20% of the most popular WordPress plugins are vulnerable • WordPress Help


A study by the firm Checkmarx has revealed that more than 20% of the 50 most popular WordPress plugins are vulnerable to common attacks such as SQL injection.

In addition, 7 of the 10 most popular e-commerce plugins contain vulnerabilities.

The net effect is that more than 8 million copies of vulnerable WordPress plugins have been downloaded.

Some details of the report:

    • 20% of the most popular WordPress plugins are vulnerable to common web attacks: SQL injection (SQLi), cross-site scripting (XSS), cross-site request forgery (CSRF) and path traversal (PT).
    • 7 of the 10 most popular WordPress e-commerce plugins are vulnerable to the same common web attacks. That means more than 1.7 million copies of vulnerable e-commerce plugins have been downloaded. These plugins are vulnerable to SQLi, XSS, CSRF, RFI/LFI and PT.
    • There is no direct relationship between the number of lines of code (LOC) of a plugin and its vulnerability level.
    • Only 6 plugins had their vulnerabilities completely fixed within six months, even though all of the plugins were updated to newer versions during that same period.
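To make the four bug classes the report counts concrete, here is an added example (not code from the Checkmarx report, nor from any of the plugins it examined): each weakness as a deliberately vulnerable function next to a hardened one. It is plain PHP with an in-memory SQLite database so it runs from the command line; the comments name the WordPress API a plugin author would use for the same fix. The table, logins and temporary template directory are constructed for the demo.

```php
<?php
// Added example: the SQLi, XSS, CSRF and path-traversal patterns counted by the
// Checkmarx study, vulnerable vs hardened. Not taken from any real plugin.

// --- constructed fixture -----------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)");
$db->exec("INSERT INTO users (login, role) VALUES ('alice', 'admin'), ('bob', 'subscriber')");

// --- 1. SQL injection --------------------------------------------------------
// VULNERABLE: the request value is pasted into the SQL text, so quotes change the query.
function find_user_vulnerable(PDO $db, string $login): array {
    $sql = "SELECT login, role FROM users WHERE login = '$login'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}
// HARDENED: a placeholder keeps data out of the SQL grammar.
// WordPress: $wpdb->get_results( $wpdb->prepare( "... WHERE login = %s", $login ) )
function find_user_hardened(PDO $db, string $login): array {
    $stmt = $db->prepare("SELECT login, role FROM users WHERE login = ?");
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 2. Cross-site scripting -------------------------------------------------
// VULNERABLE: untrusted text is echoed raw into HTML.
function greet_vulnerable(string $name): string {
    return "<p>Hello, $name</p>";
}
// HARDENED: escape for the HTML context at output time. WordPress: esc_html() / esc_attr()
function greet_hardened(string $name): string {
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- 3. Cross-site request forgery -------------------------------------------
// VULNERABLE: any POST is honoured, including one auto-submitted from another site.
function delete_user_vulnerable(PDO $db, array $post): bool {
    $db->prepare("DELETE FROM users WHERE login = ?")->execute([$post['login']]);
    return true;
}
// HARDENED: require a per-session token and compare it in constant time.
// WordPress: wp_nonce_field() in the form, check_admin_referer() / wp_verify_nonce() on submit
function delete_user_hardened(PDO $db, array $post, string $session_token): bool {
    if (!isset($post['csrf']) || !hash_equals($session_token, (string) $post['csrf'])) {
        return false;   // missing or wrong token: do nothing
    }
    $db->prepare("DELETE FROM users WHERE login = ?")->execute([$post['login']]);
    return true;
}

// --- 4. Path traversal -------------------------------------------------------
// VULNERABLE: a request parameter becomes part of a filesystem path ("../" walks out).
function read_template_vulnerable(string $base, string $name): ?string {
    $path = $base . '/' . $name;
    return is_file($path) ? file_get_contents($path) : null;
}
// HARDENED: resolve the path and insist it stays inside the base directory.
// WordPress: sanitize_file_name() on the name, plus this same realpath() containment check
function read_template_hardened(string $base, string $name): ?string {
    $real_base = realpath($base);
    $real      = realpath($base . '/' . $name);
    if ($real_base === false || $real === false
        || strncmp($real, $real_base . DIRECTORY_SEPARATOR, strlen($real_base) + 1) !== 0) {
        return null;   // outside the base directory (or non-existent): refuse
    }
    return file_get_contents($real);
}

// --- demo ----------------------------------------------------------------------
$injected = "x' OR '1'='1";
echo "injection, vulnerable: ", count(find_user_vulnerable($db, $injected)), " rows (the OR clause matches every user)\n";
echo "injection, hardened:   ", count(find_user_hardened($db, $injected)), " rows (no login literally equals the payload)\n";
echo "xss, hardened: ", greet_hardened('<script>alert(1)</script>'), "\n";
echo "csrf, hardened, wrong token: ", var_export(delete_user_hardened($db, ['login' => 'bob', 'csrf' => 'bad'], 'good'), true), "\n";
$tmp = sys_get_temp_dir() . '/plugin_tpl_' . getmypid();   // constructed template dir
mkdir($tmp);
file_put_contents("$tmp/hello.html", "hello\n");
echo "traversal, hardened: ", var_export(read_template_hardened($tmp, '../../etc/passwd'), true), "\n";
echo "in-base file, hardened: ", var_export(read_template_hardened($tmp, 'hello.html'), true), "\n";
unlink("$tmp/hello.html");
rmdir($tmp);
```

Note that the vulnerable variants are never called with the injection payload against anything but the throwaway in-memory database; they exist only to show the shape of the bug that the hardened version removes.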

A couple of tables from the report with the breakdown:

Table: Vulnerabilities in the 50 most popular plugins

Table: Vulnerabilities in the 10 most popular e-commerce plugins

The Checkmarx study warns that this is an alarming and dangerous situation. Attackers can exploit these vulnerable plugins to access sensitive information such as user data, financial details (especially in e-commerce plugins) and any other information supplied by users who register on sites running vulnerable plugins.

Other vulnerabilities could allow attackers to take websites down or redirect them to sites under the attacker's control, taking full control of the vulnerable websites and adding them to a botnet (a "zombie network").

The report also takes the opportunity to make some recommendations to webmasters and bloggers which will already sound familiar to readers of WordPress Help, given how tiresomely I keep repeating them:

  • Download plugins only from the official WordPress.org website
  • Scan every plugin for security problems
  • Make sure all your plugins are up to date
  • Delete any plugin you no longer use

And, so you do not forget, here are a few important security tips:

If you want to read the full report, titled "WordPress Security Status, the top 50 plugins", here is a direct download link …

And no, the report does not name the vulnerable plugins, although I hope the authors have reported them to the developers. If you want, you can guess a few from the descriptions and download counts given in the tables. In the meantime, we will stick to the good old security advice.

Original story: Checkmarx

NOTICE: this post is two or more years old. If it is code or a plugin it may not work in the latest versions of WordPress, and if it is a news story it may be out of date. So don't say we didn't warn you.


You may also find these useful:

SecurePress, total security in WordPress

SecureLive is a website security system not exclusive to WordPress (there are versions for Joomla, PHP, Magento and more), but it also exists as a free plugin, SecurePress, that you can install from the plugin installer or from the official SecurePress page.

What SecurePress offers is a comprehensive detection and alerting system for hacking attempts and exploits against WordPress: it not only detects attacks but blocks them, alerts you and even sends you reports by email or text message. SecureLive claims it detects 98.9% of possible attacks, which is no small thing, although you already know that in security software we are always one step behind the attackers and nobody can guarantee 100% effectiveness.

If you want to try it you can download it from the official site or install it from within your WordPress (it is in the official repository).

The system is really complete, and there is even a video explaining the concept and how it works, this one …

How to display WordPress error messages

It is not the first time that the curious way WordPress protects itself against prying eyes has come up. The trouble is that in some things it errs on the side of caution and in others it is careless.

We already saw how careless it is when it comes to reporting errors in bad input data, and we saw a possible solution, but what happens when we want to see the errors and it does not show them? By default, WordPress hides a great many errors, on the theory that there is no need to give clues to possible intruders.

Now, if you need to see the errors of an installation, something very common when you are troubleshooting failures on your own site or on a client's, there is no way WordPress will tell you on its own what is failing.

The solution? Fortunately a very simple one. You just have to add the following line at the top of the .htaccess file in the root folder of the WordPress installation, and your site will show you every error it generates:

You can even do it from your WordPress admin panel if you are not comfortable with FTP clients. And, of course, bear in mind that this should only be used while you are finding and fixing errors; it is not something to leave permanently in your .htaccess, because the messages it displays (absolute file paths, table names, fragments of failing queries) are exactly the clues to intruders that WordPress hides by default.
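As an added example (not the line from the original post), here is what the debug-only setting in the root .htaccess typically looks like, together with the settings to put back once you are done. The log path is an assumption; adjust it to your hosting. The `php_flag` / `php_value` directives only take effect when PHP runs as an Apache module (mod_php); where PHP runs under PHP-FPM or CGI, Apache does not know these directives and answers every request with a 500 error, so there you would instead define `WP_DEBUG` and `WP_DEBUG_DISPLAY` as true in wp-config.php while debugging.

```apache
# --- while debugging (remove when finished) -----------------------------------
php_flag  display_errors         On
php_flag  display_startup_errors On
php_value error_reporting        -1

# --- what the same block should say in production -----------------------------
# Errors go to a log you can read, never to the visitor's browser.
# Uncomment these and delete the three lines above when you are done:
#php_flag  display_errors Off
#php_flag  log_errors     On
#php_value error_log      /var/www/example.com/logs/php-error.log   # assumed path, outside the web root
```

Keep the log file outside the document root so that the same paths and query fragments you wanted to hide from visitors are not served to them as a text file.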

content/themes/rmv.php – Security Risk • WordPress Help

Although site hacks happen all the time, most of them are benign issues. Typically, the hackers plant a few spam links at the bottom of your template. That kind of issue is usually fixed easily with an update and little else. But there has never been anything as tenacious as remv.php (it comes from phpRemoteView, a script which, although not widely used, is dangerous when you do not know how to remove it). This one is serious, almost a little scary. It seems it can be used to facilitate a DDoS attack (Distributed Denial of Service), and it does so by placing the file remv.php somewhere hidden inside your wp-content/themes/ folder. But since everything in this life has a solution, here is the complete process, developed by Jason Cosper, to get rid of this unwelcome visitor on your blog:

None of this will be a problem for you if you always keep your blog up to date, especially with security updates, so be sure to visit WordPress Help and the WordPress Development Blog. If you know anything else about the infamous "remv.php", share it in the comments; we will be glad to learn more about this problem. It seems it is no longer the method hackers currently use, but if you search on Google you will see that more than one site has fallen to it.

Has your theme been hacked?

Nowadays it is not impossible for a WordPress theme to be hacked: if you do not follow some minimum security rules, someone could insert code into your theme. But not only that; there is an even easier route. Led by the search results, you may end up downloading a theme from a dubious site instead of the official one, and activating it on your blog without knowing that it includes malicious code.

If you have doubts, or want to make sure, you can check with the plugin Theme Authenticity Checker (TAC). What it does is search the files of your installed themes and try to detect malicious code. If it finds code of that type, it shows the path to the theme file, the line number where it is, and a small sample of the suspicious code.

Now, is that code certain to be malicious? Not necessarily. Not many, but some theme authors do include code hidden in Base64 or similar encodings, for example to stop people removing the credits to the author or their sponsors.

So how do I know whether the code is malware or not? The easiest thing is to contact the author and ask, or, if you prefer, download the "official" version and compare the differences.

In any case, Theme Authenticity Checker gives you clues about code that should not be there, code that is not normal in a WordPress theme.
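To show what a check like TAC's actually does, and to cover the "remv.php hidden somewhere under wp-content/themes/" case from the post above, here is an added example that is not TAC's code nor Jason Cosper's removal process. It walks a themes directory, flags PHP constructs that are rarely legitimate in a theme (obfuscation, code execution, remote includes, hidden links) and files with names known from drop-ins such as remv.php, and reports path, line number and a snippet, in the same spirit as TAC. The sample theme tree it scans is constructed inside a temporary directory; the suspicious line in it is never executed, only read. The rule list and the drop-in filename list are this example's own choices.

```php
<?php
// Added example, not the Theme Authenticity Checker plugin: a minimal theme
// scanner. A hit is a lead, not proof of malware; compare with the official
// download and ask the author, as the post recommends.

const SUSPICIOUS_PATTERNS = [
    'obfuscation'    => '/\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(/i',
    'code execution' => '/\b(eval|assert|create_function|system|exec|shell_exec|passthru|popen|proc_open)\s*\(/i',
    'remote include' => '/\b(include|require)(_once)?\s*\(?\s*["\']https?:\/\//i',
    'hidden link'    => '/<a\b[^>]*style\s*=\s*["\'][^"\']*display\s*:\s*none/i',
];
// File names worth flagging on sight; remv.php is the drop-in from the post,
// phpremoteview.php the script it descends from. Extend to taste.
const SUSPICIOUS_FILENAMES = ['remv.php', 'phpremoteview.php'];

/**
 * Scan every .php file below $dir.
 * Returns a list of [relative path, line number (0 = whole file), rule, snippet].
 */
function scan_theme_dir(string $dir): array {
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $rel  = substr($path, strlen($dir) + 1);
        if (in_array(strtolower($file->getFilename()), SUSPICIOUS_FILENAMES, true)) {
            $findings[] = [$rel, 0, 'known drop-in filename', $file->getFilename()];
        }
        foreach (file($path, FILE_IGNORE_NEW_LINES) as $i => $line) {
            foreach (SUSPICIOUS_PATTERNS as $rule => $re) {
                if (preg_match($re, $line)) {
                    // Report the line number and a short sample, as TAC does.
                    $findings[] = [$rel, $i + 1, $rule, trim(substr($line, 0, 80))];
                }
            }
        }
    }
    return $findings;
}

// --- constructed sample theme tree (a clean theme and a tampered one) ----------
$root = sys_get_temp_dir() . '/theme_scan_demo_' . getmypid();
mkdir("$root/clean-theme", 0700, true);
mkdir("$root/shady-theme", 0700, true);
file_put_contents("$root/clean-theme/functions.php",
    "<?php\nadd_action('wp_enqueue_scripts', function () {\n"
  . "    wp_enqueue_style('main', get_stylesheet_uri());\n});\n");
file_put_contents("$root/shady-theme/footer.php",
    "<?php get_sidebar(); ?>\n"
  . "<div id=\"credits\"><?php eval(base64_decode('ZWNobyAnaGknOw==')); ?></div>\n"   // encoded "echo 'hi';", never run
  . "<a href=\"http://example.invalid/pills\" style=\"display:none\">cheap</a>\n"
  . "</body></html>\n");
file_put_contents("$root/shady-theme/remv.php",
    "<?php // dropped file pretending to be a theme helper\n");

foreach (scan_theme_dir($root) as [$rel, $line, $rule, $snippet]) {
    printf("%s:%d  [%s]  %s\n", $rel, $line, $rule, $snippet);
}

// --- clean up the constructed tree ----------------------------------------------
foreach (['clean-theme/functions.php', 'shady-theme/footer.php', 'shady-theme/remv.php'] as $f) {
    unlink("$root/$f");
}
rmdir("$root/clean-theme");
rmdir("$root/shady-theme");
rmdir($root);
```

Run against a real install by pointing `scan_theme_dir()` at wp-content/themes/ instead of the constructed tree. Expect some noise: `base64_decode()` also turns up in honest themes, which is exactly why the post says to compare against the official download before deleting anything.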

What you have just read is original content from WordPress Help – Resources, themes, plugins and tutorials in Spanish, first published by Fernando Tellado here: Has your theme been hacked?

Two tips: Install WP 2.5.1 and disable Google XML Sitemaps

If you do not know what to do today or tomorrow, do not think twice: install the update to WordPress 2.5.1 to avoid being hacked, and disable the Google XML Sitemaps plugin to ease the memory load on your blog. We did both as soon as we could.

The post Two tips: Install WP 2.5.1 and disable Google XML Sitemaps was first published by Fernando Tellado on WordPress Help. Do not copy content; it says nothing good about you to your readers.

Vulnerability in WordPress 2.3.3

I'm sure we will soon have a new version of WordPress, 2.3 … 4, since a vulnerability has been discovered that lets an attacker create folders and pages inside wp-content. It was announced on Smackdown and commented on at Girl SEO and Inkilino.

It seems it can be worked around temporarily by adding these two lines to your robots.txt file (bear in mind that robots.txt is only honoured by well-behaved crawlers; it keeps the planted pages out of search engines, but it does nothing against an attacker who requests the URLs directly):

I also recommend reviewing this post on protecting your installation, and let's hope it does not happen to you. For now you can see the list of blogs hacked through this route in this Google search.