News

Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin

By István Márton / January 10, 2024

On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view […]

What is the Principle of Least Privilege?

By Rianna MacLeod / January 9, 2024

If you own a website and collaborate with other people, the Principle of Least Privilege (PoLP) is a crucial security concept which has applications and benefits to strengthen your website security posture. Let’s dive in! Contents: Definition PoLP & Website Security Example of Principle of Least Privilege Default WordPress User Roles How PoLP Affects Websites […]

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 18, 2023 to December 31, 2023)

By Chloe Chamberland / January 8, 2024

Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Over the last two weeks, there were 263 vulnerabilities disclosed in 217 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and […]

Top 5 WordPress Referral Spam Plugins

By Shreya / January 4, 2024

Seeing unusually large traffic numbers in Google Analytics can be both confusing and concerning. Unfamiliar website referrals can redirect you to unwanted destinations and distort the true performance metrics of your site. Unfortunately, there is no way to remove spam in your traffic analytics. You can only prevent future spam attacks from here on out. […]

How to Stop a DDoS Attack in 5 Steps

By Victor Santoyo / January 2, 2024

As a webmaster, keeping your site online during large traffic spikes is what you strive for. But how can you be sure traffic spikes are legitimate? And more importantly, how do you react when they aren’t? The unfortunate reality is DDoS attacks can be a threat for websites big and small. In this post, we’ll […]

A Tale of Two Vulnerabilities

By Akshat Choudhary / January 2, 2024

When you see news of a 9.9 (or in some cases 8.8) vulnerability in Elementor, that is a cue to panic. When you see news of a 7.2 one in the tagDiv Composer plugin, with 140,000-odd installs? Concern, maybe. Panic, definitely not. Yet, here at MalCare, we barely saw any attacks trying to exploit the […]

How to Configure the Content Security Policy Header in WordPress

By Anurag Changmai / December 29, 2023

The Content-Security-Policy (CSP) HTTP header is a powerful tool in any WordPress site administrator’s arsenal. It aims to provide an extra layer of security for websites by preventing the loading of malicious scripts or content. Implementing the CSP header in WordPress may seem daunting. However, our experience of over 10 years in the WordPress ecosystem […]

How to Configure the X-XSS Security Header in WordPress

By Anurag Changmai / December 29, 2023

Are you concerned about protecting your WordPress site from Cross-Site Scripting (XSS) attacks? Wondering how to leverage browser capabilities to prevent malicious script injections? Do the varying levels of browser security among your users concern you? This is where setting up proper HTTP headers plays a pivotal role. And among these headers, the X-XSS security […]

WordPress Vulnerability & Patch Roundup December 2023

By Sucuri Malware Research Team / December 28, 2023

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this […]
