It’s been a tough week for the WP Statistics plugin. Last Friday, Sucuri (now owned by GoDaddy) discovered a SQL injection vulnerability in WP Statistics version 12.0.7 and older. To exploit it, an attacker needs an account with subscriber-level access, either self-registered or compromised. They can then abuse a weakness in a WP Statistics shortcode to inject SQL into the plugin’s database queries. This allows them to, for example, create an admin-level user and sign in to your website as an admin.
Updated 3:19PM Pacific Time: A method to ‘vaccinate’ yourself against this ransomware variant has been found. I have posted details towards the end of the post along with a batch file you can run. It is as simple as creating the file C:\Windows\perfc and marking it read-only.
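The step described in this update, as an added example written for this page rather than the batch file the post links to: it creates the file C:\Windows\perfc if it is missing, marks it read-only, and verifies the result. It resolves the Windows directory from $env:SystemRoot, which is C:\Windows on a standard install, and must be run from an elevated (Administrator) PowerShell because writing into C:\Windows requires it.

```powershell
# Added example, not the batch file from the post: create the read-only
# C:\Windows\perfc "vaccine" file the update describes, then verify it.
# Run from an elevated (Administrator) PowerShell; writing to C:\Windows
# requires it. $env:SystemRoot is C:\Windows on a standard install.
$VaccinePath = Join-Path $env:SystemRoot 'perfc'

if (-not (Test-Path -LiteralPath $VaccinePath)) {
    # An empty file is enough; the post only requires that it exist.
    New-Item -Path $VaccinePath -ItemType File | Out-Null
}

# Mark it read-only so it is not casually overwritten or deleted.
Set-ItemProperty -LiteralPath $VaccinePath -Name IsReadOnly -Value $true

# Verify and report.
$item = Get-Item -LiteralPath $VaccinePath
if ($item.IsReadOnly) {
    Write-Output "Vaccine file present and read-only: $VaccinePath"
} else {
    Write-Warning "Vaccine file exists but is not read-only: $VaccinePath"
}
```

The post presents this as protection against this specific ransomware variant only; it does not replace patching the hosts or blocking the spread on the network.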
Update 2 at 7pm PST on Tuesday: It appears that the initial infection may have come from a company called MeDoc that was breached. Their systems were infected and they then pushed out an update, spreading the infection. MeDoc are disputing the allegation. Sources: Talos quoted on ZDNet, Forbes and FireEye.
2017 has been a remarkable year so far for Wordfence and our customers. We are about halfway through the year at this point, so I’d like to give you an update on some of the incredible innovation and progress at Wordfence in 2017.
Our company’s top priority is to secure our customers’ websites from attackers. Our goals are to prevent an attack before it can occur, and to provide the best detection capability available to help you find and fix security problems and malware on your website. To fulfill this objective, we need to innovate constantly on several fronts. This year, we have improved the performance of our security products, improved detection capability, introduced a completely new service that expands beyond the WordPress universe, and published continual cutting-edge research to help you better understand the threats you are facing.
Imagine that one day you discover that a burglar has broken into your home and attempted to make off with your big-screen TV. Fearing for your safety, you immediately contact local law enforcement, and they promptly apprehend the criminal. But to your horror, as they drag the burglar away in handcuffs, they have an additional shocking revelation: the burglar has not only been living in the basement of your home for months, entirely undetected by you, but he’s also converted your basement into an elaborate base for all of his criminal operations.
On Thursday of last week, we released Wordfence 6.3.11, which included a really exciting new feature: we now alert you if you are running a plugin that either appears to be abandoned or has been removed from the WordPress.org plugin directory. In this post, we explain how each of these new alerts works and why they’re so important to the security of your website.
At Wordfence, we define a potentially abandoned plugin as one that has not been updated by its developers in at least 2 years. In May, we analyzed the plugins in the WordPress.org repo and found that almost half of them hadn’t been updated in over 2 years. Over a third of them had a compatibility tag for a WordPress version dating back to 2014 or earlier.