In our last article, How WordPress Gets Hacked in 2022 – Initial Reconnaissance, we analyzed the behaviors (TTPs) of bad actors trying to hack a vanilla WordPress deployment. Confirming our suspicions, attacks targeting access controls continue to be the #1 preferred vector for bad actors. Analysis showed that attackers were especially interested in abusing WP-JSON and XMLRPC. […]
A Website Security Framework Intro
A framework should provide the underlying structure from which we build our security governance program. Consider a home. Regardless of the type of home, they all have a similar framework. The framework keeps the house together and defines the basic structure; it starts with the foundation on which the house will sit. From there, the […]
Hijacking a Website's SERP Results with SEO SPAM
Over the past few weeks we have been following a bad actor as they attack and take control of a WordPress website we manage. In the process, we have seen them riddle the site with backdoors to ensure they are able to retain control and perform some rudimentary SPAM injections pointing to 17 domains with over 17,000 entries. This article […]
How the JSON API and XMLRPC are used for Brute Force Attacks Against WordPress
WordPress is the most popular Content Management System (CMS) – and because of its popularity, it is also the most attacked. One of the common attacks is brute forcing (i.e., trying to guess a user's password), an attack that works to guess the password used by a user on the site (hopefully the administrator). Every […]
How to Improve the Largest Contentful Paint (LCP) – Web Core Vital Metrics
In May of 2020, Google announced that Core Web Vitals would become an official ranking measure in 2021. This introduced special focus on Page Experience, or the signals that measure how a user perceives the experience of interacting with your website. We don’t want to dive into what Core Web Vitals are, or the specifics […]
Open-Source CMS’ and Software Bill of Material (SBOM)
Software Bills of Materials (SBOMs) have grown in popularity in the past year as a means to help curb the impact software vulnerabilities in open-source technologies have been having on organizations. The concept itself is not new; its foundations are found in other industries, most notably traditional supply chain management. The biggest difference being its […]
WordPress 5.8.3 Security Release
Some nice finds in today’s 5.8.3 release for WordPress. Be sure to update. Props to all the contributors for responsibly disclosing. Security Updates: Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issue (except […]