Coronavirus sees increase in hacking attempts

Security problems are still on the increase. Since the start of the COVID-19 pandemic, Cloudflare has reported that hacking and phishing attempts are up by 37%, and on some days it is blocking four to six times the number of attacks it would usually see.

See below for new WordPress plugin and theme vulnerabilities disclosed in April/May.

WordPress Core

WordPress 5.4.1 fixes 7 newly disclosed vulnerabilities affecting all earlier versions, so update to 5.4.1 or later –

  • Password Reset Tokens Were Not Properly Invalidated
  • Unauthenticated Users Could View Private Posts
  • Cross-Site Scripting Vulnerability in Customizer
  • Cross-Site Scripting Vulnerability in Search Block
  • Cross-Site Scripting Vulnerability in wp-object-cache
  • Cross-Site Scripting Vulnerability in File Uploads
  • Stored Cross-Site Scripting Vulnerability in Customizer

WordPress Themes

OneTone Theme has an Unauthenticated Stored Cross-Site Scripting vulnerability. REMOVE the theme: the vulnerability has been reported to the theme developer, who has not responded, so no fixed version is available.

Avada Theme versions below 6.2.3 have missing permission checks that allow arbitrary post creation, editing and deletion, and a Stored XSS vulnerability. Update to 6.2.3 or later.

WordPress Plugins

REMOVE the following unless and until an update is released –

  • Widget Settings Importer/Exporter
  • ThemeREX Addons
  • Catch Breadcrumb
  • WP GDPR Core
  • WP Post Page Clone
  • WTI Like Post
  • Chopslider
  • Form Maker by 10Web
  • Official MailerLite Sign Up Forms

UPDATE these commonly used plugins (a version given as "X and below" is vulnerable up to and including X; "below version X" means X is the fixed release) –

  • Accordion version 2.2.8 and below
  • Media Library Assistant versions 2.81 and below
  • GTranslate versions 2.8.51 and below
  • MapPress Maps for WordPress version 2.53.8 and below
  • WP-Advanced-Search versions 3.3.6 and below
  • LearnPress below version 3.2.6.9
  • Ninja Forms versions 3.4.24.1 and below
  • Elementor below version 2.9.8
  • Ultimate Addons for Elementor below version 1.24.2
  • Elementor Pro versions 2.9.3 and below
  • WooCommerce versions below 4.1.0
  • Add-on SweetAlert Contact Form 7 versions below 1.0.8
  • Paid Memberships Pro versions below 2.3.3
  • Visual Composer Website Builder versions below 27.0
  • Photo Gallery by 10Web versions below 1.5.55
  • Easy Testimonials versions below 3.6
  • Site Kit by Google versions below 1.8.0
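A script that audits an installed wp-content/plugins directory against the list above, added here as an example; it is not code from Skylime, WordPress or any of the plugin vendors. It reads the Version: line from each plugin's main file header (the same header WordPress reads) and reports remove, update or ok per plugin. The directory slugs used as keys (elementor, woocommerce, ninja-forms and so on), the REMOVE slugs, and the sample plugin headers are assumptions constructed for the example; the version thresholds are the ones listed on this page. Only a subset of the list is encoded, and the rest can be added in the same way.

```python
"""Audit a wp-content/plugins directory against the April/May advisory list."""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# "version X and below" entries: installed <= X means update. Slugs are assumed.
VULNERABLE_UP_TO = {
    "media-library-assistant": "2.81",
    "gtranslate": "2.8.51",
    "ninja-forms": "3.4.24.1",
    "elementor-pro": "2.9.3",
}
# "below version X" entries: X is the fixed release, installed < X means update.
FIXED_IN = {
    "learnpress": "3.2.6.9",
    "elementor": "2.9.8",
    "woocommerce": "4.1.0",
    "paid-memberships-pro": "2.3.3",
    "google-site-kit": "1.8.0",
}
# Plugins the advisory says to remove until a fix ships. Slugs are assumed.
REMOVE = {"wp-gdpr-core", "catch-breadcrumb", "wti-like-post", "chopslider"}

# Header lines WordPress reads from the main plugin file, e.g. " * Version: 2.9.7".
VERSION_RE = re.compile(r"^[\s*#/]*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)
NAME_RE = re.compile(r"^[\s*#/]*Plugin Name:\s*(.+?)\s*$", re.M)


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric components only: '3.4.24.1' -> (3, 4, 24, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def version_cmp(a: str, b: str) -> int:
    """-1, 0 or 1; shorter versions are zero-padded so '4.1' == '4.1.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def header_version(php_source: str) -> Optional[str]:
    """Declared version from the plugin header, or None if there is none."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def assess(slug: str, version: Optional[str]) -> str:
    """Verdict for one plugin: remove, update, ok, unknown or not-listed."""
    if slug in REMOVE:
        return "remove"
    if version is None:
        return "unknown"
    if slug in VULNERABLE_UP_TO and version_cmp(version, VULNERABLE_UP_TO[slug]) <= 0:
        return "update"
    if slug in FIXED_IN and version_cmp(version, FIXED_IN[slug]) < 0:
        return "update"
    if slug in VULNERABLE_UP_TO or slug in FIXED_IN:
        return "ok"
    return "not-listed"


def audit_sources(sources: Dict[str, str]) -> Dict[str, str]:
    """Map of slug -> main plugin file source, to slug -> verdict."""
    return {slug: assess(slug, header_version(src)) for slug, src in sources.items()}


def audit(plugins_dir: Path) -> Dict[str, str]:
    """Read each plugin's main file (the .php carrying 'Plugin Name:') and audit it."""
    sources: Dict[str, str] = {}
    for entry in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        sources[entry.name] = ""  # no header found -> version None -> unknown
        for php in sorted(entry.glob("*.php")):
            src = php.read_text(errors="replace")
            if NAME_RE.search(src):
                sources[entry.name] = src
                break
    return audit_sources(sources)


# Constructed sample headers (assumed, not copied from any real plugin release).
CONSTRUCTED = {
    "elementor": "<?php\n/*\nPlugin Name: Elementor\nVersion: 2.9.7\n*/\n",
    "woocommerce": "<?php\n/**\n * Plugin Name: WooCommerce\n * Version: 4.1.0\n */\n",
    "ninja-forms": "<?php\n/*\nPlugin Name: Ninja Forms\nVersion: 3.4.24.1\n*/\n",
    "wp-gdpr-core": "<?php\n/*\nPlugin Name: WP GDPR Core\nVersion: 1.0\n*/\n",
    "mystery-plugin": "<?php\n/* Plugin Name: Mystery */\n",
}

if __name__ == "__main__":
    for slug, verdict in audit_sources(CONSTRUCTED).items():
        print(f"{slug:20} {verdict}")
```

Point audit() at a real site's wp-content/plugins directory to check a live install; the constructed headers let the script run offline. Note that the version in the header is self-declared: a plugin that has been backdoored can claim any version it likes, so this is an update check, not an integrity check, and it does not replace a malware scan.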

Effective Measures to Minimise Risk

There are a number of measures you can take to minimise the risks to an acceptably low level –

  • Manage your web server carefully
    • control access
    • configure properly for security as well as performance
  • Update your WordPress software regularly
    • check for updates routinely (at least once a month), or use an updating service (like we provide at Skylime)
  • Backup your website files – this will enable a quick recovery when you get a problem
    • use at least 2 separate locations for your file storage, e.g. in the cloud and offline (e.g. on your own computer)
    • find a web host who provides automatic daily backups for you as part of their service
  • Change your passwords regularly
    • don’t re-use the same password
    • use a mix of upper-case and lower-case letters, numbers and symbols
    • use a minimum of 8 characters; longer is stronger, and a multi-word passphrase is easier to remember than a short random string
    • quickly change any shared logins and passwords when staff leave
    • remove access permissions if and when they are not needed
  • Run security software
    • choose and install a web application firewall plugin such as Wordfence for WordPress (equivalent plugins exist for other CMSs)
    • subscribe to and set up a cloud-based firewall service such as Sucuri
    • regularly run a malware scanner designed for websites

* * TIP * * – a password manager makes using a different, strong password for every login much easier
