News
Introducing Wordfence CLI 3.0.1: Now With Automatic Remediation!
Note: This post refers to Wordfence CLI, the command line tool for operations teams to rapidly scan large numbers of WordPress websites for vulnerabilities and malware, not the Wordfence plugin which is deeply integrated into WordPress and provides additional functionality, like a firewall, two-factor authentication and more. We’re excited today to announce Wordfence CLI 3.0.1, […]
6 Best WordPress Activity Log Plugins Reviewed
As a WordPress site owner, you need to know what is happening on your site all the time: who has made what change when. An activity log plugin, as the name suggests, captures every action and event that occurs on your site. It is a great way to keep accountability, and can be an early […]
The Dangers of Lateral Movement & Website Cross Contamination
One of the most frequent problems that we observe in website hosting environments is “cross contamination” — the lateral movement of an attacker between websites. Cross-site contamination occurs when a site is infected by neighboring sites within the same hosting environment due to poor isolation on the server or account configuration. In this post we […]
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 8, 2024 to January 14, 2024)
Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 67 vulnerabilities disclosed in 60 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 […]
How to Recover Your WordPress Account
Recovering access to a WordPress account can be incredibly frustrating. Perhaps you’ve changed developers and the new one can’t access wp-admin. Or someone has been careless and lost their credentials, the password reset link isn’t working, and you can’t log in, no matter what you have tried. The good thing is, it’s possible. We’ve tried […]
Ultimate Guide To WordPress User Enumeration
As a developer setting up security measures or a new WordPress site owner learning about various ways to secure your site, you likely have concerns about user enumeration. It’s a vector through which attackers can glean usernames—a first step towards unauthorized access. The stakes are high, as a compromised username list can lead to targeted […]
Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin
On December 11, 2023, we added an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin to our Wordfence Intelligence Vulnerability Database. This vulnerability, which was originally reported by WPScan, allows an unauthenticated attacker to inject arbitrary JavaScript that will be executed whenever a user accesses an injected page. Later on January 10th, 2024 […]
Wordfence Intelligence Weekly WordPress Vulnerability Report (January 1, 2023 to January 7, 2023)
Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 85 vulnerabilities disclosed in 74 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 […]
Thousands of Sites with Popup Builder Compromised by Balada Injector
On December 11, 2023, WPScan published Marc Montpas’ research on the stored XSS vulnerability in the popular Popup Builder plugin (200,000+ active installations) that was fixed in version 4.2.3. A couple of days later, on December 13th, the Balada Injector campaign started infecting websites with older versions of the Popup Builder. The attack used a […]