From time to time we do forensic investigations of WordPress breakins. When we do the investigation there is often one or more backdoors placed in the filesystem or modified legit WordPress-related files in wp-includes, themes or plugins. This is not only related to WordPress but all sites running PHP such as Drupal, Magento etc. Finding backdoors in the filesystem can be time consuming and doing checksum checking is not always possible. So I wanted to find out how good antivirus software are these days to find PHP and WordPress backdoors. On my personal Gist Github I have collected more than 10 different backdoors found on real breakins and forensic investigations. Test 1 – VirusTotal The Google owned VirusTotal.com service allows[…]

During the weekend our CTO Jonas Lejon has been doing some research into the most recent Apache vulnerability named Optionsbleed. The Optionsbleed vulnerability is a bug in the Apache webserver and makes it possible for an attacker to read remote webserver memory such as session cookies, password etc. The Apache is a very common webserver according to w3techs: Apache is used by 48.9% of all the websites whose web server we know In our lab we set up a Apache webserver, installed WordPress and added the following line to .htaccess: <Limit GET POST PUT REQUEST WPSCANS MPUT OKASDOAKSDOKASDIJ 12U1UH2OIEJ12OPEJOI IDJAIOSDJIOjd> Allow from all </Limit> The above lines would probably trigger the vulnerability since the Limit-line contains some spelling errors. With the following[…]

Falco, or Sysdig Falco, is a behavior activity monitoring tool for keeping track of what’s going on on your servers in real time. It works similarly to tools like OSSEC, but only detects and alerts, lacking the means to take any action, like block offensive traffic. It’s a kernelspace tool which works by loading a kernel module onto the system and monitors all syscalls the system sees. In this way, Falco keeps track of any activity passing through the system. When Falco is started, it reads settings from a configuration file named falco.yaml, and rules from a file named falco_rules.yaml, both under the etc directory. Falco’s rules determines what the application alerts on, and are very easy to write and[…]

👉 Run a free WordPress Security Scan at WPScans.com > WordPress 4.8.2 is now available for download at WordPress.org. This is a security release for all previous versions and WPScans strongly encourage you to update your sites immediately. WordPress versions 4.8.1 and earlier are affected by these security issues: $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Slavco A cross-site scripting (XSS) vulnerability was discovered in the oEmbed discovery. Reported by xknown of the WordPress Security Team. A cross-site scripting (XSS) vulnerability was discovered in the visual editor. Reported by Rodolfo Assis (@brutelogic) of Sucuri Security.[…]

  The popular WooCommerce WordPress plugin, used by 28 percent of all online stores, was just patched against a reflected cross-site scripting vulnerability (XSS). The vulnerability was found by the company SiteLock. The plugin vulnerability was disclosed to Automattic, the owner of, via its HackerOne security bounty program. The fix for the vulnerability was released on July 28th and if you use WPScans.com you can scan for this vulnerability or use our premium version and get an E-mail warning. The vulnerability can be tested with: curl -X POST -d “vendor_description=<script>alert(“xss”)</script>” “https://steelpress.org/index.php/product-vendor-registration-form/?confirm_email=1&email=1&firstname=1&lastname=1&location=1&register=Register&username=1&vendor_description=1&vendor_name=

OSSEC is an open source host-based intrusion detection system (HIDS) that can be used to monitor file system changes on an operating system. In this article, you’ll learn how to use it to monitor directory and file system changes on WordPress installations. OSSEC in a manager-agent HIDS, where the manager and agent can be installed on the same server, or on different servers. In this article, we’ll use the former approach, with all the components on the same server that WordPress is installed on. And the WordPress installation used for this article was running on an Ubuntu 16.04 server. The same configurations may be used on most other Linux distributions. Prerequisites To complete this article, you’ll need to have the[…]

The following six new WordPress plugin vulnerability checks has been added to WPScans: AddToAny Share Buttons <= 1.7.14 – Conditional Host Header Injection Link-Library <= 5.9.13.26 – Authenticated SQL Injection I Recommend This <= v3.7.7 – Authenticated SQL Injection wordpress-gallery- transformation 1.0 – Blind SQL Injection rk-responsive-contact-form 1.0 – Authenticated Blind SQL Injection Event Espresso Lite <= 3.1.37.11.L – Authenticates Blind SQL Injection Run your free scan at https://wpscans.com

As part of a vulnerability research project for our WordPress Security Scanner at WPcans.com, we have been auditing popular WordPress plugins looking for security issues. While auditing the WordPress plugin Loginizer, we discovered a SQL Injection vulnerability and a Cross-Site Request Forgery (CSRF). This plugin is currently installed on 500,000+ websites. About the plugin According to WordPress.org: Loginizer is a WordPress plugin which helps you fight against bruteforce attack by blocking login for the IP after it reaches maximum retries allowed. You can blacklist or whitelist IPs for login using Loginizer. You can use various other features like Two Factor Auth, reCAPTCHA, PasswordLess Login, etc. to improve security of your website. Are You at Risk? This vulnerability is caused by the lack of[…]

This is our new logo for the WPScans.com WordPress Security Scanner. The logo was created by the talented Makmoer at 99designs.com, you see some of his work here.