WordPress 5.4.2 is now available! This security and maintenance release features 23 fixes and enhancements. Plus, it adds a number of security fixes—see the list below. These bugs affect WordPress versions 5.4.1 and earlier; version 5.4.2 fixes them, so you’ll want to upgrade. If you haven’t yet updated to 5.4, there are also updated versions […]
Archive for security
Your privacy is important, and securing your data is part of our mission here at cPanel. Because of this, we regularly review our privacy policy and privacy practices to refine them and to make sure that they accurately reflect how we collect, process, use, and store information. Based on our most recent review, we’ve made changes to our privacy policy. To help you understand these changes, you can follow this link to see a redline of our new privacy …
Over the past week, I’ve been thinking a lot about George Floyd, Breonna Taylor, and Ahmaud Arbery. I have been thinking about white supremacy, the injustice that Black women and men are standing up against across the world, and all the injustices I can’t know, and don’t see. The WordPress mission is to democratize publishing, […]
Next Level Ops Podcast: Must Haves for Managed WordPress Hosting with Andrey Kugaevskiy
The post Next Level Ops Podcast: Must Haves for Managed WordPress Hosting with Andrey Kugaevskiy appeared first on Plesk.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.7.0-3.9.18
- Exploit type: XSS
- Reported Date: 2020-May-08
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-13760
Description
Missing token checks in com_postinstall cause CSRF vulnerabilities.
Affected Installs
Joomla! CMS versions 3.7.0 – 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Moderate
- Versions: 3.0.0-3.9.18
- Exploit type: XSS
- Reported Date: 2020-April-10
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-11022 and CVE-2020-11023
Description
The jQuery project released version 3.5.0, and as part of that, disclosed two security vulnerabilities that affect all prior versions. As mentioned in the jQuery blog, both are “[…] security issues in jQuery’s DOM manipulation methods, as in .html(), .append(), and the others.”
The Drupal project has backported the relevant fixes back to jQuery 1.x and Joomla has adopted that patch.
Affected Installs
Joomla! CMS versions 3.0.0 – 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0-3.9.18
- Exploit type: XSS
- Reported Date: 2020-May-06
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-XXX
Description
Incorrect input validation of the module tag option in com_modules allows XSS attacks.
Affected Installs
Joomla! CMS versions 3.0.0 – 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 2.5.0-3.9.18
- Exploit type: Insecure Permissions
- Reported Date: 2020-April-23
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-13763
Description
The default settings of the global “textfilter” configuration do not block HTML input for ‘Guest’ users. With 3.9.19, the textfilter for new installations has been set to ‘No HTML’ for the groups ‘Public’, ‘Guest’ and ‘Registered’.
Affected Installs
Joomla! CMS versions 2.5.0 – 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 3.0.0-3.9.18
- Exploit type: XSS
- Reported Date: 2020-May-06
- Fixed Date: 2020-June-02
- CVE Number: CVE-2020-13761
Description
Lack of input validation in the heading tag option of the “Articles – Newsflash” and “Articles – Categories” modules allows XSS attacks.
Affected Installs
Joomla! CMS versions 3.0.0 – 3.9.18
Solution
Upgrade to version 3.9.19
Contact
The JSST at the Joomla! Security Centre.
May was an action-packed month for WordPress! WordPress organizers are increasingly moving WordCamps online, and contributors are taking big steps towards Full Site Editing with Gutenberg. To learn more and get all the latest updates, read on. Gutenberg 8.1 and 8.2 Gutenberg 8.1 was released on May 13, followed quickly by Gutenberg 8.2 on May […]
We’ve all had to ask for help at some point, usually when we are ready to have a moment like the crew in the movie “Office Space” going to town on that jammed printer. Then, when we have to submit a support ticket, it can be frustrating to explain everything and go back and forth with questions and answers before the support team is able to start problem solving and help you. Knowing what the …
Everyone gets excited when their favorite software gets an update! The Drupal Community is currently abuzz about the release of Drupal 9. Wondering what the big deal is? Let’s talk about Drupal and the new improvements. The Drupal project was started 20 years ago by Dries Buytaert in his college dorm room as one of the world’s first Open-Source Content Management Systems. Online years before WordPress or Joomla, …
Next Level Ops Podcast: Tips for Keeping Your Server Secure with Igor Antipkin
The post Next Level Ops Podcast: Tips for Keeping Your Server Secure with Igor Antipkin appeared first on Plesk.
Softaculous makes installing popular software on your web server a breeze! Click to learn how to use it with your cPanel & WHM server in this article.
Website security is one of the most important aspects of running an online presence. A hacked website can lead to countless hours of debugging and repair, loss of income, loss of credibility and lawsuits. With over 30,000 new small business website hacks a day and numerous corporate breaches, not a day goes by without a compromised site showing up in the news. Over the past decade, hackers have targeted the top three open-source Content Management Systems:
Secure a Plesk Hosted Email Account using SpamAssassin, ClamAV and Amavis
Here’s a comparison of the latest Plesk security extensions we released this year, protecting your sites from threats and available for your Plesk platform.
The post Secure a Plesk Hosted Email Account using SpamAssassin, ClamAV and Amavis appeared first on Plesk.
If we have learned one thing from the 2020 COVID-19 situation, access to online resources and training is vital to keep businesses going. Online education has exploded due to school closures, and the learn-from-home approach has become the current standard. The hosting industry has also thrived in this arena, for example, Alibaba Cloud deployed more than 100,000 new cloud servers in two hours and set a new record for rapid capacity expansion. At cPanel, our work is a hybrid …
Whether you want to sell your idea to your leadership or want a more solidified project proposal backed by proof, we are going to equip you with the tools you need to improve your success. We’ll walk you through step by step what to do before you plan your proposal. You want to find the best way to devise a plan that will support your idea with hard data and approvals will be a breeze. …
April continued to be a challenging time for the WordPress community, with many under stay-at-home recommendations. However, it was also an exciting month in which we created new ways to connect with and inspire each other! This month, amazing contributors moved more WordCamps online and shipped new releases for WordPress and Gutenberg. For the latest, […]
The web hosting industry has made significant changes in the past decade, and customer expectations have moved far beyond storage to a services-driven market. In 2020 there are about 2 billion websites online, and a new domain is registered every 2 seconds. The growth of the internet continues to reach new highs and new markets. In the hosting sector, growth can come in many forms. How does a hosting company increase revenue and continue to …
If you have an email address with your own domain name, you need to be able to access those emails on the go. According to Statista.com, there are more than 100 million iPhone users in the United States. In the past, if you had an email account set up with a personalized domain name, you would be required to either log into Webmail to check your email or connect your email to a 3rd …
WordPress 5.4.1
WordPress 5.4.1 is now available! This security and maintenance release features 17 bug fixes in addition to 7 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated. WordPress 5.4.1 is a short-cycle security and maintenance release. The next […]
As you learned in our Intro to Server Security, securing your server is one of the most important things you need to do when you’re setting up and maintaining your cPanel server. We’re building on the knowledge presented in the introduction to provide more advanced tips for server security. In this article, you’ll learn more in-depth techniques and best practices for safeguarding your site, server, and account from hackers. We’ll cover security topics like: Managing Shell Access Recommended Security Settings …
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 2.5.0 – 3.9.16
- Exploit type: Incorrect Access Control
- Reported Date: 2020-March-13
- Fixed Date: 2020-April-21
- CVE Number: CVE-2020-11889
Description
Incorrect ACL checks in the access level section of com_users allow the unauthorized deletion of usergroups.
Affected Installs
Joomla! CMS versions 2.5.0 – 3.9.16
Solution
Upgrade to version 3.9.17
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Moderate
- Severity: Low
- Versions: 2.5.0 – 3.9.16
- Exploit type: Incorrect Access Control
- Reported Date: 2020-February-27
- Fixed Date: 2020-April-21
- CVE Number: CVE-2020-11890
Description
Improper input validation in the usergroup table class could lead to a broken ACL configuration.
Affected Installs
Joomla! CMS versions 2.5.0 – 3.9.16
Solution
Upgrade to version 3.9.17
Contact
The JSST at the Joomla! Security Centre.
- Project: Joomla!
- SubProject: CMS
- Impact: Low
- Severity: Low
- Versions: 3.8.8 – 3.9.16
- Exploit type: Incorrect Access Control
- Reported Date: 2020-March-13
- Fixed Date: 2020-April-21
- CVE Number: CVE-2020-11891
Description
Incorrect ACL checks in the access level section of com_users allow the unauthorized editing of usergroups.
Affected Installs
Joomla! CMS versions 3.8.8 – 3.9.16
Solution
Upgrade to version 3.9.17
Contact
The JSST at the Joomla! Security Centre.
Securing your server is one of the most important things you need to do when you’re setting up your cPanel for the first time. There are multiple steps you should take to be proactive about protecting your server. Most people understand the need to protect their website from vulnerabilities, but don’t realize their hosting server needs protection, too. When hackers discover they can’t get directly into your website, they’ll try to break in through your cPanel …
Governments and organisations globally have been making announcements that just a few weeks prior would have been unprecedented. As more of our lives move online in an attempt to adapt to changes brought about by the Coronavirus pandemic, many are trying out services they were previously unfamiliar with, such as video conferencing or online grocery shopping, while others are finding themselves with more time to pursue online hobbies such as gaming.
The combined effect of information overload and a mass of people using unfamiliar software and services has created an environment ripe for exploitation by cybercriminals.
Netcraft has tracked Coronavirus-themed cybercrime since 16th March, shortly after it was declared a pandemic by the World Health Organisation. While Netcraft continues to see high volumes of Coronavirus-inspired fake shops, advanced fee fraud, phishing and malware lures, this post covers some of the trends Netcraft has observed since our previous posts on the topic.
Recently observed Coronavirus-themed threats
Fake Government information sites and mobile malware
Many governments have set up dedicated websites offering advice and services to support their citizens through the pandemic. Cybercriminals are taking advantage of this by providing copy-cat sites with a malicious twist.
In one recent campaign, the cybercriminals deployed a site that poses as the UK Government and offers “credit card refunds” for “COVID-19 support”. The fraudulent site uses UK Government branding and collects the victim’s personal information – including their credit card number, date of birth and telephone number.

Netcraft has added protection from Coronavirus-related cybercrime to its mobile apps for Android and iOS, and to its browser extensions for Chrome, Firefox, Opera, and Microsoft Edge. Websites containing these attacks will be blocked for those who have the app or extension installed. The iOS app — currently available in the UK and Canada — blocks Coronavirus-themed attacks impersonating Canadian and UK businesses as well as providing global coverage of fake shops purporting to sell Coronavirus-related goods.
Any Coronavirus-related cybercrime can easily be reported through the extension or app, by emailing scam@netcraft.com, or at report.netcraft.com, protecting other users from these attacks.

The Netcraft Browser Extension now blocks Coronavirus-related cybercrime
Since 16 March Netcraft has been monitoring and disrupting Coronavirus-themed cybercrime, which accounts for five percent of the attacks we perform countermeasures against and is becoming more prevalent on the internet.
The Netcraft App can be downloaded from any of the three major app stores:
The Netcraft Extension can be downloaded for any of the four major browsers:
Starting your own web hosting business is much simpler now that technology and customer reach are improving, but the model is still changing all the time. During the “Wild West” era of the internet 20+ years ago, users were confined to a small number of web hosting providers. At that time, hard drive/storage space was quite limited, ranging from 35KB to 2MB, depending on the provider. For shared hosting, the average storage space was just 153MB. In …