Starting October 1st, 2024, WordPress.org will roll out new security measures aimed at enhancing the safety of accounts with commit access to plugins and themes. This was announced by Automattic-sponsored developer Dion Hulse.

Mandatory Two-Factor Authentication

Beginning next month, WordPress.org will make two-factor authentication (2FA) mandatory for all plugin and theme authors. Authors can configure 2FA from their WordPress.org profiles, and the platform has already started prompting them to do so. Hulse emphasized the importance of securely storing backup codes: losing access to both the 2FA method and the backup codes can make account recovery difficult.

SVN Passwords for Commit Access

WordPress.org will also introduce SVN passwords for committing changes to plugins and themes. These separate commit access from the main WordPress.org account credentials, so the credential that sits in a deployment pipeline is no longer the same password that protects the account itself. Authors generate SVN passwords through their profiles. Those using deployment scripts, such as GitHub Actions workflows, will need to replace the account password stored in their secrets with the new SVN credential.

Asked why the Plugin Review Team is not using 2FA with SVN itself, Hulse explained: “Due to technical limitations, 2FA cannot be applied to our existing code repositories, that’s why we’ve chosen to secure WordPress.org code through a combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations).”

For more information, authors can refer to the guides on Configuring Two-Factor Authentication and Subversion Access, and to Chris Christoff’s post on Keeping Your Plugin Committer Accounts Secure.

Community Reaction

The community has reacted positively to these changes, with some saying the updates were long overdue. “At least we were earlier than someone stepping on Mars,” joked developer Toma Todua.
Recently, the WordPress Plugin Team has ramped up efforts to enhance platform security. In June, it temporarily halted plugin releases and forced all plugin authors to reset their passwords after five WordPress.org user accounts were compromised.
Tag Archives: Security
WooCommerce 5.7.0 Patches Security Issue that Could Potentially Leak Analytics Reports – WP Tavern
WooCommerce shipped version 5.7.0 through a forced update for some users earlier this week. The minor release was not billed as a security update, but the following day WooCommerce published a post explaining that the plugin was vulnerable to leaking analytics reports on some hosting configurations:

On September 21, 2021, our team released a security patch to address a server configuration setup used by some hosts, which under the right conditions may make some analytics reports publicly available.

WPScan classified the issue as a broken access control vulnerability. WordPress.org pushed an automatic update to affected stores beginning on September 21 for all sites that have not explicitly disabled automatic updates. The WooCommerce team created a patch for 18 versions back to 4.0.0, along with 17 patched versions of the WooCommerce Admin plugin. Stores whose filesystem is set to read-only, or that run WooCommerce versions older than 4.0.0, will not have received the automatic update and should update manually. WooCommerce recommends updating to the latest version, now 5.7.1, or to the highest patched number in the store’s release branch. The security announcement post has detailed instructions for how store owners can check whether their report files may have been downloaded.

More than 5 million WordPress sites use WooCommerce. At the time of publishing, 59.8% are running version 5.4 or older, and only 12.8% are on the latest 5.7.x release. It is not possible to see how many sites are still vulnerable, because WordPress.org only displays a breakdown for the major branches users have installed; some site owners on older versions may be applying security patches without moving to the latest release.

WooCommerce 5.7.1 was released earlier today after the team received multiple reports of broken sites following the 5.7.0 update.
This release includes fixes for regressions and new bugs identified in the previous update.
Weekly WordPress News: WordPress 5.8.1 Security Release
Hey, WordPress fans. We are checking in with your latest dose of weekly WordPress news. This week, WordPress released a security and maintenance update with 60 bug fixes and 3 security fixes. We recommend updating your sites if you haven’t yet. Beyond that, Jetpack acquired Social Image Generator, a plugin that automatically creates social share images. We also have a lot of news, tutorials, and roundup posts for you. Let’s get to all of this week’s WordPress news…
ACF 5.10 Introduces Block API v2 Support, Block Preloading, and Security Improvements – WP Tavern
Advanced Custom Fields (ACF) has released version 5.10, the first major release since the plugin was acquired by Delicious Brains. It introduces several features that were previously experimental, closing out tickets started by previous owner Elliot Condon.

The release enables HTML escaping by default, which helps prevent Cross-Site Scripting (XSS) attacks: content rendered by ACF is run through the WordPress wp_kses() function. There was some confusion about the scope of this change, and the release post has been updated to clarify it:

“It’s important to note that this only affects content rendered by ACF in your WordPress dashboard or any front-end forms rendered through acf_form(),” Iain Poulson said. “This will not affect field values loaded through API functions such as get_field() and the_field(). We don’t make any assumptions about where you are using your field values within your theme and do not escape them as a result.”

In other words, values a theme reads with get_field() or the_field() are still raw, and escaping them for the context in which they are output remains the theme developer’s responsibility.

Version 5.10 also introduces support for the WordPress Block API v2 for ACF blocks. WordPress 5.6 shipped a new Block API that makes it easier for theme and plugin developers to style block content with results that consistently match the front end. The ACF team has published a Block API v2 help doc with examples to help developers update their blocks and make use of the new block filters included in the update.

Other features in this release include block preloading turned on by default, a new full-height setting for blocks, opacity support for the color picker, and many bug fixes.

Next on the roadmap is adding WordPress REST API support to ACF field groups. “As API-powered JavaScript front-ends become more and more popular in the WordPress space, it’s clear that many of our customers want this functionality included in ACF core,” Poulson said. “We also plan to improve the performance of the plugin and work on other quality of life features. Now that our development team has a solid handle on the codebase and the release process, we can start working on these more complicated but long-requested features.”

Shortly after the acquisition, Delicious Brains representatives published a pinned thread in the forum clarifying expectations for free support and response times. The official support forum for both free and PRO users is at support.advancedcustomfields.com, which is more active than the WordPress.org forums. Since the plugin is developer-focused, the team is taking a looser approach to support, giving the community a place to help each other:

We rarely provide support in either forum. The exception is after a major release, when we keep an eye on both forums to spot any problems caused by the release. The primary purpose of both forums is for people in the WordPress community who are having trouble with Advanced Custom Fields to help each other. Response times can range from a few days to a few weeks and will likely be from a non-developer. We jump in now and then when the description sounds suspiciously like a bug.

The release of version 5.10 is a good sign that ACF will continue to make progress under its new ownership, and a reassuring milestone for the small minority of users who were unsure about the plugin’s future.
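To make that distinction concrete, here is an added example of theme code consuming ACF fields. It is not ACF’s code and does not come from the release post; the field names (tagline, website, author_bio, accent_color) and the render_author_card() helpers are assumed for illustration, and it presumes it runs inside a WordPress theme with ACF active. The first function shows what 5.10 does not protect against; the second escapes each value for the context it lands in.

```php
<?php
/**
 * Added example (not ACF's code): rendering ACF field values in a theme.
 *
 * ACF 5.10 escapes what *it* renders (admin screens, acf_form()), but values
 * returned by get_field()/the_field() are raw. The theme must escape them for
 * the context they are output in. Field names ('tagline', 'website',
 * 'author_bio', 'accent_color') are assumed for illustration.
 */

// VULNERABLE: a field value containing <script>, an onerror= attribute or a
// javascript: URL is emitted verbatim. Anyone who can edit these fields (a
// low-privilege author, a compromised editor account) gets stored XSS against
// every visitor of the page, regardless of ACF's own admin-side escaping.
function render_author_card_unsafe( int $post_id ): string {
    $out  = '<div class="author-card" style="border-color: ' . get_field( 'accent_color', $post_id ) . '">';
    $out .= '<h3>' . get_field( 'tagline', $post_id ) . '</h3>';
    $out .= '<a href="' . get_field( 'website', $post_id ) . '">Website</a>';
    $out .= '<div class="bio">' . get_field( 'author_bio', $post_id ) . '</div>';
    return $out . '</div>';
}

// HARDENED: one escaper per output context, applied at the point of output.
function render_author_card( int $post_id ): string {
    $tagline = (string) get_field( 'tagline', $post_id );      // plain text field
    $website = (string) get_field( 'website', $post_id );      // URL field
    $bio     = (string) get_field( 'author_bio', $post_id );   // WYSIWYG field
    $color   = (string) get_field( 'accent_color', $post_id ); // color picker

    // CSS inside a style attribute: esc_attr() alone is not enough, because
    // "red; background:url(...)" is valid attribute text. Whitelist the shape
    // of a hex colour and fall back to a safe default otherwise.
    if ( ! preg_match( '/^#[0-9a-fA-F]{3,8}$/', $color ) ) {
        $color = '#000000';
    }

    $out  = '<div class="author-card" style="border-color: ' . esc_attr( $color ) . '">';
    // Text node context: esc_html() neutralises <, >, &, and quotes.
    $out .= '<h3>' . esc_html( $tagline ) . '</h3>';
    // href context: esc_url() rejects schemes outside wp_allowed_protocols()
    // (so javascript: and data: are dropped) and escapes the remainder.
    $out .= '<a href="' . esc_url( $website ) . '">Website</a>';
    // Rich text: wp_kses_post() keeps the tags and attributes allowed in post
    // content and strips <script>, on*= handlers and javascript: URLs. This is
    // the same wp_kses() family ACF 5.10 now applies to its own admin output.
    $out .= '<div class="bio">' . wp_kses_post( $bio ) . '</div>';
    return $out . '</div>';
}

// Usage in a template such as single.php (everything inside is already escaped):
// echo render_author_card( get_the_ID() );
```

The rule the example encodes is that the escaper is chosen by where the value is going (text node, attribute, URL, rich HTML), not by what field type it came from; a WYSIWYG field still needs wp_kses_post() because the editor that produced it is not the only thing that can write to the database.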
Wordfence and WPScan Publish Mid-Year WordPress Security Report – WP Tavern
WPScan is on track to post a record-breaking year for WordPress plugin vulnerabilities submitted to its database, according to a collaborative mid-year security report the company published with Wordfence. In the first half of 2021, WPScan recorded 602 new vulnerabilities, already surpassing the 514 reported during all of 2020. The report combines attack data from Wordfence’s platform with data from WPScan’s vulnerability database, providing a more comprehensive picture of the state of WordPress security than either company could present alone.

One trend highlighted in the report is the increase in password attacks. Wordfence blocked more than 86 billion password attack attempts in the first half of 2021. Attackers use a variety of methods to gain access to WordPress sites, including testing accounts against lists of previously compromised passwords, dictionary attacks, and more resource-intensive brute force attacks. Wordfence found the standard login form to be the target of 40.4% of password attacks, followed by XML-RPC at 37.7%. Since these attacks appear to be increasing, the report recommends that site owners enable two-factor authentication on all available accounts, use strong passwords unique to each account, disable XML-RPC when it is not in use, and put brute force protection in place.

Data from Wordfence’s Web Application Firewall shows more than 4 billion requests blocked due to vulnerability exploit attempts and blocked IP addresses. The report includes a breakdown of blocked requests by firewall rule. Directory traversal accounts for 27.1% of them: the attacker manipulates a file path in a request (typically with ../ sequences) to reach files outside the directory the application meant to expose, for example to read or delete a site’s wp-config.php. The breakdown also highlights that certain older vulnerabilities are still frequently targeted by attackers.
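As an added example, not taken from the report or from either company’s products, here is how two of the recommendations above, disabling XML-RPC and adding brute force protection, can be implemented as a small must-use plugin. The threshold, the lockout window, the transient key prefix and the lh_ helper names are assumed for illustration; the hooks and functions it calls (xmlrpc_enabled, authenticate, wp_login_failed, wp_login, the transient API, WP_Error) are WordPress core APIs.

```php
<?php
/**
 * Added example (not from the Wordfence/WPScan report): login hardening as a
 * must-use plugin. Save as wp-content/mu-plugins/login-hardening.php.
 * LH_MAX_FAILURES, LH_WINDOW and the 'lh_' names are assumed values.
 */

// 1. XML-RPC. The 'xmlrpc_enabled' filter disables every XML-RPC method that
// requires authentication, so password guessing through xmlrpc.php (including
// system.multicall, which tests many passwords in one request) fails before a
// single credential is checked. Caveat: Jetpack and the WordPress mobile apps
// rely on XML-RPC; keep it enabled if you depend on them.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Per-IP lockout. Covers the standard login form and, if XML-RPC is left
// on, XML-RPC logins too, since both paths go through wp_authenticate().
define( 'LH_MAX_FAILURES', 5 );                    // failures allowed in the window
define( 'LH_WINDOW', 15 * MINUTE_IN_SECONDS );     // window restarts at every failure

function lh_client_ip(): string {
    // REMOTE_ADDR is the one address the client cannot forge. Behind a reverse
    // proxy it is the proxy's address: translate X-Forwarded-For at the proxy
    // or web-server layer, not here, or attackers will spoof their way past.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lh_key( string $ip ): string {
    return 'lh_fail_' . md5( $ip );
}

// Count failures. Core fires this after it has decided the credentials were wrong.
add_action( 'wp_login_failed', function ( $username, $error = null ): void {
    // Core fires this hook again when we reject a locked-out IP below;
    // don't let our own rejection inflate the counter.
    if ( $error instanceof WP_Error && 'lh_locked_out' === $error->get_error_code() ) {
        return;
    }
    $key   = lh_key( lh_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LH_WINDOW );
}, 10, 2 );

// Refuse authentication once the threshold is reached. Priority 99 so this runs
// after core's username/password callbacks (priority 20), which would otherwise
// replace an early WP_Error with their own result.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( lh_key( lh_client_ip() ) );
    if ( $count >= LH_MAX_FAILURES ) {
        return new WP_Error(
            'lh_locked_out',
            __( 'Too many failed login attempts from your address. Try again later.' )
        );
    }
    return $user;
}, 99, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ): void {
    delete_transient( lh_key( lh_client_ip() ) );
}, 10, 2 );
```

Two caveats a practitioner would want alongside this. A lockout keyed on source IP slows a single attacker but does little against the distributed campaigns behind figures like 86 billion attempts, where each address may try only a handful of passwords; that is why the report puts two-factor authentication and unique passwords ahead of rate limiting. And the lockout applies even when the correct password is supplied, which is intentional (otherwise the attacker learns which guess was right) but means a legitimate user on the same address is locked out too, so the window should stay short.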
The vast majority of vulnerabilities reported in the WordPress ecosystem are in plugins, with themes making up a much smaller share. The report notes that only three of the 602 vulnerabilities catalogued by WPScan in the first half of this year were in WordPress core. By type, WPScan found that Cross-Site Scripting (XSS) accounted for more than half of them (52%), followed by Cross-Site Request Forgery (CSRF) at 16%, SQL Injection at 13%, access control issues at 12%, and file upload issues at 7%. Using Common Vulnerability Scoring System (CVSS) scores, WPScan found that 17% of reported vulnerabilities were critical, 31% high, and 50% medium severity.

Both Wordfence and WPScan argue that the higher number of vulnerabilities reported this year reflects the growth of the WordPress ecosystem and a maturing, healthy interest in security: themes and plugins are not getting less secure over time, but more people are discovering and reporting vulnerabilities.

“First and foremost, we aren’t seeing a lot of newly introduced vulnerabilities in plugins and themes but rather we are seeing a lot of older vulnerabilities in older plugins and themes being reported/fixed that just weren’t detected until now,” Wordfence Threat Analyst Chloe Chamberland said. “Vulnerabilities aren’t being introduced as frequently and more vulnerabilities are being detected simply due to the higher activity of researchers which is in turn positively impacting the security of the WordPress ecosystem. Considering it isn’t newly introduced vulnerabilities that are being frequently discovered, I feel confident in saying that the increase in discoveries doesn’t indicate that the ecosystem is getting less secure at all but rather getting more secure.”

Chamberland also said she believes there is a domino effect when vulnerabilities are disclosed to vendors: they learn from their mistakes and go on to build more secure products. “Speaking from experience as I spend a lot of my time looking for vulnerabilities in WordPress plugins, things have definitely been getting more secure from my perspective,” she said. “Today, I frequently find capability checks and nonce checks in all the right places along with proper file upload validation measures in place, and all the good stuff. It’s become harder to find easily exploitable vulnerabilities in plugins and themes that are being actively maintained which is a great thing!”

The mid-year report is available as a free PDF download from the WPScan website. WPScan founder and CEO Ryan Dewhurst said he expects there will be an end-of-year report for 2021. He has not yet discussed it with Wordfence, but the companies are brainstorming other ways to collaborate.
WooCommerce 5.5.2 Fixes Performance Issues Found After Forced Security Update – WP Tavern
WooCommerce has shipped version 5.5.2 as a follow-up to last week’s forced security update, which patched a SQL injection vulnerability. The vulnerability affected versions 3.3 to 5.5 of the WooCommerce plugin and versions 2.5 to 5.5 of the WooCommerce Blocks feature plugin. The team created patches for more than 90 releases, which were sent as a forced security update from WordPress.org because of the potential severity of the impact on millions of WooCommerce installations.

Shortly after the automatic update rolled out, many store owners reported serious performance issues on both WordPress.org and GitHub. Some reported database crashes after receiving the automatic security patch in 5.5.1. One user described a painfully slow, endless query that was “crippling to our operations,” with similar reports on GitHub of the same query “causing the entire server to go down.” Stores with a large number of products were affected more often. “We run a fairly big DB – 17k products,” one user said. “This has been a nightmare.”

Affected store owners had resorted to downgrading to previous releases at WooCommerce’s recommendation, and shared temporary workarounds to disable the query while WooCommerce investigated. The problem was reported so frequently that fixing it became a high priority for the team. A week ago, WooCommerce developer Adrian Duffell reported that the cause was twofold:

A slow SQL query used to retrieve the products that are low in stock. This SQL has been in WooCommerce for a number of releases.

A REST API request, which executes this SQL query, is called more frequently in WooCommerce 5.5 than in previous versions.

The combination of these two factors caused the degraded server performance when users updated to WooCommerce 5.5. A fix was released in WooCommerce Admin 2.4.4 three days ago and added to core today in 5.5.2. Users who had put workarounds in place are advised to remove them after updating to the latest release.
WooCommerce Patches Critical Vulnerability, Sending Forced Security Update from WordPress.org – WP Tavern
WooCommerce has patched an unspecified critical vulnerability identified on July 13, 2021, by a security researcher through Automattic’s HackerOne program. The vulnerability affects versions 3.3 to 5.5 of the WooCommerce plugin and versions 2.5 to 5.5 of the WooCommerce Blocks feature plugin.

“Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores,” WooCommerce Head of Engineering Beau Lebens said in the security announcement.

WordPress.org is currently pushing forced automatic updates to vulnerable stores, a practice that is rarely employed and reserved for potentially severe security issues affecting a large number of sites. Even with the automatic update, WooCommerce merchants are encouraged to check that their stores are running the latest version (5.5.1). Since WooCommerce backported the fix to every release branch back to 3.3, store owners on older versions can safely update to the highest number in their current branch even if they are not moving to 5.5.1.

At the time of publishing, only 7.2% of WooCommerce installations are on version 5.5+. More than half of stores (51.7%) run a version older than 5.1. WordPress.org does not offer a more specific breakdown of the older versions, but without these backported fixes the majority of WooCommerce installs would have been left vulnerable.

The security announcement indicates that WooCommerce cannot yet confirm the vulnerability has not been exploited:

Our investigation into this vulnerability and whether data has been compromised is ongoing. We will be sharing more information with site owners on how to investigate this security vulnerability on their site, which we will publish on our blog when it is ready. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.

For those concerned about possible exploitation, the WooCommerce team recommends that merchants update their passwords after installing the patched version as a precaution. The good news for store owners is that this critical vulnerability was responsibly disclosed and patched within one day of being identified. The plugin’s team has committed to transparency about the issue: in addition to publishing an announcement on the plugin’s blog, WooCommerce emailed everyone who has opted into its mailing list. Concerned store owners should watch the WooCommerce blog for a follow-up post on how to investigate whether their stores have been compromised.
Jetpack 9.8 Introduces WordPress Stories Block Alongside Forced Security Update – WordPress Tavern
Jetpack 9.8 was released this week, introducing WordPress Stories as the headline feature. The Story block, which lets users create interactive stories, was previously only available on mobile and can now be used in the web editor. Stories went into public beta on the Android app in January 2021 and were officially released on the mobile apps in March.

Version 9.8 also includes a security patch for all sites using the Carousel feature. The vulnerability allowed the comments of non-published pages and posts to be leaked. It was severe enough for the Jetpack team to work with WordPress.org to release 78 patched versions, covering every version of Jetpack since 2.0. Sites not using the Carousel feature were not vulnerable, but would become so if the feature were later enabled on an unpatched version.

In a rare move, WordPress.org pushed a forced update to all vulnerable versions, surprising those who have auto-updates disabled. Several Jetpack users posted in the support forums asking why the plugin had updated automatically without permission, and in some cases not to the newest version.

So this update was a forced update on WordPress sites even with auto-updates disabled? We had this go live on a prod site at 2am last night that has auto-updates disabled for very specific reasons. Not cool Jetpack. https://t.co/55upBmyeHp
— Brad Williams (@williamsba) June 3, 2021

Jetpack team member Jeremy Herve said the vulnerability was responsibly disclosed via HackerOne, allowing the team to prepare a patch. Once it was ready, the Jetpack team contacted the WordPress.org security team to inform them of a vulnerability affecting multiple versions of the plugin.

“We sent them the patch alongside all the info we had (a PoC for the vulnerability, what features had to be active, what versions of Jetpack were impacted),” Herve said. “They recommended we release point releases for older versions of Jetpack as well. We created those new releases, and when we were ready to release them, someone from the WordPress.org team made some changes on the WordPress.org side so folks running old, vulnerable versions of the plugin would get auto-updated, just like it works for Core versions of WordPress.”

Jetpack team member Brandon Kraft estimated the number of vulnerable sites at 18% of the plugin’s active installs. He said that Jetpack was not part of the discussion about pushing out a forced update.

We weren’t part of the discussion. Provided details and got the response, but I wouldn’t expect a security convo to be public. But, yes. Single feature impacted. A few things need to be all true for it to matter on a site, which looked like qualified about 18% of sites IIRC.
— A Guy Called Kraft 😷💉 (@Kraft) June 3, 2021

“What probably adds to the confusion is that WordPress 5.5 added a UI for plugin (and theme) autoupdates,” Herve said. “That UI, while helping one manage plugin autoupdates on their site, is a bit different from Core’s forced update process. Both of those update types can be deactivated by site owners, just like core’s autoupdates can be deactivated, but I don’t believe (and honestly wouldn’t recommend) that many folks deactivate those updates.”

Kraft dug deeper into the topic and published a post explaining the differences between auto-updates and forced updates, including how to lock down file modifications if you do not want to receive any forced updates in the future. Forced updates are exceedingly rare; Kraft counts only three for Jetpack since 2013. In this instance, the Jetpack team followed the official process for reporting a critical vulnerability to the plugin and security teams, who determine the impact for users based on a set of criteria.

Users who received an email notification about an automatic update from Jetpack despite having disabled auto-updates in the dashboard UI should be aware that these forced updates can arrive once in a blue moon for security purposes.

Tony Perez, founder of NOC and former CEO at Sucuri, contends that forcing a security update like this violates the intent users express when they use the auto-updates UI in WordPress. He also highlighted the potential for abuse if the forced-update mechanism itself were ever compromised by a bad actor.

“The platform is making an active decision that is arguably contrary to what the site administrator is intending when they explicitly say they don’t want something done,” Perez said. “Put plainly, it’s an abuse of trust that exists between the WordPress user and the Foundation that helps maintain the project.

“My position is not that it shouldn’t exist. That’s a much deeper ideological debate, but it is about respecting an administrator’s explicit intent.”