WordPress Vulnerability Roundup: March 2021, Part 2


Written by Michael Moore on March 16, 2021

Last Updated on March 16, 2021

New WordPress plugin and theme vulnerabilities were disclosed during the third week of March. This report covers recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.

In the March, Part 2 Report

WordPress Core Vulnerabilities

WordPress 5.7 “Esperanza” Released – Update Now!

A new WordPress core version was released on March 9, 2021: WordPress 5.7 “Esperanza.”

Be sure to update all your sites to this latest version of WordPress. Check out 21 new features and enhancements in WordPress 5.7 to see what’s new, including:

  • An easier way to send password reset emails/links
  • Upgrade a site from HTTP to HTTPS with a single click
  • Custom icon and background colors + sizes for social icons block

WordPress Plugin Vulnerabilities

WordPress Theme Vulnerabilities

No new theme vulnerabilities have been disclosed this month.

March Security Tip: Use Two-Factor Authentication to Secure

Using two-factor authentication for your WordPress website user logins can help keep your website secure even if you use one of the plugins in this edition of the vulnerability roundup with an authentication bypass vulnerability.

Why? Two-factor authentication makes it nearly impossible for an unauthenticated user to log in to your website.

What is two-factor authentication? Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Two-factor authentication adds an extra layer of WordPress security to verify it’s actually you logging in and not someone who gained access to (or even guessed) your password.

Here are a few more reasons to use two-factor authentication to add another layer of protection to your WordPress login.

  • Reused passwords are weak passwords. According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that “81% of hacking-related breaches leveraged either stolen or weak passwords.”
  • Even though 91% of people know reusing passwords is poor practice, a staggering 59% of people still reuse their passwords everywhere!
  • Many people are still using passwords that have appeared in a database dump. A database dump occurs when a hacker successfully gains access to a user database and then dumps the contents somewhere online. Unfortunately for us, these dumps contain a ton of sensitive login and account information.
  • The “Collection #1” data breach that was hosted on MEGA included 1,160,253,228 unique combinations of email addresses and passwords. This kind of score will provide a malicious bot with over a billion sets of credentials to use in brute force attacks. A brute force attack refers to a trial and error method used to discover username and password combinations to hack into a website.
  • Even if you have a strong password, you’re only as secure as every other admin user on your site. Okay, so you are the type of person that uses a password manager like LastPass to create strong and unique passwords for each of your accounts. But what about the other administrator and editor users on your site? If an attacker was able to compromise one of their accounts, they could still do a ton of damage to your website.
  • Google has said two-factor authentication is effective against 100% of automated bot attacks. That alone is a pretty good reason.

How to Add Two-Factor Authentication to Secure Your WordPress Login with iThemes Security Pro

The iThemes Security Pro plugin makes it easy to add two-factor authentication to your WordPress websites. With iThemes Security Pro’s WordPress two-factor authentication, users are required to enter both a password AND a secondary code sent to a mobile device such as a smartphone or tablet. Both the password and the code are required to successfully log in to a user account.


To start using Two-Factor Authentication on your website, enable the feature on the main page of the iThemes Security Pro settings.


In this post, we unpack all the steps of how to add two-factor authentication to your site with iThemes Security Pro, including how to use a third-party app like Google Authenticator or Authy.


WordPress Disaster Week Starts Today! Live Webinars March 16 – 18, 2021

Are you ready if disaster strikes your WordPress website today? From running an update that breaks everything to hacks or accidentally deleting an important file, the reality is it’s not a matter of if but when something will go wrong with your site. And now, more than ever, the security threats your website faces are very real. 

To help you combat the threat of website disasters, we’re hosting the biggest free, online iThemes training event of the year so that EVERYONE can have a plan if and when a website catastrophe strikes.

Grab your spot here for WordPress Disaster Week, happening March 16, 17 & 18, 2021, with daily sessions happening from 1:00 – 3:00 p.m. (CT).

During this training, we’ll cover a complete plan for how to prevent and recover when website calamity strikes, including:

  • How to defend your site from the most common types of attacks in 2021
  • Signs you’ve been hacked
  • How to restore your site from a backup when something goes wrong
  • How to strengthen your site’s security with the iThemes Security Plugin
  • How to make money selling website backup & security services to clients

Can’t make the live training time? Go ahead and register and we’ll email you the video replays to watch at your convenience. See webinar time in your time zone here



Keep reading the article at WordPress News and Updates from iThemes – iThemes. The article was originally written by Michael Moore on 2021-03-16 12:03:58.

The article was hand-picked and curated for you by the Editorial Team of WP Archives.

Disclosure: Some of the links in this post are "affiliate links." This means if you click on the link and purchase the product, We may receive an affiliate commission.


WordPress Vulnerability Roundup: March 2021, Part 1


Written by Michael Moore on March 3, 2021

Last Updated on March 3, 2021

New WordPress plugin and theme vulnerabilities were disclosed during the first week of March. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.

In the March, Part 1 Report

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities

WordPress Theme Vulnerabilities

No new theme vulnerabilities have been disclosed this month.

March Security Tip: Why You Should Use Two-Factor Authentication

Using two-factor authentication for your WordPress website user logins can help keep your website secure even if you use one of the plugins in this edition of the vulnerability roundup with an authentication bypass vulnerability.

Why? Two-factor authentication makes it nearly impossible for an unauthenticated user to log in to your website.

What is two-factor authentication? Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Two-factor authentication adds an extra layer of WordPress security to verify it’s actually you logging in and not someone who gained access to (or even guessed) your password.

Here are a few more reasons to use two-factor authentication to add another layer of protection to your WordPress login.

  • Reused passwords are weak passwords. According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that “81% of hacking-related breaches leveraged either stolen or weak passwords.”
  • Even though 91% of people know reusing passwords is poor practice, a staggering 59% of people still reuse their passwords everywhere!
  • Many people are still using passwords that have appeared in a database dump. A database dump occurs when a hacker successfully gains access to a user database and then dumps the contents somewhere online. Unfortunately for us, these dumps contain a ton of sensitive login and account information.
  • The “Collection #1” data breach that was hosted on MEGA included 1,160,253,228 unique combinations of email addresses and passwords. This kind of score will provide a malicious bot with over a billion sets of credentials to use in brute force attacks. A brute force attack refers to a trial and error method used to discover username and password combinations to hack into a website.
  • Even if you have a strong password, you’re only as secure as every other admin user on your site. Okay, so you are the type of person that uses a password manager like LastPass to create strong and unique passwords for each of your accounts. But what about the other administrator and editor users on your site? If an attacker was able to compromise one of their accounts, they could still do a ton of damage to your website.
  • Google has said two-factor authentication is effective against 100% of automated bot attacks. That alone is a pretty good reason.
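The apps this section goes on to name, Google Authenticator and Authy, generate time-based one-time codes (RFC 6238 TOTP), and the same explanation of two-factor authentication appears in the March, Part 2 roundup above. The Python below is an added example and is not code from the original post or from iThemes Security Pro: it implements the code generation and a server-side verifier with the two checks a practitioner wants, a small clock-skew window and replay rejection. The secret it uses is the published RFC 6238 test vector, labelled as such in the code; the class and function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # time step used by Google Authenticator and Authy
DIGITS = 6

# The RFC 6238 test secret ("12345678901234567890" in ASCII, base32-encoded).
# It is a published test vector, not a real credential: in a deployment each
# user gets a fresh random secret at enrollment, usually delivered as a QR code.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at_time // step)


class SecondFactorVerifier:
    """Server-side check of the code a user types after their password.

    Two defensive details matter here: a small clock-skew window (one step
    either side, so a phone a few seconds off still works) and replay
    rejection (a code for a given time step is accepted at most once, and no
    code for an earlier step is accepted after a later one has been used)."""

    def __init__(self, secret_b32: str, skew_steps: int = 1):
        self.secret_b32 = secret_b32
        self.skew_steps = skew_steps
        self.last_accepted_step = -1

    def verify(self, submitted: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current_step = now // STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = current_step + delta
            if step <= self.last_accepted_step:
                continue   # replay, or older than a code already consumed
            expected = totp(self.secret_b32, step * STEP_SECONDS)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    verifier = SecondFactorVerifier(RFC6238_TEST_SECRET_B32)
    code = totp(RFC6238_TEST_SECRET_B32, int(time.time()))
    print("first use accepted:", verifier.verify(code))
    print("replay accepted:", verifier.verify(code))
```

The replay check is what turns a six-digit code into a real second factor: without it, a code captured from a phishing page stays valid for the rest of its 30-second step and a window either side. Storing `last_accepted_step` per user (here it lives on the object) is all the state the server needs.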

How to Add Two-Factor Authentication to Secure Your WordPress Login with iThemes Security Pro

The iThemes Security Pro plugin makes it easy to add two-factor authentication to your WordPress websites. With iThemes Security Pro’s WordPress two-factor authentication, users are required to enter both a password AND a secondary code sent to a mobile device such as a smartphone or tablet. Both the password and the code are required to successfully log in to a user account.

To start using Two-Factor Authentication on your website, enable the feature on the main page of the iThemes Security Pro settings.


In this post, we unpack all the steps of how to add two-factor authentication to your site with iThemes Security Pro, including how to use a third-party app like Google Authenticator or Authy.


WordPress Disaster Week is Coming, March 16 – 18, 2021

Are you ready if disaster strikes your WordPress website today?

From running an update that breaks everything to hacks or accidentally deleting an important file, the reality is it’s not a matter of if but when something will go wrong with your site. And now, more than ever, the security threats your website faces are very real. 

To help you combat the threat of website disasters, we’re hosting the biggest free, online iThemes training event of the year so that EVERYONE can have a plan if and when a website catastrophe strikes.

Grab your spot here for WordPress Disaster Week, happening March 16, 17 & 18, 2021, with daily sessions happening from 1:00 – 3:00 p.m. (CT).

During this training, we’ll cover a complete plan for how to prevent and recover when website calamity strikes, including:

  • How to defend your site from the most common types of attacks in 2021
  • Signs you’ve been hacked
  • How to restore your site from a backup when something goes wrong
  • How to strengthen your site’s security with the iThemes Security Plugin
  • How to make money selling website backup & security services to clients

Can’t make the live training time? Go ahead and register and we’ll email you the video replays to watch at your convenience. See webinar time in your time zone here



Keep reading the article at WordPress News and Updates from iThemes – iThemes. The article was originally written by Michael Moore on 2021-03-03 10:15:01.



WordPress Vulnerability Roundup: February 2021, Part 2


Written by Michael Moore on February 24, 2021

Last Updated on February 24, 2021

New WordPress plugin and theme vulnerabilities were disclosed during the second half of February. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.

In the February, Part 2 Report

WordPress Core Vulnerabilities

However, WordPress version 5.6.2 was released to fix a few bugs introduced in WordPress version 5.6.1.

WordPress Plugin Vulnerabilities

1. Post SMTP Mailer/Email Log

Vulnerability: CSRF Nonce Bypass
Patched in Version: 2.0.21
Severity: Medium – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

WordPress Theme Vulnerabilities

No new theme vulnerabilities have been disclosed this month.

February Security Tip: Why You Should Be Logging Website Security Activity

Security logging should be an essential part of your WordPress security strategy. Why?

Insufficient logging and monitoring can lead to a delay in the detection of a security breach. Most breach studies show that the time to detect a breach is over 200 days!

That amount of time allows an attacker to breach other systems, modify, steal, or destroy more data. For this reason, “insufficient logging” landed on the OWASP top 10 of web application security risks.

WordPress security logs have several benefits in your overall security strategy, helping you:

  1. Identify and stop malicious behavior.
  2. Spot activity that can alert you of a breach.
  3. Assess how much damage was done.
  4. Aid in the repair of a hacked site.

If your site does get hacked, you will want to have the best information to aid in a quick investigation and recovery.

The good news is that iThemes Security Pro can help you implement website logging. iThemes Security Pro’s WordPress security logs track all of these website activities for you:

Stats from your logs are then displayed in a real-time WordPress security dashboard that you can view from your WordPress admin dashboard.
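Benefits 1 to 3 above (identify malicious behavior, spot a breach, assess damage) only materialize if something actually reads the logs. The Python below is an added example and is not iThemes Security Pro's code or its log format: it runs three simple detections over constructed sample log lines in a made-up key=value layout, counting failed logins per IP inside a sliding time window, flagging a successful login that follows a burst of failures, and then listing what the flagged account did afterwards. The IP addresses come from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log in a simple "timestamp key=value ..." layout. It is
# illustrative only and is not iThemes Security Pro's actual log format.
SAMPLE_LOG = """\
2021-02-22T10:15:01Z ip=203.0.113.5 user=admin event=login_failed
2021-02-22T10:15:03Z ip=203.0.113.5 user=admin event=login_failed
2021-02-22T10:15:04Z ip=203.0.113.5 user=editor event=login_failed
2021-02-22T10:15:06Z ip=203.0.113.5 user=admin event=login_failed
2021-02-22T10:15:08Z ip=203.0.113.5 user=admin event=login_failed
2021-02-22T10:15:09Z ip=203.0.113.5 user=admin event=login_success
2021-02-22T10:16:00Z ip=203.0.113.5 user=admin event=plugin_installed plugin=unknown-uploader
2021-02-22T10:20:00Z ip=198.51.100.7 user=alice event=login_failed
2021-02-22T10:20:30Z ip=198.51.100.7 user=alice event=login_success
2021-02-22T11:00:00Z ip=192.0.2.9 user=bob event=login_failed
2021-02-22T11:30:00Z ip=192.0.2.9 user=bob event=login_failed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str):
    """Turn one log line into a dict; return None for lines that do not fit the layout."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    try:
        fields = dict(item.split("=", 1) for item in match.group("kv").split())
        fields["ts"] = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return fields


def analyse(log_text: str, threshold: int = 5, burst: int = 3, window_seconds: int = 300) -> list:
    """Run three detections over the log in order and return the alerts raised.

    brute_force:              >= threshold failed logins from one IP inside the window
    success_after_failures:   a successful login from an IP that just failed >= burst times
    post_compromise_activity: anything the flagged account does afterwards (damage assessment)
    """
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    locked_ips = set()
    flagged_users = set()

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or "ip" not in ev or "event" not in ev:
            continue
        ip, ts, user = ev["ip"], ev["ts"], ev.get("user", "?")
        window = recent_failures[ip]
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()   # expire failures older than the window

        if ev["event"] == "login_failed":
            window.append(ts)
            if len(window) >= threshold and ip not in locked_ips:
                locked_ips.add(ip)   # a real plugin would lock the IP out at this point
                alerts.append({"rule": "brute_force", "ip": ip, "failures": len(window), "at": ts.isoformat()})
        elif ev["event"] == "login_success":
            if len(window) >= burst:
                flagged_users.add(user)
                alerts.append({"rule": "success_after_failures", "ip": ip, "user": user,
                               "failures": len(window), "at": ts.isoformat()})
        elif user in flagged_users:
            alerts.append({"rule": "post_compromise_activity", "ip": ip, "user": user,
                           "event": ev["event"], "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the sample log the first rule fires on the fifth failure from 203.0.113.5, the second fires when that same address then logs in as admin, and the third records the plugin install that followed, which is the list you would start a repair from. Alice's single typo and Bob's two failures half an hour apart stay below both thresholds, which is the point of the sliding window.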


Check out this feature spotlight post where we unpack all the steps of adding WordPress security logs to your website using iThemes Security Pro.


A WordPress Security Plugin Can Help Secure Your Website

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.



Keep reading the article at WordPress News and Updates from iThemes – iThemes. The article was originally written by Michael Moore on 2021-02-24 10:21:10.



WordPress Vulnerability Roundup: January 2021, Part 2


Written by Michael Moore on January 27, 2021

Last Updated on January 27, 2021

New WordPress plugin and theme vulnerabilities were disclosed during the second half of January. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

This week’s WordPress Vulnerability Roundup is divided into four different categories: WordPress core, WordPress plugins, WordPress themes, and server.

Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.

In the January, Part 2 Report

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities

1. Easy Contact Form Pro – Critical

The vulnerability is patched, and you should update to version 1.1.1.9.

2. FV Flowplayer Video Player – Medium


The vulnerability is patched, and you should update to version 7.4.38.727.

3. Simple Job Board – High


The vulnerability is patched, and you should update to version 2.9.4.

4. Easy Media Gallery Pro – Medium


The vulnerability is patched, and you should update to version 1.3.0.

5. Contact Form Submissions – Medium


Remove the plugin until a security fix is released.

6. 301 Redirects – Critical


The vulnerability is patched, and you should update to version 2.51.

7. WP Shieldon – Medium


Remove the plugin until a security fix is released.

8. Contact Form 7 Database Addon – Critical


The vulnerability is patched, and you should update to version 1.2.5.6.

9. WP24 Domain Check


The vulnerability is patched, and you should update to version 1.6.3.

WordPress Theme Vulnerabilities

No new theme vulnerabilities have been disclosed this month.

Server Vulnerabilities

Security researchers at Qualys discovered a privilege escalation vulnerability in the Linux program sudo. An attacker could exploit the vulnerability to escalate their privileges and take over the server.

For more information, check out our post covering this new Linux vulnerability.

January Security Tip: Scan Your Websites for Vulnerabilities

60% of website breaches involve vulnerabilities for which a patch was available but not applied. This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.

Every day, it gets harder and harder to keep track of every disclosed WordPress vulnerability. You have to compare that list to the versions of plugins and themes you have installed on your site… and make sure you’re constantly updating.

To solve this problem, the iThemes Security Pro plugin just rolled out a better way to protect your sites against software vulnerabilities, the number one culprit of hacked and compromised WordPress sites.

The new, improved WordPress Security Site Scan powered by iThemes performs automatic checks for known website vulnerabilities and, if a patch is available, iThemes Security Pro will automatically apply the fix for you … so you don’t have to. Whew, that’s some peace of mind.
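The comparison described above, installed versions against the disclosed patched versions, is mechanical enough to script. The Python below is an added example, not iThemes' Site Scan or any of its code: it takes the patched versions quoted in the January plugin entries above, a constructed plugin inventory (labelled as such in the code), and reports which installed plugins need updating and which must be removed because no fix exists yet. Matching plugins by the display names the roundup uses is an assumption made for this example; a real inventory from `wp plugin list --format=json` reports the plugin slug in its `name` field, so an advisory feed would be keyed on slugs instead.

```python
import re

# Patched versions as quoted in the January roundup entries above. The two
# plugins without a fix are the ones the roundup says to remove. WP24 Domain
# Check carries no rating in the roundup, so it is marked "Unrated" here.
ADVISORIES = {
    "Easy Contact Form Pro":         {"severity": "Critical", "patched": "1.1.1.9"},
    "FV Flowplayer Video Player":    {"severity": "Medium",   "patched": "7.4.38.727"},
    "Simple Job Board":              {"severity": "High",     "patched": "2.9.4"},
    "Easy Media Gallery Pro":        {"severity": "Medium",   "patched": "1.3.0"},
    "Contact Form Submissions":      {"severity": "Medium",   "patched": None},
    "301 Redirects":                 {"severity": "Critical", "patched": "2.51"},
    "WP Shieldon":                   {"severity": "Medium",   "patched": None},
    "Contact Form 7 Database Addon": {"severity": "Critical", "patched": "1.2.5.6"},
    "WP24 Domain Check":             {"severity": "Unrated",  "patched": "1.6.3"},
}

# Constructed inventory of one site's installed plugins (name -> version).
# In practice this comes from the site itself, e.g. `wp plugin list --format=json`.
INSTALLED = {
    "Easy Contact Form Pro": "1.1.1.8",
    "Simple Job Board": "2.9.4",
    "301 Redirects": "2.50",
    "Contact Form Submissions": "1.7.2",
    "Some Unaffected Plugin": "3.2.1",
}

SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Unrated": 4}


def version_key(version: str) -> tuple:
    """Compare dotted versions numerically, so 2.51 > 2.50 and 1.1.1.9 > 1.1.1.8.

    A non-numeric part (e.g. 'beta') sorts below any number; a plain string
    comparison would wrongly rank '2.9' above '2.51'."""
    return tuple(int(part) if part.isdigit() else -1
                 for part in re.split(r"[.\-]", version.strip()))


def is_outdated(installed: str, patched: str) -> bool:
    """True when the installed version is older than the patched one (2.9 == 2.9.0)."""
    a, b = version_key(installed), version_key(patched)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def check_site(installed: dict, advisories: dict = ADVISORIES) -> list:
    """Return one finding per installed plugin that is vulnerable, most severe first."""
    findings = []
    for name, version in installed.items():
        advisory = advisories.get(name)
        if advisory is None:
            continue   # no disclosed vulnerability for this plugin
        if advisory["patched"] is None:
            action = "remove the plugin until a security fix is released"
        elif is_outdated(version, advisory["patched"]):
            action = f"update to version {advisory['patched']}"
        else:
            continue   # already at or beyond the patched version
        findings.append({"plugin": name, "installed": version,
                         "severity": advisory["severity"], "action": action})
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for finding in check_site(INSTALLED):
        print(f"[{finding['severity']}] {finding['plugin']} {finding['installed']}: {finding['action']}")
```

Against the constructed inventory this reports three findings: the two Critical plugins that are one release behind, and Contact Form Submissions, which is flagged regardless of version because the roundup lists no fix for it. Simple Job Board is already at 2.9.4 and is correctly left alone.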


A WordPress Security Plugin Can Help Secure Your Website

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.



Keep reading the article at WordPress News and Updates from iThemes – iThemes. The article was originally written by Michael Moore on 2021-01-27 13:31:12.


