Posts tagged with "WordPress"

Do you own a custom domain or a blog under the wordpress.com domain name?
If yes, then there is good news for you.
WordPress.com is bringing free HTTPS to every blog and website it hosts, in an effort to make the Web more secure.
WordPress, the free, open source and most popular content management system (CMS) on the Web, is used by over a quarter of all websites, so this move represents a large shift towards a more secure Internet.
WordPress.com announced on Friday that it has partnered with the Let's Encrypt project (run by the Internet Security Research Group, with the Electronic Frontier Foundation among its founding sponsors), allowing it to provide reliable and free HTTPS for all of its customers that use custom domains for their WordPress.com blogs.
Every website hosted on wordpress.com now gets a TLS certificate and displays the padlock in the address bar.
“For you, the users, that means you’ll see secure encryption automatically deployed on every new site within minutes. We are closing the door to unencrypted web traffic (HTTP) at every opportunity,” WordPress said in its blog post.
HTTPS has already been available for all sub-domains registered on wordpress.com, but with the latest update the company is offering free certificates for custom domains that use the WordPress.com backend as well.
In short, users with custom domains (for example, https://abcdomain.com) receive a free certificate issued by Let's Encrypt on WordPress.com's behalf, deployed automatically on WordPress.com's servers with no action required from the site owner.
Until now, switching a web server from HTTP to HTTPS has been a hassle and an expense for website operators, and certificates were notoriously hard to install and maintain.
With the launch of Let's Encrypt, anyone can obtain free SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates for their web servers and set up an HTTPS website in a few simple steps, with issuance and renewal automated.
Now WordPress.com is also taking advantage of this free, open source initiative for its sites.
So you might have a question in your mind:
What do I need to do to activate HTTPS on my WordPress blog?
Nothing. WordPress.com is activating HTTPS on all of its millions of websites without you having to do anything.
Let's Encrypt certificates are trusted by all major browsers, including Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer, so you need not worry about their validity. One caveat: a certificate alone does not close the door to plain HTTP. Check that http:// requests to your domain redirect to https:// and that mixed content (scripts or images still loaded over http://) has been cleaned up, or browsers will not show the padlock.
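The check a site owner would want after a rollout like this is whether plain HTTP is actually closed: does http:// redirect permanently to https:// on the same host, and does the HTTPS side send an HSTS policy with a sensible lifetime? The following is an added example, not code from the original post or from WordPress.com. It audits two raw HTTP responses offline; the response texts, the domain abcdomain.com and the 180-day HSTS minimum are constructed assumptions.

```python
"""Offline audit of an HTTP->HTTPS rollout.

Added example (not from the original post or WordPress.com). Given the raw
response to an http:// request and the raw response to an https:// request,
report whether plain HTTP is permanently redirected to HTTPS on the same host
and whether HSTS is set with an acceptable max-age.
"""

from urllib.parse import urlsplit

# Constructed sample: what http://abcdomain.com/ might answer after the rollout.
SAMPLE_HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://abcdomain.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Constructed sample: what https://abcdomain.com/ might answer.
SAMPLE_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html>...</html>"
)

MIN_HSTS_MAX_AGE = 15552000  # 180 days; an assumed minimum, set your own policy


def parse_response(raw):
    """Return (status_code, {lowercased header name: value}) from a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security value; max_age is an int or None if unusable."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        max_age = None
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def audit_rollout(host, http_raw, https_raw):
    """Return a list of findings; an empty list means plain HTTP looks closed."""
    findings = []

    status, headers = parse_response(http_raw)
    # A 302/307 still moves visitors, but a permanent redirect is what closes the door.
    if status not in (301, 308):
        findings.append(f"http: expected a permanent redirect, got {status}")
    location = headers.get("location", "")
    target = urlsplit(location)  # relative or missing Location yields no scheme/host
    if target.scheme != "https" or target.hostname != host.lower():
        findings.append(f"http: redirect target is not https://{host}: {location!r}")

    status, headers = parse_response(https_raw)
    if "strict-transport-security" not in headers:
        findings.append("https: no Strict-Transport-Security header")
    else:
        hsts = parse_hsts(headers["strict-transport-security"])
        if hsts["max_age"] is None or hsts["max_age"] < MIN_HSTS_MAX_AGE:
            findings.append(f"https: HSTS max-age {hsts['max_age']} below {MIN_HSTS_MAX_AGE}")
    return findings


if __name__ == "__main__":
    for finding in audit_rollout("abcdomain.com", SAMPLE_HTTP_RESPONSE, SAMPLE_HTTPS_RESPONSE):
        print(finding)
```

The certificate chain itself cannot be judged from response headers; for that, `openssl s_client -connect abcdomain.com:443 -servername abcdomain.com` prints the chain, and a Let's Encrypt issuer should appear in it.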

WordPress.com, the fully hosted version of WordPress, has received one of its biggest updates ever today. Codenamed Calypso, it is a rewrite of WordPress.com from scratch by Automattic; everything is new under the hood. Here are the big changes.

First, WordPress.com is now fully separated from the WordPress core. WordPress.com is now an admin interface that interacts with the WordPress core just like any other third-party interface and app out there. It uses a REST API to fetch your posts, publish new ones, upload photos and more.

Second, the team behind WordPress.com switched to an entirely new stack for the interface. Instead of PHP pages rendered by the server, the admin interface is written in JavaScript (React in the browser, Node.js on the server) and talks to the backend only through API calls. It means that when you go to the website, the server delivers a full WordPress client that mostly runs in your browser, while the content itself still lives on the PHP and MySQL backend behind the REST API.

It’s a Single Page Application, meaning that you will get very few loading screens when you interact with the interface. It should work well on your phone and tablet as well — everything is responsive. If you were using the WordPress admin backend, you can still go directly to your backend. But you also have another option now on WordPress.com if you are using a hosted WordPress.com blog, a self-hosted WordPress with the Jetpack plugin or a WordPress VIP site (like TechCrunch).

Finally, everything is open source and on GitHub. You can look at the code, fork it and reuse it as long as you comply with the GNU General Public License version 2.

But the team didn’t stop there. You can also download a new Mac app to access WordPress.com. In many ways, this app works like the Slack desktop app. It leverages web technologies and desktop features so that you get more or less the exact same thing as on the WordPress.com website, but with a few goodies, such as notifications. Windows and Linux apps are in the works.

I downloaded the app and played with it for a few minutes. If you’re familiar with the WordPress.com interface, you’ll feel right at home as it looks exactly the same. But it’s always nice to have an app icon in the Dock.

So why did Automattic, the company behind WordPress.com, go through this painful rewriting process? Because WordPress.com now feels and works like a modern web app. It's back in the game against newcomers such as Medium.

While the editor lacks many features that WordPress power users make use of (including TechCrunch writers), WordPress.com is a clean, efficient writing interface that should appeal to many people who are writing today on Medium.

25 percent of the web today runs on WordPress. This is no small feat, and WordPress isn’t the young, hustling startup working against bigger companies — it’s a web giant. With today’s move, Automattic proves that it is still aware of its environment and potential threats. It’s an encouraging sign for the future of WordPress.

A critical vulnerability in glibc, a core Linux library, can be exploited remotely through WordPress and likely other PHP applications to compromise Web servers.

The buffer overflow vulnerability, dubbed Ghost, was reported Tuesday by researchers from security vendor Qualys. It is identified as CVE-2015-0235 in the Common Vulnerabilities and Exposures database.

The bug is located in the gethostbyname*() functions of glibc (the GNU C Library). The fix was committed in May 2013 and shipped in glibc 2.18 (released August 2013), but it was not flagged as a security vulnerability at the time.

As a result, some Linux distributions, especially those developed for long-term support, did not backport the patch and were still using vulnerable glibc versions when the Qualys researchers identified the security implications of the bug during a code audit.

The overflow is in __nss_hostname_digits_dots(), the helper that gethostbyname() and gethostbyname2() (and their reentrant _r variants) call to handle names that look like IP addresses. Its size check leaves out one pointer, so a name of the right length overflows the caller's buffer by sizeof(char *) bytes, i.e. 4 or 8. PHP's gethostbyname() is a thin wrapper over the libc function, so PHP applications such as WordPress that resolve attacker-supplied hostnames remain reachable vectors until the system library is patched and the processes using it are restarted.

“An example of where this could be a big issue is within WordPress itself: it uses a function named wp_http_validate_url() to validate every pingback’s post URL,” wrote Sucuri researcher Marc-Alexandre Montpas in an advisory published Wednesday. “And it does so by using gethostbyname(). So an attacker could leverage this vector to insert a malicious URL that would trigger a buffer overflow bug, server-side, potentially allowing him to gain privileges on the server.”

So far, the only public proof-of-concept exploit is Qualys's against the Exim mail transfer agent (MTA). Experts agree that an exploit against another target would have to clear some significant hurdles.

“The exploitation depends on being able to convince a program to perform a DNS lookup of a host name provided by the attacker,” said researcher Michal Zalewski. “The lookup has to be done in a very particular way and must lack a couple of commonly-employed (but certainly not mandatory) sanity checks.”

The vulnerability affects glibc 2.2 through 2.17. Because the May 2013 fix was not labeled a security fix, it was not widely backported to long-term-support releases. Qualys published its analysis of which callers are affected: Exim, clockdiff, procmail and pppd reach the vulnerable code path with attacker-influenced names, while many other programs that call gethostbyname() apply enough checks to the name that they are not exploitable.

“This is a very critical vulnerability and should be treated as such,” Montpas said. “If you have a dedicated server or VPS running Linux, you have to make sure you update it right away.”

Montpas provided a PHP one-liner that admins can run from a shell on the server; if it dies with a segmentation fault, the server's glibc is vulnerable to Ghost:

php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'
Segmentation fault

A crash is conclusive; a clean run is not. The overflow is only sizeof(char *) bytes and only happens when the buffer size and the name length line up, so a process can survive it silently. Confirm the patch level from the package manager (for example rpm -q glibc or dpkg -l libc6) rather than from the absence of a crash.

Patching Ghost on Linux systems figures to be a bit more streamlined than the Bash vulnerability (Shellshock) that affected Linux, UNIX and Mac OS X systems last fall, with experts suggesting that patches from the respective Linux distributions followed by a system reboot should take care of the issue. So far, Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 were running vulnerable versions of glibc; all have released updates.

“To be clear, this is NOT the end of the Internet as we know it, nor is it another Heartbleed. In a general sense, it’s not likely to be an easy bug to exploit,” said Rapid7 CSO and Metasploit creator HD Moore. “Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting.  Without a reboot, services using the old library will not be restarted.”

Users of WordPress, the free and open source blogging tool and content management system (CMS), are being warned of a widespread malware campaign that has already compromised more than 100,000 websites worldwide and is still spreading.
The news broke through the WordPress community on Sunday morning when Google blacklisted over 11,000 domains because of the campaign, which loads code served from SoakSoak.ru and has therefore been dubbed the 'SoakSoak' malware epidemic.
With more than 70 million websites currently running WordPress, a campaign like this is a serious threat to anyone running their site on it.
Once a site is infected, visitors may see irregular behaviour, including unexpected redirects to SoakSoak.ru pages, and may end up with malicious files downloaded onto their computers without their knowledge.
Google has been on top of the infection and has added over 11,000 websites to its blacklist, which can seriously hurt the revenue of the owners of those sites.
The security team at Sucuri, which is actively investigating the vector of the malware, said the infection is not limited to WordPress sites alone, and that the impact is being seen across most hosts in the WordPress hosting spectrum.
SoakSoak modifies wp-includes/template-loader.php so that wp-includes/js/swobject.js is loaded on every page view of the site; that swobject.js file contains the encoded malicious JavaScript. Note the name: it mimics the genuine core file wp-includes/js/swfobject.js, but the dropped swobject.js is not part of WordPress.
If you run a website and are worried that it may be infected, Sucuri offers a free SiteCheck scanner that will check it for the malware. The exact method of intrusion has not been identified yet, but several signals suggest that many WordPress users have fallen victim to this attack.
Sites behind Sucuri's CloudProxy website firewall are protected from the SoakSoak campaign.
Source : THN
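The indicators in the article above (an altered wp-includes/template-loader.php that loads wp-includes/js/swobject.js, and the dropped script itself) are easy to check for from the server side, and a hash comparison of core files catches modifications the name-based rule misses. The scanner below is an added example, not code from the article or from Sucuri. The WordPress tree it builds is constructed; the injected PHP lines only resemble the real injection (the article says only that template-loader.php was altered to load swobject.js); and the hash manifest is derived from the sample's own clean file. On a real install, compare against the hashes for your exact core version instead, for example with `wp core verify-checksums`.

```python
"""Scan a WordPress document root for the SoakSoak indicators and for core-file drift.

Added example (not from the original article or Sucuri). The sample install,
the injected lines and the hash manifest are all constructed here.
"""

import hashlib
import os
import re
import tempfile

TEMPLATE_LOADER = os.path.join("wp-includes", "template-loader.php")  # file the malware edits
DROPPED_SCRIPT = os.path.join("wp-includes", "js", "swobject.js")     # file it makes every page load
INJECTION_PATTERN = re.compile(r"swobject\.js", re.IGNORECASE)         # extend with further indicators

# Constructed stand-in for a clean template-loader.php (not the real core file).
CLEAN_TEMPLATE_LOADER = (
    "<?php\n"
    "/**\n * Loads the correct template based on the visitor's url\n */\n"
    "if ( defined('WP_USE_THEMES') && WP_USE_THEMES )\n"
    "\tdo_action( 'template_redirect' );\n"
)

# Constructed stand-in for the injection: enqueue the dropped script on every page view.
INJECTED_LINES = (
    "function FuncQueueObject() {\n"
    "\twp_enqueue_script(\"swobject\", \"/wp-includes/js/swobject.js\", false);\n"
    "}\n"
    "add_action(\"wp_enqueue_scripts\", 'FuncQueueObject');\n"
)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, rel_paths):
    """Hash the listed core files under a known-clean install of the same version."""
    return {rel: sha256_file(os.path.join(root, rel)) for rel in rel_paths}


def scan_wordpress_root(root, manifest):
    """Return a list of findings for one install; an empty list means nothing was seen."""
    findings = []

    loader = os.path.join(root, TEMPLATE_LOADER)
    if os.path.isfile(loader):
        with open(loader, "r", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if INJECTION_PATTERN.search(line):
                    findings.append(f"{TEMPLATE_LOADER}:{lineno}: references the dropped script")

    if os.path.isfile(os.path.join(root, DROPPED_SCRIPT)):
        findings.append(f"{DROPPED_SCRIPT}: present (not a core file; the genuine one is swfobject.js)")

    # Generic check: any core file whose hash differs from the clean manifest.
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append(f"{rel}: missing")
        elif sha256_file(path) != expected:
            findings.append(f"{rel}: hash differs from manifest")
    return findings


def build_sample_install(root, infected):
    """Write a minimal constructed WordPress tree; infected=True adds both indicators."""
    os.makedirs(os.path.join(root, "wp-includes", "js"), exist_ok=True)
    with open(os.path.join(root, TEMPLATE_LOADER), "w") as fh:
        fh.write(CLEAN_TEMPLATE_LOADER + (INJECTED_LINES if infected else ""))
    if infected:
        with open(os.path.join(root, DROPPED_SCRIPT), "w") as fh:
            fh.write("eval(String.fromCharCode(/* constructed stand-in for the encoded payload */));\n")


def demo():
    """Build a clean and an infected sample install and scan both."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, infected = os.path.join(tmp, "clean"), os.path.join(tmp, "infected")
        build_sample_install(clean, infected=False)
        build_sample_install(infected, infected=True)
        manifest = build_manifest(clean, [TEMPLATE_LOADER])
        return scan_wordpress_root(clean, manifest), scan_wordpress_root(infected, manifest)


if __name__ == "__main__":
    clean_findings, infected_findings = demo()
    print("clean:", clean_findings)
    print("infected:", *infected_findings, sep="\n  ")
```

Run scan_wordpress_root() over every document root on the host, not just the site that showed symptoms; a clean result from the name-based rule alone is weak, which is why the manifest comparison is there.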

Users of WordPress, the free and open source blogging tool and content management system (CMS), who have a popular unpatched plugin installed are being urged to update their sites immediately.
A serious vulnerability in the MailPoet WordPress plugin allows an attacker to upload any file they want to the server, including malware, defacements and spam, without any authentication.
MailPoet, formerly known as Wysija Newsletter, is a WordPress plugin with more than 1.7 million downloads that lets site owners send newsletters and manage subscribers from within the CMS.
In a blog post, Daniel Cid, founder and CTO of the security firm Sucuri, described the vulnerability as serious and said that in the three weeks since it was disclosed, over 50,000 websites have been exploited remotely by criminals installing backdoors through the vulnerable plugin.
Some of the compromised websites do not even run WordPress, or do not have MailPoet enabled, because the malware infects every website that lives on the same server account as a hacked WordPress site, according to the researcher.

“The malware code had some bugs: it was breaking many websites, overwriting good files and appending various statements in loops at the end of files,” Cid said in a blog post. “All the hacked sites were either using MailPoet or had it installed on another site within the same shared account. Cross-contamination still matters.”

To be clear, the MailPoet vulnerability is the entry point; your website does not have to have the plugin enabled, or even installed. If it resides on the server in a neighbouring website under the same account, it can still affect your website.

Sucuri first reported the vulnerability at the beginning of the month. The backdoor that is installed is nasty: it creates an administrator account that gives the attackers full control of the site, and it injects backdoor code into all themes and core files.
The worst part of this infection is that the malicious code also overwrites valid files, which are very difficult to recover without a good backup in place. It breaks many websites, which then display a message like:

Parse error: syntax error, unexpected ‘)’ in /home/user/public_html/site/wp-config.php on line 91.

Sucuri says that every version of MailPoet except the most recent, 2.6.7, is vulnerable, so users should update as soon as possible.
Sucuri regularly reports vulnerabilities in WordPress plugins and urges users to install the updates. A week ago it urged users to update the WPtouch plugin because of a vulnerability that could let any logged-in, non-administrative user upload malicious PHP files or backdoors to the server.
A few weeks before that, Sucuri found two serious vulnerabilities in the popular WordPress SEO plugin "All in One SEO Pack" and a critical remote code execution (RCE) flaw in the "Disqus Comment System" plugin.
