Hackers have exploited three zero-days to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence.
A cyber-criminal has hidden the code for a PHP backdoor inside the source code of a WordPress plugin masquerading as a security tool named "X-WP-SPAM-SHIELD-PRO."
For the past two and a half months, a WordPress plugin named Display Widgets has been used to install a backdoor on WordPress sites across the Internet.
Experts from security firm Wordfence say they have observed a wave of web attacks that took aim at unfinished WordPress installations.
Security researchers from Sucuri have found hacked WordPress sites that were altered to secretly siphon off cookies for user and admin accounts to a rogue domain imitating the WordPress API.
Polish security expert Dawid Golunski has discovered a zero-day in the WordPress password reset mechanism that would allow an attacker to obtain the password reset link, under certain circumstances.
Security researchers from ESET have discovered a new malware called Sathurbot that relies on malicious torrent files to spread to new victims and carries out coordinated brute-force attacks on WordPress sites.
A WordPress plugin installed on over one million sites has just fixed a severe SQL injection vulnerability that can allow attackers to steal data from a website's database.
The PHP team has unanimously voted to integrate the Libsodium library into the PHP core, making PHP the first programming language to support a modern cryptography library by default.
Attacks on WordPress sites using a vulnerability in the REST API, patched in WordPress version 4.7.2, have intensified over the past two days, as attackers have now defaced over 1.5 million pages, spread across 39,000 unique domains.
For the past few days, Google has been making a lot of webmasters very nervous, as its Google Search Console service, formerly known as Google Webmaster, has been sending out security alerts to people it shouldn't.
WordPress sites that haven't been updated to the most recent version, v4.7.2, released last week, are under attack as four hacking groups are conducting mass defacement campaigns.
The WordPress security team revealed yesterday they've secretly fixed a zero-day vulnerability in the WordPress CMS, which wasn't initially included in the official announcement.
The world of web technology changes at a rapid pace. New projects appear daily, and old tools retire to make room for new arrivals. During 2016, the web technology landscape has changed dramatically, with the arrival of AngularJS 2.0, the proliferation of React.js and maturation of several open-source CMS projects.
More details have surfaced regarding a recent wave of brute-force attacks (dictionary attacks to be more accurate) that have targeted WordPress sites over the past few weeks.
Over the past three weeks, the number of brute-force attacks against WordPress sites has almost doubled, according to WordPress security firm Wordfence.
WordPress creator and Automattic founder Matt Mullenweg announced today that upcoming versions of the WordPress CMS would include features that would require hosts to support HTTPS.