The website www.roche.com restricts access for certain IP addresses through Cloudflare; affected visitors receive Cloudflare Error 1005, which denies access based on the autonomous system number (ASN) of the visitor's network rather than on the individual address.
Cloudflare has introduced a default setting that blocks AI companies from scraping website data, requiring explicit permission for access, as part of its efforts to protect original content and address concerns about data exploitation by AI entities.
A critical vulnerability in the WordPress Hunk Companion plugin, tracked as CVE-2024-11972, is being exploited by attackers to install other vulnerable plugins, leading to potential Remote Code Execution (RCE) and other attacks. The flaw affects all versions before 1.9.0 and allows unauthorized plugin installations, posing significant security risks. This vulnerability is a patch bypass for a similar flaw, CVE-2024-9707, and highlights the importance of securing WordPress components. Additionally, a high-severity flaw in the WPForms plugin has been disclosed, affecting millions of sites.
WordPress has released version 6.4.2 to address a critical security flaw that could allow threat actors to execute arbitrary PHP code on vulnerable sites. The vulnerability, which is not directly exploitable in core, can be combined with another bug to potentially achieve high severity, especially in multisite installations. The issue is rooted in the WP_HTML_Token class introduced in version 6.4. Users are advised to update their sites and developers are recommended to replace function calls to the unserialize function with alternatives like JSON encoding/decoding.
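The following is an added illustration, not code from WordPress or from the advisory, of why the recommendation matters: unserialize() lets the input decide which class is instantiated, so any class with a magic method becomes a gadget, while JSON can only ever decode to scalars and arrays. The class name, the field and the paths are constructed for the example.

```php
<?php
// Added example (hypothetical CacheEntry class and paths; not WordPress code).

// Any class with a magic method is a potential gadget once untrusted data
// can choose which class unserialize() creates.
class CacheEntry {
    public string $path = '/tmp/cache.bin';
    public function __destruct() {
        // Runs automatically when the object is collected, even if the
        // application never touched the object it just deserialized.
        echo "cleanup of {$this->path}\n";
    }
}

// Constructed attacker-controlled blob: instantiates CacheEntry with a
// path the application never intended to use.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:17:"/var/www/site.cfg";}';

// Vulnerable pattern: the data format decides which class is created
// (PHP object injection if $blob is attacker-influenced).
function loadLegacy(string $blob) {
    return unserialize($blob);
}

// Partial mitigation (PHP >= 7.0): forbid object instantiation entirely.
// Objects in the blob become __PHP_Incomplete_Class and no magic methods run.
function loadRestricted(string $blob) {
    return unserialize($blob, ['allowed_classes' => false]);
}

// Recommended replacement: JSON has no notion of classes, so the decoder
// returns only arrays, strings, numbers, booleans and null. Validate the
// shape explicitly, because a decoder gives no type guarantees by itself.
function loadJson(string $blob): array {
    $data = json_decode($blob, true, 64, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['path']) || !is_string($data['path'])) {
        throw new UnexpectedValueException('cache entry has an unexpected shape');
    }
    return $data;
}

var_dump(loadRestricted($untrusted) instanceof __PHP_Incomplete_Class);
var_dump(loadJson('{"path":"/tmp/cache.bin"}'));
```

Calling loadLegacy($untrusted) instead would print the destructor message for the attacker-chosen path, which is the behaviour the JSON alternative removes.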
Researchers have discovered a sophisticated strain of malware that disguises itself as a WordPress caching plugin, allowing it to create administrator accounts and gain remote control over compromised websites. The malware includes various functions such as pinging to check if it is still operational, file modification capabilities, and the ability to activate and deactivate plugins remotely. It can also create rogue admin accounts and alter posts and page content, injecting spam links or buttons. The malware aims to monetize victim sites while compromising SEO rankings and user privacy. The exact scale of the attacks and the initial intrusion vector are currently unknown.
Google's John Mueller warns website owners to close any vulnerabilities on their sites, as link spammers may share these vulnerabilities with their networks. Mueller advises 404ing or 410ing pages that receive spammy links to neutralize their effect, even though Google mostly ignores such links. He emphasizes the importance of making websites for real users, not spammers, and suggests increasing the quality threshold for new users to prevent low-effort link-builders from indexing their pages.
Brave browser will automatically block websites from scanning visitors' open Internet ports or accessing other network resources that can expose personal information. This new feature aims to curb the practice of port scanning and fingerprinting visitors without their consent. Users can add specific sites to an allow list if they want them to have access to local resources. Brave is the only browser that blocks requests to localhost resources from both secure and insecure public sites while maintaining compatibility for trusted sites.
Google is retiring the lock icon in Chrome and replacing it with a new "tune" icon as part of a Material You-themed redesign of the browser. The lock icon will be replaced in September 2023; Google says that only 11% of users understood its intended purpose. The new tune icon is meant to encourage users to click through and access more information about their security and connection settings. The page controls under the tune icon will remain unchanged, and plaintext HTTP will still be marked as insecure. The lock icon will also be removed entirely from Chrome on iOS.
Google will replace the lock icon, which has long been associated with website security and trustworthiness, with a new icon that doesn't imply that a site is secure or should be trusted. The lock icon will be replaced with a "variant of the tune icon" in Chrome 117, which releases in early September 2023, as part of a general design refresh for desktop platforms. The lock icon will also be replaced in Google Chrome for Android in September, but it will be removed from iOS.
Over one million WordPress websites have been infected by the Balada Injector malware campaign since 2017, which exploits known and recently discovered theme and plugin vulnerabilities. The malware allows for the generation of fake WordPress admin users, harvests data stored in the underlying hosts, and leaves backdoors for persistent access. The attacks are engineered to read or download arbitrary site files and search for tools like adminer and phpmyadmin. WordPress users are recommended to keep their website software up-to-date, remove unused plugins and themes, and use strong WordPress admin passwords.
Hackers are exploiting a critical vulnerability in the Elementor Pro WordPress plugin, which runs on over 12 million sites, to take complete control of websites. The vulnerability allows anyone with an account on the site to create new accounts with full administrator privileges. The flaw was discovered by a security researcher and patched by Elementor last week, but researchers at PatchStack report that the vulnerability is under active exploitation. Users of Elementor Pro should ensure they are running version 3.11.7 or later and check their sites for signs of infection.