
30 plugin exploits to backdoor WordPress sites

Graybeard

The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.

The targeted plugins and themes are the following:

 


This has been going on for many years. As soon as WP was launched, these practices began.
 
This is just one of the many reasons not to use WP for affiliate marketing (et al). In the long run, a properly coded site with the appropriate addons on the server is cheaper to manage and protect, albeit a little more money at the onset.

I like the idea of WP for various projects, and used it on some from 2004 until 2012, but in the end I had to stop using it due to the constant attacks, platform/plugin conflicts, and the various frontend and backend restrictions.

I really think that in the end, as we see, read, and hear from here and elsewhere, the majority of the users are looking for something quick and easy. In the end they learn it was never that, can't be that, and they need someone to come in and do the work they either don't have the skills to do, don't want to learn those skills, or need the platform to do more than it was intended for.
 
quick and easy
At first glance WP seems to be the ticket.
WP is really very high maintenance
  • Daily backups and you need to prune it to the past few days.
  • Frequent or auto-updates of the core.
  • Open FTP ports and vulnerabilities.
  • Serious limitations in back-end code --all CMS platforms really --they are convenient until they are not.
  • Plug-in hell
 

Great shortlist.

We see this with so many other "ready made" stuff. Great ideas, wonderful prospects, but just too many vulnerabilities, limitations, and excessive maintenance. The classic love/hate relationship.

For now, I'll stick with my dev guys and "from scratch" developed sites. It's cheaper, more secure, and profitable long term for me, and I always believe for others as well.
 
Here's a new one
All In One SEO (AIOSEO) plugin, which has over three million active installations, is vulnerable to two Cross-site scripting (XSS) attacks.
 
I remember when that plugin came out. I tested it and did a comparison with Yoast. I found Yoast more in line with my needs at the time. I'm sure that many of these plugins have security issues that either go unnoticed or unreported.
 
Is there any reliable way to defend against such attacks other than not using them?

Hire a security professional on Fiverr or Freelancer and have them check your site for vulnerabilities a few times a year. Once you have a well-established business model you'll likely have a few different part-time developers for various needs.

There are some free tools out there to get you started and to help you understand the risks out there and some of the solutions. Just search for Free Site Security Scan.
 
87% of Container Images in Production Have Critical or High-Severity Vulnerabilities
Docker etc ...

Looking for an easy solution?
 

That is mostly due to placing the applications and image containers in the cloud. Most of those vulnerabilities reported are cloud vulnerabilities that can be mitigated with proper updates in a timely manner. Most of the updates available for cloud vulnerabilities are scheduled quarterly rather than immediate. This has long been an issue in companies going back many decades.
 
Have you ever run a Docker image and looked at what is inside? The images include the dependencies used.

npm still has images that the install shows as with critical vulnerabilities.


You 'should' be able to update the applications' dependencies independently.
 
Updates are dependent on the maintainer of the container you install, if you do not build your own container.

The container updates the whole container to the current one when it is loaded or reloaded.
So, if the maintainer (read: distributor) of that container does not update it, you can be running software that is not secure.

Same problem with WordPress plugins. They need to be maintained and updated.

PDO is the only secure way to use PHP with MySQL. Hard to work with though ...

PHP:
//boards/aff_fix/AIOSEO/wordpress/wp-includes/class-wpdb.php
        // Use the `mysqli` extension if it exists unless `WP_USE_EXT_MYSQL` is defined as true.
        if ( function_exists( 'mysqli_connect' ) ) {
            $this->use_mysqli = true;

            if ( defined( 'WP_USE_EXT_MYSQL' ) ) {
                $this->use_mysqli = ! WP_USE_EXT_MYSQL;
            }
        }

mysqli is not that secure
 