How Some Leaks Are Used In YOUR Favor

One of the security plugins we install on all our clients’ sites compares (hashed, not plaintext, versions of) all the passwords of your WordPress user accounts against a massive database of millions of known-hacked passwords, typically available on “the dark web” to hackers for a small fee, and alerts you (and us) if any matches are found.

We’ll notify you if you’re at risk. You might not be able to log in temporarily if it’s a particularly risky password.

Use the “forgot password?” link on your login page to reset if needed.
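The check described above, as an added example (not the plugin’s own code): the password is hashed, only the first five characters of the hash are looked up in the breach database, and the comparison is done locally, so neither the password nor its full hash leaves the site. Because WordPress stores salted hashes, a plugin can only do this at the moment the plaintext is briefly available, i.e. when a user logs in or sets a password, which is the moment this example models. It assumes the range-lookup shape of the Pwned Passwords API; the two sample passwords, their counts and the block threshold are constructed for the example.

```python
import hashlib
import urllib.request
from typing import Callable, Dict


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password; the breach corpus is keyed on this."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- Constructed offline stand-in for the breach-database range endpoint ----
# The real Pwned Passwords API (https://api.pwnedpasswords.com/range/<prefix>)
# answers a 5-hex-char prefix with every known suffix sharing it, as
# "SUFFIX:COUNT" lines. These passwords and counts are made up for the example.
_SAMPLE_BREACHED: Dict[str, int] = {"password": 3730471, "letmein": 236265}
_FAKE_RANGES: Dict[str, str] = {}
for _pw, _count in _SAMPLE_BREACHED.items():
    _digest = sha1_hex_upper(_pw)
    # a decoy suffix first, so the bucket is not just the one entry we look for
    _bucket = _FAKE_RANGES.get(_digest[:5], f"{'0' * 35}:7\r\n")
    _FAKE_RANGES[_digest[:5]] = _bucket + f"{_digest[5:]}:{_count}\r\n"


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher: the constructed bucket, or nothing for unknown prefixes."""
    return _FAKE_RANGES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Real fetcher (not exercised offline): only the 5-char prefix is sent."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "example-breach-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found).

    k-anonymity: the plaintext and the full hash never leave this process; the
    service only sees a 5-hex-char prefix shared by hundreds of hashes, and the
    matching is done here on the returned suffixes.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def login_decision(count: int, block_at: int = 1000) -> str:
    """Map a breach count to the behaviour the post describes: a password seen
    many times is blocked until reset, a rarely seen one only triggers a notice.
    The 1000 threshold is an assumption for this example."""
    if count >= block_at:
        return "block-until-reset"
    if count > 0:
        return "allow-and-notify"
    return "allow"


if __name__ == "__main__":
    for pw in ("password", "letmein", "correct horse battery staple 9xK!"):
        n = breach_count(pw)
        print(f"{pw!r}: seen {n} times -> {login_decision(n)}")
```

To run it against the live service, pass `fetch_range=live_fetch_range`; the default keeps the example offline. The decoy line in each constructed bucket is there to show that the lookup has to scan the bucket rather than trust a single returned line.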

More Leaky Fun

Sigh. It seems that every time you turn around, some big company (or a small one with a massive collection of data) is found to have been hacked, to have had data stolen, or, as in this case, to have simply left your private data wide open for anyone to access.

https://www.wired.com/story/exactis-database-leak-340-million-records/

While the leaked data does not explicitly contain financial data or social security numbers, its type and depth increase the probability of impersonation and profiling: “more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel.”

One rule of thumb for keeping your personal data secure is to lie on pre-formatted “additional security questions” like “where were you born”, “in what city did you meet your spouse” and the classic “mother’s maiden name”. Make up lies or answers which have nothing obvious to do with the question. For instance, “what was the make and model of your first car” might be answered with the nickname you and your friends had for the car (C’mon, surely you named your first car, didn’t you?). And your mother’s maiden name was TheDuneTrilogy. This way you can be consistent in your answers from site to site, but not give away any real, useful, trackable data about yourself.

Arbitrary File Deletion Flaw Present in WordPress Core

This recently discovered security hole requires that a malicious actor have access to an account with Author or higher abilities, so it probably won’t be a big concern for most of our clients. We expect an update of WordPress to correct this problem soon.

In the meantime, we suggest that you review the Users section of your site for any Author, Editor or Admin accounts which are no longer needed. You can either downgrade them to plain Subscriber access or to “No role”, or delete them. If you choose to delete an account which was used to post valuable information on your site, you can transfer ownership of those posts to an account you will retain.
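The review above, as an added example (not part of the post and not WordPress or Wordfence code): it reads a user list in the shape of `wp user list --format=json` output, flags every account whose role is Author or higher and is not on a keep list, and suggests the WP-CLI command that matches the post’s advice, downgrade for accounts that own posts, delete for empty ones, with delete-and-reassign as the alternative. The user records and the `post_count` column are constructed for the example (wp-cli does not emit post counts by default); the commands are printed for a human to review, never run by the script.

```python
import json
from typing import Dict, List, Optional

# WordPress built-in roles, least to most capable. The flaw described in the
# post needs Author or above, so any account ranked at or above "author" is in scope.
ROLE_RANK: Dict[str, int] = {
    "subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4,
}
IN_SCOPE_RANK = ROLE_RANK["author"]

# Constructed sample in the shape of `wp user list --format=json` output. The
# post_count column is added by hand for this example; wp-cli does not emit it.
SAMPLE_USERS_JSON = """[
  {"ID": "1",  "user_login": "siteowner",    "user_email": "owner@example.com",  "roles": "administrator", "post_count": 120},
  {"ID": "7",  "user_login": "old-intern",   "user_email": "intern@example.com", "roles": "author",        "post_count": 0},
  {"ID": "9",  "user_login": "guest-writer", "user_email": "guest@example.com",  "roles": "author",        "post_count": 14},
  {"ID": "12", "user_login": "newsletter",   "user_email": "news@example.com",   "roles": "subscriber",    "post_count": 0},
  {"ID": "15", "user_login": "shop-helper",  "user_email": "shop@example.com",   "roles": "shop_manager",  "post_count": 0},
  {"ID": "16", "user_login": "ex-editor",    "user_email": "ed@example.com",     "roles": "",              "post_count": 3}
]"""


def role_rank(roles: str) -> Optional[int]:
    """Highest rank in a comma-separated roles string. "" means "No role" (0);
    None flags a custom role whose capabilities this table does not know."""
    names = [r.strip().lower() for r in roles.split(",") if r.strip()]
    if not names:
        return 0
    if any(n not in ROLE_RANK for n in names):
        return None
    return max(ROLE_RANK[n] for n in names)


def audit_users(users_json: str, keep: List[str], reassign_to: str) -> List[Dict[str, str]]:
    """One finding per account that can reach the flaw and is not in `keep`.

    Accounts with content get a downgrade command (post ownership is kept) and,
    as an alternative, delete-with-reassign to `reassign_to`; empty accounts get
    a plain delete. Custom roles are sent for manual review rather than guessed at.
    """
    findings: List[Dict[str, str]] = []
    for u in json.loads(users_json):
        login, roles = u["user_login"], u["roles"]
        rank = role_rank(roles)
        if rank is None:
            findings.append({"login": login, "roles": roles,
                             "action": "manual review: custom role, check its capabilities",
                             "command": "", "alt_command": ""})
            continue
        if rank < IN_SCOPE_RANK or login in keep:
            continue
        if int(u.get("post_count", 0)) > 0:
            findings.append({"login": login, "roles": roles,
                             "action": "downgrade (keeps post ownership) or delete and reassign",
                             "command": f"wp user set-role {login} subscriber",
                             "alt_command": f"wp user delete {login} --reassign={reassign_to} --yes"})
        else:
            findings.append({"login": login, "roles": roles,
                             "action": "delete (no content to reassign)",
                             "command": f"wp user delete {login} --yes",
                             "alt_command": ""})
    return findings


if __name__ == "__main__":
    for f in audit_users(SAMPLE_USERS_JSON, keep=["siteowner"], reassign_to="1"):
        print(f"{f['login']:<14} {f['roles'] or '(no role)':<14} {f['action']}")
        for cmd in (f["command"], f["alt_command"]):
            if cmd:
                print("    ", cmd)
```

Accounts with no role at all are left alone because they can no longer reach the Author capabilities the flaw depends on; a custom role such as the constructed `shop_manager` is flagged for a human look, since its capabilities are not in the built-in table.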

More details at https://www.wordfence.com/blog/2018/06/arbitrary-file-deletion-flaw-present-in-wordpress-core/