LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

Your Wordpress Has Been Scanned. Hope You Weren't Hacked.

Wordfence reports that hackers are widely attempting to exploit a vulnerability that it reported over three months ago.  According to The Register:

Wordfence disclosed the flaw almost three months ago, and in a new advisory this week warned that criminals are increasing attacks — the WordPress security shop claims it blocked an average of 443,868 attack attempts per day on its customers’ sites.

The vulnerability is around “Modern WPBakery Page Builder Addon” which was formerly sold on the Envato marketplace.  Its history is instructive.  Someone made something and published it, then walked away.  Some time later, a vulnerability was found.  Then some time after that, Wordfence published an alert.  There will never be a fix because the developer has abandoned the code.  Hence there are all these zombie sites ripe for attack.

WordPress is the most over-criticized and under-criticized platform.  Over-criticized because some people think that every WordPress installation can be trivially exploited, which isn’t true.  Under-criticized because if you treat WP like a plugin smorgasbord, it’s easy to employ crappy third-party code that leaves you wide open.  That’s what happened here.

The lesson is obvious: since you’re not going to do a line-by-line security analysis of your WP plugins, you should stick to plugins which are widely-used.  Of course, the more popular a plugin is, the more it is targeted, so maybe what you really need is a security plugin…sigh.
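As an added example (not LowEndBox's or Wordfence's code), here is a small Python audit for the risk the post describes: plugins with no update channel at all, plugins with no release in a year, and plugins with a tiny install base. The plugin rows, the metadata and the audit date are all constructed inline; the row shape follows `wp plugin list --format=json` and the metadata field names follow the wordpress.org plugin-info API with the date normalised to YYYY-MM-DD, both of which are assumptions.

```python
"""Flag installed WordPress plugins that look abandoned or unmaintained."""
from datetime import date, datetime

STALE_DAYS = 365              # no release in a year: treat as unmaintained
MIN_ACTIVE_INSTALLS = 10_000  # below this, few eyes are on the code

# Constructed sample input (assumption): rows shaped like the output of
# `wp plugin list --format=json`, one per installed plugin.
INSTALLED = [
    {"name": "akismet", "status": "active", "version": "4.1.2"},
    {"name": "marketplace-page-addon", "status": "inactive", "version": "1.0"},
    {"name": "tiny-gallery-widget", "status": "active", "version": "0.3"},
]

# Constructed sample metadata (assumption): per-slug fields named like the
# wordpress.org plugin-info API's, date normalised to YYYY-MM-DD. None means
# the plugin is not hosted there, i.e. no update channel (the marketplace
# case the article describes).
METADATA = {
    "akismet": {"last_updated": "2019-05-02", "active_installs": 5_000_000},
    "marketplace-page-addon": None,
    "tiny-gallery-widget": {"last_updated": "2016-01-10", "active_installs": 400},
}

AUDIT_DATE = date(2019, 8, 1)  # fixed so the result is reproducible


def risk_flags(meta, today):
    """Return the reasons a plugin deserves a closer look (empty = none)."""
    if meta is None:
        return ["no update channel"]
    last = datetime.strptime(meta["last_updated"], "%Y-%m-%d").date()
    flags = []
    stale_for = (today - last).days
    if stale_for > STALE_DAYS:
        flags.append("stale (%d days)" % stale_for)
    if meta["active_installs"] < MIN_ACTIVE_INSTALLS:
        flags.append("low install base")
    return flags


def audit(installed, metadata, today):
    """Map plugin name -> flags for every plugin that raised at least one.
    Inactive plugins are audited too: their PHP files stay on disk and are
    often reachable directly, so deactivating is not the same as removing."""
    report = {}
    for plugin in installed:
        flags = risk_flags(metadata.get(plugin["name"]), today)
        if flags:
            report[plugin["name"]] = flags
    return report
```

A plugin missing from the metadata entirely is treated the same as a marketplace-only one: nothing ships fixes for it, so it is flagged.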

Wordfence Attacks Report