Critical Vulnerability Patched in WooCommerce Upload Files

Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin.

All of our current clients are protected against this vulnerability.

The threat researchers at Wordfence detailed a critical 0-day vulnerability in the WooCommerce Upload Files plugin that would have allowed attackers to infect and completely take over a website. The vulnerability has been patched in version 59.4, and we recommend that all users update to the latest version of the plugin as soon as possible, which is 60.1 at the time of this writing.

Full article at: https://www.wordfence.com/blog/2021/03/critical-vulnerability-patched-in-woocommerce-upload-files

Medium Severity Vulnerability Patched in User Profile Picture Plugin

Discovered 2/15/21, update issued 2/18/21.

User Profile Picture is a plugin designed to allow site owners to upload profile pictures for individual users. By default, WordPress sets a user's profile picture to the Gravatar associated with their email address, if one exists. This plugin lets user profile pictures be customized and override the Gravatar associated with an email address.

One feature the plugin offered was the ability to add user profiles to a post using a Gutenberg block. When adding the block to a post, the plugin made a request for user data to retrieve each user's profile picture and username for users with access to the Gutenberg editor, in order to add the information to the block. To retrieve this information, the plugin registered the REST API route /mpp/v2/get_users tied to the rest_api_get_users function.

Unfortunately, this REST API endpoint returned far more information than its functionality required. This included password hashes (which an attacker can attempt to crack offline), hashed user activation keys, usernames, email addresses, and other less sensitive information.
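The following is an added illustration, not code from the User Profile Picture plugin or from Wordfence, of the over-sharing pattern described above next to a hardened version. The route namespace example/v1 and all function names are hypothetical; the point is that the callback must return only the fields the block needs, and the route must carry a permission_callback.

```php
<?php
/**
 * Added example (not the User Profile Picture plugin's code): a REST route
 * that leaks the whole wp_users row, beside a hardened version.
 * Namespace "example/v1" and the example_* function names are hypothetical.
 */

// Over-sharing pattern: handing WP_User objects straight back to the REST
// server serialises every column of wp_users, including user_pass (the
// password hash) and user_activation_key. Shown for contrast only; it is
// deliberately not registered below.
function example_get_users_unsafe( WP_REST_Request $request ) {
    return rest_ensure_response( get_users() );
}

// Hardened version: the query itself asks only for the columns the block
// needs, so the sensitive fields are never even loaded from the database,
// and the response is built explicitly rather than from whole user objects.
function example_get_users_safe( WP_REST_Request $request ) {
    $search = (string) $request->get_param( 'search' );

    $query_args = array(
        'number'  => 50,
        'orderby' => 'display_name',
        // Restricting 'fields' makes WP_User_Query select only these columns.
        'fields'  => array( 'ID', 'display_name' ),
    );
    if ( '' !== $search ) {
        $query_args['search']         = '*' . $search . '*';
        $query_args['search_columns'] = array( 'display_name', 'user_login' );
    }

    $out = array();
    foreach ( get_users( $query_args ) as $user ) {
        $out[] = array(
            'id'     => (int) $user->ID,
            'name'   => $user->display_name,
            'avatar' => get_avatar_url( (int) $user->ID, array( 'size' => 96 ) ),
        );
    }
    return rest_ensure_response( $out );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/users', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_users_safe',
        // Without this, any visitor can call the route. Since WordPress 5.5
        // a missing permission_callback also raises a _doing_it_wrong notice.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'search' => array(
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

To check a route on your own site, request it without logging in (for this example, GET /wp-json/example/v1/users) and confirm you get a 401 or 403 with a rest_forbidden error; then request it as a logged-in user and confirm the JSON contains no user_pass or user_activation_key keys. The same two checks apply to any plugin route you find listed under /wp-json/.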

Full article: https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin

One Ransomware Victim Every 10 Seconds in 2020

A new organization became a victim of ransomware every 10 seconds in 2020 with remote workers experiencing a sharp uptick in threats, according to Check Point.

The security vendor’s 2021 Security Report is compiled from its ThreatCloud intelligence sensor data, its own research and recent surveys of IT professionals.

The report claimed that consumers and organizations face 100,000 malicious websites and 10,000 malicious files every day, with double extortion ransomware in particular on the rise. In Q3 2020, nearly half of all ransomware incidents involved theft of data from the targeted organization.

“Once a single victim is infected, the attackers leverage that person’s old email conversations for malware distribution, forwarding the last email of the thread and adding malicious files as attachments,” the report explained.

Full article: https://www.infosecurity-magazine.com/news/one-ransomware-victim-every-10/

Multiple Vulnerabilities In Ninja Forms WordPress Plugin Could Allow Site Takeovers

Some serious security vulnerabilities existed in the Ninja Forms WordPress plugin that put over a million sites at risk. Exploiting these vulnerabilities could allow an attacker to take over target websites and redirect incoming traffic to malicious links.

Of course, any sites under management by ProtectYourWP.com have already been updated with the latest fixes.

Full article: https://latesthackingnews.com/2021/02/22/multiple-vulnerabilities-in-ninja-forms-wordpress-plugin-could-allow-site-takeovers/

Wordfence offers free security audits to K-12 public schools using WordPress

Know a K-12 public school using WordPress?

Wordfence is offering free site security audits and site cleaning for public and government-funded schools, now available worldwide. (The original announcement said U.S. only, but apparently they’ve extended it.) Check out their announcement, and please share this offer with a state-funded school, anywhere in the world, that could benefit from their services.

Whitehouse.gov uses WordPress

The big buzz in the WordPress community this month is that the new administration is using WordPress to serve Whitehouse.gov.

And while you and I probably don’t have anywhere near the manpower behind our sites that the Federal Government can muster to keep one of the most visible – and probably one of the most attacked – websites on the internet safe from all manner of security threats, it’s reassuring to know that they trust it enough for something this important.

So rest assured that YOU have made a good choice in using WordPress.

Is WordPress perfect? Definitely not – no computer program is. Does it hit that sweet spot of balance between ease of use, flexibility, security, and cost? I’d say yes.

The Value of a Testing or Staging Site

A well accepted practice in the software development world is to run major software updates through a series of tests before running them on the live site. This allows the developer to catch as many bugs as possible before putting the changes in front of users. Unfortunately, that’s not a practice that many WordPress site owners employ.

Most WordPress updates come with the standard warning that you should ensure you have a fresh backup of the site before running them. But the support forums are full of panicking site owners asking for help: "I just updated <WordPress, a theme, or a plugin> and now <some function> is not working! How do I get it back?" So it's pretty obvious that even that level of caution is often ignored.

Many site hosts (SiteGround, some GoDaddy plans, etc) offer the ability to create a staging site – essentially a mirror copy of the live site with a different web address – with just a click or two, at no extra cost. Ask your host if that’s available for yours. If your host doesn’t offer staging sites we can set you up with one for a fee – contact us for details.

Ideally, you’ll upgrade your staging site and give it a run through to make sure everything looks right and functions correctly. Check things like menu drop-downs, contact forms, product ordering pages (have a cheap test product as a draft – or use a real product and cancel the purchase afterwards), embedded videos, site banners, as well as the general layout. If anything is broken, get it fixed and re-tested before moving forward. If possible, make those same fixes on the live site before upgrading it.

Once everything checks out OK on the testing/staging site, take a full backup of the live site, then perform the upgrade there and re-test. Sometimes there are bugs which only show up on the live site, despite your having passed all the tests on the staging site!

WordPress 5.6 May Break Sites on December 8, 2020

From Search Engine Journal:

“WordPress 5.5 rolled in August 2020 and soon after millions of websites across the Internet broke. Get ready because WordPress 5.6 has the potential to do the same thing.

One of the WordPress developers behind the jQuery Migrate Plugin said in a support thread that the plugin would become “useless” once 5.6 rolls out. Anyone still depending on it in December will experience the rubber bands snapping off their sites all over again.”

The article goes into some detail on why the update in August broke many sites and why the 5.6 update might do the same.

At ProtectYourWP.com we'll be very cautious about this update, ensuring we have a clean backup prior to updating. See also our post about testing on a staging site.

If you want to be extra careful about your updates, consider signing up for our Automated Visual Testing.

PHP 8 Released Nov 26

The latest major version of PHP, the programming language WordPress is written in, was released on Nov 26, 2020.

We can expect a lot of changes as WordPress and the plugin and theme developers incorporate the extensive code changes they'll be required to make, and a PHP that is better maintained and more secure going forward. It has been predicted that a good number of plugins and themes will not be compatible, and that some developers will drop support for their creations rather than go through the work required to make them function.

Fortunately it'll be a while before PHP 8 hits at the user level, though WordPress 5.6 (currently scheduled for release December 8th, give or take a few days) aims to be PHP 8 compatible. Most web hosts will still need to test PHP 8 on their equipment before rolling it out for general consumption, and plugin and theme developers will also need to do extensive testing and possibly rewrite a lot of code.

Each PHP release gets two years of active support and then one year of security fixes, so version 8.0 will receive bug fixes for the next two years and security updates for one year after that.

More details on the Wordfence blog

More details on PHP.net