Keeping your WordPress Blogs Speedy & Secure

Archives for : Security

WordPress 4.7.3 Security Release – Important

WordPress 4.7.3 is now available. This is a security release for all previous versions and we at BlogSec strongly encourage you to update your sites immediately.

Security issues fixed:

    Cross-site scripting (XSS) via media file metadata.
    Control characters can trick redirect URL validation.
    Unintended files can be deleted by administrators using the plugin deletion functionality.
    Cross-site scripting (XSS) via video URL in YouTube embeds.
    Cross-site scripting (XSS) via taxonomy term names.
    Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.

In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Please contact BlogSec if you’d like assistance in keeping your sites secure!

Sloppy patching, insecure plug-ins made Panama Papers leak possible

WordPress Attacks: Time To Wake Up

High-profile WP sites hacked: MIT, NEA and Penn State servers.

PCI DSS & WordPress

I gave a presentation last night on the PCI DSS Credit-Card security standards and how they apply to WordPress eCommerce users.

The slides can be downloaded here.

Please contact us if you need help securing your eCom sites.


General PCI DSS information & resources: (SAQs are here)

CheckMarx reports on insecurity in top plugins

CheckMarx reports they have analyzed the 50 most popular WordPress plugins and found:

  • 20% of the most popular plugins are vulnerable to common Web attacks
  • 7 of the 10 most popular eCommerce plugins are vulnerable to common Web attacks

One might guess that less popular plugins are often worse, on average.


  1. Only download plugins from
  2. Keep your plugins up-to-date
  3. Uninstall unused plugins
  4. Especially for e-Commerce sites, limit the number of plugins
  5. Avoid plugins which appear to be long out-of-date or abandoned

BotNet attacking WordPress hosts with brute-force password attempts

Ars Technica reports a BotNet with 90,000 IP addresses is trying to brute-force WordPress installs via password guessing. recommends performing the following steps immediately to protect your sites from getting hacked:

  1. disable or rename default admin accounts (replace them with different name-based accounts with strong passwords)
  2. limit the number of admin / network admin accounts
  3. install a plugin such as Limit Login Attempts

Pass-Phrase advice cartoon

WordPress Cache plugins vulnerable, actively exploited

Vulnerabilities have been found in 2 caching plugins: W3 Total Cache and WP Super Cache… be sure you update your plugins!