WordPress Security Plugin Exposes +1 Million Websites

The WPS Hide Login WordPress plugin recently patched a vulnerability that exposes users' secret login page. The vulnerability allows a malicious hacker to defeat the purpose of the plugin (hiding the login page), which can expose the site to password-guessing attacks against the login.

Essentially, the vulnerability completely defeats the intended purpose of the plugin itself, which is to hide the WordPress login page.

WPS Hide Login

The WPS Hide Login security plugin defeats hacker attempts to gain access to a WordPress site by hiding the administrator login page and making the wp-admin directory inaccessible.

WPS Hide Login is used by over one million websites to add a deeper layer of security.

Defeating hackers and hacker bots that attack the default login page of a WordPress site doesn’t actually need a plugin. An easier way to accomplish the same thing is to install WordPress into a directory with a random name.

What happens is that the hacker bots seek out the normal login page, but it doesn’t exist at the expected URL.

Instead of existing at /wp-login.php the login page is effectively hidden at /random-file-name/wp-login.php.

Login bots always assume that the WordPress login page is at the default location, so they never go looking for it at a different location.

The WPS Hide Login WordPress plugin is useful for sites that have already installed WordPress in the root, i.e. example.com/.

Report of Vulnerability

The vulnerability was publicly reported on the plugin’s support page.

A user of the plugin reported that if the site’s home page redirects to another domain, appending a specific file name to the redirecting URL exposes the URL of the hidden login page.

This is how they explained it:

“For example with the following domain: sub.domain.com, if domain.com redirects to sub.domain.com there is the following bypass:

Entering the URL domain.com and adding /wp-admin/options.php, it redirects to sub.domain.com/changedloginurl and you see the login URL and could log in.”

Security Site Published a Proof of Concept

WPScan, a WordPress security organization, published a proof of concept. A proof of concept is an explanation that shows that a vulnerability is real.

The security researchers published:

“The plugin has a bug which allows obtaining the secret login page by setting a random referer string and making a request to /wp-admin/options.php as an unauthenticated user.

Proof of Concept

curl --referer "something" -sIXGET https://example.com/wp-admin/options.php
HTTP/2 302”

The United States government National Vulnerability Database rated the vulnerability as high severity, giving it a score of 7.5 on a scale of 1 to 10, with a score of 10 representing the highest threat level.
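As an added defensive example (not code from the article, WPScan, or the plugin’s authors), the following Python script flags the probe pattern described above in web server access logs, correlates each hit with what that client requested next, and checks an installed plugin version against the 1.9.1 fix. The log lines are constructed samples.

```python
import re

# Constructed Apache "combined" log lines; not from the article, WPScan or any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2021:10:01:02 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "something" "curl/7.79.1"
198.51.100.7 - - [10/Nov/2021:10:02:15 +0000] "GET /wp-admin/options.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Nov/2021:10:02:40 +0000] "GET /changedloginurl HTTP/1.1" 200 4321 "-" "curl/7.79.1"
192.0.2.9 - - [10/Nov/2021:10:05:00 +0000] "GET /wp-admin/options.php HTTP/1.1" 200 8765 "https://example.com/wp-admin/" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_bypass_attempts(log_text):
    # The probe pattern: GET /wp-admin/options.php with a Referer set, answered with a 302
    # (the redirect to the hidden login slug). A logged-in admin coming from the dashboard
    # also sends a Referer but is served the page (200), so the 302 is the discriminator.
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if (e and e["method"] == "GET" and e["path"].split("?", 1)[0] == "/wp-admin/options.php"
                and e["referer"] != "-" and e["status"] == "302"):
            hits.append(e)
    return hits

def next_path_from_same_client(log_text, hit):
    # First path the flagged client asked for after the probe: in the vulnerable case it is
    # usually the revealed login slug, which tells you exactly what was exposed.
    after_hit = False
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["ip"] != hit["ip"]:
            continue
        if after_hit:
            return e["path"]
        after_hit = e["ts"] == hit["ts"] and e["path"] == hit["path"]
    return None

def is_fixed_version(version):
    # The changelog places the fix in 1.9.1; anything older still has the bypass.
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(version) >= as_tuple("1.9.1")
```

Run it over a real access log by replacing SAMPLE_LOG with the file contents; each hit’s follow-up path shows which slug a probing client learned.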

WPS Hide Login Vulnerability Patched

The publishers of the WPS Hide Login plugin updated the plugin by patching the vulnerability.

The patch is contained in version 1.9.1.

According to the WPS Hide Login Changelog:

“1.9.1
Fix : by-pass security issue allowing an unauthenticated user to get login page by setting a random referer string via curl request.”

Users of the affected plugin should update to the latest version, 1.9.1, so that their login page is actually hidden.

Citations

US Government National Vulnerability Database: CVE-2021-24917 Detail

WPScan Report of WPS Hide Login Vulnerability: WPS Hide Login < 1.9.1 – Protection Bypass with Referer-Header

Plugin Report of Vulnerability: Bypass-SECURITY ISSUE!!!

Official Plugin Changelog: WPS Hide Login Changelog

Searchenginejournal.com

Customize Your Entire Site With New Block Themes – WordPress.com News

Experiment with a new look for your site with themes created to take advantage of Full Site Editing.

In case you missed it, we’ve been rolling out a new set of powerful site design tools called Full Site Editing (or “FSE”) and it’s now available for all WordPress.com users!

Don’t worry if you’re just hearing about Full Site Editing for the first time. We’ve been releasing these new tools in a way that doesn’t actually require you to do anything with your existing site(s). If you are up for a change though, we’re happy to announce the launch of a brand new family of themes made specifically with Full Site Editing features in mind. As of this writing we have over two dozen themes available that support Full Site Editing.

These new themes have been designed with a wide variety of site use cases in mind. But their potential stretches well beyond their screenshots and demo sites. Because each theme is fully editable in the Site Editor, every one of these themes can be heavily customized to fit your site’s needs. You can start with a theme that features a single minimalist homepage, and then add as many menus and sidebars as you wish. Or, you can start with a complex business theme and strip it down to something minimal to suit your vision.

The Site Editor also includes a new feature called “Global Styles,” which allows you to edit site-wide settings for color, typography, and more. You’re free to change your theme’s default color scheme to whatever fits your mood, or even make all site text larger or smaller in a couple of clicks. To kick off this new feature, we’re also providing a few pre-built variations on some of these new themes.

All the new themes and variations can be found in the Theme Showcase. Or, if you’re starting a fresh site, they’ll be offered to you automatically in the site creation flow. This collection of themes is just the beginning, and we’re excited to continue launching a variety of diverse theme options for you. What would you like to see in the next set of themes on WordPress.com?
