Posts

WordFence Security Update

We are seeing exploits in the wild appear within the last week for the following WordPress themes and plugins. If you are running any of these themes or plugins, check if there is a recent security update and install the update, or remove the item from your system if there is no security update. If you’re unsure, contact the theme/plugin developer or vendor.

  • Cubed Themes version 1.0 to 1.2. Remote file upload vulnerability. Distributed by themeprofessor.com. Exploit released on 9 November 2013.
  • Army Knife Theme, unspecified version. CSRF File Upload vulnerability. Theme is distributed by freelancewp.com. Exploit released 9 November 2013.
  • Charcoal Theme. CSRF File upload vulnerability. Distributed by the official WordPress repository. The theme hasn’t been updated for several years, so we recommend deleting all files from your system.
  • WP Realty Plugin may contain an email sender vulnerability. Please contact vendor for clarification. We’re seeing exploits that claim to exploit this hole. Plugin is distributed by wprealty.org.
  • The following themes distributed by orange-themes.com appear to contain a remote file upload vulnerability and we’re seeing exploits appear in the wild, all published around November 12, 2013: Rockstar Theme, Reganto Theme, Ray of Light Theme, Radial Theme, Oxygen Theme, Bulteno Theme, Bordeaux Theme. Please contact the vendor to find out of your theme is applicable and what action to take.
  • Amplus Theme version 3.x.x contains a CSRF file upload vulnerability. We’re unclear who the vendor is, but it appears to be Themeforest.
  • Make a Statement Theme version 1.x.x (also known as MaS ) contains a CSRF file upload vulnerability. Exploit distributed November 17, 2013. Vendor is themes.mas.gambit.ph.
  • Dimension Theme, unspecified version, contains a CSRF file upload vulnerability. Theme is distributed by ThemeForest. Exploit appeared November 17th, 2013.
  • Euclid Version 1 Theme contains a CSRF File Upload Vulnerability. Exploit appeared today. Theme is distributed by FreelanceWP.com.
  • Project 10 Theme, Version 1.0. Remote file upload vulnerability. Distributed by ThemeForest. Exploit appeared today.

Please remember: Deactivating a theme or plugin with a security hole does not make it safe. You need to remove all files from your system to remove the security hole in a theme or plugin. If your theme or plugin is listed here, don’t panic. First contact your theme or plugin author or vendor. Work with them to determine if your particular version contains the vulnerability we’ve publicized and get their advice on what action to take. If they are not contactable after a reasonable amount of time, work with your hosting provider or site developer to determine if you have a vulnerability and what action to take.

Source: www.wordfence.com

 

Secure your Website with Wordfence Plugin

The First Step in Securing Your Website – Install Wordfence

I’m going to start blogging about my list of go-to plugins. Plugins can sometimes be the weak link in a website, particularly when a site relies on too many plugins and no one makes it their duty to update plugins or find ways to hardcode around relying on them.

That said, some plugins are worth their weight in gold. And that’s particularly the case when you stumble across a free plugin.

Wordfence is the leading cyber security solution for WordPress

With wordfence, you can block a hacker even if they’re changing IP addresses by banning their network, their range of IP addresses, or even their entire country. If your site has been hacked, you can use source code verification tools to determine what has been changed and help repair hacked files, even if you don’t have backups. Wordfence combines data on the newest hacks and their sources and uses the data to block the newest distributed attacks. On top of all of that, wordfence has a regular blog and email post publicizing weak plugins and themes.

Download Wordfence or ask your wordpress administrator about it as soon as possible. It could be lifesaving. Or, at least website saving.