
Simplio Labs Blog

“Once we accept our limits, we go beyond them.”

Albert Einstein

Elegant Themes Divi Theme Code Injection Vulnerability

WordPress

If you are using the WordPress Divi theme, you might want to update it right away. Just last week, Elegant Themes announced that several of their products contained a code injection vulnerability, which their team discovered during a routine code audit.

What is the vulnerability?

Code injection, also called remote code execution (RCE), is a general term for attacks that exploit poor handling of untrusted data. Such a vulnerability can allow an attacker to install malware on a website. The Divi vulnerability allows logged-in users to execute a small set of PHP functions.

Who is affected?

WordPress websites using Divi version 3.23 and above, Extra 2.23 and above, or Divi Builder version 2.23 and above are affected.

What is the fix?

Updating your themes and plugins will fix this problem. You can update them from within your WordPress dashboard, or download the latest versions from the members area and update them manually.

Millions of Sites Exposed by Flaw in Jetpack WordPress Plugin

WordPress

Admins and owners of WordPress websites are urged to immediately apply the Jetpack 7.9.1 critical security update to prevent potential attacks that could abuse a vulnerability that has existed since Jetpack 5.1.

You can update your installation to version 7.9.1 through your dashboard, or download the Jetpack 7.9.1 release and install it manually.

Jetpack is an extremely popular WordPress plugin that provides free security, performance, and site management features including site backups, secure logins, malware scanning, and brute-force attack protection.

The plugin has over 5 million active installations and was developed, and is currently maintained, by Automattic, the company behind WordPress.

Not yet exploited in the wild

The vulnerability was found in the way Jetpack processed embed code, and Adham Sadaqah was credited for responsibly disclosing the security issue.

While few details were disclosed about the flaw, to protect sites that haven’t yet updated, the Jetpack announcement says that the bug affects every version starting with the 5.1 release, which goes back as far as July 2017.

The Jetpack developers state that, up to the release of the critical 7.9.1 security update, no evidence had been found that the vulnerability was being exploited in the wild.

Active Jetpack versions

“However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability,” the developers warn.

The development team also says that they worked with the WordPress.org Security Team to release patches for every version of Jetpack since 5.1 and that “most websites have been or will soon be automatically updated to a secured version.”

Millions already patched

At the moment, over four million of the more than five million WordPress websites that use Jetpack have already been updated, according to its entry on the WordPress Plugins site.

“Versions released today include 5.1.1, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, 5.7.2, 5.8.1, 5.9.1, 6.0.1, 6.1.2, 6.2.2, 6.3.4, 6.4.3, 6.5.1, 6.6.2, 6.7.1, 6.8.2, 6.9.1, 7.0.2, 7.1.2, 7.2.2, 7.3.2, 7.4.2, 7.5.4, 7.6.1, 7.7.3, 7.8.1, 7.9.1,” the Jetpack dev team says.
Jetpack downloads history

Jetpack received another security update to address an issue found during an internal audit of the Contact Form block in December 2018, and a critical security update patching a vulnerability in the way some Jetpack shortcodes were processed in May 2016.

Last year, hackers also found a method of installing backdoored plugins on WordPress websites using weakly protected WordPress.com accounts and the Jetpack plugin’s remote management feature.


Source: www.bleepingcomputer.com

Credit Skimmers Vulnerability

Developers, E-Commerce, What's New, WordPress

We often write about malware that steals payment information from sites built with Magento and other types of e-commerce CMS.

When discussing credit card skimmers like Magecart, it’s sometimes overlooked that WordPress also has a decent share of the e-commerce segment. There are numerous popular plugins that can easily turn a WordPress site into a full-featured online store. In fact, WooCommerce alone has over 5 million installations.

Credit Card Skimmer Injected in WordPress Core

Our friend Salvador Aguilar over at Kinsta recently shared a few samples of malware found in the WordPress core files wp-includes/js/wp-util.min.js and wp-includes/js/admin-bar.min.js.

Both JavaScript files contained the same injected code, found at the very top of each file and shown in the screenshot below.

Injected malware found in wp-includes/js/wp-util.min.js and wp-includes/js/admin-bar.min.js

This injected code is a typical credit card skimmer loader: the “e.src=atob(...)” assignment sets the script element’s source from a base64-encoded URL, which the browser decodes at runtime. In this case, it decodes to “hxxps://zendesk-chart[.]com/top/aco.js”.

Common Skimmer Variants Found on Magento

We regularly find these types of injected scripts on Magento sites. They use variations of atob (base64) obfuscation, along with hundreds of different domains and customised URLs.

For example, on one Magento site we found a nearly identical copy of the skimmer script (referenced above), with only a slight variation. This variant loads the skimmer from hxxps://zendesk-chart[.]com/uk/google.js (instead of /top/aco.js), which works with the checkout form for that particular site.

Domains Used by This Malware Campaign

Zendesk-chart[.]com was created on September 13, 2019, and it is now hosted on 185.254.121.64.

A quick lookup shows that the same server in Russia hosts the following domains:

jquery-web[.]com – Creation Date: 2019-01-21
jquery-stats[.]com – Creation Date: 2019-03-30
tracker-visitors[.]com – Creation Date: 2019-04-19
jquerycodemagento[.]com – Creation Date: 2019-08-11
gooqleadvstat[.]com – Creation Date: 2019-09-13
gooqlemgrteg[.]com – Creation Date: 2019-09-13
zendesk-chart[.]com – Creation Date: 2019-09-13
jquerystatic[.]com – Creation Date: 2019-09-13

All of these domains serve multiple versions of credit card stealers that can be found in the wild, injected into various e-commerce sites.

hxxps://jquerycodemagento[.]com/my/jd.js
hxxps://jquery-stats[.]com/u/redacted.js
hxxp://jquery-web[.]com/wp/redacted.js
hxxps://tracker-visitors[.]com/my/jun.js
hxxps://gooqlemgrteg[.]com/ajax/jquery.js
hxxps://gooqleadvstat[.]com/ajax/maria.js
hxxps://jquerystatic[.]com/good/hard.js
…etc…
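The decoding step described above and the indicator list that follows lend themselves to a small triage script. The Python below is an added example, not code from the original post: it pulls every atob('...') literal out of a JavaScript file, base64-decodes it, extracts any URL it finds and compares the host against the skimmer domains listed on this page (refanged from the hxxp / [.] notation); any other external loader host not on a site-specific allow-list is reported as well. The injected sample is constructed to mimic the described pattern and is not the real malware.

```python
"""Flag atob()-obfuscated external script loaders in JavaScript files.

Added example (not from the post).  Decodes base64 literals passed to atob(),
pulls any URL out of the result and checks the host against the skimmer
indicators listed in the post.  The sample files below are constructed.
"""
import base64
import re
from urllib.parse import urlparse

# Indicators as written in the post (defanged).
DEFANGED_IOCS = [
    "hxxps://zendesk-chart[.]com/top/aco.js",
    "hxxps://zendesk-chart[.]com/uk/google.js",
    "hxxps://jquerycodemagento[.]com/my/jd.js",
    "hxxps://jquery-stats[.]com/u/redacted.js",
    "hxxp://jquery-web[.]com/wp/redacted.js",
    "hxxps://tracker-visitors[.]com/my/jun.js",
    "hxxps://gooqlemgrteg[.]com/ajax/jquery.js",
    "hxxps://gooqleadvstat[.]com/ajax/maria.js",
    "hxxps://jquerystatic[.]com/good/hard.js",
]


def refang(indicator):
    """Turn a defanged indicator (hxxps, [.]) back into a parseable URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


KNOWN_BAD_HOSTS = {urlparse(refang(i)).hostname for i in DEFANGED_IOCS}

# atob('...') / atob("...") with a base64 literal.  Loaders that pass a
# variable instead of a literal are not caught by this pattern.
ATOB_LITERAL = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")
URL_IN_TEXT = re.compile(r"""https?://[^\s'"<>()]+""")


def decode_atob_literals(js_source):
    """Return the decoded text of every base64 literal passed to atob()."""
    decoded = []
    for match in ATOB_LITERAL.finditer(js_source):
        try:
            raw = base64.b64decode(match.group(2), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def scan_js(js_source, allowed_hosts=()):
    """Return (url, host, verdict) for each decoded loader URL worth a look.

    verdict is 'known-skimmer-domain' for a host on the post's IoC list and
    'unknown-external-loader' for any other host not in allowed_hosts.
    """
    findings = []
    for text in decode_atob_literals(js_source):
        for url in URL_IN_TEXT.findall(text):
            host = urlparse(url).hostname
            if host in KNOWN_BAD_HOSTS:
                findings.append((url, host, "known-skimmer-domain"))
            elif host not in allowed_hosts:
                findings.append((url, host, "unknown-external-loader"))
    return findings


def constructed_sample(loader_url):
    """Build a sample mimicking the described injection: a script element whose
    src comes from atob().  Constructed for this example, not the real code."""
    encoded = base64.b64encode(loader_url.encode()).decode()
    return (
        "(function(){var e=document.createElement('script');"
        "e.src=atob('" + encoded + "');document.head.appendChild(e);})();"
        "/* genuine minified wp-util code would follow here */"
    )


SAMPLE_SKIMMER_JS = constructed_sample("https://zendesk-chart.com/top/aco.js")
SAMPLE_BENIGN_JS = "var t=atob('aGVsbG8=');console.log(t);"  # decodes to 'hello'

if __name__ == "__main__":
    for label, source in [("wp-util.min.js (sample)", SAMPLE_SKIMMER_JS),
                          ("benign.js (sample)", SAMPLE_BENIGN_JS)]:
        for url, host, verdict in scan_js(source):
            print(f"{label}: {verdict} -> {url}")
```

Run it against a copy of wp-includes/js taken from the suspect site; a hit on a core file is reason enough to reinstall WordPress core from a fresh download and rotate credentials, since the loader is only the visible part of the compromise.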

Mitigation Steps

What is evident is that this is definitely not a fully automated mass infection, where hackers have a unified solution (list of vulnerabilities and the payload) that fits all scenarios. Each script has been customized—both name and content—for each specific compromised site.

In this malware campaign, the checkout page URLs are detected for each target. From there, custom code collects sensitive credit card information from the victim’s checkout form.

The malware itself is CMS agnostic—it doesn’t matter whether the site is using Magento, WordPress, or any other type of e-commerce CMS. If there is a form that accepts payment details and it can be hacked, nothing prevents the bad actor from installing a skimmer there.

E-commerce website owners should take the security of their websites very seriously, since they are ultimately responsible for any customer data breaches resulting from transactions on their online stores. Extra attention should be paid to the hardening and monitoring of web pages and server resources. Perform regular security scans on your web assets to detect malware and other indicators of compromise.
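One concrete form of the scanning recommended above is comparing core files against the checksums WordPress publishes for each release (https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=<locale>, the same data WordPress’s own get_core_checksums() uses). The Python below is an added example, not code from the original post: to run offline it constructs a throwaway install and its manifest in a temporary directory, tampers with the two files the post names, and reports modified, missing and unlisted files. On a real site the manifest would be fetched from that endpoint for the installed version and the paths read from the live install.

```python
"""Verify WordPress core files against a published MD5 checksum manifest.

Added example (not from the post).  The manifest format mirrors the
'checksums' object returned by api.wordpress.org/core/checksums/1.0/
({"relative/path": "md5hex"}); here it is constructed along with a
throwaway install so the check runs offline.
"""
import hashlib
import os
import tempfile


def md5_file(path):
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_core(root, checksums, watched_dirs=("wp-admin", "wp-includes")):
    """Compare the files under root with the checksum manifest.

    Returns sorted relative paths in three buckets:
      modified   - present but the hash differs (e.g. an injected loader)
      missing    - listed in the manifest but absent on disk
      unexpected - on disk under the watched core directories but not listed
    """
    modified, missing = [], []
    for rel, expected in checksums.items():
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_file(path).lower() != expected.lower():
            modified.append(rel)

    unexpected = []
    for top in watched_dirs:
        for dirpath, _dirs, files in os.walk(os.path.join(root, top)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                rel = rel.replace(os.sep, "/")
                if rel not in checksums:
                    unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def build_constructed_install():
    """Create a throwaway 'install' plus its manifest, then tamper with it the
    way the post describes: a loader prepended to wp-util.min.js and
    admin-bar.min.js.  File contents are stand-ins, not real WordPress files."""
    root = tempfile.mkdtemp(prefix="wp-integrity-demo-")
    pristine = {
        "wp-includes/js/wp-util.min.js": b"/* stand-in for wp-util.min.js */\n",
        "wp-includes/js/admin-bar.min.js": b"/* stand-in for admin-bar.min.js */\n",
        "wp-includes/js/wp-embed.min.js": b"/* stand-in for wp-embed.min.js */\n",
        "wp-admin/admin.php": b"<?php /* stand-in for admin.php */\n",
    }
    checksums = {}
    for rel, content in pristine.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(content)
        checksums[rel] = hashlib.md5(content).hexdigest()

    # Tamper: prepend a constructed loader to the two files the post names.
    loader = (b"(function(){var e=document.createElement('script');"
              b"e.src=atob('BASE64-PLACEHOLDER');document.head.appendChild(e);})();\n")
    for rel in ("wp-includes/js/wp-util.min.js", "wp-includes/js/admin-bar.min.js"):
        with open(os.path.join(root, *rel.split("/")), "wb") as handle:
            handle.write(loader + pristine[rel])
    # One listed file removed, one unlisted file dropped into a core directory.
    os.remove(os.path.join(root, "wp-includes", "js", "wp-embed.min.js"))
    with open(os.path.join(root, "wp-includes", "extra.txt"), "wb") as handle:
        handle.write(b"not part of the manifest\n")
    return root, checksums


if __name__ == "__main__":
    demo_root, manifest = build_constructed_install()
    for bucket, paths in verify_core(demo_root, manifest).items():
        for rel in paths:
            print(f"{bucket}: {rel}")
```

The manifest only covers core, so theme and plugin files need their own reference copies (a clean download of the same version works); an empty report is also no proof of a clean site, since a skimmer can equally be injected into the database or a plugin file.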

Protect Your Website ASAP!

It is estimated that about a third of all websites are outdated and seriously vulnerable to hacks. What are the chances that one of those sites could be yours? Don’t wait until it’s too late, get in touch with professionals and start protecting yourself today. Consultation is always FREE.



WordPress Rank Math SEO Plugin Gets an Update

WordPress

SEO is one of the most important parts of making your website visible to search engines. Over the years it has played a very important role in marketing and lead generation.

Most people who own small businesses or startups opt to install an SEO plugin on their WordPress site rather than hire SEO professionals.

These plugins often do the job of improving the website’s SEO as well as attracting more visitors to the website.


Rank Math Dashboard (Source: Rankmath.com)


One of the most popular WordPress SEO plugins is Rank Math. Just recently, the developer updated the plugin and fixed several vulnerabilities, including one that allowed users to reset the plugin’s settings and a cross-site scripting vulnerability, alongside a broader security update.

1. Authenticated Settings Reset – Allows any authenticated user (with a role as low as subscriber) to reset the settings of the plugin. (Source: WPVULNDB)

2. Cross Site Scripting vulnerability

According to PortSwigger, cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. This update was published a week ago.

3. Improved sanitization throughout the plugin

According to Search Engine Journal, sanitization means an extra layer of coding that will stop an unexpected input from breaking a script and allowing an exploit.

4. Fixed an error in the contact Shortcode when the time was added in a string format

5. Fixed ‘500 error’ appearing on some installations after updating the plugin settings

More of the most recent Rank Math updates can be seen on Rank Math’s changelog.

A changelog is a record of all notable changes made to a project. Whenever there are changes to the plugin, the Rank Math changelog is updated as well. This is a great way to inform users of the plugin’s vulnerabilities, and it promotes a transparency that is very rare nowadays. Some developers tend to hide their product’s vulnerabilities.

Why is it important to update your WordPress plugin?

Updates can seem intimidating, or like a waste of time, to some people. However, it is very important to keep all your plugins updated in order to get new features as well as the security and bug fixes that matter so much at a time when hackers and cyber criminals are more active than ever.

Leaving a plugin un-updated can leave a security loophole for a cyber criminal to exploit.

New updates can also bring speed increases for some plugins while maintaining backward compatibility.


Best WordPress Plugins for 2017

WordPress

WordPress plugins extend the functionality of your website without your having to write a single line of code. A plugin is a piece of software with a range of features which, when added to your WordPress website, increases its functionality. WordPress plugins are usually written in PHP, which integrates easily with WordPress. Many plugins available on the web can be downloaded free of cost. Here are the best WordPress plugins for 2017:

  1. WordPress SEO by Yoast

Yoast SEO is an all-in-one plugin that helps you with your website optimization. It is available in a premium as well as a free version. It has a meta box for setting the focus keyword, the keyword you’d like your post or page to rank for in the search results, and it helps you place the right keywords in the right places. You don’t have to write a meta description for each of your posts; Yoast SEO does it for you automatically.

Yoast SEO Premium plugin has many additional benefits. Some of them are being able to pick 5 focus keywords, internal linking suggestions and many more!

  2. Backup Buddy

Backup Buddy is known as the best, easiest and so far most reliable WordPress plugin for data backup. It can automatically schedule backups of your site and provides cloud backup, so you need not worry about losing your website content at any point in time. Having an up-to-date backup of your WordPress website is critical for protecting it.

  3. W3 Total Cache

This WordPress plugin is meant to improve your website’s speed and search engine rankings. It optimizes the user experience and boosts page loading speed through browser caching, content delivery network integration, page compression and page caching. This makes pages download faster and improves the user’s browsing experience.

  4. Gravity Forms

If you are a beginner at handling a WordPress website, then Gravity Forms is all you need. It is the easiest way to set up virtually any online form on your WordPress site. With Gravity Forms, you can instantly create and publish forms. It is the most user-friendly WordPress form plugin.

  5. Thrive Leads

Using Thrive Leads provides four major benefits. It lets you design and deploy every type of opt-in form you need from one plugin. It boosts page optimization through advanced targeting. It has an A/B testing engine to increase conversion rates. It also provides insight into performance through its actionable reporting.

  6. Edit Flow

The Edit Flow WordPress plugin provides an editorial workflow structure for your site. Its features include custom statuses, editorial metadata, editorial comments, a calendar, notifications, etc.

  7. SumoMe

Image: Winningwp.com

SumoMe is a WordPress plugin used for growing your email list. Through this plugin, you will make it easier for your readers to join your email list and share your articles.

You will also have various options on how you choose to have the email address of your visitors, be it through a fancy lightbox pop up to build email subscriptions, a scroll box that is triggered by how far your reader makes it down the screen or a Smart Bar which is a Floating Bar that can appear at the top or bottom of your website.

  8. Google Analytics WD

This plugin lets you view Google Analytics reports within your WordPress site. It lets you schedule email reports and handle goals and custom dimensions from your site itself.

  9. WP Smush

It is a plugin which lets you optimize your images without losing quality. It is easy to use and makes your website load faster. WP Smush strips all the unnecessary data without slowing down your site.

Top WordPress Plugins of All Time

WordPress


Plugins are the only way to make your WordPress site more functional and appealing. Though the core components of WordPress suit all kinds of needs, it takes special and extra effort to perfect the content on WordPress. With plugins, you can make sure your content looks better and works better than it otherwise would. Let us review the top plugins available for WordPress.

Jetpack by WordPress.com

Jetpack is a complete plugin solution that brings the cloud utilities of WordPress.com to your self-hosted WordPress site. The features are easy and comfortable to handle and do not add extra load to your server. Some of the options and features included are email subscriptions for the posts and comments on the blog, links to social networks, forms, a URL shortener, and embeds for YouTube, Vimeo, Digg, etc. There are features that make the experience easier and faster with effortless choices. The options also link to services from Google, Facebook, Twitter and the like with instant access options.

Backup WordPress

One of the most resourceful plugins you cannot do without, the Backup plugin gives you safe options all the way to update, improve or retrieve your files with ease and comfort. The plugin has been carefully designed with simple options and works well even if you have little memory available. Additional features include multiple schedules, email notification of your backups, support on Linux and Windows, and language options. One of the best aspects of the plugin is the extensive support and service; most of the services are spot on.

MailPoet Newsletters for WordPress

This plugin provides you an easy way to send newsletters and notifications or enable auto-responders. With this plugin, you can drop your posts, social icons and chosen images into your newsletter. It also allows you to change fonts and colors and use custom themes in an instant. The plugin also manages subscribers. The editors included are easy to access and operate, with drag-and-drop options. Also, the mail looks exactly the way you wanted in any email client, be it Outlook or Gmail. Overall, a good tool if you need to increase the visibility of your site!

WordPress SEO Plugin by Yoast

Yoast is one of the better SEO plugins you could have on WordPress. In fact, Yoast is far better than most of the plugins available. The free version offers keyword-based analysis that includes options for editing titles and meta descriptions. Also editable are canonical tagging and the robots meta configuration. Yoast comes with all the featured utilities, which means you do not need to search one after the other for most of your needs on WordPress. The plugin is easy to access and implement, with most of the options and features easily operated through basic operation. However, there is a reasonable class of updates that gets you more options for your WordPress and hence forms one complete pack of SEO tools perfected for WordPress.

Faster WordPress Site With Cloudways and WPMU DEV Plugins

SEO Tips, WordPress

I Made My WordPress Site 1311% Faster With Cloudways and WPMU DEV Plugins.

I received a 1311% speed hike by installing Cloudways-controlled cloud hosting on my server, in association with the Hummingbird & Smush Pro plugins. Ever since Hummingbird was introduced we have compiled so many new ideas. Take a peek at the project page to discover every latest feature. Look out for Hummingbird.

You were led into thinking that optimizing your portal for speed is vital. Ultimately 40% of persons won’t spare 3 seconds for the loading of your front page, whereas Google sets a time of 2 seconds for the loading of your site, but you should actually go for 500ms for the maximum SERP ranking.

However, really attaining quick page speeds is extremely deceptive and time-consuming. I ponder: what is a render-blocking resource? (Certainly, that’s a pompous question, but do you recollect the time when you first encountered it on Google PageSpeed Insights?)

Hence, on being asked to evaluate Cloudways’ administered hosting service, I was doubtful. The reality is, I dislike writing reviews on items I don’t prefer; I simply can’t perform such a task, therefore I informed Cloudways that if anything didn’t convince me I would let it be known to them. However, they presented me with a test account somehow… and to my surprise… and let truth prevail, I was unbelievably thrilled when I viewed the pace at which my demo website functioned after adding our Hummingbird & Smush Pro plugins to the lot.

Hence, let’s take the challenge. This is how I kick-started my portal 1311% quicker, employing cloud hosting with Cloudways and also our Hummingbird and WP Smush Pro plugins, and how my web pages loaded in the blink of an eye (within 300 to 400 milliseconds).

Best Tips on Building a WordPress Website with SEO

SEO Tips, WordPress


In this post, we will be talking about the most efficient, easiest and the most useful tips in creating a WordPress website with SEO.

WordPress is a versatile and easy-to-use platform. It is already search engine enhanced; however, it is important to understand that there is no such thing as a CMS or website that is search engine friendly by itself.

Even though WordPress is a search engine optimized platform, the SEO (Search Engine Optimization) work still needs to be done to make it more efficient and obtain the best results. We can always choose to switch to WordPress, but this is not an automatic guarantee that our website will move to the top of the search engine results. We need to take help from the SEO guide to improve our website’s position in the search engines.

It sometimes becomes hard for business owners and entrepreneurs who have very little technical knowledge of SEO to differentiate between a ‘search engine friendly’ and a ‘search engine optimized’ process. Businesses also tend to spend a lot of money on a CMS because they believe it to be inclusive of all their SEO needs.

However, WordPress provides a practical platform to start your website. You can incorporate the most effective marketing materials into your website if you are using WordPress, and that too with very little expenditure. This is possible only if you have the skills to manage WordPress and get to know its features; however, you can learn all of these very easily by studying it.

Installing an SEO plug-in is merely the starting point; most of the time, you’ll still need help from a search engine optimization (SEO) consultant. To be precise, SEO is an ongoing process, and it will be your task to incorporate it with the materials you want to use in your promotion.

There is no such thing as a WordPress plug-in that includes all the SEO components.

Search comprehension, and an understanding of the procedures that enhance the SEO process step by step in your promotion, should be the major concern. The SEO professional must be careful to save you from some costly errors which might occur during the process. The professional must be there for you for a long time; whether an employee or a consultant from an agency, he or she must be able to help you execute the best strategies to get the best results.

You might feel the need to add some fast-moving pictures to your website. However, flashing content is a big no, as it can induce seizures. But again, if you need to add something that quickly flashes on the screen, please make sure that you also give the reader an option to stop it and replay it as many times as the user wants.

These are some quick tips that would help you build a good WordPress website.


WordPress BbPress Features

WordPress


bbPress is a WordPress plugin that acts as a forum application. Forums allow focused discussions among users, and a forum application can be used to manage forums in blogs and CMS sites. bbPress is an easy-to-learn WordPress plugin that powers forums. It was developed by WordPress developers.

bbPress helps you transform a CMS into an effective forum. It gives you all the standard features of a forum. It is easy to install and configure, it has many features that make it the most popular forum application, and it is also very easy to maintain forums using bbPress.

Some of the main features of bbPress are explained below.

User permissions

User permissions are important for any forum. bbPress presents a solid permission system. It helps you limit the usage of your site as you wish: you can place restrictions on certain users and limit their usage.

bbPress makes use of WordPress’s default permissions system. The five roles predefined by bbPress are:

  • Keymaster – The admin role; has all rights.
  • Moderator – Has all the rights of the admin except the right to delete forums.
  • Participant – The default user role.
  • Spectator – Read-only rights.
  • Blocked – Users who are blocked from accessing the forum.


How to Improve the Security of Your WordPress Blog

WordPress


WordPress is one of the most famous blogging platforms. It is used by approximately 61% of the CMS systems worldwide. Securing it is a big challenge: every day hundreds of hackers try to break into popular platforms such as WordPress. In this article you will see a few tips to protect your WordPress blog.

Secure your login


First and foremost, keep your credentials secure. Your login details should be hard to guess and must be protected. Do not use common words based on your usual routines or personal details. Choose complex passwords with combinations of special characters and numbers. Weak passwords are an easy entry point.

Host using secure protocols


Choose to host your site on a secure platform. This requires security protocols like HTTPS to be used to access your site, but it is more secure than normal hosting. A lot of hosting service providers offer this for an extra premium, but the cost is worth it compared with the damage. Secure hosting prevents malicious entries and secures your site by allowing only credentialed users.

Kick out viruses and malware


Get your systems free from malware. Malware and spyware are malicious programs that snoop through your system directories and cause damage, and infected systems spread viruses. Install proper anti-virus or anti-malware programs to secure your systems, and take infected systems offline so that viruses are not transmitted across your site.

Use your user name

The simplest way to secure your site is to log in with your own user name. WordPress provides admin access, and admin access gives complete rights to the user. Use an email address or a unique username to gain entry; this helps prevent brute-force attacks. Have a quick check on install scripts that use admin as the username and rewrite them to use your own user name. And also remember to secure the account with a strong password.

Authenticate it 2 ways

Another mechanism web sites use is two-factor (2-way) authentication. This means access to the site happens in two levels: the first level is an entry and the second level grants the access. Both levels need to be authenticated; if either fails, access is denied. Set up your WordPress site with a 2-way security mechanism. This is very important if you access the site from multiple devices such as phones, tablets and computers. Logging in may take a little longer, but adding one more level of security is safer.
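To make the second “level” concrete, here is an added Python example (not from the original post) of the time-based one-time password scheme, RFC 6238 TOTP, that authenticator apps implement: the server enrols a shared secret once and, at each login, recomputes the six-digit code for the current 30-second step, compares it in constant time, tolerates one step of clock drift, and refuses to accept a code for a step that has already been used. The secret shown is the RFC 6238 reference secret (real ones are random); the issuer and account names are placeholders.

```python
"""Time-based one-time passwords (RFC 6238) as a second login factor.

Added example (not from the post).  hotp() is RFC 4226; totp() applies it to
the current 30-second step; TotpVerifier does the server-side check with a
constant-time compare, +/-1 step of clock drift and replay protection.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS, digestmod=hashlib.sha1):
    """HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=STEP_SECONDS, digits=DIGITS):
    """Code for the time step containing at_time (default: now).
    RFC 6238 reference vector: secret b'12345678901234567890', at_time=59 -> '287082'."""
    at_time = time.time() if at_time is None else at_time
    return hotp(secret, int(at_time) // step, digits)


def provisioning_uri(issuer, account, secret):
    """otpauth:// URI that authenticator apps import; the secret is unpadded base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}")


class TotpVerifier:
    """Server-side state for one enrolled user."""

    def __init__(self, secret, step=STEP_SECONDS, digits=DIGITS, drift_steps=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1  # highest step whose code was already used

    def verify(self, code, at_time=None):
        """True if code matches a step inside the drift window and is unused."""
        at_time = time.time() if at_time is None else at_time
        now_counter = int(at_time) // self.step
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue  # replay: this step (or an older one) was already consumed
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret; real secrets are random
    print(provisioning_uri("Example Blog", "editor@example.com", secret))  # placeholder names
    print(totp(secret, 59))  # 287082
```

Two points the passage leaves implicit are visible here: the server and the authenticator must agree on the time, so drift tolerance is a deliberate trade-off rather than an accident, and a code is only one-time if the server remembers which step it last accepted.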

Add a firewall

Make infrastructure changes. These include adding a firewall or hosting your site on a secure VLAN, etc. These are specialized security mechanisms available to protect your WordPress site. A firewall will deny access originating from unknown or untrusted IP addresses, and it also prevents certain malware programs from gaining access.

Limit login attempts

Many site owners limit login attempts to prevent denial of service attacks. Hackers generally try to log in many times to bring down the system: when continuous login attempts are made, the system is busy handling authentication and stops responding to other requests. Thus, an easy way to secure your site is to limit login attempts, ensuring that access is allowed only within a certain number of retries. It is also good to limit simultaneous logins to your site, meaning the number of devices you can be logged in from at the same instant. These limits help ensure that your WordPress site is accessed from a trusted device and by your trusted user.
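The two limits in this section, a cap on failed attempts and a cap on simultaneous sessions, can be expressed as small policy objects that a login handler consults. The Python below is an added example, not code from the original post or from any WordPress plugin: it locks a key (here a constructed IP-and-username pair) after N failures inside a sliding window, refuses even a correct password while the lockout lasts, and evicts the oldest session once a user exceeds the allowed number. The clock is injectable so the behaviour can be exercised without waiting.

```python
"""Failed-login throttling and concurrent-session capping for a login handler.

Added example (not from the post).  LoginThrottle locks a key after
max_failures failed attempts within a sliding window; SessionCap keeps at
most max_sessions live sessions per user.  The clock is injectable for tests.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=900,
                 clock=time.time):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lockout expires

    def is_locked(self, key):
        """True while a lockout is active; an expired lockout is cleared here."""
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key):
        """Register a failed attempt; returns True if the key is (now) locked."""
        if self.is_locked(key):
            return True
        now = self.clock()
        recent = self.failures[key]
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, key):
        """A successful login resets the failure history for the key."""
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


class SessionCap:
    """Allow at most max_sessions concurrent sessions per user (oldest evicted)."""

    def __init__(self, max_sessions=2):
        self.max_sessions = max_sessions
        self.sessions = defaultdict(deque)  # user -> session ids, oldest first

    def open(self, user, session_id):
        """Register a new session; returns the evicted session id, if any."""
        live = self.sessions[user]
        evicted = live.popleft() if len(live) >= self.max_sessions else None
        live.append(session_id)
        return evicted

    def close(self, user, session_id):
        if session_id in self.sessions[user]:
            self.sessions[user].remove(session_id)

    def active(self, user):
        return list(self.sessions[user])


def attempt_login(throttle, key, credentials_ok):
    """What a login handler would do with the throttle: 'locked', 'denied' or 'ok'."""
    if throttle.is_locked(key):
        return "locked"
    if credentials_ok:
        throttle.record_success(key)
        return "ok"
    return "locked" if throttle.record_failure(key) else "denied"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=120)
    key = "203.0.113.7|admin"  # constructed IP-and-username pair
    for password_ok in (False, False, False, True):
        print(attempt_login(throttle, key, password_ok))
```

Keying on the IP and username together limits one source without letting a distributed attacker lock the real owner out; in production the counters would live in shared storage (the database or a cache) rather than in process memory so that every web node sees the same state.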

Always update to latest version


WordPress releases new versions regularly. Always ensure you are running your site on the latest version, which secures the system with the latest security updates. The plugins that have become an integral part of the ecosystem also need updates. By updating to the latest versions, you ensure your site is free from outdated plugins and less vulnerable.

Plan backup for contents


Always plan a backup for your content. With the latest trends in internet blogging, you cannot predict hacking patterns, so it is good practice to back up your content. This takes care of any accidental damage to your site, including physical damage. Plan a periodic backup, so that any loss due to damage is only a small delta and does not become a big loss for your site. It also helps you get your site back up quickly after an attack.

Hide your user directory

Stop visitors from browsing your directories. Directory browsing is one of the most powerful features of WordPress, so limit it to show users only the directories they need, and do not provide universal access. Also hide your name from the URLs users see; exposing it puts your site at major risk, as attackers can use it to gain access to your user directory.

Keep it simple

Keep it simple. The simpler your site is, the easier it is to manage, and tracking and monitoring accesses and attacks becomes easier. It is also easy to take a periodic snapshot of activity on your site; such a dashboard will help you analyze access patterns and take action accordingly.