they wield power over what the general public is exposed to. And since these areas are great to look at, and have great publicity, the trade-off for creators, is between ease-of-use & productiveness; and creativity & freedom. When the reins are handed over to these firms with a click to ‘Agree to terms and conditions’, things don’t look too good for an artist.

Being in complete control of the content you put up is an important thing to consider when you’re an artist whose livelihood depends on freedom of expression. This is one of the reasons open source projects that allow you to host your own site have become so popular. No matter which open platform you choose to host on, you’re in control of your content, and there is a much lower chance of forced censorship. WordPress.org currently powers about 26% of the world’s websites, and it continues to attract creators and inspire a community of contributors. One of the reasons behind this is the platform’s mission to democratize and socialize the publishing world.

When Cooper contacted Google over various channels, the response he received said that the blog was in “violation of the terms of service agreement.” Cooper has no confirmation of whether the blog and his email account have simply been disabled, or whether they have been deleted altogether.

The deactivation of Cooper’s account has serious consequences: his contacts collected over more than a decade, as well as recent offers from various platforms for his performance artwork, were all on his email account, and are now gone. Moreover, all of his work (including his latest gif novel, which he had been working on for seven months) was hosted only on his blog. He had no backups, and no data stored anywhere else.

“As long as you back everything up. I don’t see really the danger,” agrees Dennis Cooper. “But if you’re at the mercy of Google or someplace like Google, obviously I’m a living example of not to be blind like that and think that everything is hunky dory.” Open source platforms are a great way to have complete control over your content, but having your resources backed up is an essential safety measure.

WordPress has a number of backup solutions, all of which could help you get back online. These safeguard your work, in case your website gets taken down by a hack, or is offline because of a human error, or because of your web host. Choosing one according to your needs, and your technical expertise, acts as a sort of insurance policy. Solutions like BlogVault offer WordPress backup services that ensure your data’s safety. It also gets your website back online automatically in case your website has been taken down, so you can have peace of mind.

Plugin Vulnerability

Do you use Sitepress’s Multilingual CMS plugin? If yes, this post could be very useful to you. A vulnerability was found recently in this plugin that can compromise your entire site. The vulnerability exposes your site to an SQL injection attack that’ll allow hackers to access your database. The issue has been fixed in version 3.1.6. Unfortunately this plugin doesn’t allow automatic updates from the WordPress dashboard and thus requires a manual upgrade. This leaves a lot of sites open for attack as many people may easily miss the update to the change log. So if you haven’t upgraded the plugin yet, do it now!

The blogVault team scanned its customer sites for the vulnerable plugin and found over 99 sites that are susceptible to an SQL injection attack. We have notified all of them to upgrade their plugin immediately. This is, of course, restricted to our customers. Our service is unlike any other backup plugin that is available today. Sign up for blogVault to avail the benefits of the best backup service for your site.