Tales from the (not so) secure web: GDPiRony edition


Oh Alanis, if only you had written your song in 2018 about WordPress GDPR plugins (see below).

Here is a roundup of notable website security incidents from around the web in the last few weeks. Apologies in advance for all the #doomandgloom.

Are you or aren’t you ready for December 31?

On Dec. 31, 2018, PHP 5.6 (the last 5.x release) reaches end of life and stops receiving security updates. Around 62 percent of all websites are still running a PHP 5.x version, so hundreds of millions of sites, if not more, will be left exposed to serious security risks with no fix coming.

Update, people, update! Or go static


Share gone wrong

If you ever used a script called “New Share Counts” to show a tweet counter on your site, remove it now! Over 800 sites have been compromised. There’s a link in that post that will show you the affected websites.


Attack of the Chacha

VestaCP, a hosting control panel, was compromised in an attack that installed malware used to carry out DDoS attacks: “The attacker tried launching Linux/ChachaDDoS via SSH”.


Hadooped

For nearly a month, a new botnet has been targeting unsecured Apache Hadoop servers, and planting bots on vulnerable servers to be used for future DDoS attacks.


They told me I was gullible… and I believed them

Don’t fall for these email scams – PayPal, Amazon, Facebook, banks, and an oldie but a goodie…Nigeria. Think you’d never fall for a phishing scheme? Just remember, 91% of all cyber attacks start with a phishing email.


Worst-kept Secret

A zero-day (a vulnerability that is being exploited before the vendor has a patch for it) in the popular jQuery File Upload plugin has been actively exploited for at least three years. Yikes! A fix is out, but the plugin is used in, and forked into, so many projects that patching will take ages. There are even YouTube video tutorials on how to exploit the vulnerability to take over servers.
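The root cause reported at the time was that the plugin’s PHP upload handler accepted any file type and relied on an .htaccess file to stop uploaded scripts from executing, a control Apache has not honoured by default since 2.3.9. Here is an added example, not code from the jQuery File Upload project, of a server-side allowlist that rejects anything but images regardless of what the web server does with .htaccess. The two sample “uploads” are constructed inside the script (PHP 7.1+ with the fileinfo extension).

```php
<?php
// Added example (not from the jQuery File Upload project): a server-side
// allowlist for uploaded files that does not depend on .htaccess being honoured.
declare(strict_types=1);

// Only these extensions are accepted, and each must match its real MIME type.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns the server-chosen storage name for an upload, or null if rejected.
 * $clientName is the browser-supplied name (untrusted); $tmpPath is the file
 * on disk (e.g. $_FILES['files']['tmp_name'][$i]).
 */
function acceptUpload(string $clientName, string $tmpPath): ?string
{
    // Only the last extension counts: "shell.php.png" is treated as "png" and
    // then stored under a random name, so no client-chosen name reaches disk.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null; // .php, .phtml, .htaccess, no extension, ...
    }

    // Sniff the content: the extension alone is attacker-controlled.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null; // e.g. PHP source renamed to .png
    }

    // Random server-chosen name: the client never picks the path.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo inputs (not real uploads): a 1x1 PNG, and PHP source
// pretending to be an image. Both are written to temp files.
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$goodTmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($goodTmp, $png);
$badTmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($badTmp, "<?php system(\$_GET['c']); ?>");

var_dump(acceptUpload('photo.png', $goodTmp));     // accepted: random name with .png
var_dump(acceptUpload('shell.php', $badTmp));      // rejected by the extension allowlist
var_dump(acceptUpload('shell.png', $badTmp));      // rejected by the MIME check
var_dump(acceptUpload('shell.php.png', $badTmp));  // rejected by the MIME check

unlink($goodTmp);
unlink($badTmp);
```

Even with this check in place, store uploads outside the document root or under a location the web server serves as static files only; the lesson of this bug is that execution control belongs in server configuration you own, not in a file the application drops next to the uploads.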


Shopping for vulnerabilities

A new WooCommerce vulnerability has been fixed in the latest version. The “Shop Manager” user role had the capability to edit the Admin user, which can lead to a site takeover, including file deletion. WooCommerce has over 55 million downloads. Update, update, update!
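The least-privilege fix for this class of bug is to make WordPress refuse user edits across a role boundary, rather than trusting that a lower role will never be pointed at an administrator account. The following is an added example, not WooCommerce’s own patch, of a `map_meta_cap` filter that does this; the `hyp_` names and the role table are hypothetical.

```php
<?php
// Added example (not WooCommerce's own patch): a map_meta_cap filter that
// stops users with a limited role from editing, removing or deleting accounts
// outside the roles they are allowed to manage. "hyp_" names are hypothetical.

// Which target roles each managing role may touch. A managing role not
// listed here is left to WordPress's normal capability mapping.
const HYP_MANAGEABLE_ROLES = [
    'shop_manager' => ['customer', 'subscriber'],
];

function hyp_restrict_user_editing(array $caps, string $cap, int $user_id, array $args): array
{
    // These meta capabilities all carry the target user's ID in $args[0].
    if (!in_array($cap, ['edit_user', 'remove_user', 'delete_user'], true)) {
        return $caps;
    }
    if (empty($args[0])) {
        return $caps;
    }

    // Editing your own profile is handled by core and must keep working.
    if ((int) $args[0] === $user_id) {
        return $caps;
    }

    $actor  = get_userdata($user_id);
    $target = get_userdata((int) $args[0]);
    if (!$actor || !$target) {
        return $caps;
    }

    // The most restrictive of the actor's roles wins: if any of them is
    // limited, every role the target holds must be on that role's list.
    // An administrator target therefore always yields do_not_allow here.
    foreach ($actor->roles as $role) {
        if (!isset(HYP_MANAGEABLE_ROLES[$role])) {
            continue;
        }
        foreach ($target->roles as $target_role) {
            if (!in_array($target_role, HYP_MANAGEABLE_ROLES[$role], true)) {
                return ['do_not_allow'];
            }
        }
    }
    return $caps;
}
add_filter('map_meta_cap', 'hyp_restrict_user_editing', 10, 4);
```

Returning `do_not_allow` is the standard way to veto a capability check in WordPress; `current_user_can('edit_user', $admin_id)` then returns false for a shop manager even though the role still holds `edit_users` for the customers it legitimately manages.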


Clicking all the storefronts

There’s a new version of reCAPTCHA being released, so no more “how many storefronts do you see?” validation. Phew.


GDPiRony

Perfect irony when the WP GDPR Compliance plugin has a zero-day vulnerability that allows hackers to install backdoors and take over sites, gaining access to private data and more. The vulnerable plugin means that hackers can create admin-level accounts and wreak havoc, or inject malicious scheduled actions to be executed by WP-Cron. If you’re one of the 100,000 people using the WP GDPR Compliance Plugin, update now!
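The flaw reported at the time was an admin-ajax handler that saved whatever option name the request supplied, which is how an anonymous caller could flip registration on with an administrator default role, or write straight into the cron schedule. As an added example, not the WP GDPR Compliance plugin’s code, here is how a settings endpoint should be gated: a nonce, a capability check, and an allowlist of the plugin’s own option keys. The `hyp_` names and option keys are hypothetical; the WordPress functions are real.

```php
<?php
// Added example (not the WP GDPR Compliance plugin's code): an admin-ajax
// handler that saves settings only for an allowlisted option key, only for an
// authenticated administrator, and only with a valid nonce. "hyp_" names are
// hypothetical.

// Only options this plugin owns may be written through this endpoint.
const HYP_ALLOWED_OPTIONS = [
    'hyp_consent_text',
    'hyp_privacy_policy_page',
];

function hyp_save_setting(): void
{
    // 1. CSRF: the nonce ties the request to a logged-in session.
    check_ajax_referer('hyp_save_setting', 'nonce');

    // 2. Authorization: anonymous and low-privilege users are rejected.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 3. Allowlist: the caller picks among known keys, never an arbitrary
    //    option such as users_can_register, default_role or cron.
    $option = isset($_POST['option']) ? sanitize_key(wp_unslash($_POST['option'])) : '';
    if (!in_array($option, HYP_ALLOWED_OPTIONS, true)) {
        wp_send_json_error('unknown option', 400);
    }

    $value = isset($_POST['value']) ? sanitize_text_field(wp_unslash($_POST['value'])) : '';
    update_option($option, $value);
    wp_send_json_success();
}

// Registered for logged-in users only: with no wp_ajax_nopriv_ hook the
// handler is not reachable without a session at all.
add_action('wp_ajax_hyp_save_setting', 'hyp_save_setting');
```

If you are cleaning up after this one, the two places to look are the users table for administrator accounts you did not create and the `cron` option (`wp cron event list` with WP-CLI) for scheduled hooks you do not recognise.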


High Time for Data Security

Canada Post leaked the personal data and order details of thousands of cannabis customers. Marijuana is legal in Canada, but that doesn’t mean people want their purchases known.


Swindler Up Ahead

Google is introducing a small but important update to its Chrome browser, to prevent consumers from being swindled by underhanded or unclear mobile subscription services. Chrome will display a “The page ahead may try to charge you money” warning.


Strattic is a solution that was created to optimize WordPress websites for speed and security by making them static and serving them on serverless architecture.

Feel free to contact us at info@strattic.com or sign up for our newsletter below.