wordpress

Google Search Console fail over notifications for the WordPress updates

I have quite a lot of WordPress-based websites which I run and maintain. One of these is this blog: www.SorinMustaca.com. All my WordPress websites are configured to autoupdate to the latest WordPress update. The same applies to their plugins and themes.

Google Search Console (GSC) is a tool I used to better manage the registration of my websites with the search engine and their advertising platform Adsense. Yesterday evening I received a couple of emails, one for each of my websites registered with the GSC. Here is the text:

Recommended WordPress update available for http://sorinmustaca.com/

To: Webmaster of http://sorinmustaca.com/,

Google has detected that your site is currently running WordPress 4.7.0 or 4.7.1, an older version of WordPress. Outdated or unpatched software can be vulnerable to hacking and malware exploits that harm potential visitors to your site. Therefore, we suggest you update the software on your site as soon as possible.

Following are one or more example URLs where we found pages that have outdated software. The list is not exhaustive.

http://www.sorinmustaca.com/set-up-an-ad-filter-with-privoxy-on-raspberry-pi-for-free/

Recommended Actions:

1 Update to the latest release of WordPress
Visit the WordPress site for instructions on how to download and install the latest release. WordPress Update…


Security release 4.2.4 for WordPress is available – update now

This release addresses six issues, including three cross-site scripting vulnerabilities and a potential SQL injection that could be used to compromise a site. Read more here: https://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/

WordPress 4.2.4 also fixes four bugs. For more information, see the release notes or consult the list of changes.

If you have your site already at WordPress 4.x and it is properly configured, you should only see this email in your inbox:

Howdy! Your site at http://www.sorinmustaca.com has been updated automatically to WordPress 4.2.4.

No further action is needed on your part. For more on version 4.2.4, see the About WordPress screen: http://www.sorinmustaca.com/wp-admin/about.php

If you experience any issues or need support, the volunteers in the WordPress.org support forums may be able to help. https://wordpress.org/support/

You also have some plugins or themes with updates available. Update them now: http://www.sorinmustaca.com/wp-admin/

The WordPress Team


How much is a blog instance worth?

I wrote in the post "Do you really know who's visiting your website?" about how often hackers probe my websites. IT Security News has as of today this:

- 5,914 blocked malicious login attempts / was 2092 on May 8th
- 2,182 spam comments blocked by Akismet / was 2115 on May 8th

The login attempts more than doubled in just 5 weeks. Of course, they are all automated attacks, so we can't really speak of an effort from anyone's site.

Why?

If a hacker "owns" a website he is able to do a few things:

- Change content and possibly deliver malware to your readers
- Host individual "sub-pages" or "sub-websites" in your blog and reference them from email campaigns or post spam
- Send mail from your blog to just anyone, but the worst is when it sends to your subscribers

All are very bad things as they ruin your website's reputation and drive your visitors away. And they can happen all together or in any combination.

What can you do?

It turns out that you can do quite a lot of things:

- don't use the default admin account (WordPress: admin)
- set a hard-to-guess password
- keep your blog and its extensions/plugins up to date
- don't install…




WordPress 4.0.1 update – important security fixes

All my blogs use WordPress. Why WordPress? Because it is customizable and I can tweak it in any way I want… Well, almost… But from time to time there is the need to update it. Yesterday the update 4.0.1 was released, which fixes important security bugs:

- Three cross-site scripting issues that a contributor or author could use to compromise a site
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
- An extremely unlikely hash collision could allow a user's account to be compromised, that also required that they haven't logged in since 2008
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.

Version 4.0.1 also fixes 23 bugs with 4.0, and we've made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos.

My ISP can't update it automatically, so I have to update it manually. But it is not hard to do that and so far I managed to never…

