Tag Archives: Website Security

Fake UpdraftPlus Plugins

We often find various fake WordPress plugins installed by hackers during website cleanups. Recently, we’ve noticed a new wave of infections that install fake plugins with backdoor functionality. Malicious Plugins Sourced from UpdraftPlus Attackers have been using different names for these fake plugins, including initiatorseo or updrat123—but any title can be used. While their code More Info »

Cryptominers & Backdoors Found in Fake Plugins

When cleaning websites, we regularly find phishing pages, malicious code injected into files, and SEO spam. However, over the past couple of months we’ve also noticed a considerable increase in the number of malicious plugins which have been added to compromised websites as well. These plugins appear to be legitimate, but inspecting the code reveals More Info »

Top 10 Website Hardening Tips

Website hardening means adding layers of protection to reduce the risk of website attacks, a process known as “defense in depth.” Here are our top 10 virtual hardening principles: 1 – Keep your website updated Every single piece of software required to run your application needs to be kept up to date with the latest More Info »

What Are Ethical Hackers?

There’s an issue with how some people define the word “hacker.” For some, it’s a word synonymous with “cybercriminal,” but not in the infosec community. White hat hackers (the good guys) are the ones who find security issues so they can be fixed. The world is a lot better off because of them. Every day More Info »

An Indirect Way to Change cPanel Passwords

There’s no doubt that the ubiquitous “forgot your password?” feature has helped many users who’ve misplaced their password or otherwise forgotten it, however—the tradeoff is that it can result in bugs that help bad actors. As demonstrated in this article, an attacker can use cPanel’s “forgot your password?” feature to reset a user password and More Info »

Down the Malware Rabbit Hole – Part 1

It’s common for malware to be encoded to hide itself—or its true intentions—but have you ever given thought to what lengths attackers will go to hide their malicious code? In our first post in this series, we’ll describe how bad actors hide their malicious code and the steps taken to reveal its true form. Malware More Info »

A New Wave of Buggy WordPress Infections

We’ve been following an ongoing malware campaign for the past couple of years now. This campaign is renowned for its prompt addition of exploits for newly discovered WordPress theme and plugin vulnerabilities. Every other week, the attackers introduce new domain names and slightly change the obfuscation of their scripts to prevent detection. For example, last More Info »

National Cybersecurity Awareness Month

Since 2003, October has been recognized as National Cybersecurity Awareness Month. It is an annual campaign to raise awareness about the importance of cybersecurity and being a better digital citizen. October has just started and a majority of security companies are promoting internet security. With the holidays fast approaching, it is a crucial time for More Info »

Zero-Day RCE in vBulletin v5.0.0-v5.5.4

A new remote code execution (RCE) zero-day vulnerability has been disclosed by an anonymous researcher on the Full Disclosure mailing list this past Monday. This vulnerability is extremely severe. It allows any website visitors to run PHP code and shell commands on the site’s underlying server. Am I At Risk? At the time of writing this, More Info »