Wordfence Research and News

Category: WordPress Security

WordPress Security: Remote Scanning vs Source Code Scanning

After chatting with old and new friends at WordCamp San Francisco over the weekend about WordPress security, I realized there’s some confusion about the real value of scanning your website’s source code versus remotely scanning your website for infections.

Zero Day Vulnerability in WP CopySafe Web and WP CopySafe PDF WordPress Plugins

Update: The issue has been confirmed, and the plugins have been temporarily removed from the repository until the author fixes the issue.

Why your site is being Spamvertized – and what to do about it.

You’re running a popular and honest WordPress website and all of a sudden an abuse ticket arrives in your email from your hosting provider.

Please stop password protecting your /wp-admin folder because it breaks public AJAX for WordPress.

There are many helpful articles like this one that explain how to add “another level of security” to your website by password protecting access to the /wp-admin folder.

Research: Finding the source of the current surge in brute force attacks on WordPress sites.

As you can see on our home page there is a large brute force attack underway that started around 10am Pacific Time yesterday (Thursday the 17th of April).

One week after HeartBleed, 1% of WordPress sites we tested running SSL are still vulnerable

Highlight: Wordfence 5.0.4 is currently in beta and will be released tomorrow around noon.

Vulnerabilities in WordPress older than 3.8.2, Twitget Plugin and Quick Page Post Redirect Plugin.

WordPress Vulnerability: WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role.

Serious Vulnerability in JetPack. Upgrade immediately.

In what is turning out to be the worst week for security in recent history, JetPack has a major vulnerability which allows an attacker to post to your site without permission.

Removing the ability to disable XML-RPC in emergency release 5.0.3

We screwed up. Wordfence 5 was a very big release for us and in our haste to get it out the door we didn’t sufficiently test one of the features we added towards the end of the development cycle: The ability to disable XML-RPC.

What WordPress site owners need to do about the HeartBleed vulnerability

[Updated 10:26am EST]: Here is where you can test whether your site is vulnerable to HeartBleed.