WordPress Security Revisited

Starting as just a good blogging system in 2003, WordPress has grown to be the most popular Content Management System (CMS), used in over 22% of the top 1 million web sites. It is the CMS that can be installed …


WordPress Username Enumeration using HTTP Fuzzer

In many WordPress blogs, it’s possible to enumerate WordPress users using a well-known feature/bug related to author archives. This works if the following conditions are met: WordPress permalinks are enabled. By default WordPress uses web URLs which have question marks and lots of numbers …

Known vulnerabilities found in popular WordPress plugins

WordPress Caching Plugins Remote PHP Code Execution

Two very popular WordPress caching plugins, WP Super Cache (4,373,811 downloads) and W3 Total Cache (1,975,480 downloads), have been affected by a vulnerability that allows remote users to execute arbitrary PHP code. The affected versions are: WP Super Cache (version 1.2 and below, …

The Acunetix Team have found a pingback vulnerability in the new WordPress 3.5 build

WordPress Pingback Vulnerability

Recently somebody posted on Reddit about a WordPress scanner that is taking advantage of a new WordPress vulnerability. The vulnerability is abusing the Pingback system, which is a well-known feature that’s used by a lot of bloggers. What is a …

Web Security Tip of the Week: Understanding Why WordPress has Vulnerabilities

Did you know that if a system has an IP address or a URL, then it’s fair game for attack from a hacker? That’s been the universal law and it always will be. So why is it that WordPress security …

How can I change the WordPress database table name prefix?

Do not do the below change unless you are comfortable with PHPMyAdmin and making changes to MySQL. If not, ask someone who is familiar with WordPress and MySQL to assist you. Also, backup your blog; it is of utmost importance …

Recently Backdoored WordPress Plugins

In the previous article, The Rise of the Backdoored WordPress Plugins, I discussed the ever-growing threat to WordPress security in the form of compromised plugins. As promised, here are the changes made by attackers to the popular plugins, WPtouch, W3 …

The Rise of Backdoored WordPress Plugins

It all started a few months ago when I was visiting Lester Chan’s website looking for some information about one of his plugins. Lester Chan has written a good number of very popular WordPress plugins that are used by millions …

Attack of the WordPress worm – SQL Injection

Just about every single entity involved in computing requires some form of updates — whether it’s the newest software version of Firefox or the newest graphics driver for your computer. We all know this can get annoying… every few minutes …

AcuSensor Technology in action; finding backdoors in web applications

On March 2, 2007 the following was posted on the WordPress blog: Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you …