The Register: Thousands of websites run buggy WordPress plugin that allows complete takeover

The Register: Thousands of websites run buggy WordPress plugin that allows complete takeover. “Miscreants have reportedly scanned almost 1.6 million websites in attempts to exploit an arbitrary file upload vulnerability in a previously disclosed buggy WordPress plugin. Traced as CVE-2021-24284, the vuln targets Kaswara Modern WPBakery Page Builder Addons and, if exploited, it would allow criminals to upload malicious JavaScript files and even completely take over an organization’s website.”

WordPress: 7 Best Security Plugins to Protect Your WordPress Site

WordPress: 7 Best Security Plugins to Protect Your WordPress Site. “If your website is running on WordPress and you haven’t invested in a robust security plugin, your site could be next on the hit list. Thankfully, there are a number of reliable and highly adaptable plugins available for WordPress sites (you can browse a few of the options available at Envato) but how do you know which one is right for your business?”

WP Tavern: rtCamp Launches WordPress Plugin Compare Project

WP Tavern: rtCamp Launches WordPress Plugin Compare Project. “The team behind rtCamp, a 125-person agency and a WordPress VIP Gold agency partner, has launched a new tool called WordPress Plugin Compare Project (WPPC) to help users extend WordPress with the right plugins for their needs. WPPC lets users search for plugins to compare and customize each selection displayed on [a] chart.”

The Hacker News: YODA Tool Found ~47,000 Malicious WordPress Plugins Installed in Over 24,000 Sites

The Hacker News: YODA Tool Found ~47,000 Malicious WordPress Plugins Installed in Over 24,000 Sites. “As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues. The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the Georgia Institute of Technology.”

Ars Technica: Researchers find backdoor lurking in WordPress plugin used by schools

Ars Technica: Researchers find backdoor lurking in WordPress plugin used by schools. “The premium version of School Management, a plugin schools use to operate and manage their websites, has contained the backdoor since at least version 8.9, researchers at website security service JetPack said in a blog post without ruling out that it had been present in earlier versions. This page from a third-party site shows that version 8.9 was released last August.”

Search Engine Journal: How to Block Scrapers, Hackers and Spammers with Wordfence

Search Engine Journal: How to Block Scrapers, Hackers and Spammers with Wordfence. “Wordfence is a popular WordPress security plugin. Among the features are a scanner that monitors for hacked files and a firewall with regularly updated rules that proactively blocks malicious bots. There’s also a useful feature tucked away in the tool that makes user-configurable firewall rules available that can supercharge your ability to block hackers, scrapers and spammers.” These are powerful techniques that look like they could go powerfully wrong, so proceed with caution.

MakeUseOf: The Top 7 Plugins for Cloning a WordPress Website

MakeUseOf: The Top 7 Plugins for Cloning a WordPress Website. “Cloning your WordPress website is a useful way of backing up your files or transferring your site to a staging or live environment. You can do this the manual way if you’re comfortable working on the backend of websites. But an alternative approach is to use a WordPress plugin. A plugin is the easier method, and in this article, we’ll take a quick look at seven of the best.”

Bleeping Computer: Nearly 30% of critical WordPress plugin bugs don’t get a patch

Bleeping Computer: Nearly 30% of critical WordPress plugin bugs don’t get a patch. “Patchstack, a leader in WordPress security and threat intelligence, has released a whitepaper to present the state of WordPress security in 2021, and the report paints a dire picture. More specifically, 2021 has seen a growth of 150% in the reported vulnerabilities compared to the previous year, while 29% of the critical flaws in WordPress plugins never received a security update.”

Bleeping Computer: WordPress force installs UpdraftPlus patch on 3 million sites

Bleeping Computer: WordPress force installs UpdraftPlus patch on 3 million sites. “WordPress has taken the rare step of force-updating the UpdraftPlus plugin on all sites to fix a high-severity vulnerability allowing website subscribers to download the latest database backups, which often contain credentials and PII. Three million sites use the popular WordPress plugin, so the potential for exploitation was substantial, affecting a significant share of the internet, including large platforms.”

Bleeping Computer: Massive attack against 1.6 million WordPress sites underway

Bleeping Computer: Massive attack against 1.6 million WordPress sites underway. “Wordfence analysts report having detected a massive wave of attacks in the last couple of days, originating from 16,000 IPs and targeting over 1.6 million WordPress sites. The threat actors target four WordPress plugins and fifteen Epsilon Framework themes, one of which has no available patch. Some of the targeted plugins were patched all the way back in 2018, while others had their vulnerabilities addressed as recently as this week.” I’m seeing a definite uptick in compromised WordPress sites in my Google Alerts.