Speeding Up Your WordPress Site

 

CDNs are great for WordPress sites because much of the post content is static and can easily be cached and served by a CDN. With visitors receiving cached content from the closest CDN data center, origin server load decreases, allowing sites to load faster for site visitors. At the same time, serving a site from multiple data centers makes the origin server more robust. A fortuitous spike in traffic won’t take a site down as the data centers handle the increased load.

Visit wpdistrict.sitelock.com for the full story.

Speeding Up Your WordPress Site with a CDN

A content delivery network (CDN) is a network of powerful computers located in geographically disparate locations designed to serve web content to visitors with higher performance and efficiency. When a user visits a site using a CDN, the traffic routes through the closest or most efficient server for that user and serves up cached, or stored, versions of the site resources. This allows the site to load faster and eliminates requests back to the origin server. Common resources served by a CDN include static resources like images, HTML, CSS and JavaScript files.


Does Your Coffee Maker Need IoT Security?

There’s no bigger buzzword in the security world now than the ‘Internet of Things.’ The Internet of Things, or IoT, is the connectedness of everyday devices and sensors to allow the quantification and control of systems. Video doorbells alert wayward homeowners of visitors. Bluetooth fobs connect car keys to smartphones. Thermostats track heating and cooling preferences to select a tailored temperature for a homeowner. Unfortunately, the design complexity of a previously unconnected device now given intelligence and network access can lead to unforeseen issues and real-world consequences. Therefore, IoT security must be a consideration and, ideally, a foundational characteristic in the design of these devices.


Learn How to Protect Your Tax Refund from Hackers

Filing for your taxes can be a nuisance, but the refund you receive is well worth the effort, especially if you have big plans for your tax credit. But how would you feel if your refund check was stolen?


Authentication Failure in File Browser, Manager, Backup (+ Database) WordPress Plugin

While reviewing malware, the SiteLock Research Team detected suspicious code in a WordPress plugin. We reviewed the suspicious code and found the plugin wasn’t malicious per se, though it was potentially vulnerable to attack. We will discuss the plugin and analyze its unique authentication issues, and then discuss mitigation and the dangers of using unsupported plugins.

Visit wpdistrict.sitelock.com for the full story.


A Brief Survey of Fake WordPress Plugins

In the latest article from the SiteLock research team, we’ll discuss how fake plugins get on to WordPress sites, analyze a well known fake plugin to provide a sense of what they can do, look at a non-exhaustive list of fake plugins and a couple of interesting features, and discuss ways to avoid being victimized by fake plugins.

Read the full story at our WordPress-focused site, wpdistrict.sitelock.com.

A Brief Survey Of Fake WordPress Plugins

Fake, malicious WordPress plugins are not new. The proliferation of fake plugins generating spam files, though, has blossomed in recent months. We’ve seen blatant rip-offs of existing plugins, fake plugins that are one letter away from their legitimate counterpart, and even a created-from-scratch, malware-serving plugin using a ripped version of the WordPress.org plugins site.

This week we’ll discuss how fake plugins get on to WordPress sites, analyze a well known fake plugin to provide a sense of what they can do, look at a non-exhaustive list of fake plugins and a couple of interesting features, and discuss ways to avoid being victimized by fake plugins.

How Fake WordPress Plugins Infect Sites

Unfortunately there’s no one concrete way fake plugins end up on WordPress sites. We can however discuss a few common ways they are “installed.” And the first method is just that–a fake plugin is installed by the site owner.

Website Owner Installs

Malicious plugin authors are adept and persistent. Bad actors will co-opt existing, usually not well-known plugins, steal the code and post the plugin on any number of third-party WordPress sites. Unsuspecting site owners looking for some capability find the fake, malicious plugin, install it, and the new capability may or may not work. What is likely to work is the malicious code inside the fake plugin.

Compromise Of A Legitimate Plugin

The most likely way a fake WordPress plugin makes it onto a website is through the compromise of an existing, vulnerable plugin. The Revolution Slider vulnerability was a major and long-lasting battle with compromised WordPress sites and the resultant spam.

Compromised Website Logins

Another way fake plugins are installed is through compromised FTP or hosting control panel credentials. A compromised workstation is a password-stealing trojan away from transmitting sensitive user names and passwords to bad actors who may take complete control of a site and install any number of types of malware, including fake plugins.

An (In)famous Fake Plugin

We’ll begin our fake plugin survey with one of the most infamous fake WordPress plugins, the ‘Docs’ plugin. Docs, occasionally docs, is a spam file creator which creates hundreds if not thousands of .dat spam files. It places them in a directory named cache and maps the files with a file called sitemap.html. Here you can see the code that does just that.


Docs.php Code Snippet

And here is a partial directory listing of the generated spam files.


Docs Spam Files

The spam files themselves, in this example, contain links hawking drug rehab.

<li><a href="http://example.com/recovering-drug-addict-behavior">Recovering drug addict behavior</a></li>
<li><a href="http://example.com/recovery-from-pain-killer-addiction">Recovery from pain killer addiction</a></li>
<li><a href="http://example.com/drug-rehabilitation-near-me">Drug rehabilitation near me</a></li>
<li><a href="http://example.com/pcp-drug-treatment">Pcp drug treatment</a></li>
<li><a href="http://example.com/celebrities-in-recovery">Celebrities in recovery</a></li>

.dat File Snippet

This spam will become an easy source of black hat SEO for the bad actors, boosting other sites’ rankings while hurting the SEO of the infected site — even causing the attacked site to become blacklisted by search engines.

A Few Fake WordPress Plugins We’ve Seen

Here is a non-exhaustive list of plugins we’ve seen while dealing with infected WordPress sites.

/wp-content/plugins/aciry/

/wp-content/plugins/acismittory/

/wp-content/plugins/Akismet3/

/wp-content/plugins/disable-commenis/

/wp-content/plugins/Docs/

/wp-content/plugins/page-links-mo/

/wp-content/plugins/regenerate-thumbnaius/

/wp-content/plugins/research_plugin_URQe/

/wp-content/plugins/theme-check/

/wp-content/plugins/WPupdate/

/wp-content/plugins/WPupdate1/

/wp-content/plugins/wp-amazing-updater/

/wp-content/plugins/wp-arm-config/

/wp-content/plugins/xcalendar-1/

/wp-content/plugins/xcalendar-2/

Sample Listing of Fake WordPress Plugins

A common tactic of fake plugins is to use legitimate comments or code to try to mask their existence. Take wp-amazing-updater for example. Wp-amazing-updater is a fake plugin that acts as a password-protected uploader and more, and it uses the comments from the BNS Add Widget plugin in its main PHP file. Here are the fake plugin’s directory listing and the legitimate comments in the malicious plugin file.


Directory Listing of wp-amazing-updater


Benign Comments in the Malicious wp-amazing-updater.php File

Another fake plugin, theme-check, uses a barely obfuscated shell, the WSO shell, in its included file, db.php. Here is a snippet of the shell’s code.


Snippet of plugins/theme-check/db.php

Some fake plugins are overwhelmingly normal code while others are overwhelmingly malicious. Still others co-opt legitimate parts of a platform, here WordPress, to deliver the functions to exploit a site. The code below is from the ‘research_plugin’, which provides a simple-to-access backdoor. The function research_plugin(), which is an eval request to run arbitrary commands, is called whenever the theme is initialized, through the add_action hook.


Snippet of ‘research_plugin’

How to Protect Yourself

It can be difficult to detect fake, malicious WordPress plugins installed on a website, especially if you don’t know what you’re looking for. The best thing a site owner or developer can do is regularly check the installed plugins through the WordPress admin dashboard, and look through the installation files directly in /wp-content/plugins with an FTP client or hosting control panel. Look for any plugins listed above or any that you do not recognize, and then check wordpress.org/plugins to search for the plugin’s directory name to verify if it’s legitimate.
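One way to script that directory check, as an added example that is not SiteLock's code: it flags directories whose names appear in the list above, names that are one character away from a plugin the owner expects, and the Docs-style `cache` folder of .dat files. The function names, the `expected` list, the sample directory built in `demo()`, and the assumption that `cache` sits inside the plugin directory are all illustrative.

```python
import os
import tempfile

# Directory names from the article's list of fake plugins, lower-cased for comparison.
LISTED_FAKES = {n.lower() for n in (
    "aciry", "acismittory", "Akismet3", "disable-commenis", "Docs", "page-links-mo",
    "regenerate-thumbnaius", "research_plugin_URQe", "theme-check", "WPupdate",
    "WPupdate1", "wp-amazing-updater", "wp-arm-config", "xcalendar-1", "xcalendar-2")}

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def audit_plugins(plugins_dir, expected):
    """Return {directory name: [reasons]} for plugin directories that need review.

    expected: directory names the site owner knowingly installed (hypothetical input).
    """
    expected = {e.lower() for e in expected}
    findings = {}
    for name in sorted(os.listdir(plugins_dir)):
        path = os.path.join(plugins_dir, name)
        if not os.path.isdir(path):
            continue
        low, reasons = name.lower(), []
        if low in LISTED_FAKES:
            reasons.append("listed in the article")
        if low not in expected:
            near = sorted(e for e in expected if edit_distance(low, e) == 1)
            reasons.append(f"one character from {near[0]}" if near else "not in the expected list")
        # Assumption: the 'cache' directory of .dat spam files sits inside the plugin.
        cache = os.path.join(path, "cache")
        if os.path.isdir(cache) and any(f.endswith(".dat") for f in os.listdir(cache)):
            reasons.append("cache/ holds .dat files")
        if reasons:
            findings[name] = reasons
    return findings

def demo():
    """Build a constructed plugins directory in a temp folder and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("akismet", "disable-commenis", "Docs/cache", "my-gallery"):
            os.makedirs(os.path.join(root, d))
        open(os.path.join(root, "Docs", "cache", "a1.dat"), "w").close()
        return audit_plugins(root, ["akismet", "disable-comments"])
```

On a real site, call `audit_plugins` with the path to /wp-content/plugins and the directory names you installed yourself; anything it returns still needs the manual check against wordpress.org/plugins described above.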

Also, a security scanner, like the SiteLock INFINITY malware scanning solution, can monitor your site for the malware contained in fake plugins, alert you to the plugins and, in the case of INFINITY, automatically clean the malicious content for you. Read what WP Buffs has to say about SiteLock, then give us a call at 855.378.6200 to speak with a Website Security Consultant today.


Privacy Matters – Expect It. Respect It. Protect It.

Data Privacy Day (DPD) is an international effort held annually on January 28 to create awareness around the importance of privacy and protecting personal information. SiteLock has committed to being a DPD Champion to acknowledge and bring attention to the value and importance of privacy. This year, Data Privacy Day is all about respecting privacy, safeguarding data and enabling trust.


What To Do After Your Hacked WordPress Site Is Fixed

The unfortunate happens and your WordPress site is compromised. You fix your site through backups or SiteLock’s malware removal service, yet you still feel uneasy.

After Your Hacked WordPress Site Has Been Cleaned

The truth is, once a website recovers from a compromise, there’s a bit more to do. Taking a few simple, post-compromise steps can help harden your hacked WordPress site from future attacks and possibly ease administration. We’ll discuss steps to improve WordPress user security, add preventative security measures, and improve maintenance techniques to aid recovery if the worst happens again.
