Security

Yuzo Related Posts Plugin Security Threat

If you have this plugin installed, even if it’s not active, delete it immediately!

Yuzo Related Posts Zero-Day Vulnerability Exploited in the Wild
by Dan Moen, Wordfence.com, April 10, 2019

The Yuzo Related Posts plugin, which is installed on over 60,000 websites, was removed from the WordPress.org plugin directory on March 30, 2019 after an unpatched vulnerability was publicly, and irresponsibly, disclosed by a security researcher that same day. The vulnerability, which allows stored cross-site scripting (XSS), is now being exploited in the wild. These attacks appear to be linked to the same threat actor who targeted the recent Social Warfare and Easy WP SMTP vulnerabilities.

The XSS protection included in the Wordfence firewall protects against the exploit attempts we have seen so far. Both free and Premium Wordfence users are protected against these attacks. Based on a deeper analysis of the security flaws present in the plugin, we have also deployed protection against additional attack vectors. Premium customers will receive the update today, free users in 30 days. We recommend that all users remove the plugin from their sites immediately.

Today, eleven days after this vulnerability was irresponsibly disclosed and a proof-of-concept (PoC) was published, threat actors have begun exploiting sites with Yuzo Related Posts installed. Exploits currently seen in the wild inject malicious JavaScript into the yuzo_related_post_css_and_style option value. When a user visits a compromised website containing the above payload, they will be redirected to malicious tech support scam pages.

Three Vulnerabilities with a Lot in Common

Our analysis shows that the attempts to exploit this vulnerability share a number of commonalities with attacks on two other vulnerabilities discovered in other plugins: Social Warfare and Easy WP SMTP. Exploits so far have used a malicious script hosted on hellofromhony[.]org, which resolves to 176.123.9[.]53. That same IP address was

Grammarly Adds Junk Code to WordPress Posts and Pages

Grammarly Adds Junk Code to WordPress Posts and Pages
By Kris Gunnars, SearchTraffic.com, April 4, 2019

When you enable the Grammarly extension in your browser, it scans the text that you type for spelling and grammar errors and underlines them. This is what your text looks like if you have spelling errors with Grammarly enabled: When you hover over an underlined word, Grammarly shows a suggestion for a fix. You can simply click the suggestion and Grammarly corrects the text for you, which is very useful.

Junk code added to the published pages

If I publish the text block above, with the spelling errors still highlighted, Grammarly HTML code gets added to the published page. If you get a lot of Grammarly suggestions in your code and don’t take action to fix them, then your pages will become bloated with a lot of this type of junk code. I call this code “junk” because it doesn’t serve any purpose whatsoever on the live, published page that is consumed by real users and search engines. All it does is increase the size of your page, which can have negative effects on site speed. Taking action on the code errors usually gets rid of the code, so you need to hover over each word and either select the suggested correction or click the “Ignore” button. Unfortunately, it doesn’t always work. Even if you take action on all of the suggestions, chances are that you will still find a lot of this unnecessary HTML junk code on your live pages.

Some junk code may remain on the page

I noticed while doing some article cleanup that most of my published articles had a bunch of this junk code added, including for parts of the text that didn’t have any errors. Here’s an

Seeing more contact form spam? Contact Form 7 now requires reCaptcha 3

I have been seeing more contact form spam in the past month or so from my own WordPress sites, and clients are reporting the same. I assumed this was human spam and that little could be done to prevent it using the usual automated measures against spambots. However, while making changes on one of the sites, I noticed:

1. that the form was no longer working, displaying “There was a problem. Your email could not be sent.”, or words to that effect;
2. that the reCaptcha 2 form was not being displayed below the form.

I was vaguely aware that current versions of Contact Form 7 supported reCaptcha 3. What I failed to appreciate was that these versions were not backward compatible, in that they no longer supported reCaptcha 2. That means, depending on the site, either visitors attempting to use your contact page were not getting their messages delivered, or messages sent via the form were no longer being intercepted by reCaptcha.

If you use Contact Form 7 on any of your sites, make sure that you update them to reCaptcha 3:

1. Go to reCAPTCHA: Easy on Humans, Hard on Bots.
2. Scroll down to the bottom of the page listing your sites and create a new listing for your domain to use reCaptcha 3 (there does not appear to be any way to just update a version 2 listing to version 3).
3. Delete your old site keys under the Integration option for Contact Form 7 and replace them with the new reCaptcha 3 site keys.

(Note: since these site keys apply to a domain plus any subdomains or subfolders under that domain, don’t delete your reCaptcha 2 keys until you are certain that you don’t have an application still using the old version. In particular, note that any custom HTML

Firefox Users Alert: New TRR feature: why and how to disable it

Mozilla’s new Firefox update puts user security at risk with TRR feature
by AnkitGupta, TheWindowsClub.com, August 7, 2018

Mozilla is all set to introduce two new features to its Firefox browser in its upcoming patch. Called ‘DNS over HTTPS’ (DoH) and Trusted Recursive Resolver (TRR), Mozilla says that they are meant to enable additional security, with many security experts thinking otherwise. Singling out TRR among the two, security experts at Ungleich say that this feature by default routes requests through a 3rd-party service, thus making it less secure.

With Trusted Recursive Resolver (TRR) turned on by default, any DNS changes that a Firefox user configured in the network will be overridden. This is because Mozilla has partnered with Cloudflare and will resolve the domain names from the application itself through a DNS server of Cloudflare located in the US. This allows Cloudflare to read users’ DNS requests.

Lashing out at Mozilla for advertising TRR as a feature that ‘increases security’, the security expert at Ungleich mentions, “From our point of view, us being security geeks, advertising this feature with slogans like “increases security” is rather misleading because in many cases the opposite is the case. While it is true that with TRR you may not expose the websites you call to a random DNS server in an untrustworthy network you don’t know, it is not true that this increases security in general.”

Cloudflare, for its part, commits to a ‘pro-user privacy’ policy and the deletion of all personally identifiable data after 24 hours, but there is no guarantee where a user’s data may finally end up.

Mozilla’s TRR disables users’ anonymity

With TRR allowing all DNS requests to be seen by Cloudflare, users’ anonymity stands completely destroyed. Government agencies always have the right to request data from the service owners,

Google S-Day Arrives: Chrome warns about non-HTTPS sites

True to their word, Google today released version 68 of their Chrome browser and, as promised, they have changed the way they warn users about potential issues with web sites. In previous versions, Chrome (and Firefox and most other browsers) alerted users to sites that were not using SSL with a red padlock next to the URL, and sites with mixed content displayed an orange padlock. Starting with version 68, Chrome now uses a stronger warning system.

If you haven’t yet converted your site to HTTPS / SSL, now is the time to give it serious consideration. You should also check that your site correctly redirects from HTTP to HTTPS in case anyone enters just the domain name into the browser.

On their Google Chrome Help page, Check if a site’s connection is secure, they preview what this now looks like to users:

Check if a site’s connection is secure

To see whether a website is safe to visit, you can check for security info about the site. Chrome will alert you if you can’t visit the site safely or privately.

In Chrome, open a page. To check a site’s security, to the left of the web address, look at the security status:

Secure
Info or Not secure
Not secure or Dangerous

To see the site’s details and permissions, select the icon. You’ll see a summary of how private Chrome thinks the connection is.

What each security symbol means

These symbols let you know how safe it is to visit and use a site. They tell you if a site has a security certificate, if Chrome trusts that certificate, and if Chrome has a private connection with a site.

Secure: Information you send or get through the site is private. Even if you see this icon, always be careful when sharing

Chrome and Firefox Extensions Alert You to Stolen Passwords

With new stories about hacked websites and stolen passwords emerging almost daily, here are some new browser tools that alert you if you sign in anywhere using a password that has been breached.

Here’s How To Find Out If Your Password Has Been Stolen By Hackers
By Robin Andrews, IFLScience.com, May 27, 2018

[Statistically, you] are likely to be someone who uses the same password for several logins, across websites or computers. There’s a fairly decent chance that at some point, one or several of your passwords have been stolen and posted on forums for other hackers to try out. Enter Okta, whose plug-in for Chrome (a version for Firefox is coming soon) lets you know how safe, or unsafe, your passwords really are.

Okta is described by CNET as a login management company, which doesn’t sound particularly thrilling. Popping over to their website, it appears that this is indeed what they do, but to put it in a mildly more exciting way: they are the guardians of the virtual gateways, those that stop nefarious hackers getting to you as you log in to whatever digital platform you or your company are using. They’ve recently gone one step further and released a browser plug-in named PassProtect. When you use a password to sign in to Twitter or anything of the sort, it’ll inform you just how many times the password in question has been exposed in a data breach.

As noted, PassProtect is currently available as an extension for Chrome only, although they say a version for Firefox is in the works. In the meantime, if you are a Firefox user, you can try a similar add-on called Prevent Pwned Passwords. Prevent Pwned Passwords helps make sure you don’t use any password that’s known to have been part of a

Fake eMail leads to Browser Hijack and Malware

I’m neither a novice nor naïve when it comes to computers, the internet, and online security issues. However, I have to admit this one slipped by me.

I was expecting a package or perhaps two to be delivered by Canada Post a couple of days ago. I was working away troubleshooting a website and a server problem, tired and a bit distracted because I was trying to do two things at once. Microsoft Outlook popped up a notice indicating that an email had arrived from Canada Post. Of course I went over to have a look, and it claimed it had been unable to deliver a package to me the day before. I opened it and it certainly looked like it was from Canada Post. It contained a link for instructions on how to get it re-delivered.

Now normally I am very suspicious about that sort of thing, and one of the things I do regularly is hover over the link in any email so that Outlook displays the actual destination in the notice bar. This time, tired and waiting for that package, I clicked on the link and it opened in my browser. Even as the page was rendering I saw in the address bar that it was certainly not Canada Post. The loaded site hijacked my browser before I could stop it, and any attempts to backtrack or go to another site gave me a message that the site was insecure.

Fake Canada Post Email

Before it could do any more damage, I shut down the browser and rebooted to do a malware scan. As it booted up, it loaded something called php.exe or something similar. I killed that immediately. That turns out to be a Trojan, so it was a little extra left behind in addition to the

Autofill security risk in most browsers except Firefox

Here’s why you’ll probably want to turn off browser autofill
Globalnews.ca, January 18, 2017

It’s annoying to type your personal details — name, address, phone numbers, all the rest of it — every time you need to fill out an online form. Browser makers realized this years ago, which is why your browser spares you the tedium, helpfully filling in the blanks when you type the first letter of your name, or the first digit of your address.

Finnish developer Viljami Kuosmanen demonstrated [last week] that in many (not all) browsers, if you start to fill in basic information like your name and email address, all your other autofill information becomes invisibly available to the site. That can include your name, home address, credit card details and workplace, not just the limited amount of information you thought you were giving away. If you’ve autofilled a form in a browser other than Firefox, you can give it a try on this site, which Kuosmanen set up to demonstrate the problem. Global News successfully used Kuosmanen’s site on Chrome, extracting a reporter’s address after he had only put in his name and email. Firefox doesn’t have the problem, but other browsers such as Chrome, Opera and Safari do.

Test your browser HERE: if you’re vulnerable, the test page will show you what information is revealed, and it also includes a link that takes you automatically to where you can turn autofill OFF.

Here’s how to turn off autofill:

In Chrome: Settings / Show Advanced Settings / Passwords and Forms, and uncheck “Enable Autofill to fill out web forms”.
In Opera: Settings / Privacy & Security / Autofill, and uncheck the box.
In Safari: Preferences / Autofill tab, and uncheck the appropriate boxes.
In Firefox (though this shouldn’t be as necessary): Options / Privacy. In the “Firefox will:” menu, uncheck Remember search and form

WordPress Security Learning Center

The WordPress Security Learning Center – Wordfence
Wordfence.com, December 16, 2015

The makers of the WordPress security plugin, Wordfence and Wordfence Premium, announced a new free feature today: The WordPress Security Learning Center – Wordfence. It includes tutorials from beginner to advanced and developer level: everything from WordPress security basics, security threats and attack types to guides for developers to help them avoid writing vulnerabilities and to penetration test their own code. The Learning Center is a completely free resource. No registration is required and absolutely no payment is needed. We have put this together as a resource for the WordPress community to do our part to help secure WordPress as a platform.

This should prove an excellent resource for everyone from beginners to seasoned WordPress users. The articles and videos are written and designed for anybody wanting to learn more about WordPress security, and they also offer a great selection of back-to-basics material for any WordPress network pro or admin, as well as computer science students and professors. They also include information on what to do if your WordPress site has been hacked.

Check it out here: The WordPress Security Learning Center – Wordfence

Disclaimer: I have no association or affiliation with Wordfence. However, I do use Wordfence on all my sites and on sites I create for others, and I highly recommend it to anyone.

Security and Your Small Business Website

A recent article by Megan Totka talks about the increasing targeting of small businesses in cyberattacks.

When we think of cyber attacks, our minds often jump to major corporations, millions of dollars, and large scale media scandals. However, experts are saying that small businesses are increasingly at risk for data breaches and other cyber threats. …. In 2012, a report from Symantec Security Response found that attacks on small businesses had risen 300 percent over the previous year. That number has been on the rise ever since.

The reason cyber attackers target small businesses is simple: it’s easier. They’re often less secure, with a smaller security budget, and the mindset that they’re too insignificant to attract attention. Given that most attacks are fully automated, these attackers can make it through a small business’s defenses much faster than they can a larger corporation, allowing them to target more companies in a shorter period of time. Unfortunately, the negative impact on small businesses may also be disproportionately higher. They often face a loss of public trust as well as a significant financial loss, which can be crippling to many businesses of this size.

That’s precisely why today it is so important to build your small business website with security in mind and to ensure that your website is kept up to date to plug any security vulnerabilities that may arise in the future. All of the websites designed by Psychlinks include site security as a top priority. For a free quote on creating a secure website and/or maintaining an existing website, please contact us today!
© Psychlinks Web Services. All rights reserved.