WordPress Security Revisited

Starting as just a good blogging system in 2003, WordPress has grown to be the most popular Content Management System (CMS), used in over 22% of the top 1 million web sites. It is a CMS that can be installed in less than 5 minutes and is easy to use, stable, robust and secure. Out of the […]

WordPress Username Enumeration using HTTP Fuzzer

In many WordPress blogs, it’s possible to enumerate WordPress users using a well-known feature/bug related to author archives. This works if the following conditions are met: WordPress permalinks are enabled. By default WordPress uses web URLs which have question marks and lots of numbers in them; however, WordPress offers the ability to create a custom URL structure for your […]

WordPress Caching Plugins Remote PHP Code Execution

Two very popular WordPress caching plugins, WP Super Cache (4,373,811 downloads) and W3 Total Cache (1,975,480 downloads), have been affected by a vulnerability that allows remote users to execute arbitrary PHP code. The affected versions are: WP Super Cache (version 1.2 and below; version 1.3.x and up are OK) and W3 Total Cache (version 0.9.2.8 and below; version 0.9.2.9 is […]

WordPress Pingback Vulnerability

Recently somebody posted on Reddit about a WordPress scanner that is taking advantage of a new WordPress vulnerability. The vulnerability is abusing the Pingback system, which is a well-known feature that’s used by a lot of bloggers. What is a Pingback? Quoting Wikipedia: A pingback is one of three types of linkbacks, methods for Web […]

Recently Backdoored WordPress Plugins

In the previous article, The Rise of the Backdoored WordPress Plugins, I discussed the ever-growing threat to WordPress security in the form of compromised plugins. As promised, here are the changes made by attackers to the popular plugins WPtouch, W3 Total Cache and AddThis. WPtouch: This backdoor is using some advanced PHP tricks. It’s masked […]

The Rise of Backdoored WordPress Plugins

It all started a few months ago when I was visiting Lester Chan’s website looking for some information about one of his plugins. Lester Chan has written a good number of very popular WordPress plugins that are used by millions of people. Some of the most popular ones are WP-PageNavi, WP-DBManager, WP-PostRatings, WP-Polls and WP-PostViews. While […]

Attack of the WordPress worm – SQL Injection

Just about every single entity involved in computing requires some form of updates — whether it’s the newest software version of Firefox or the newest graphics driver for your computer. We all know this can get annoying… every few minutes another application is telling me I should update it and sometimes you can just forget, […]