Thursday, March 20, 2014

Wordpress security book

There is a CSRF and directory traversal vulnerability in the commercial LayerSlider WordPress plugin, version 4.6.1. The vulnerability was disclosed publicly on March 11th. We haven't been able to find a dated change history for LayerSlider, but the current version appears to be 5.1.1 and we suspect 4.6.1 is a recent version, so please check which version you're running and upgrade if necessary. The vulnerability may also affect older versions of LayerSlider. This is a popular plugin and is bundled with many themes. You can find out more about the vulnerability on PacketStorm.
We're seeing an increase in brute force attacks (password guessing attacks) across WordPress sites, from 2,000 per minute to a current peak of 15,000 per minute. The attack started just after noon yesterday, March 18th, Pacific Time, and gradually increased to a peak of 15,000 attacks per minute today, March 19th, at 5am; it's currently holding at that rate. This looks like it will be a sustained attack and will likely last from 24 more hours to several days. Please keep a close eye on your WordPress sites for unusual activity and ensure your backups are current. Share this data with any other WordPress site owners you know. As always, you can view and track the attack using our real-time graph and attack map at http://www.wordfence.com/
A vendor recently posted a blog entry on XMLRPC-based distributed denial of service attacks. The post was picked up in the press and we have received several questions about this. The issue the vendor mentions is a well known one that the WordPress core team has been aware of since 2007. It generated a fair amount of press and WordPress creator Matt Mullenweg released the following statement:
"This tradeoff in pingback's design has been there for a decade now. It's seldom used outside of experimentation because it gets shut down by anti-spam providers like Akismet or web hosts when used at any scale, and there are cheaper, easier, and more effective ways to DDOS sites. That's why no serious attacks (above 2gbps) use it."
It's important to note that this issue does not introduce a vulnerability in sites that enable pingback via XMLRPC; it merely lets an attacker bundle your site with a huge number of other WordPress sites and use them to send a large amount of traffic to a target site, in the hope of bringing that site to its knees under the load. As Matt says, there are far easier ways to overwhelm a website with traffic.
Our recommendation is to install Akismet spam filtering for comments, which you've probably already done, and to keep your themes, plugins and WordPress core current, which you're hopefully already doing. You should also be wary of running any software that is not maintained by an active author or development community, and that includes your themes and plugins. If a legitimate vulnerability exists in WordPress core, the core dev team will release a fix in a timely fashion.
The WordPress.org publishing platform continues to be an excellent, well maintained and relatively secure platform, so go forth and publish and create with confidence.
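As an added illustration (not part of the Wordfence alert), both patterns described above show up in an ordinary web server access log: a single source posting to wp-login.php dozens of times a minute is password guessing, and a burst of POST requests to xmlrpc.php from many hosts is what your own site sees when it is being used as a pingback reflector against someone else. The log lines, thresholds and helper names below are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" log format. Regex and sample lines are constructed for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable entry: skip it rather than crash on a hostile log line
    d = m.groupdict()
    # Bucket by minute: "19/Mar/2014:05:00:12 -0700" -> "2014-03-19 05:00"
    d["minute"] = datetime.strptime(d["ts"][:17], "%d/%b/%Y:%H:%M").strftime("%Y-%m-%d %H:%M")
    return d

def posts_per_minute(lines, path):
    """Count POST requests to `path` per (source IP, minute), ignoring any query string."""
    counts = Counter()
    for d in filter(None, map(parse, lines)):
        if d["method"] == "POST" and d["path"].split("?")[0] == path:
            counts[(d["ip"], d["minute"])] += 1
    return counts

def login_bursts(lines, threshold=20):
    """Sources guessing passwords: more than `threshold` POST /wp-login.php in one minute."""
    return {k: n for k, n in posts_per_minute(lines, "/wp-login.php").items() if n > threshold}

def xmlrpc_pingback_load(lines, threshold=10):
    """Minutes with more than `threshold` POST /xmlrpc.php overall (legitimate XML-RPC clients count too, so tune it)."""
    per_minute = Counter()
    for (ip, minute), n in posts_per_minute(lines, "/xmlrpc.php").items():
        per_minute[minute] += n
    return {m: n for m, n in per_minute.items() if n > threshold}

def _line(ip, ts, method, path):  # builds one constructed combined-format log line
    return f'{ip} - - [{ts} -0700] "{method} {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

SAMPLE_LOG = (  # constructed: one guessing source, one normal user, a dozen pingback callers, junk
    [_line("203.0.113.5", f"19/Mar/2014:05:00:{s:02d}", "POST", "/wp-login.php") for s in range(25)]
    + [_line("198.51.100.9", "19/Mar/2014:05:00:30", "POST", "/wp-login.php")] * 3
    + [_line(f"192.0.2.{i}", f"19/Mar/2014:05:01:{i:02d}", "POST", "/xmlrpc.php") for i in range(1, 13)]
    + [_line("198.51.100.9", "19/Mar/2014:05:01:40", "GET", "/"), "garbage line"]
)

if __name__ == "__main__":
    print(login_bursts(SAMPLE_LOG), xmlrpc_pingback_load(SAMPLE_LOG))
```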
If you found this alert helpful, please give us a 5 star rating on WordPress.org on the right of the page.
Mark Maunder
Wordfence Creator & Feedjit Inc. CEO.

PS: If you aren't already a member you can subscribe to our WordPress Security and Product Updates mailing list here. You're welcome to republish this email in part or in full provided you mention that the source is www.wordfence.com. If you would like to get Wordfence for your WordPress website, simply go to your "Plugin" menu, click "add new" and search for "wordfence".
