February 1, 2019 by Agnes Talalaev
What’s happening in the WordPress world: a new WordPress update, an advanced WordPress firewall, a plugin that you are strongly advised to delete, and new research on web application vulnerabilities in 2018.
WordPress 5.1 Beta 3 got published yesterday, but at this moment it’s not recommended to run it on a production site. WordPress suggests considering setting up a test site to play with the new version.
The PHP error protection handler is not in this version and will be in WordPress 5.2 instead. Some potential security issues were discovered in the implementation: rather than risk releasing insecure code, the team decided to pull it out of WordPress 5.1. You can read about the whole issue here: https://core.trac.wordpress.org/ticket/46130
A handful of smaller bugs have also been fixed in this release, including:
When adding rel attributes to links, ensure the value isn’t empty, and that it works as expected with customizer changesets.
Read more from WordPress.org
The developers of the Total Donations plugin have gone missing, leaving former customers open to attacks. Site owners are strongly advised to delete the plugin from their servers to prevent attackers from exploiting an unpatched vulnerability in its code and taking over affected sites.
The plugin reportedly contains an AJAX endpoint that can be queried by any remote, unauthenticated attacker. The endpoint resides in one of the plugin’s own files, so deactivating the plugin does not eliminate the threat: attackers can simply request that file directly, and only removing the plugin in its entirety safeguards sites from exploitation.
The zero-day affects all versions of Total Donations.
Read more from ZDNet.
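The practical consequence of the point above is that a plugin file reached by its own URL bypasses WordPress entirely, so the trace of an attempt is a request for a .php file under wp-content/plugins/ rather than the usual /wp-admin/admin-ajax.php. The following script, added here as an example and not code from the article or from the Total Donations plugin, scans access-log lines for exactly that pattern and reports which plugin files were called directly and from where. It generalises beyond this one plugin to any plugin directory. The log format regex, the plugin slug example-donations, the file name ajax-handler.php and the sample log lines are all constructed for the example; the article does not name the vulnerable file.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" access-log prefix: client IP, timestamp, request line, status, size.
# The referer and user-agent that follow are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+'
)

# A PHP file under the plugins directory requested by its own URL. Legitimate WordPress
# AJAX traffic goes through /wp-admin/admin-ajax.php and never matches this pattern.
DIRECT_PLUGIN_PHP = re.compile(r'^/wp-content/plugins/([^/]+)/.*\.php$')


def parse_line(line):
    """Split one access-log line into its fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['path'] = urlsplit(rec['target']).path   # drop the query string before path matching
    rec['status'] = int(rec['status'])
    return rec


def direct_plugin_hits(lines, min_status=200, max_status=399):
    """Return (plugin_slug, client_ip, method, path) for each request that invoked a plugin
    PHP file directly and got a response with status in [min_status, max_status].
    The default range keeps only requests the server actually served; use 100-599 to
    see refused or 404'd attempts as well (e.g. probes arriving after the plugin was removed)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = DIRECT_PLUGIN_PHP.match(rec['path'])
        if not m or not (min_status <= rec['status'] <= max_status):
            continue
        hits.append((m.group(1), rec['ip'], rec['method'], rec['path']))
    return hits


def hits_per_plugin(lines):
    """Count served direct hits per plugin slug: the quickest way to see which plugin is being called directly."""
    return Counter(slug for slug, _ip, _method, _path in direct_plugin_hits(lines))


# Constructed sample log. The plugin slug and file name are placeholders for this example,
# not the real Total Donations paths. Client addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [31/Jan/2019:10:15:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [31/Jan/2019:10:15:03 +0000] "GET /wp-content/plugins/example-donations/assets/app.js HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [31/Jan/2019:10:16:40 +0000] "POST /wp-content/plugins/example-donations/ajax-handler.php?action=update HTTP/1.1" 200 88 "-" "python-requests/2.21.0"',
    '198.51.100.23 - - [31/Jan/2019:10:16:41 +0000] "GET /wp-content/plugins/example-donations/ajax-handler.php HTTP/1.1" 200 12 "-" "python-requests/2.21.0"',
    '192.0.2.55 - - [31/Jan/2019:10:20:00 +0000] "GET /wp-content/plugins/some-other-plugin/includes/helper.php HTTP/1.1" 404 231 "-" "curl/7.64.0"',
    'this line is not an access-log record and is skipped',
]

if __name__ == '__main__':
    for slug, ip, method, path in direct_plugin_hits(SAMPLE_LOG):
        print(f'{ip} {method} {path}  (plugin: {slug})')
    print(dict(hits_per_plugin(SAMPLE_LOG)))
```

Run against a real access log, the served hits (2xx/3xx) are the ones worth investigating first; a 404 for the same path after the plugin directory has been deleted confirms that removal, not deactivation, is what closed the door.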
Research has revealed that in 2018 the overall number of new web vulnerabilities rose by 23% compared to 2017. The most common vulnerability class in 2018 was injection, up 267% from 2017.
Cross-site scripting bugs also continued to grow throughout the year, becoming the second most common vulnerability.
WordPress vulnerabilities have increased by 30% since 2017. Its popularity in the CMS category has motivated more attackers to develop dedicated attack tools and try their luck searching for holes in the code.
Almost all of the WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or a blog. The top ten WordPress plugins with the most vulnerabilities discovered in 2018 include Ultimate Member, Event Calendar, Coming Soon Page and GD Rating System.
In this week alone, the WebARX WordPress firewall has blocked more than 170 000 attacks targeting WordPress sites.
In essence, what this research shows is that web applications need more protection. The best way to provide it is to deploy a web application firewall, which can run on-premises, in the cloud, or as a combination of both.
You can read more about the research from informationsecuritybuzz.com.
Create groups and assign firewall modules to policies. Even better, you can create your own firewall rules and modules.
The new firewall engine first and foremost provides more flexibility and adjustment options: from the next version, you’ll be able to link exactly the security rules you need to each website or group of websites.
Additionally, you can choose between the Log, Block and Redirect actions to take when a rule is hit. This gives you greater flexibility and customisation options for even the most complex PHP applications.
You will also be able to create security measures and whitelist rules yourself. When creating your own rules, you can log, block or redirect the user, and define the IP address to which the rule applies. The new feature will be available for the WordPress firewall and the PHP firewall at the beginning of February 2019.
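To make the rule model described above concrete (per-rule Log, Block or Redirect action, rules scoped to an IP address or range, and whitelist rules that take precedence), here is a small rule evaluator written for this article as an illustration. It is not the WebARX firewall engine or its rule syntax; the Rule and Request fields, the precedence policy (whitelist first, then the most severe matching action), the rule names, patterns and RFC 5737 address ranges are all assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    query: str = ""
    body: str = ""


@dataclass
class Rule:
    name: str
    pattern: str                       # regex tested against path, query and body
    action: str                        # 'log', 'block' or 'redirect'
    redirect_to: Optional[str] = None  # target location for 'redirect'
    apply_to: Optional[str] = None     # single IP or CIDR range; None means every client
    whitelist: bool = False            # a matching whitelist rule allows the request outright

    def applies_to_ip(self, client_ip: str) -> bool:
        if self.apply_to is None:
            return True
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(self.apply_to, strict=False)

    def matches(self, req: Request) -> bool:
        if not self.applies_to_ip(req.client_ip):
            return False
        # Path comes first, so a '^' in the pattern anchors to the request path.
        haystack = "\n".join((req.path, req.query, req.body))
        return re.search(self.pattern, haystack, re.IGNORECASE) is not None


@dataclass
class Decision:
    action: str                    # 'allow', 'log', 'block' or 'redirect'
    rule: Optional[str] = None     # name of the deciding rule, if any
    location: Optional[str] = None # redirect target when action == 'redirect'


# Higher number = more severe. A log-only rule never stops a request on its own.
SEVERITY = {"log": 0, "redirect": 1, "block": 2}


def evaluate(rules: List[Rule], req: Request) -> Decision:
    """Whitelist rules are checked first; otherwise the most severe matching action wins."""
    for rule in rules:
        if rule.whitelist and rule.matches(req):
            return Decision("allow", rule.name)
    winner = None
    for rule in rules:
        if rule.whitelist or not rule.matches(req):
            continue
        if winner is None or SEVERITY[rule.action] > SEVERITY[winner.action]:
            winner = rule
    if winner is None:
        return Decision("allow")
    location = winner.redirect_to if winner.action == "redirect" else None
    return Decision(winner.action, winner.name, location)


# Constructed rule set for this example; names, patterns and address ranges are assumptions.
RULES = [
    Rule("office-whitelist", r".*", "log", apply_to="192.0.2.0/24", whitelist=True),
    Rule("sqli-union", r"union\s+select", "block"),
    Rule("wp-config-probe", r"^/wp-config\.php", "redirect", redirect_to="/"),
    Rule("xmlrpc-log", r"^/xmlrpc\.php", "log"),
    Rule("ajax-log-from-range", r"^/wp-admin/admin-ajax\.php", "log", apply_to="198.51.100.0/24"),
    Rule("scanner-block", r".*", "block", apply_to="203.0.113.99"),
]

if __name__ == "__main__":
    for req in (
        Request("203.0.113.5", "GET", "/index.php", "id=1 UNION SELECT 1,2,3"),
        Request("192.0.2.10", "GET", "/index.php", "id=1 union select 1"),
        Request("203.0.113.5", "GET", "/wp-config.php"),
    ):
        print(req.client_ip, req.path, "->", evaluate(RULES, req))
```

Two design points are worth noting. A whitelist scoped to a trusted range is evaluated before everything else, so a false positive from a broad pattern never locks out that range; and when a log rule and a block rule both match, the request is still blocked, because logging is an observation, not a permission.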