Over the past few weeks we have been following a bad actor as they attack and take control of a WordPress website we manage. In the process, we have seen them riddle the site with backdoors to ensure they are able to retain control and perform some rudimentary SPAM injections pointing to 17 domains with over 17,000 entries. This article […]
How the JSON API and XMLRPC are used for Brute Force Attacks Against WordPress
WordPress is the most popular Content Management System (CMS) – and because of its popularity, it is also the most attacked. One of the common attacks is brute forcing (i.e., trying to guess a user's password), an attack that works by guessing the password used by a user on the site (ideally, from the attacker's perspective, the administrator). Every […]
How to Improve the Largest Contentful Paint (LCP) – Web Core Vital Metrics
In May of 2020, Google announced that Core Web Vitals would become an official ranking measure in 2021. This introduced special focus on Page Experience, or the signals that measure how a user perceives the experience of interacting with your website. We don’t want to dive into what Core Web Vitals are, or the specifics […]
Open-Source CMSs and the Software Bill of Materials (SBOM)
The Software Bill of Materials (SBOM) has grown in popularity in the past year as a means to help curb the impact that software vulnerabilities in open-source technologies have been having on organizations. The concept itself is not new; its foundations are found in other industries, most notably traditional supply chain management. The biggest difference being its […]
WordPress 5.8.3 Security Release
Some nice finds in today's 5.8.3 release for WordPress. Be sure to update. Props to all the contributors for responsibly disclosing. Security Updates: Four security issues affect WordPress versions between 3.7 and 5.8. If you haven't yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issue (except […]
Cloud-based Web Application Firewalls (WAF) & The Log4J Vulnerability
Every CIO / CISO worth their weight has spent the better part of four days trying to understand the Log4J vulnerability and, more importantly, their organization's unique exposure. This article won't dive into the vulnerability; that is being covered ad nauseam, and some organizations are doing exceptionally well with their write-ups. Here are some notable […]
A Guide to DNSSEC and Its Value
Slack recently shared a great AAR on their DNSSEC rollout, providing excruciating details on the various outages and issues they encountered. For those that live in this world, it's enough to make you cringe and slowly die inside as you live through each issue with them. It also made us sit back and more […]