So, what do you know about the WordPress REST API? If you’re like me, the answer is “not much”. So it came out of the blue when a friend of mine contacted me last week about problems he was having with the REST API. The Issues 1) The URL https://www.example.com/wp-json/wp/v2/users can return information about ALL […]
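One way to close the first issue, as an added example that is not code from the original post or from WordPress core: a small plugin that removes the `/wp/v2/users` routes from the REST index for visitors who are not logged in. The `rest_endpoints` filter and the route keys are the ones core registers; the plugin name is made up for the example.

```php
<?php
/**
 * Plugin Name: Hide REST user listing from anonymous requests
 *
 * Added example, not from the original post. Drops the two user routes
 * that WordPress core registers under /wp-json/wp/v2/ when the request
 * is not from a logged-in user, so the listing at
 * https://www.example.com/wp-json/wp/v2/users answers 404 instead of
 * enumerating accounts. Logged-in users keep the routes, because the
 * editor and author dropdowns rely on them.
 */

add_filter( 'rest_endpoints', function ( array $endpoints ) {
    // Cookie authentication has already run when this filter fires
    // (WP_REST_Server::check_authentication() precedes dispatch()),
    // so this reflects a validated nonce, not just a stale cookie.
    if ( is_user_logged_in() ) {
        return $endpoints;
    }

    // Route keys exactly as WP_REST_Users_Controller registers them.
    $user_routes = array(
        '/wp/v2/users',
        '/wp/v2/users/(?P<id>[\d]+)',
    );
    foreach ( $user_routes as $route ) {
        if ( isset( $endpoints[ $route ] ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

Treat this as one layer, not the whole fix: usernames also leak through author archives (`/?author=N` redirects to `/author/<slug>/`) and through the `author` field on public post objects returned by other REST routes, so a site that wants to stop enumeration outright needs those covered as well. After activating the plugin, fetch the URL logged out and logged in and confirm the anonymous response is the JSON `rest_no_route` error.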
Hardening the Apache Webserver
One thing that should be done by those hosting their own Apache web servers is to remove any unneeded information from Apache error responses, such as this footer line: Apache/2.4.48 (Ubuntu) Server at example.com Port 443 In the standard setup, Apache reveals its version number as well as the underlying O/S it is running on. Why make it […]
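As an added example (not part of the original post), the two Apache directives that control that footer line and the `Server` response header, with the permissive setting beside the hardened one. On Ubuntu and Debian they are normally set in `/etc/apache2/conf-available/security.conf`; that path is an assumption about the distribution's layout, and the directives themselves are standard Apache.

```apache
# Added example, not from the original post.
#
# Before: the default behaviour (what you get when the directives are
# absent). Error pages carry "Apache/2.4.48 (Ubuntu) Server at ..." and
# every response carries "Server: Apache/2.4.48 (Ubuntu)".
#
#   ServerTokens OS
#   ServerSignature On
#
# After: the Server header shrinks to just "Apache" and error pages get
# no footer line at all. ServerTokens is server-config only (it cannot
# go in .htaccess); ServerSignature may also be set per vhost.
ServerTokens Prod
ServerSignature Off
```

After `apachectl configtest` and a reload, check the result from outside with `curl -sI https://example.com/ | grep -i '^server:'` and by requesting a URL that does not exist. Note that `ServerTokens Prod` still says "Apache", and `Header unset Server` from mod_headers does not remove it because the server adds that header after the filter runs; hiding the product name entirely needs a module such as mod_security (its `SecServerSignature` directive) or a reverse proxy in front.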
WordPress 4.8.2: Update Now.
A new WordPress version, 4.8.2, has been released. As it contains security fixes, all WordPress sites should be updated immediately. The update includes a fix to $wpdb->prepare() to help protect against SQL injection (SQLi) attacks. WordPress core itself is not directly vulnerable to SQL injection, but certain plugins and themes may be vulnerable depending on how […]
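The kind of plugin code the release note is hinting at, as an added example that is not from the original post or from WordPress core: the same lookup written the way that stays injectable no matter what `prepare()` does, beside the way `prepare()` is meant to be called. The function names and the slug lookup are hypothetical; `$wpdb`, `prepare()`, `get_var()` and `esc_like()` are the real WordPress APIs.

```php
<?php
/**
 * Added example, not from the original post. Assumes the global $wpdb
 * database object and a hypothetical plugin that looks up a post ID by
 * a slug taken from the request.
 */

// VULNERABLE: the user value is spliced into the SQL string before
// prepare() ever sees it, so there is nothing left for prepare() to
// escape. A slug of  x' OR '1'='1  reaches MySQL verbatim, and a value
// containing '%' can also be mistaken for a placeholder.
function example_lookup_unsafe( $slug ) {
    global $wpdb;
    $sql = "SELECT ID FROM {$wpdb->posts} WHERE post_name = '$slug'";
    return $wpdb->get_var( $wpdb->prepare( $sql ) ); // prepare() misused
}

// SAFE: the query text is a constant; the value travels as an argument
// and is bound to a %s placeholder, so it is quoted and escaped by
// prepare() regardless of its content.
function example_lookup_safe( $slug ) {
    global $wpdb;
    return $wpdb->get_var( $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_name = %s",
        $slug
    ) );
}

// LIKE is the one case placeholders alone do not cover: literal '%' and
// '_' in the user value must be escaped with esc_like() first, then the
// wildcard is appended and the whole pattern bound with %s.
function example_prefix_search_safe( $prefix ) {
    global $wpdb;
    $pattern = $wpdb->esc_like( $prefix ) . '%';
    return $wpdb->get_col( $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_name LIKE %s",
        $pattern
    ) );
}
```

The rule of thumb when reviewing a plugin or theme: every `$wpdb->prepare()` call should have a query string with no interpolated variables and one argument per `%s`/`%d`/`%f` placeholder. Grep for `prepare( $` or `prepare( "` followed by `{$` or `'$` to find the first shape above quickly.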
WordPress and Joomla Updates
Two bugs were discovered and fixed in the popular WordPress "WP Statistics" plugin. The first is a SQL injection vulnerability that could be exploited by a logged-in, low-privileged user, such as a "Subscriber" account. A SQL injection attack could allow that subscriber to add an "Administrator" account. About the time that […]
Top Attacking Countries: May 2017
No change in the Top 4 countries on the list from WordFence’s April summary:
Top Attacking Countries: April 2017
From WordFence’s monthly summaries:
Two PHP and WordPress Security Tips
If you have file transfer access to your WordPress site, use a plain text editor to create a file called ".htaccess" consisting of the following lines. It belongs in the most often exploited folders within WordPress (wp-includes and plugins). The syntax differs between Apache 2.2 and Apache 2.4. Apache 2.2: Order Deny,Allow <Files *.php> deny […]
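The complete file for both Apache versions, as an added example that is not the original post's own listing: one `.htaccess` that works unchanged on 2.2 and 2.4 by testing for the 2.4-only authorization module, dropped into `wp-includes/` and `wp-content/plugins/` (the `wp-content/plugins` path is the default plugin directory and is assumed here).

```apache
# Added example, not from the original post. Refuses direct HTTP
# requests for any .php file in this directory and below. WordPress
# loads these files through PHP include()/require(), which is not an
# HTTP request and is therefore unaffected.

# Apache 2.2: mod_authz_host syntax. mod_authz_core only exists on 2.4,
# so this branch is taken on 2.2.
<IfModule !mod_authz_core.c>
    <Files "*.php">
        Order Deny,Allow
        Deny from all
    </Files>
</IfModule>

# Apache 2.4: mod_authz_core syntax. Mixing "Order/Deny" with
# "Require" on 2.4 is a common source of confusing 403s, so each
# version gets only its own directives.
<IfModule mod_authz_core.c>
    <Files "*.php">
        Require all denied
    </Files>
</IfModule>

# Exceptions go AFTER the deny block: a plugin that legitimately
# receives direct requests (its own AJAX or callback handler) needs a
# narrower <Files> that grants access again. "handler.php" is a
# placeholder name, not a real file.
# <IfModule mod_authz_core.c>
#     <Files "handler.php">
#         Require all granted
#     </Files>
# </IfModule>
```

Verify it with a request you expect to fail, for example `curl -sI https://www.example.com/wp-includes/wp-db.php` should return a 403, and then exercise the editor and the front end, since the file breaks anything that still fetches a PHP file in those trees directly (multisite installs that serve uploads through `wp-includes/ms-files.php` are the usual casualty). For this to apply at all, the directory's `AllowOverride` must permit `Limit` (2.2) or `AuthConfig`/`Limit` (2.4) in the server config; if `AllowOverride None` is set, put the same blocks in the virtual host instead.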
Browser Changes & SSL Certificate Errors
Many secure SSL websites today now appear "insecure" and give security warnings. Google's Chrome browser, starting with version 57, released in January 2017, was the first browser to go to these extremes. Apparently in an effort not to be outdone, Firefox followed suit, although it offers much more pertinent information. What has happened is that […]
Jared’s WordPress Downloads
I put up a new Download Center. The first files uploaded to it are both related to WordPress: WPSCAN and SHA512-PASS WPSCAN is a Unix command-line scanner that can be useful in identifying Hacked Pages and Backdoors within a WordPress site/directory structure. The next file is a PHP WordPress plugin called SHA512-PASS. It stores user […]
WordPress and the Hacks Thereof
On Thursday, 2/23/2017, a client's WordPress site got hacked. It wasn't even noticed until a significant amount of spam was observed spewing forth from the server at the end of March. Suffice it to say, that one little hack resulted in another, then another, until a whole lot of data was corrupted. […]