The first release candidate for WordPress 5.5 is now available! This is an important milestone in the community’s progress toward the final release of WordPress 5.5. “Release Candidate” means that the new version is ready for release, but with millions of users and thousands of plugins and themes, it’s possible something was missed. WordPress 5.5 […]
Archive for security
WordPress 5.5 Beta 4
WordPress 5.5 Beta 4 is now available! This software is still in development, so it’s not recommended to run this version on a production site. Consider setting up a test site to play with the new version. You can test WordPress 5.5 Beta 4 in two ways: Try the WordPress Beta Tester plugin (choose the […]
Spam is a huge challenge for anyone who hosts email, even though users only see a tiny fraction of the spam they’re sent. Most unwanted messages never reach inboxes, but an incredible 54 percent of all email traffic is spam, and that’s down from 70 percent a decade ago. The good thing is ISPs and hosting providers are better at stamping out spammers, and users are more aware of the risks. Still, hundreds of billions …
Solving a hostname security warning: The first time a user tries to log in to WHM on a newly-installed server, they see a security warning. It can be scary, especially for users on a trial license running cPanel & WHM for the first time. This happens because most modern browsers display a warning whenever a user tries to visit a site or domain with an invalid or self-signed certificate. cPanel & WHM attempts to secure …
WordPress 5.5 Beta 3
WordPress 5.5 Beta 3 is now available! This software is still in development, so it’s not recommended to run this version on a production site. Consider setting up a test site to play with the new version. You can test WordPress 5.5 Beta 3 in two ways: Try the WordPress Beta Tester plugin (choose the “bleeding […]
Good news for MySQL 5.5 users! We have been able to remove the blocker from cPanel & WHM version 78 which prevented you from upgrading to our LTS version 86. Now you can upgrade to the supported version 86 even if you are still using MySQL 5.5. Keep in mind that cPanel and WHM version 86 contains rudimentary functionality only for existing installations of MySQL 5.5, and you should upgrade to MySQL 5.7 as soon …
Headless WordPress is a new and increasingly popular way to build web apps that combine WordPress’s peerless content management with the power and flexibility of JavaScript front-end interfaces. Many developers, including WordPress creator Matt Mullenweg, see headless as the future of web app development. We’re going to take a closer look at what headless WordPress is, how to use a headless content management system, and why you’d want to. But first, let’s talk about how …
WordPress 5.5 Beta 2
WordPress 5.5 Beta 2 is now available! This software is still in development, so it’s not recommended to run this version on a production site. Consider setting up a test site to play with the new version. You can test WordPress 5.5 beta 2 in two ways: Try the WordPress Beta Tester plugin (choose the “bleeding edge nightlies” […]
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0-3.9.19
- Exploit type: Information Disclosure
- Reported Date: 2020-Jun-17
- Fixed Date: 2020-July-14
- CVE Number: CVE-2020-15698
Description
Inadequate filtering in the system information screen could expose redis or proxy credentials
Affected Installs
Joomla! CMS versions 3.0.0 – 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0-3.9.19
- Exploit type: XSS
- Reported Date: 2020-Jun-08
- Fixed Date: 2020-July-14
- CVE Number: CVE-2020-15696
Description
Lack of input filtering and escaping allows XSS attacks in mod_random_image
Affected Installs
Joomla! CMS versions 3.0.0 – 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.0.0-3.9.19
- Exploit type: Incorrect Access Control
- Reported Date: 2020-Jun-02
- Fixed Date: 2020-July-14
- CVE Number: CVE-2020-15697
Description
Internal read-only fields in the User table class could be modified by users.
Affected Installs
Joomla! CMS versions 3.9.0 – 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.9.0-3.9.19
- Exploit type: CSRF
- Reported Date: 2020-May-07
- Fixed Date: 2020-July-14
- CVE Number: CVE-2020-15695
Description
A missing token check in the remove request section of com_privacy causes a CSRF vulnerability.
Affected Installs
Joomla! CMS versions 3.9.0 – 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 2.5.0-3.9.19
- Exploit type: Incorrect Access Control
- Reported Date: 2020-April-04
- Fixed Date: 2020-July-14
- CVE Number: CVE-2020-15699
Description
Missing validation checks at the usergroups table object can result in a broken site configuration.
Affected Installs
Joomla! CMS versions 2.5.0 – 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.7.0-3.9.19
- Exploit type: CSRF
- Reported Date: 2020-May-07
- Fixed Date: 2020-July-14
- CVE Number: CVE-2020-XXXXX
Description
A missing token check in the ajax_install endpoint of com_installer causes a CSRF vulnerability.
Affected Installs
Joomla! CMS versions 3.7.0 – 3.9.19
Solution
Upgrade to version 3.9.20
Contact
The JSST at the Joomla! Security Centre.
More than two thousand sites using Extended Validation certificates stopped working this weekend and remain inaccessible today (Monday), including those run by banks, governments, and online shops. The EV certificates used by these sites were revoked on Saturday, and have yet to be replaced. Most visitors using modern web browsers are completely locked out: this certificate error cannot be bypassed in Chrome, Firefox, Safari, or Microsoft Edge.

Chrome’s unbypassable revoked certificate interstitial on online.anz.com. ANZ is one of the “big four” Australian banks.
Last week, DigiCert disclosed a reporting discrepancy in its audit for EV certificates. As part of its response, DigiCert committed to revoking the certificates, which it intends to complete over the coming weeks. Only a subset of DigiCert’s EV certificates are affected: in the July SSL Server Survey, Netcraft found 17,200 EV certificates in active use on port 443 that are due to be revoked.
The first batch of revocations happened this weekend. While most of the certificates revoked on Saturday 11th July have been correctly replaced and reinstalled, many have not.
On Monday morning, Netcraft found 3,800 sites still using EV certificates issued by the affected sub-CAs. Of these 3,800, more than 2,300 were still using a revoked EV certificate, completely disabling the sites for users in modern browsers, which handle EV revocation more robustly than other types of certificate. The remainder are yet to be revoked.
Many organisations appear to have been caught unawares, continuing to use revoked EV certificates, including The State Bank of India, Rackspace, Authorize.net, ANZ Bank, and Telegram.

Authorize.net using a revoked EV certificate

The New Zealand government using a revoked EV certificate
Wirecard, the beleaguered German payment processor, briefly had its main site, www.wirecard.com, displaying a certificate warning early on Monday, but the certificate has since been replaced with a working non-EV certificate. There are still a number of Wirecard domains with revoked certificate warnings.
The current coronavirus pandemic has resulted in the closure of many pubs, restaurants, and brick-and-mortar retail stores. Many purchases that would previously have been made in person now take place online. In research commissioned by Visa, 89% of Britons have shopped online since the UK’s lockdown restrictions began, with 31% buying items online for the first time during this period. This increase in online shopping activity benefits criminal groups in that: smaller businesses newly reliant on online transactions provide attackers with a stream of inadequately-defended shopping sites to exploit, and buyers are far more likely to be driven to these compromised shops or to fake shops compared to before the pandemic.
JavaScript skimmers run on compromised shopping sites. When shoppers enter their payment details, the skimmer secretly sends a copy to the attacker – potentially even if the customer does not complete the transaction. Even the most careful of users can be victims of these attacks, as they appear on compromised but otherwise well-intentioned shops with no visual indication of their presence.
Fake shops are another threat. Shoppers seeking bargains may unknowingly find themselves on a fake shop which claims to offer the products they want at a highly discounted price, but the victim will subsequently only receive counterfeit goods, no goods at all, or have the transaction aborted after entering credentials, which is equivalent to a phishing attack.
Fake shops also take advantage of the pandemic by offering goods in high demand due to coronavirus, such as N95 masks. The FBI has released a Public Service Announcement about an increase in online shopping scams involving the sale of counterfeit healthcare products such as Personal Protective Equipment (PPE). To date, Netcraft has blocked over a thousand such coronavirus-themed fake shops, 80,000 other fake shops selling all sorts of counterfeit goods, and around 3,500 compromised shops hosting JavaScript skimmers.
The Netcraft browser extension and mobile apps provide protection against fake shops as well as legitimate shopping sites that have been compromised with JavaScript skimmers. When an extension or app user visits one of these dangerous shops, Netcraft will block access to the shop and alert them:

Visiting a fake shop without the Netcraft extension

Visiting a fake shop with the Netcraft extension
Choosing a hosting platform in 2020 is more like navigating a labyrinth, and with so many options, it can seem like a daunting task. Over the past decade, the web hosting market has grown over 100%, currently valued at $62 billion in 2020. As with much of technology in the past decade, web hosting is in constant flux. From new technologies to consolidation and acquisitions, the competition in the industry has never been so fierce. Aspects to consider …
The “Error establishing a database connection” message strikes fear in a WordPress user’s heart, prompting many a panicked support request. You try to load a page, but all you see is a white box with a mysterious error message. WordPress is down and the “helpful” suggestions beneath the error are more confusing than useful. How can you fix a database error when you can’t even open the admin dashboard to see what’s wrong? Fortunately, “Error …
The post How to Integrate Plesk Premium Email with Plesk Email Security appeared first on Plesk.
WordPress 5.5 Beta 1
WordPress 5.5 Beta 1 is now available for testing! This software is still in development, so it’s not recommended to run this version on a production site. Consider setting up a test site to play with the new version. You can test the WordPress 5.5 beta in two ways: Try the WordPress Beta Tester plugin (choose the “bleeding […]
The web is awash with malware, and, as anyone who administers websites knows, web servers are a prime target. Malware criminals absolutely love web hosting servers because they have exploitable network resources, they attract lots of visitors, and they are a rich source of data for identity theft and credit card fraud. Servers are also targets because they host software managed by non-technical publishers and retailers that don’t prioritize security. Ignoring software updates or dealing …
June was an exciting month for WordPress! Major changes are coming to the Gutenberg plugin, and WordCamp Europe brought the WordPress community closer together. Read on to learn more and to get all the latest updates. WordPress 5.4.2 released We said hello to WordPress 5.4.2 on June 10. This security and maintenance release features 17 […]
How Open Source Software is changing the world: In the past decade, Open Source Software has become a legitimized business model and has taken the world by storm. What started back in the 1980s as a free software initiative has grown into massive volunteer communities and industry-leading software platforms. A recent CB Insights report estimates that the Open Source service industry will reach nearly $33 billion by 2022. The History of Open Source Software: Open Source Software has its roots …
Online shopping has surged since lockdown started in March. Many of us, looking to be healthier, have headed online for sports equipment and a number of sportswear retailers have reported booming online sales. John Lewis recorded a 72% increase in total sports shoe sales, while Adidas and Puma have both seen an increase in ecommerce revenue.
Shoppers browsing online for the best deals, however, need to take care, as many people would be surprised at the scale of fake shops. Each day we find new fake shops designed to entice shoppers away from bona fide outlets, as many brands have yet to find effective countermeasures.
Counterfeit shoes, clothing and other accessories are estimated to lose the industry more than €26 billion each year in the EU alone, while the loss due to all online counterfeiting is estimated at $323 billion a year. The OECD estimated that over 3% of all imports worldwide are counterfeit.
Traditionally fake shops claim to sell luxury consumer goods at highly discounted prices. We have seen fake shops using at least three different models:
- Payment is accepted, but no goods are delivered.
- At the end of the checkout process, an error message is displayed such as “Out of Stock” and no transaction occurs. This is equivalent to a phishing attack, as the fake shop has the consumer’s credentials.
- Payment is accepted, and goods are delivered. The quality of goods varies between junk and identical to the bona fide item.
Trainers are the most counterfeited goods
We are currently blocking around 75,000 fake shops in our extension and apps. Of these, roughly half target a specific brand, such as Nike or Adidas. About 70% of the fake shops selling branded goods sell shoes, predominantly trainers.
Corroborating this, European customs authorities handle more cases of counterfeit sports shoes than any other type of product.

Fake shops by type of goods sold
The future of brick and mortar shops has been changing into a hybrid of traditional and digital, and the current health crisis is fast-tracking the digital experience. As the stay-home orders came in, and only essential business could remain open with some others slowly opening with restrictions, the e-commerce industry and digital brands went into overdrive. Brick-and-Mortar retailers traditionally offer products and services to their customers face-to-face in a storefront that gives them a unique advantage over …
Although Apache and NGINX are both web servers, they approach the task of serving web pages differently. Each has advantages and trade-offs, which prompts the question: can I use NGINX with cPanel? The short answer is yes, you can use NGINX with cPanel; however, its integration is a little tricky. Let’s explore the ways cPanel users can take advantage of NGINX’s strengths, and look at how we are working to make NGINX a viable alternative …
While the asphalt highways were silent and working from home became the norm, the internet superhighway expanded. In the first half of 2020, everything quickly ground to a halt worldwide, and the internet became our lifeline to the outside world. Throughout the past 20 years, we have seen the internet grow in times of crisis, but never in history have we as a planet used the internet as much for our day to day lives. …
We have released cPanel & WHM® Version 88 and it’s packed with some exciting long-awaited updates. These include MySQL® 8 support, upgrading to Roundcube 1.4 webmail with responsive mobile themes and Calendar and Contacts Support (CCS) and the inclusion of free ImunifyAV protection for your server. We’re going to take a deeper dive into some of the other useful updates included in Version 88 in this article. Here’s a list of other improvements in Version …
The post Enable Security for Your Business and Teams Even When Remote appeared first on Plesk.
It’s happened to most of us: you just launched a marketing campaign and went to check your sales, and your website is a blank white screen! If it hasn’t happened to you yet, read on. Hosting outages can send you into panic mode, especially if you run an e-commerce website. The loss of potential income can send you into a frenzy and keep you on hold with your hosting company for hours at a time – to quote …