Disposable mail security updates for 29 April – 10 minute mail

For continuous coverage, we push out major Disposable mail security updates every two weeks, keeping our tool up to date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

 

CVE-2020-11514: WordPress seo-by-rank-math Privilege Escalation

Rank Math is a WordPress SEO plugin with over 200,000 installations. Most recently, a critical privilege escalation vulnerability was discovered that allowed an unauthenticated attacker to update arbitrary metadata, including user metadata, which makes it possible to grant or revoke administrative privileges for any registered user on the site.

A more detailed code analysis on the vulnerability can be found here:
https://www.wordfence.com/blog/2020/03/critical-vulnerabilities-affecting-over-200000-sites-patched-in-rank-math-seo-plugin/

Atlassian Confluence Knowledge Base Exposure

There have been numerous write-ups on the exposure of internal company documentation and web pages. As more and more companies are migrating online due to COVID-19, this issue is becoming more prevalent. Most recently, Crowdsource has implemented a module that checks Atlassian Confluence instances for the public exposure of their internal wikis.

CVE-2020-11455: LimeSurvey Path Traversal

LimeSurvey is a free and open-source online survey tool. Recently, a path traversal vulnerability was found in the software that allows an attacker to read sensitive files from the server.

 

Questions or comments on the latest Disposable mail security updates? Let us know in the comments below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Disposable mail here!

Already have an account? Login to check your assets.

Disposable mail is a continuous web vulnerability scanner service and we release Disposable mail security updates at least bi-weekly. Disposable mail offers a crowdsource-powered testbed of 2000+ known vulnerabilities including the OWASP Top 10. Check for the latest vulnerabilities!

Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Gehaxelt – How WordPress Plugins Leak Sensitive Information Without You Noticing – 10 minute mail

Sebastian Neef (@gehaxelt) is a IT security freelancer and a top contributor from the Disposable mail Crowdsource community. In this guest blog, he looks at ways WordPress plugins leak sensitive data in the wild:

Guest blog post from Crowdsource hacker gehaxelt

The OWASP Top 10 puts Sensitive Data Exposure on the 3rd place of the most common web security issues. In this blog post we will have a look at sensitive data exposure that you might not be aware of. 

WordPress is probably one of the most used Content Management Systems out there. The vast amount of available WordPress plugins certainly plays a huge role, as it allows your WordPress blog to become a full-fledged online shop (e.g. WooCommerce). But relying on third-party plugins to customize your blog or shop comes with certain security risks. There are no restrictions on who can publish a plugin on wordpress.org, so the code quality, and therefore security, can vary a lot.

I have analyzed how the most popular WordPress plugins leak information with remediation tips so you can continue using WordPress in a more secure way. 

This research was part of my attempt to get some more valid submissions to the Disposable mail Crowdsource platform, so my focus was only on the top-ranking WordPress plugins. To qualify as a valid submission for Disposable mail Crowdsource, the vulnerable plugin needs to have at least 300,000 active installations and the issue needs to be exploitable remotely without any form of authentication. At least for the information disclosure, these criteria were met for the following plugins:

* A module for this plugin was not implemented due to an increased request complexity.

Taking all installation counts from the above list together and assuming that one installation equals one website, we end up with about 19 million websites that are potentially affected by an information leak issue.  

Let’s first have a look at what kind of information is leaked by those plugins. I think there are three categories of leaked data, which also seem to match certain CWE (Common Weakness Enumeration) categories:

    • Credentials (CWE-200: Information Exposure)
    • Personally Identifiable Information (PII) (CWE-359: Exposure of Private Information (‘Privacy Violation’))
    • System Information (CWE-215: Information Exposure Through Debug Information)

Credentials

From the attacker’s perspective, gaining access to credentials is the jackpot. It might allow them to obtain usernames, passwords or API keys that could be used to escalate their privileges. A WordPress administrator account is allowed to edit themes or plugins, thus gaining remote code execution is trivial. Leaked API keys are no better, because they might allow the attackers to abuse them, gain unauthorized access or just create huge financial damage.

Here’s a list of things that fall into this category and that I’ve seen leaked:

    • Passwords to protected posts
    • Backup files or zips
    • SMTP credentials

Personally Identifiable Information (PII)

The next level in the hierarchy is, in my opinion at least, personally identifiable information. Especially in 2020, with the GDPR and other data protection laws in force, a leak of customers’ PII can quickly become a company’s nightmare because of the hefty fines attached. For that reason, I was even more surprised to find several plugins leaking the following customer or user data:

    • Names
    • Email addresses
    • Usernames

System Information

The third category comes down to the remainder: information about the system running WordPress or its configuration. Most of the following types might not have direct, critical security implications, but they can still give an attacker useful information for more sophisticated exploitation chains. Most of the plugins I looked at leaked the following information:

    • Internal host names 
    • Database tables, SQL queries
    • Security logs
    • Full path disclosures
    • File names
    • Software versions (OS, PHP, MySQL, WordPress)
    • PHP Configuration (safe_mode, memory limits, execution limits, etc)

So far we have discussed what plugins leak information and what kind of information is leaked, but we haven’t looked at how this information is potentially exposed to the attackers. 

At the core, the issue lies within WordPress’ file permission scheme, which states that the wp-content/ folder should be writable, because some plugins need write permissions there. Depending on how security-conscious you or your WordPress administrator are, the whole wp-content/ tree might even be fully rwx for the web server user, and most plugins therefore choose to create their directories and files there.

This is not a problem by itself, but becomes one as soon as some plugins begin to create log files with the above discussed information that the web administrator does not know about. Plugin developers are not guaranteed a writable “data” folder outside the document root, where they could securely store such log files containing sensitive information in a non-volatile way. PHP’s sys_get_temp_dir could be an option, because it is system agnostic (not everyone runs Linux), but it might not offer persistence. The latter is pretty important for log files. Therefore, most plugin developers opt for a folder that they can assume to be writable on most WordPress installations as this stackoverflow thread suggests:

    • wp-content/uploads/
    • wp-content/*

The former works in most cases, because files uploaded through WordPress’ media library end up there, so it is writable to not break core functionality. The latter includes all subfolders, such as wp-content/plugins/ or wp-content/themes, if the administrator wants to easily install new plugins or edit themes.  

If you are a security-minded person and you are running a WordPress instance, now is the time to ask yourself if you have reviewed the source code of all active plugins, or did you simply install a plugin, because someone needed it to change the website’s functionality? You should review your plugins, but first continue reading to know what you should look for.

I have noticed two different patterns that developers use to create log files, and only one of them has basic security principles in mind. However, both approaches become ineffective security-wise once the administrator forgets to properly configure the web server. Therefore, we cannot put all the blame for leaks onto the WordPress plugin developers; we need to reinforce basic security principles at all times.

Static file paths

Developers are not naturally security experts, and often they focus on building solutions that work. There is nothing easier than using WordPress’ wp_upload_dir() or WP_CONTENT_DIR to obtain the path to a writable folder and appending a plugin-specific suffix.

Here is a list of example paths:

/wp-content/all-in-one-seo-pack.log
/wp-content/uploads/mc4wp-debug.log
/wp-content/uploads/wp-google-maps/error_log.txt
/wp-content/plugins/ewww-image-optimizer/debug.log
/wp-content/plugins/all-in-one-wp-migration/storage/error.log
/wp-content/plugins/all-in-one-wp-migration/storage/import.log
/wp-content/plugins/all-in-one-wp-migration/storage/export.log
….

Let’s recall that the wp-content/ folder lives inside the DocumentRoot and is accessible from the internet, thus all the files within it are usually accessible, too. This makes it trivial for an attacker to access those log files and their content by navigating to the well-known paths.

Random file names

A good portion of the plugins implemented their logging functionality with more security in mind. By adding a random portion to the file name, it cannot be requested directly without knowing the random part.

Depending on the implementation, the portion’s randomness varied greatly:

  • an incremented 6-digit number (not really random)
  • a randomly generated string
  • a cryptographic hash (MD5 or SHA)

Examples:

/wp-content/cache/log/000000/dbcache.log
/wp-content/logs/newsletter/antibot-2018-09-87agc333.txt
/wp-content/uploads/wc-logs/geoip-2019-03-17-57e9aab19e941762b0e731c2f65dc325.log
….

To a developer, this approach might look pretty robust and secure, but it disregards the fact that administrators also play a role. Given that WordPress is an entry-level CMS, it might be set up and operated by novice administrators who just followed a tutorial “to make things work”.

The file name randomization is instantly defeated if the administrator (accidentally) forgets to turn off “directory listing” on their web server. In such a case, an attacker just needs to browse to the respective folders to get a list of the random file names. 

index of /wp-content/uploads/wc-logs

While working on this topic, I have found several examples of such misconfigured web servers on the internet. It is not just a hypothetical scenario. 
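To make the two attack patterns above concrete, here is an added example (my own illustration for this post, not code from the research or from Disposable mail’s modules) of how a check for both can be written. It requests the static paths listed earlier directly, and for the randomized pattern it requests the parent directory and harvests file names from the server’s “Index of” page if directory listing is enabled. The HTTP layer is injected as a function so the script runs offline against constructed responses; the sample site, its log contents and the listing HTML are all made up for the demo.

```python
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple

# Static paths are taken from the list in the post; the directories are the
# parents of the randomized examples.  Extend both lists for your own plugins.
STATIC_LOG_PATHS = [
    "/wp-content/all-in-one-seo-pack.log",
    "/wp-content/uploads/mc4wp-debug.log",
    "/wp-content/uploads/wp-google-maps/error_log.txt",
    "/wp-content/plugins/ewww-image-optimizer/debug.log",
    "/wp-content/plugins/all-in-one-wp-migration/storage/error.log",
]
LISTING_DIRS = [
    "/wp-content/uploads/wc-logs/",
    "/wp-content/logs/newsletter/",
    "/wp-content/cache/log/",
]
LOG_NAME = re.compile(r"\.(log|txt)$", re.IGNORECASE)

# fetch(path) -> (status, body); injected so the check runs offline here.
Fetcher = Callable[[str], Tuple[int, str]]


class _LinkCollector(HTMLParser):
    """Collect href attributes from an autoindex page."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_directory_listing(body: str) -> bool:
    # Apache's mod_autoindex and nginx's autoindex both title the page "Index of /...".
    return re.search(r"<title>\s*Index of /", body, re.IGNORECASE) is not None


def log_files_from_listing(body: str) -> List[str]:
    """Return the log/text file names linked from a directory listing."""
    collector = _LinkCollector()
    collector.feed(body)
    # Drop the parent link, sort-order links and anything that is not a log file.
    return [h for h in collector.hrefs
            if not h.startswith(("?", "/", "../")) and LOG_NAME.search(h)]


def looks_like_log(body: str) -> bool:
    """A real log is plain text; hosts that answer 200 with an HTML 404 page
    (soft 404) would otherwise produce false positives."""
    head = body.lstrip()[:64].lower()
    return not head.startswith(("<!doctype", "<html"))


def find_exposed_logs(fetch: Fetcher) -> Dict[str, List[str]]:
    """Return {'static': [...], 'listing': [...]} with the reachable log paths."""
    found: Dict[str, List[str]] = {"static": [], "listing": []}
    for path in STATIC_LOG_PATHS:
        status, body = fetch(path)
        if status == 200 and looks_like_log(body):
            found["static"].append(path)
    for directory in LISTING_DIRS:
        status, body = fetch(directory)
        if status == 200 and is_directory_listing(body):
            found["listing"].extend(directory + name for name in log_files_from_listing(body))
    return found


# Constructed responses standing in for a misconfigured site (not captured anywhere).
SAMPLE_SITE = {
    "/wp-content/uploads/mc4wp-debug.log":
        (200, "[2019-10-02 10:11:12] SMTP error: authentication failed for user@example.test\n"),
    "/wp-content/uploads/wp-google-maps/error_log.txt":
        (200, "<!DOCTYPE html><html><head><title>Page not found</title></head></html>"),
    "/wp-content/uploads/wc-logs/": (200, """<html><head><title>Index of /wp-content/uploads/wc-logs</title></head>
<body><h1>Index of /wp-content/uploads/wc-logs</h1><ul>
<li><a href="../">Parent Directory</a></li>
<li><a href="?C=M;O=A">Last modified</a></li>
<li><a href="geoip-2019-03-17-57e9aab19e941762b0e731c2f65dc325.log">geoip-2019-03-17-....log</a></li>
<li><a href="fatal-errors-2019-03-18-0123456789abcdef.log">fatal-errors-2019-03-18-....log</a></li>
<li><a href="index.html">index.html</a></li>
</ul></body></html>"""),
}


def sample_fetch(path: str) -> Tuple[int, str]:
    return SAMPLE_SITE.get(path, (404, "Not Found"))


if __name__ == "__main__":
    for kind, paths in find_exposed_logs(sample_fetch).items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

The soft-404 check matters in practice: many hosts return HTTP 200 with an HTML error page for any path under wp-content/, which would otherwise mark every static path as a hit. For a real scan, replace sample_fetch with a function that performs the GET (urllib or requests) and returns the status and body.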

If you have made it this far, you might be asking yourself how I discovered all those log file disclosures. I will happily answer this question in this section, so that you can review your own plugins.  There were basically three approaches to this topic: 

    • Find existing files
    • Review the plugins’ source code
    • Use a search engine

While the first method did not show anything particularly interesting, the second one was the most fruitful, but also the most time-intensive. There were over 115 plugins to review, so naturally I could not invest the time to do a thorough in-depth source code review, but rather took some shortcuts and educated guesses. Last but not least, I used search engines to discover files that I might have missed with the two previous methods.

Let’s have a look at them in detail. 

Find-ing existing files

find is a small linux command line tool to quickly find files or directories in a file system hierarchy. After installing some plugins, I ran it on my test WordPress instances like this:

$> cd path-to-wordpress/wp-content/
$> find . -type f -name '*log*' -ls
$> find . -type f -name '*txt*' -ls
987828	4 -rw-r--r--   1 gehaxelt gehaxelt  	229 Feb  9  2018 ./sc_cache.txt

This showed me a few files whose names contain log or txt, thus matching either of the two glob patterns. It is by far the most efficient method to check whether such files exist on your web server. If you are administering any WordPress instances, take a note and check your web servers after you have finished reading.

Source Code Review

Most of the work done was source code review using a few lines of bash, grep and less. 

As the first step, I downloaded all plugins with more than 300k installations from the wordpress.org website and extracted them into separate folders. A few lines of Python helped with that task.

The next step was to look for and identify the paths where log entries are written to. PHP offers a few functions such as file_put_contents or fopen to create files. Having access to the source code, the command line text search tool “grep” was a suitable choice. Keywords such as “file_put_contents”, “file_get_contents”, “fopen” and “log” gave a good idea of where to look.

From there, it was a matter of working bottom-up through the code and deducing where the file would be written and whether the name is randomized or not.
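The grep-and-trace step can be partly automated. The following is an added example of my own for this post (not the tooling used for the research and not real plugin code): it finds file-creating calls in PHP source, substitutes simple variable assignments back into the path argument, and then classifies the resulting expression by whether it contains a randomizing function and whether it is rooted in one of the web-exposed base directories (wp_upload_dir(), WP_CONTENT_DIR, the plugin’s own __DIR__). The PHP sample it runs on is constructed to show both patterns plus a write outside the document root; the path /var/lib/plugin-data/ is an assumed data directory.

```python
import re
from typing import Dict, List, NamedTuple

# Calls whose first argument is the file being created or opened.
WRITE_CALLS = re.compile(r"\b(?P<call>file_put_contents|fopen|touch)\s*\(\s*(?P<path>[^,)]+)")
# Simple assignments: $name = <expression>;  (a later assignment overrides an earlier one)
ASSIGN = re.compile(r"(?P<var>\$[A-Za-z_]\w*)\s*=(?!=)\s*(?P<expr>[^;]+);")
# Functions that put an unpredictable component into a file name.
RANDOM_HINTS = re.compile(
    r"\b(wp_generate_password|wp_hash|wp_unique_filename|md5|sha1|hash|uniqid|"
    r"mt_rand|rand|random_bytes|random_int|bin2hex)\s*\(", re.IGNORECASE)
# Base directories that live inside the document root.
EXPOSED_HINTS = re.compile(r"(wp_upload_dir|WP_CONTENT_DIR|WP_PLUGIN_DIR|plugin_dir_path|__DIR__)")


class Finding(NamedTuple):
    line: int
    call: str
    path_expr: str      # path argument after variable resolution
    randomized: bool    # name contains a random component (rule #1)
    web_exposed: bool   # written below a directory the web server serves


def collect_assignments(source: str) -> Dict[str, str]:
    return {m.group("var"): m.group("expr").strip() for m in ASSIGN.finditer(source)}


def resolve(expr: str, assigns: Dict[str, str], depth: int = 3) -> str:
    """Substitute known assignments into expr, a few levels deep."""
    for _ in range(depth):
        before = expr
        for var in set(re.findall(r"\$[A-Za-z_]\w*", expr)):
            if var in assigns:
                # \b keeps $log from clobbering $logdir
                expr = re.sub(re.escape(var) + r"\b",
                              lambda _m, v=var: "(" + assigns[v] + ")", expr)
        if expr == before:
            break
    return expr


def review_php(source: str) -> List[Finding]:
    assigns = collect_assignments(source)
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.strip().startswith(("//", "#", "*", "/*")):
            continue  # comment line
        m = WRITE_CALLS.search(line)
        if not m:
            continue
        expr = resolve(m.group("path").strip(), assigns)
        findings.append(Finding(
            line=lineno,
            call=m.group("call"),
            path_expr=expr,
            randomized=RANDOM_HINTS.search(expr) is not None,
            web_exposed=EXPOSED_HINTS.search(expr) is not None,
        ))
    return findings


# Constructed PHP resembling the two logging styles; not taken from any plugin.
SAMPLE_PLUGIN = r"""<?php
// Constructed sample, not real plugin code.
$upload = wp_upload_dir();
$static_log = $upload['basedir'] . '/mc4wp-debug.log';
file_put_contents($static_log, $message . PHP_EOL, FILE_APPEND);

$suffix = wp_hash('geoip');
$random_log = $upload['basedir'] . '/wc-logs/geoip-' . date('Y-m-d') . '-' . $suffix . '.log';
$fh = fopen($random_log, 'a');

// Assumed data directory outside the document root.
file_put_contents('/var/lib/plugin-data/import.log', $line, FILE_APPEND);
"""

if __name__ == "__main__":
    for f in review_php(SAMPLE_PLUGIN):
        verdict = "ok" if f.randomized or not f.web_exposed else "STATIC+EXPOSED"
        print(f"line {f.line}: {f.call} -> {f.path_expr}  [{verdict}]")
```

This is a triage aid, not a parser: it will miss paths assembled via sprintf or class properties, and a date() component is deliberately not counted as random, since dates are guessable. The hits it flags as static and web-exposed are the ones worth the manual bottom-up read.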

Google Dorks

(Ab-)using search engines and their specific search keywords for security purposes is often referred to as “dorking”. No sophisticated hacking tools are required for such an attack, just a web browser, a search engine such as google and a query like inurl:"/wp-content/uploads/wp-google-maps/error_log.txt" would be enough to find a whole lot of affected websites.

I took the route of searching for a plugin’s directory name while adding keywords like log or txt etc. It gave mediocre results, but that was better than nothing and also helped to verify the findings from the previous step. 

Overall, the results of this method are limited to websites that have directory listing enabled and allow their contents to be indexed by search engines.

We all know that breaking things is much easier than fixing them. I tried to come up with ideas for how to prevent such information leaks and make the ecosystem more secure.

Rule #1: Use randomized file names

Static file paths make it trivial for an attacker to check for the existence of a file and download it. Using randomized file names might take a bit more time for a developer to implement, but boosts security immensely, especially since the majority of web servers should have directory listing disabled, so that an attacker cannot guess the correct file name.

Rule #2: Prevent directory listing

Even a web server with directory listing enabled can be mitigated by the plugin developer: for every folder that is created and where plugin-specific log files are written, an empty index.php file should be created. On virtually every web server that serves PHP, index.php is configured as a DirectoryIndex, meaning that instead of listing the directory’s contents, this file is executed. As an empty file produces no output, the attacker sees a blank page instead of a list of file names.

Rule #3: Workaround

If Rule #1 and Rule #2 are not followed by a plugin, then one could try to move the created folder outside the “DocumentRoot” (i.e. using a symlink). Alternatively, explicit rules must be created to prevent access to static or randomized log files. Depending on the used web server, simple “.htaccess” files could be used. 

Rule #4: WordPress hardening

The WordPress developers have a lengthy article on WordPress security and hardening. At the time of writing it contained a neat statement which fits this topic perfectly: 

If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legit or check with someone you trust. 

It is always a good idea to go over this article and check whether you have considered and implemented the given hardening tips.

To round this section up, I firmly believe that most plugins should be able to implement and follow Rule #1 and Rule #2. The other two rules, Rule #3 and #4, lean more towards the side of the system administrators, but we cannot take them out of the equation. If a WordPress instance is provided for you, don’t forget to ask the responsible administrator to go over the issues mentioned in this article.  
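To turn the find commands from earlier and Rules #1 to #3 into something an administrator can run, here is an added example of my own (not part of the original research): it walks a wp-content/ tree, lists every .log/.txt file, and reports per file whether its name has a random component (Rule #1), whether its directory lacks an index.php or index.html (Rule #2) and whether no .htaccess in that directory or a parent denies access (Rule #3, Apache only; the recognised directives are assumed to be “Deny from all” or “Require all denied”). The demo builds a constructed wp-content/ layout in a temporary directory; none of the files come from a real site.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import List, NamedTuple

LOG_FILE = re.compile(r"\.(log|txt)$", re.IGNORECASE)
DENY_MARKERS = ("deny from all", "require all denied")  # Apache 2.2 / 2.4 syntax


class Exposure(NamedTuple):
    path: str          # relative to wp-content, POSIX separators
    static_name: bool  # rule #1 not followed: no random component in the name
    listable: bool     # rule #2 not followed: no index.php/index.html next to it
    unprotected: bool  # rule #3 not applied: no denying .htaccess in the dir or above


def has_random_component(name: str) -> bool:
    """A run of 8+ alphanumerics mixing letters and digits (hash, token)
    counts as random; dates and plain counters like 000000 do not."""
    stem = name.rsplit(".", 1)[0]
    for token in re.findall(r"[A-Za-z0-9]+", stem):
        if len(token) >= 8 and re.search(r"\d", token) and re.search(r"[A-Za-z]", token):
            return True
    return False


def htaccess_denies(directory: Path, root: Path) -> bool:
    """True if directory or an ancestor (up to root) has an .htaccess that
    denies access to the whole directory.  Only whole-directory denies are
    recognised; per-file rules and nginx server blocks are not inspected."""
    d = directory
    while True:
        ht = d / ".htaccess"
        if ht.is_file():
            text = ht.read_text(errors="replace").lower()
            if any(marker in text for marker in DENY_MARKERS):
                return True
        if d == root or d.parent == d:
            return False
        d = d.parent


def audit_wp_content(wp_content: str) -> List[Exposure]:
    root = Path(wp_content).resolve()
    results: List[Exposure] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        listable = not any(f in filenames for f in ("index.php", "index.html"))
        protected = htaccess_denies(d, root)
        for name in filenames:
            if LOG_FILE.search(name):
                results.append(Exposure(
                    path=(d / name).relative_to(root).as_posix(),
                    static_name=not has_random_component(name),
                    listable=listable,
                    unprotected=not protected,
                ))
    return sorted(results)


def build_sample_tree(base: str) -> str:
    """Create a constructed wp-content layout for the demo (not a real site)."""
    wc = Path(base) / "wp-content"
    files = {
        "uploads/mc4wp-debug.log": "[2019-10-02] SMTP error: auth failed\n",
        "uploads/wc-logs/geoip-2019-03-17-57e9aab19e941762b0e731c2f65dc325.log": "lookup ok\n",
        "uploads/wc-logs/index.php": "<?php // Silence is golden.\n",
        "cache/log/000000/dbcache.log": "SELECT * FROM wp_users\n",
        "plugins/example-plugin/logs/.htaccess": "Require all denied\n",
        "plugins/example-plugin/logs/import.log": "imported 3 rows\n",
        "plugins/example-plugin/example-plugin.php": "<?php\n",
    }
    for rel, content in files.items():
        target = wc / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return str(wc)


def run_sample() -> List[Exposure]:
    with tempfile.TemporaryDirectory() as tmp:
        return audit_wp_content(build_sample_tree(tmp))


if __name__ == "__main__":
    for e in run_sample():
        flags = [n for n in ("static_name", "listable", "unprotected") if getattr(e, n)]
        print(f"{e.path}: {', '.join(flags) or 'ok'}")
```

Run audit_wp_content() against your real wp-content/ path; a file that is flagged on all three counts is exactly the “static file path” case from earlier, and a randomized name in a listable directory is the case that directory listing defeats. The check is filesystem-only, so it cannot tell whether the web server actually honours the .htaccess; confirm that separately by requesting one of the files.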

All of the initially listed WordPress plugins and their potentially leaked log files have been implemented into Disposable mail’s automated security and asset monitoring since September – November 2019. The security modules will give you insight into which log files on your web server are discoverable by an attacker. That means, the modules can:

    • easily identify the “static file path” log files 
    • detect the “randomized file path” log files, too, as long as the randomization can be circumvented with the method discussed earlier

My research doesn’t stop here. I am continuously pursuing this topic in order to bring more log file disclosures to users to secure more websites through the Disposable mail and the Crowdsource platform.

 

Written by:
Sebastian Neef
IT Security Freelancer and Disposable mail Crowdsource hacker

Sebastian Neef (@gehaxelt) is a security researcher at heart and has been interested in IT security since the age of 15. He became an IT security freelancer and consultant during his A-Levels back in 2012, when bug bounty and responsible disclosure programs were just starting out. Sebastian enjoys sharing his knowledge at conferences or on his blog 0day.work, breaking things, playing CTFs with ENOFLAG and helping companies to improve their security.


How can Disposable mail help?
Disposable mail works with highly skilled ethical hackers like Gehaxelt to crowdsource the most up-to-date security research. Check for the latest WordPress vulnerabilities and 1500+ other known vulnerabilities by starting a Disposable mail scan. Begin your 14-day free trial today.

Additional reading:
Improving WordPress plugin security from both attack and defense sides

How to Improve Your WordPress Security: Plugins and Themes



WordPress Exploit Framework – A Ruby Tool For WordPress Penetration Testing

To install the latest stable build, run the command gem install wpxf.

After installation, you can launch the WordPress Exploit Framework console by running wpxf.

If you have issues installing WPXF’s dependencies (in particular, Nokogiri), first make sure you have all the tooling necessary to compile C extensions:


It’s possible that you don’t have important development header files installed on your system. Here’s what you should do if you should find yourself in this situation:

If you are experiencing errors that indicate that  libcurl.dll  could not be loaded, you will need to ensure the latest libcurl binary is included in your Ruby bin folder, or any other folder that is in your environment’s PATH variable.

The latest version can be downloaded from curl.haxx.se/download.html. As of 16/05/2016, the latest release is marked as  Win32 2000/XP zip 7.40.0 libcurl SSL . After downloading the archive, extract the contents of the bin directory into your Ruby bin directory (if prompted, don’t overwrite any existing DLLs).

How To Use WordPress Exploit Framework

Start the WordPress Exploit Framework console by running wpxf.

Once loaded, you’ll be presented with the wpxf prompt. From here you can search for modules using the search command or load a module using the use command.

Loading a module into your environment will allow you to set options with the set command and view information about the module using info.

Below is an example of how one would load the symposium_shell_upload exploit module, set the module and payload options and run the exploit against the target.



Release: Improved PDF report and new WordPress vulnerabilities – 10 minute mail

We are continuously developing our scanner and service. In the latest release we have added a new improved PDF report which now has an executive summary. We have also added a couple of new vulnerabilities for WordPress.

New improved PDF report

Export full report or just executive summary

The new PDF report lets you export the findings and share them with your colleagues. You now also have the option to export an executive summary that gives you an understanding of your security status in a comprehensible format.

Export is located at the top right in the report

You find the export button in the top right corner of your dashboard.

New vulnerabilities added for WordPress

We have added a couple of new vulnerabilities for WordPress to the scanner. This is part of our continuous improvement and we are constantly looking out for new vulnerabilities.

We hope that these new features will serve you well. If you have any feedback on our new release or ideas for new features do not hesitate to tell us, either in the comments below or at [email protected]

Happy scanning!


Updates on the security status of WordPress and Yoast – 10 minute mail

WordPress is amazing, we can’t argue with that. It’s efficient, powerful, and functional. However, given that it is the most popular Content Management System (CMS) in use, it is also the most frequently targeted CMS platform out there.

The WordPress Pingback Vulnerability – Check old campaign sites!

The WordPress pingback vulnerability allows an attacker to use your WordPress instance as a proxy: the XML-RPC pingback feature makes your server fetch attacker-chosen URLs. The issue is old, but it is still the reason behind many DDoS attacks. It can be used to camouflage criminal behaviour so that it appears to originate from your server, or to reach hosts on your internal network.

SOLUTION: Since WordPress 3.5, default installations ship with XML-RPC, and with it pingbacks, enabled, so we recommend that you run scans on old campaign sites to see if they are affected. If they are, disable pingbacks (or XML-RPC altogether) on those installations.
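A quick way to check an old campaign site yourself is to ask its XML-RPC endpoint which methods it exposes. The following is an added example for this post (not Disposable mail’s scanner code): it sends a system.listMethods call to /xmlrpc.php and looks for pingback.ping in the answer. The transport is injected as a function so the example runs offline; the two responses it is run against are constructed stand-ins for a default install and for a host that blocks xmlrpc.php.

```python
import xmlrpc.client
from typing import Callable, List, Tuple
from xml.parsers.expat import ExpatError

XMLRPC_PATH = "/xmlrpc.php"
# post(path, body) -> (status, response body); injected so the check runs offline.
Poster = Callable[[str, bytes], Tuple[int, bytes]]


def request_body() -> bytes:
    """The system.listMethods call; xmlrpc.client builds the <methodCall> XML."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def pingback_exposed(post: Poster) -> Tuple[bool, List[str]]:
    """Return (pingback.ping advertised?, all advertised methods)."""
    status, body = post(XMLRPC_PATH, request_body())
    if status != 200:
        return False, []          # XML-RPC blocked or absent
    try:
        (methods,), _ = xmlrpc.client.loads(body.decode(errors="replace"))
    except (xmlrpc.client.Fault, xmlrpc.client.ResponseError, ExpatError, ValueError):
        return False, []          # fault, garbage or not XML-RPC at all
    methods = list(methods)
    return "pingback.ping" in methods, methods


# Constructed responses; not captured from a real site.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>pingback.extensions.getPingbacks</string></value>
<value><string>wp.getUsersBlogs</string></value>
</data></array></value></param></params></methodResponse>
"""


def sample_post(path: str, body: bytes) -> Tuple[int, bytes]:
    """A default WordPress install: xmlrpc.php answers and lists pingback.ping."""
    if path == XMLRPC_PATH and b"system.listMethods" in body:
        return 200, SAMPLE_RESPONSE
    return 404, b"Not Found"


def blocked_post(path: str, body: bytes) -> Tuple[int, bytes]:
    """A hardened host that denies xmlrpc.php entirely."""
    return 403, b"Forbidden"


if __name__ == "__main__":
    for label, poster in (("default", sample_post), ("blocked", blocked_post)):
        exposed, methods = pingback_exposed(poster)
        print(f"{label}: pingback.ping exposed={exposed} ({len(methods)} methods)")
```

For a real check, replace the poster with a function that POSTs request_body() to https://your-site/xmlrpc.php with Content-Type: text/xml and returns the status and body. Note that the method list only tells you the feature is reachable; a site that still needs XML-RPC for other clients can remove just pingback.ping from the list with WordPress’ xmlrpc_methods filter instead of disabling XML-RPC completely.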

With great websites, come great plugins… and more vulnerabilities

Are you using the SEO plugin Yoast to increase search engine traffic? Many plugins have vulnerabilities, and Yoast has had both SQL injections and CSRF vulnerabilities in the past. This is yet another reminder of how important it is to update your plugins on a regular basis.


Vulnerabilities | Disposable mail Blog – 10 minute mail

The internet is awesome, but it can also be a pretty dangerous place. This is why we at Disposable mail are always on the lookout for vulnerabilities! If you’d like to learn more about different vulnerability types and staying safe online, check out the articles on this list.

MOST COMMON VULNERABILITIES

Misconfigured email servers open the door to spoofed emails from top domains

Email authentication configurations are often lacking and leave domains vulnerable to spoofing. To establish how widespread this problem is, we have researched the SPF and DMARC records of the top 500 Alexa domains.

Cross-site Scripting (XSS)

Cross-site Scripting is a very common vulnerability that is easy to exploit. Check out our list of articles about Cross-site Scripting to read more about this vulnerability and learn how to protect your web application.

The basics of Local File Inclusions

In this blog post, we explain what Local File Inclusions are and how you can avoid them and make your code safer.

What is an SQL Injection and how do you fix it?

SQL injection flaws are very critical as they enable a remote attacker to gain access to the underlying database. In the worst case scenario, this allows the attacker to read, write and delete content in the database.

First Encounters Through the Eyes of Our Scanner

Read about how we scan for the most common vulnerabilities and what websites look like through the eyes of our scanner.

OWASP TOP 10

This blog series offers an insight into each of the 10 vulnerability types on OWASP’s list. We describe the vulnerabilities, the impact they can have, and highlight well-known examples of events involving them. Of course, we also explain how to discover these vulnerabilities, providing code examples and helpful remediation tips.

OWASP TOP 10: Injection (#1)

OWASP TOP 10: Broken Authentication and Session Management (#2)

OWASP TOP 10: Cross-site Scripting (#3)

OWASP TOP 10: Insecure Direct Object Reference (#4)

OWASP TOP 10: Security Misconfiguration (#5)

WORDPRESS

With its large number of plugins and themes, WordPress is often subject to vulnerabilities.

WordPress Security

Curious about how you can make your WordPress site more secure? Go ahead and explore our articles on WordPress security to keep up to date with vulnerabilities and best practices.


IT Security FAQ 2: What should you think about when installing a new plugin on WordPress? – 10 minute mail

To add different functions to the popular CMS WordPress – like social media icons or contact forms – it’s usual for people to install and activate different plugins. However, it is important to keep in mind that most security breaches that happen on WordPress are due to vulnerabilities in these plugins.

Comment from our expert:
”My number one advice when installing a WordPress plugin is to ask yourself; do I really need this? Anyone can create a plugin for WordPress, and every new line of code is a possibility for something to go wrong. If you install a plugin with bad code, it could end up with someone hacking your website.”

”To check if a plugin is safe, start off by googling it to see if it has any known vulnerabilities, or if it has been known for having many flaws in the past. Who is the developer of the plugin and does that person seem to know what they are doing?”

”Every now and then, go through the plugins you have already installed and look up if they have any new vulnerabilities. Maybe they haven’t been updated for a while, which means that they might be easier to hack. Most of the time, if it is a popular plugin with thousands or hundreds of thousands of users, it should be fairly updated and thus might also be safer to use. But when it comes to plugins, the old saying less is more really does apply,” says Johan Edholm at Disposable mail.


 

Want more IT security information? Don’t miss out on the other parts of our IT Sec FAQ series!


How To Improve Your WordPress Security – 10 minute mail

WordPress is a great Content Management System, it’s easy to use, maintain and there is an ocean of plugins and themes from developers worldwide. What started out as a very simple blogging platform is now much more.

In the early versions, vulnerabilities were found much more frequently than today. Some of them were really bad – take this one for example:

“WordPress before 2.8.3 allows remote attackers to gain privileges via a direct request to (1) admin-footer.php, (2) edit-category-form.php, (3) edit-form-advanced.php, (4) edit-form-comment.php, (5) edit-link-category-form.php, (6) edit-link-form.php, (7) edit-page-form.php, and (8) edit-tag-form.php in wp-admin/.”

This nasty vulnerability was found back in 2009.

However, fewer and fewer vulnerabilities are found in the core and WordPress takes security very seriously. Despite that, there are still several outdated WordPress installations out in the wild. According to WP White Security – in 2014 over 70% of all WordPress installations were vulnerable. The core is relatively secure but the more you add to the installation, themes, and plugins, the higher the risk of your site becoming vulnerable.

You can never be 100% secure and this also applies to WordPress. However, there are easy fixes that can make your site more difficult to target.

  • Don’t use admin or any variants of this username on any account
  • Of course – set a strong password and have a good password policy if you have multiple users
  • Don’t use ‘wp_’ as any table prefix, choose something that is less obvious
  • Avoid posting with the administrator account
  • Enable two factor authentication for each of your users
  • And again – keep everything updated
  • This may be obvious to most people, but download WordPress from the official site, WordPress.org!
  • Keep an eye on vulnerabilities by using a security monitoring tool like Disposable mail

Remember, it’s not just the WordPress CMS you need to keep secure and updated; don’t forget about the web server, FTP server, database, file permissions, etc.

Read more:
WordPress
How to Improve Your WordPress Security: Plugins and Themes
http://www.wpbeginner.com/wordpress-security/

Stay safe!


Author: Anders Raldin


How to Improve Your WordPress Security: Plugins and Themes – 10 minute mail

A clean WordPress installation is not much fun, but plugins and themes can have security issues that should not be ignored. In this blog post, we explain what is good to take into consideration when installing a plugin or theme, and give tips on some useful WordPress security plugins that can make your WordPress experience safer.

Plugin Security Checklist

Themes and plugins open up a whole new world of possibilities and allow you to do more with WordPress. But what about security? Before you start installing themes and plugins, stop to consider the following:

  • Take some time to do some research about the developers.
  • Check the ratings – this could be a good indicator, but don’t trust it blindly.
  • Check the reviews – if people take their time to write a review, it’s awesome or terrible.
  • Has the plugin or theme had known vulnerabilities previously? If so, how did the developers or security team handle it?

Use your favorite search engine to search for ‘wordpress + plugin name + exploit’ or ‘wordpress + plugin name + vulnerabilities’ and look at the results; also search databases like https://web.nvd.nist.gov/view/vuln/search and https://www.exploit-db.com. Doing so will give you a pretty good idea about the plugin or theme: how many vulnerabilities have been discovered, whether there is any known vulnerability in the latest version, and so on.
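Searching the NVD by hand answers the question "is the version I am about to install affected?" one record at a time. The script below is an added example (not from the original post or from Disposable mail) that automates that check offline: it takes records shaped like the NVD 2.0 API response, finds the CPE entries for a given plugin product name, and tests whether the installed version falls inside each record's `versionStart*`/`versionEnd*` range. The records, the product name `example_seo` and the `CVE-0000-000x` ids are constructed placeholders, not real advisories; `affected_cves`, `vcmp` and `version_in_range` are names chosen for this example.

```python
"""Added example: match an installed WordPress plugin version against
vulnerability records in the shape of the NVD 2.0 API response.
All records below are constructed placeholders, not real CVEs."""
import re

# Constructed NVD-style response: two range-based records for "example_seo" and
# one exact-version record for "other_plugin".
SAMPLE_NVD = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:example:example_seo:*:*:*:*:*:wordpress:*:*",
         "versionEndExcluding": "1.4.0"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:example:example_seo:*:*:*:*:*:wordpress:*:*",
         "versionStartIncluding": "1.2.0", "versionEndIncluding": "1.5.2"}]}]}]}},
    {"cve": {"id": "CVE-0000-0003", "configurations": [{"nodes": [{"cpeMatch": [
        {"vulnerable": True,
         "criteria": "cpe:2.3:a:example:other_plugin:2.0.0:*:*:*:*:wordpress:*:*"}]}]}]}},
]}


def parse_version(v):
    """'1.2.10' -> (1, 2, 10); non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def vcmp(a, b):
    """Compare two version strings; missing trailing components count as 0.
    Returns -1, 0 or 1."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def version_in_range(installed, match):
    """True if `installed` lies inside the NVD range fields of one cpeMatch entry."""
    if "versionStartIncluding" in match and vcmp(installed, match["versionStartIncluding"]) < 0:
        return False
    if "versionStartExcluding" in match and vcmp(installed, match["versionStartExcluding"]) <= 0:
        return False
    if "versionEndIncluding" in match and vcmp(installed, match["versionEndIncluding"]) > 0:
        return False
    if "versionEndExcluding" in match and vcmp(installed, match["versionEndExcluding"]) >= 0:
        return False
    return True


def affected_cves(product, installed, nvd_response):
    """Return the sorted CVE ids whose CPE entries cover `product` at `installed`."""
    hits = set()
    for item in nvd_response["vulnerabilities"]:
        cve = item["cve"]
        for cfg in cve.get("configurations", []):
            for node in cfg.get("nodes", []):
                for match in node.get("cpeMatch", []):
                    if not match.get("vulnerable", True):
                        continue
                    # cpe:2.3:part:vendor:product:version:... -> product is field 4, version field 5
                    parts = match["criteria"].split(":")
                    if parts[4] != product:
                        continue
                    exact = parts[5]
                    has_range = any(k.startswith("version") for k in match)
                    if has_range:
                        if version_in_range(installed, match):
                            hits.add(cve["id"])
                    elif exact in ("*", "-") or vcmp(installed, exact) == 0:
                        # No range fields: the criteria's own version field decides.
                        hits.add(cve["id"])
    return sorted(hits)


if __name__ == "__main__":
    for ver in ("1.3.9", "1.5.2", "1.6"):
        print(ver, affected_cves("example_seo", ver, SAMPLE_NVD))
```

With a real response from the NVD API, the same `affected_cves` call tells you whether the plugin version you are about to install, or the one already running, is inside any published affected range; `versionEndIncluding` records in particular are easy to misread by eye.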

Security plugins

There are a lot of plugins made to enhance your WordPress site’s security; some of them are good, and some should never have been made in the first place.

Below are three of the most popular security plugins.

1. Wordfence


This security plugin protects you against malware and several other things. It scans all your files (core, plugins and themes) for malware infections, stops brute-force attacks, checks for known backdoors such as c99, R75, WSO, etc., and lets you add two-factor authentication.

In 2014, vexatioustendencies.com discovered two stored XSS vulnerabilities in Wordfence. The vulnerabilities should never have existed; however, the Wordfence team acted quickly and patched them within 12 hours.

The vulnerabilities are pretty interesting, you can read more about them here.


2. Bulletproof Security


Another very popular security plugin; it protects against XSS, RFI, CRLF, CSRF, Base64, code injection and SQL injection, among other things.

Update: In March 2016, XSS vulnerabilities were discovered in Bulletproof Security. The issues that affected version 53.3 were fixed, but the incident illustrates the importance of both responsible disclosure and continuous security testing and research.

3. All In One WP Security & Firewall


This popular plugin includes a web application firewall. It protects against XSS, SQL injection and other attacks, has backup functions, and more.

In 2013, Checkmarx did a static code analysis of the 50 most popular plugins and concluded that 18 were vulnerable. Together, these plugins had 18.5 million downloads. You can read their full analysis here.

Several of the plugins and themes out there have had problems with security and they are going to have more problems in the future. That’s ok. What’s more important is how the situation gets handled when the vulnerability is discovered.

See Mark Jaquith talk about Theme & Plugin Security:

Read more: Do you know how to set up WordPress for maximum security? Check out our WP security tips!

Stay safe!


Author: Anders Raldin


WordPress Security | Disposable mail Blog – 10 minute mail

WordPress is amazing, we can’t argue with that. It’s efficient, powerful, and functional. However, given that it is the most popular Content Management System (CMS) in use, it is also the most vulnerable CMS platform out there. To learn more about WordPress vulnerabilities and ways to improve the security of your site, take a look at this list of our WordPress articles and updates.

How To Improve Your WordPress Security

Although WordPress is safer than it used to be, outdated installations and vulnerable plugins are still a threat. We list a few easy fixes that can help you improve your site’s security.

How to Improve Your WordPress Security: Plugins and Themes

A clean WordPress installation is not much fun, but plugins and themes can have security issues that should not be ignored. In this blog post, we explain what is good to take into consideration when installing a plugin or theme, and give tips on some useful WordPress security plugins that can make your WordPress experience safer.

IT Security FAQ

We love talking about security and we believe that security knowledge should be easily accessible and fun. This is why we came up with our IT Sec FAQ series! In 10 short Q&A format posts, we explain basic web security concepts combined with tips and comments from our very own security experts.

IT Security FAQ 2: What should you think about when installing a new plugin on WordPress?

So many plugins, so little time! One of the great things about WordPress is the wide variety of plugins available. What about security?

IT Security FAQ 6: What CMS is the most vulnerable?

Trying to settle on a CMS and not sure what to choose? We explain what you should keep in mind when choosing a CMS.

Alerts & Release Updates

[Alert] Stored XSS in WordPress Plugin Jetpack
[Alert] New WordPress XSS Vulnerability Discovered
Updates on the security status of WordPress and Yoast
Release: Improved PDF report and new WordPress vulnerabilities

More reading

OWDT: Check out 8 tips on how to protect your WordPress website in 2017
