Dan and Eric discuss their top picks for WordPress news stories of the week and the topic of professionalism. What is it β what does it mean for us in the WordPress community, and how does it relate to a healthy open source project and business ecosystem?
Remote Access Trojans (RATs) are new to me β apparently, you can get one on a Windows machine as a malware payload from fake CloudFlare DDoS alert pages on hacked WordPress sites. Ben Martin at Sucuri explains “a recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead…
My first experiences with “nulled” (or back in the day “cracked”) software date back to the golden days of the Atari 8-bit and Commodore Amiga. Blank floppy disks were cheap, and like most kids, I did not have a lot of money or even at times access to legitimate software distributors. Naturally, the way we…
David and Cory talk about the Post Status job board and #gigs Slack channel, as well as WordPress settings screens that make Brian scream. π±
This is a security nightmare: a researcher managed to breach over 35 major companies’ internal systems (including Microsoft, Apple, PayPal, Shopify, and more) in a software supply chain attack. π± The attack comprised uploading malware to open source repositories including PyPI, npm, and RubyGems, which then got distributed downstream automatically into many companies’ internal applications….
Sucuri has found some malware that can disable security plugins to avoid detection. π¨ This is really devious! Luke Leal explains: “If a user tries to reactivate one of the disabled security plugins, [the Malware] will momentarily appear to activate only for the malware to immediately disable it again. This behavior will prevail until the…
Add this to the list of crappy things in 2020: Ben Martin at Sucuri shares another newly discovered variation of a credit card swiper he found on a WordPress WooCommerce site. π³ Ben says, “2020 appears to be the year of the credit card swiper, and more and more of this malware seems to be…
Ben Martin, who is Sucuri‘s Remediation Team Lead, breaks down the way dedicated credit card swiping malware works within WordPress. π³ This is not common, but as Ben points out, we can expect more of it: “With WooCommerce recently overtaking all other eCommerce platforms in popularity, it was only a matter of time before we…
Cloudflare has introduced 1.1.1.1 for Families, an easy way to “to add a layer of protection to your home network and protect it from malware and adult content.”
Wordfence published a comprehensive whitepaper analyzing WP-VCD, which is the name for an intensifying malware campaign that is spread via βnulledβ or pirated plugins and themes. β οΈ
WebKit recently released its tracking prevention policy, which defines covert tracking as a type of malware it will “do its best to prevent.” π It will be interesting to see how adtech companies and those who rely on covert tracking will respond.
Denis Sinegubko from Sucuri notes a recent malware redirect campaign that targets vulnerable tagDiv themes and the Ultimate Member PluginΒ which was recently updated. This is a good reminder to keep your themes and plugins updated, but another good piece of advice from Denis is to “make sure to clean and harden all the sites that…
In fewer than six years, Sucuri went from a team trying to decide when the founders should go full time, to a team of more than one hundred people, and an acquisition deal in their hands from one of the world’s largest web hosts. The company was founded in 2009, but it wasn’t until January…
Jetpack 4.5 has several new features, including a newly designed VideoPress that I look forward to checking out further. But what caught my eye the most is that Automattic is now making WordAds — their home grown ad platform that has run on WordPress.com for centuries — available to all Jetpack users. This is an…
Denis Sinegubko from Sucuri demonstrates what lessons we can learn from WordPress WP-Login malware in a recent post. If your site is ever hacked, always remember that hackers can take over existing legit admin accounts – so Denis recommends not even have the default admin account exist, along with the usual recommendations most of us…
Wordfence is getting into the “forensic” and malware cleaning business for WordPress sites. The service is a pretty logical extension of the plugin, and they’re charging $179 to clean sites, or $120 for Wordfence Pro customers.
End of content
End of content
