Critical Vulnerabilities in All in One SEO Plugin Affects Millions of WordPress Websites …

Security Risk: High
Exploitation Level: Easy
CVSS Score: 9.9 / 7.7
Vulnerability: Privilege Escalation, SQL Injection
Patched Version: 4.1.5.3

Last week, Marc Montpas, a security researcher at Automattic, discovered two severe security vulnerabilities in one of the most popular SEO plugins used by WordPress site owners: All in One SEO. The plugin is used by more than three million websites, and if left unpatched the flaws could cause some serious headaches for WordPress users.

The Details

Both vulnerabilities require that the attacker have an account on the website, but the account can be as low-level as a subscriber. By default, WordPress websites allow anyone on the web to create an account. New accounts are assigned the subscriber role and have no privileges beyond writing comments. However, certain vulnerabilities, such as the ones just discovered, give these subscriber users vastly more privileges than they were intended to have. When exploited in tandem, these two security holes allow an attacker to take over an unpatched WordPress website.

Authenticated Privilege Escalation

The first issue found in this plugin is interesting, and can be exploited by simply changing a single character of a request to uppercase. It affects versions 4.0.0 and 4.1.5.2 of All in One SEO. The plugin exposes a number of REST API endpoints and performs a permission check before executing any command sent to them. This is meant to ensure that the user has the proper permissions to instruct the plugin to execute commands. However, All in One SEO did not account for the subtle fact that WordPress treats REST API routes as case-insensitive strings. Changing a single character of the route to uppercase bypassed these permission checks altogether.

When exploited, this vulnerability has the capability to overwrite certain files within the WordPress file structure, effectively giving backdoor access to any attacker. This would allow a takeover of the website, and could elevate the privileges of subscriber accounts into admins.

Vulnerable code in All-In-One-SEO WordPress plugin allowing for privilege escalation
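As an added illustration (not All in One SEO's own code), this simplified PHP shows the bug class described above: WordPress's REST router matches route patterns case-insensitively, while WP_REST_Request::get_route() hands back the path as the client requested it, so a capability check keyed on that raw string can disagree with the router. The demo_ functions, route names and the subscriber stub are assumed for the example.

```php
<?php
// Added example, not All in One SEO's code. A permission check that compares
// the raw request route against a list of admin-only routes, shown in its
// vulnerable form and in two hardened forms. Route names are assumed.

// Routes this demo plugin treats as admin-only (assumed for the demo).
const DEMO_ADMIN_ONLY_ROUTES = array( '/demo/v1/objects' );

// Vulnerable pattern: exact, case-sensitive comparison of the raw route,
// followed by a permissive fall-through for every route not in the list.
function demo_route_allowed_vulnerable( string $route, callable $user_can ): bool {
    if ( in_array( $route, DEMO_ADMIN_ONLY_ROUTES, true ) ) {
        return $user_can( 'manage_options' );
    }
    return $user_can( 'read' ); // any logged-in user, subscribers included
}

// Hardened pattern: normalise case the way the router does before comparing,
// and deny routes that are not explicitly listed instead of falling through.
function demo_route_allowed_fixed( string $route, callable $user_can ): bool {
    $route = strtolower( $route );
    if ( in_array( $route, DEMO_ADMIN_ONLY_ROUTES, true ) ) {
        return $user_can( 'manage_options' );
    }
    return false;
}

// Stronger still: bind the capability to the handler at registration time via
// permission_callback, so the check travels with the matched route regardless
// of how the request path was spelled. Only registered when WordPress is loaded.
if ( function_exists( 'add_action' ) ) {
    add_action( 'rest_api_init', function () {
        register_rest_route( 'demo/v1', '/objects', array(
            'methods'             => 'GET',
            'callback'            => fn( $request ) => rest_ensure_response( array() ),
            'permission_callback' => fn() => current_user_can( 'manage_options' ),
        ) );
    } );
}

// Stand-alone regression check with a stub subscriber who only holds 'read'.
// Expected: the vulnerable check wrongly allows the mixed-case spelling,
// the fixed check denies both.
$subscriber_can = fn( string $cap ): bool => ( 'read' === $cap );
foreach ( array( '/demo/v1/objects', '/demo/v1/Objects' ) as $route ) {
    printf( "%-18s vulnerable=%s fixed=%s\n", $route,
        var_export( demo_route_allowed_vulnerable( $route, $subscriber_can ), true ),
        var_export( demo_route_allowed_fixed( $route, $subscriber_can ), true ) );
}
```

Running the file with `php` outside WordPress executes only the two pure checks; inside a plugin the registration block is what enforces the capability.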

Authenticated SQL Injection

The second vulnerability discovered is present in versions 4.1.3.1 and 4.1.5.2 of this plugin. There is a particular endpoint located here:

/wp-json/aioseo/v1/objects

This endpoint isn’t intended to be accessible to low-level accounts. However, since the vulnerability described above allows privilege escalation, an attacker could first elevate their privileges and then use this endpoint to execute SQL commands and leak sensitive data from the database, including user credentials and admin information.

Vulnerable code in All-In-One-SEO WordPress plugin allowing for SQL injection

In Conclusion

If your website is using All in One SEO be sure to update to the most recent version as soon as possible! You will also want to review the administrator users present on your website. Remove any suspect users that you do not recognise, and for good measure change all administrator account passwords. It’s also prudent to add some additional hardening to your administrator panel.

Users of our firewall are protected against these vulnerabilities, although we always recommend updating out-of-date plugins to the most recent version, particularly in cases such as these where security issues are present!

*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Ben Martin. Read the original post at: https://blog.sucuri.net/2021/12/critical-vulnerabilities-in-all-in-one-seo-plugin-affects-millions-of-wordpress-websites.html

Removing Malware from Your WordPress Website


What is the best way to get rid of malware from your WordPress website? Trust me you are not the only one in search of an answer to this question. Because of the prominence of WordPress, site owners all around the world are concerned about malware attacks. Consider that for a moment. When a platform becomes so popular that it is the indisputable CMS industry leader, you can bet that hackers are looking at it as well.

How to Know If Your Site is Malware Infected?

Before anything else, let’s have a look at how to identify if your site is infected in the first place.

Some of the obvious indicators of a malware infestation are as follows:

  • Your website’s traffic has suddenly changed.
  • Your website has been suspended by your web host or Google, preventing visitors from accessing it.
  • Customers are unable to access your website or their accounts.
  • A “Your site is hacked” message appears.
  • Pop-up adverts that you have not approved display on your website.
  • You or your customers begin to receive a large number of spam emails.

These are just a few signs that your WordPress site may have been compromised with malware. It can harm your business’s reputation, SEO rankings, traffic, and bottom line. For SEO rankings, you should consider hiring a good SEO Agency Sydney and it will be a cherry on the cake if you also outsource WordPress development services to a professional.

Removing Malware From A WordPress Site

It’s time to get rid of the virus from your WordPress site now that you’ve found it. This must be done in a way that the malware is completely removed from your site.

There are two methods for removing WordPress malware:

1. Remove malware manually

Manual cleanup is a time-consuming and technical method that requires two steps:

  • Getting rid of infected WordPress files and folders
  • Cleaning the tables in the compromised WordPress database

Manual cleanups can backfire badly and damage your website because of their intricacy. Manual scanning and cleaning may not succeed against every sort of malware threat, especially as hackers devise new ways to compromise websites. Since it’s tricky, it’s advisable to hire a WordPress Developer Brisbane who knows all about this complicated technical process.

2. Use a malware plugin

All you have to do is download a security plugin on your site and they’ll take care of the rest.

Malware attempts and attacks are not rare events; they will happen again. Hackers will try to infiltrate your website once more, so you must ensure that your website stays secure in the future. And what’s the ideal approach to do this? Outsource services to a professional wordpress developer Brisbane like WP Creative, who will make all the tedious tasks easier for you.

Author: Amelia Thompson is an experienced content writer who has written various useful articles on SEO Agency Sydney, WordPress Developer Brisbane and many more. To read all such articles you can visit: https://wpcreative.weebly.com/seo-services-sydney.html

WordPress 5.9 to Introduce Language Switcher on Login Screen


More than half of all WordPress sites (50.5%) are using translations for non-English speaking locales. It’s only natural that these users would want the ability to register, log in, and reset their passwords in their own languages. A new language switcher on the login screen has finally made its way into core, four years after the ticket was opened.

WordPress 5.9 will introduce a new dropdown on the login screen that will display all the languages that are currently installed. (New languages can be added under the Settings > General screen in the admin.)

In a dev note for the new features, WordPress Core Committer Jb Audras demonstrated how developers can filter the default arguments for the languages dropdown. This might be useful for sites that have dozens of languages installed where administrators only wish to display a handful in the dropdown.

WordPress 5.9 beta 3 was released last week. In addition to the new language switcher, the latest beta also includes the following:

  • Editor: Add FSE infrastructure from Gutenberg plugin into Core (#54335).
  • Formatting: Allow PDFs to be embedded as objects (#54261).
  • REST API: Add navigation areas REST API endpoint from Gutenberg plugin (#54393).
  • Themes: A fix for the Live Preview button bug (#54578).

RC1 is expected January 4, 2022, which will bring a code freeze for both Gutenberg and core and a hard string freeze. Contributors are also aiming to have the field guide with dev notes published at this time.

If you have time to contribute during the upcoming holiday weeks, the 5.9 release team welcomes more testing for bugs. Anne McCarthy has published a detailed guide to testing the full-site editing features that are anticipated in 5.9. Testers should check against the list of known issues before reporting bugs on Trac or in the Alpha/Beta forums.

WordPress SEO: More Success in Google Marketing


WordPress is the most popular content management system, but many websites do not take full advantage of its SEO capabilities.

WordPress was originally designed as pure blogging software. Over the years it has grown to become the number one CMS in the world, and not just because of its simple and largely code-free handling. WordPress is also well suited to many of the typical SEO tasks that need to be done to get a good ranking on Google & Co.

So if you rely on a CMS with an attractive graphical user interface, you are killing two birds with one stone: with WordPress, not only can a new website be created in a visually appealing way, but the content can also be relatively easily optimized for a good standing in search engines. This does not even require in-depth programming knowledge.

Of course, WordPress works no miracles either: the top three positions in Google and other search engine results cannot be reached overnight. But there are ways to help luck along a bit. With the following 3 SEO tools, you can set up your WordPress site for sustainable SERP success (SERP = Search Engine Ranking Position). Ideally, this is done at the planning stage of a new web project.

Anyone who plans the best possible technical foundation for a new WordPress installation right from the start will later also be on top in the search results. As everywhere, the same is true in the digital world: a good foundation pays off. Even if the €1 bargain web space offers sound tempting, if you go with one of them you will at the latest run into trouble when the load gets too high. And that often happens faster than you might imagine when building a great new WordPress website.

The reason: most WordPress sites gain a wide range of functionality through add-ons, so-called plugins. This is practical because add-ons save planning and programming effort. But as their number grows, they increasingly weigh on the site’s performance ratings.

If your web project also shares a small web space with several third-party websites on a crowded cheap server, this quickly becomes noticeable through long loading times, choppy transitions, and poor Google rankings. Last but not least, Google rates websites on their load times: it wants to spare searchers a bad user experience on slow websites.

So do not base your work on an ultra-cheap web space offer, but on an appropriately sized WordPress hosting offer, ideally with the following features, which are essential for good web performance:

  • A current PHP version, ideally PHP 7.3 or higher,
  • Server-side caching, for example with OPcache,
  • Server-side compression, e.g. with gzip, and
  • Support for HTTP/2.

If even one point is missing from this list of minimum requirements, you should look for a different basis for your new WordPress project right away. Together, the listed features ensure a comprehensive basic performance configuration of the web server.

Do you know the biggest performance hog found on almost all WordPress sites? It’s the images. Here even experienced web designers, web developers, and content managers run into a really practical WordPress feature that turns out to be a performance killer: automatic image scaling. It ensures that graphic and image elements that are too large still fit into the template in use as if by magic. But this only happens visually; the actual file size remains unchanged. That costs valuable computing power with every page view.

The good news: what used to be very difficult to deal with is now handled by purpose-built plugins such as EWWW Image Optimizer. Once installed and configured, the powerful plugin automatically ensures that even large image and graphics files no longer turn into a dreaded PageSpeed killer on your WordPress site.

Closely related is lazy loading, an optimisation technique in which content is loaded only when it comes into the visitor’s view, rather than, as is usually the case, when the page is initially loaded. This defers downloading and rendering of content that is not currently needed. The technique becomes especially interesting when a website has many embedded videos and high-resolution images. Lazy loading plugins are easy to find via keyword search in the WordPress plugin directory. Anyone who uses one will quickly find that the dreaded Google speed test result gets a whole lot better.

With performance optimisation plugins such as Autoptimize or W3 Total Cache, source code components such as CSS, HTML, and JavaScript can also be heavily compressed. They usually also offer the option to activate additional browser caching settings. A little tip: anyone who already paid attention to the most important performance features when choosing a server can skip this point. In that case, optimal caching is provided from the start, leaves nothing to be desired, and usually beats any option configured at the CMS level by a wide margin.

A powerful, ideally pre-installed Content Delivery Network (CDN) is another important optimisation lever. Whenever the distance between your server location and the place from which a user accesses your WordPress website is too large, valuable milliseconds are lost in response times. Thanks to its network structure, a CDN significantly reduces these response times and thus contributes to a fast user experience, which is ultimately reflected in search engine optimisation (SEO) results.

Even though the technical settings above at the server and WordPress level form the basis for successful WordPress SEO, the last optimisation step is often what matters most: the best possible content for site visitors (and thus also for search engines).

Fortunately, there are a number of useful plugins for this task that make life easier for webmasters. One of the most popular pieces of software for WordPress SEO in recent years is the Yoast SEO plugin, which can be found and installed via keyword search in the built-in plugin directory.

When creating new articles, it pays to be at the front of the pack in terms of content, keyword usage, and text length. Important metadata such as title, description and so-called Open Graph data can be stored quickly and easily using the handy plugin. (hv)
