Articles

security Article

Another day, another episode of the cybersecurity blues. And once again, WordPress has a starring role.
According to <a href="https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-plugin-exploits-to-backdoor-wordpress-sites/" target="_blank">Bleeping Computer</a>, a previously unknown Linux malware is exploiting over 30 vulnerabilities in outdated WordPress plugins and themes to inject malicious JavaScript.
The malware targets both 32-bit and 64-bit Linux systems. The trojan’s main functionality is to hack WordPress sites using a set of hardcoded exploits until one is successful. The operator would then have remote command capabilities.
WordPress <a href="https://www.searchenginejournal.com/cms-market-share-june-2022/455912/#close" target="_blank">holds the largest share</a> of the global CMS market, with an estimated 43% of all websites powered by the open source platform. This makes it a big target for hackers, bad actors, and cybersecurity threats – and this is only the latest in a string of complex and nefarious attacks.
<h2>Using plugins and themes to control WordPress websites</h2>
There’s always a risk that any WordPress widget could be a ticking timebomb.
In 2022 alone, researchers <a href="https://siliconangle.com/2022/08/29/researchers-find-malicious-plugins-25000-wordpress-sites/" target="_blank">found malicious plugins</a> installed on over 25,000 WordPress websites. In most cases, the plugins were procured through legitimate marketplaces. Once added to a website, malware was injected by exploiting a vulnerability – much like this new Linux threat.
Thousands of WordPress websites may be affected by this threat. According to <a href="https://www.scmagazine.com/brief/vulnerability-management/many-wordpress-plugin-flaws-leveraged-by-novel-linux-malware" target="_blank">SC Media</a>, once attacked, an infected site may be used for phishing and <a href="https://www.imperva.com/learn/application-security/malvertising/" target="_blank">malvertising</a> campaigns, as well as malware distribution initiatives.
It’s worth checking your WordPress instances to see if any of these affected plugins are in use:
<ul>
<li>WP Live Chat Support Plugin</li>
<li>WordPress – Yuzo Related Posts</li>
<li>Yellow Pencil Visual Theme Customizer Plugin</li>
<li>Easysmtp</li>
<li>WP GDPR Compliance Plugin</li>
<li>Newspaper Theme on WordPress Access Control (CVE-2016-10972)</li>
<li>Thim Core</li>
<li>Google Code Inserter</li>
<li>Total Donations Plugin</li>
<li>Post Custom Templates Lite</li>
<li>WP Quick Booking Manager</li>
<li>Facebook Live Chat by Zotabox</li>
<li>Blog Designer WordPress Plugin</li>
<li>WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)</li>
<li>WP-Matomo Integration (WP-Piwik)</li>
<li>WordPress ND Shortcodes For Visual Composer</li>
<li>WP Live Chat</li>
<li>Coming Soon Page and Maintenance Mode</li>
<li>Hybrid</li>
</ul>
<h2>Combatting an evolving landscape of security threats</h2>
With hundreds of millions of active websites across the globe, hackers are having a field day.
According to <a href="https://www.securitymagazine.com/articles/98695-leading-cyber-risks-and-trends-in-2022" target="_blank">Security Magazine</a>, cyberattacks are on the rise and becoming more sophisticated by the day. Among the top threats in 2022, malware led the pack, representing the highest cost of damage to organizations.  
WordPress, as mentioned, continues to be a growing vector. Case in point: <a href="https://thehackernews.com/2022/12/new-gotrim-botnet-attempting-to-break.html" target="_blank">The Hacker News recently reported</a> on another <a href="https://www.fortinet.com/blog/threat-research/gotrim-go-based-botnet-actively-brute-forces-wordpress-websites" target="_blank">Go Trim botnet attack</a> that targeted WordPress website administrator accounts. Botnet malware has the capability to bypass traditional anti-bot protections, making sites even more vulnerable to the standard bot-evasion techniques.
But all is not lost. WordPress CMS administrators can fight back by adopting solid policies around their security practices. By vetting all plugin source code via an experienced DevSecOps team, many vulnerabilities can be uncovered before a plugin is pushed to production. This can augment strong password policies and the use of multi-factor authentication to reduce the surface area for would-be attackers.
WordPress websites can also be hosted in more secure environments like <a href="https://www.cmscritic.com/wp-engine-releases-worlds-first-study-of-the-wordpress-economy-cites-awe-inspiring-numbers/">WP Engine</a>, which disallow certain plugins and themes due to security or performance issues.

New Linux Malware Targets Plugins to Backdoor WordPress CMS Websites

mk-patterson

Hackers love websites. Maybe that's overstating the obvious, but in today's hyperconnected digital world, it can't be understated. <a target="_blank" href="https://www.webarxsecurity.com/website-hacking-statistics-2018-february/">According to McAfee</a>, hackers produce 300,000 new pieces of malware daily – and on average, 30,000 new websites are hacked every single day.The fact is, websites are easy targets. Not only are they abundant, but they're frequently built using open source technologies – meaning they're littered with holes that can be easily exploited.Most website owners have no idea how vulnerable they are until they've been hit. And with hackers sinking their teeth into financial data, patient records, IP, and more, a single breach can significantly damage a brand or even sink a business.While <a target="_blank" href="https://www.cmscritic.com/gutenberg-2-years-later-is-wordpress-better-off/">WordPress</a>, Joomla, and <a target="_blank" href="https://www.cmscritic.com/drupal-8-8-0-released/">Drupal</a> continue to own the open-source content management (CMS) market, they also represent the largest collection of security vulnerabilities. In fact, according to the 2020 <a target="_blank" href="https://www.dimensiondata.com/en-gb/insights/global-threat-intelligence-report-2020">Global Threat Intelligence Report</a> from Dimension Data, almost 20% of all website attacks targeted these platforms – with WordPress owning the lion's share.Regardless of what software you're using, web security can feel like a never-ending game of "hide and seek." Hackers find holes in both modern and legacy web applications, and developers scramble to patch them as soon as possible – and the cycle repeats. But the biggest vulnerabilities often exist in layers that website owners take for granted like HTML5, Single Page Applications (SPA), and even password-protected web assets.The sharks are always circling. That's why security has become an essential part of any serious website or web application strategy. Historically, this required an expensive, multi-layered approach, combining both hardware and professional services. But now, you can automate your security processes with Netsparker: a powerful yet easy-to-use solution that's purpose-built for websites and web applications.In this review, we'll take a deeper look at Netsparker and how it can help website admins identify weak spots in their service. We'll tour its crawling and scanning tools and how it's designed to help maintain governance with domains, certificates, compliance, and more – so you can stay one step ahead of the threats.<h3>What is Netsparker?</h3>Netsparker is an automated yet fully configurable Enterprise DAST (Dynamic Application Security Testing) utility that enables you to scan websites, web applications, and web services to identify security flaws. Netsparker can scan all types of web apps – regardless of the platform or language they're built with – making it incredibly extensible.Netsparker operates on what they call "Proof-Based Scanning," which automatically verifies detected vulnerabilities and confirms whether they're false positives by exploiting them in a safe, read-only manner. Here's a video overview of how it works:<figure class="media"><div data-oembed-url="https://www.youtube.com/watch?v=uF9eGAfBh8A"><div style="position:relative;padding-bottom:100%;height:0;padding-bottom:56.2493%"><iframe src="https://www.youtube.com/embed/uF9eGAfBh8A" style="position:absolute;width:100%;height:100%;top:0;left:0" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe></div></div></figure>With Netsparker's scanning technology and automatic verification, you don't have to be a seasoned security professional to conduct thorough scans. You always know which results are actionable issues and not false positives, so you can prioritize your response.Netsparker is designed with productivity in mind. For example, you can send notifications and automatically assign vulnerabilities to developers, allowing you to patch web applications in real-time to maintain security. Bypassing expensive SecOps staff also means you save time and money on conducting regular scans, letting the cybersecurity pros focus on more complex issues.<img src="https://cmscritic.com/ms-content/uploads/2023/08/eliminate-the-uncertainty-of-false-positives.png" /><h3>Features</h3>There are a lot of security utilities on the market, but few that make vulnerability scanning at the web layer as streamlined as Netsparker. Not only is it easy to navigate and manage, but it gives both an individual user and an enterprise team access to integrated data and insights. We'll talk more about that when we cover Netsparker's product editions, but their central repository is one of the features that sets it apart within the cybersecurity landscape.First, let's cover some of the core capabilities that really stand out.Dashboard Security data can get complex – and fast. But this is where Netsparker really shines. With their visual dashboard, you get a holistic snapshot of your websites, scans, and active vulnerabilities in a single window. Intuitive graphs allow your team to track the severity of threats, assess your overall threat level, and automatically categorize the nature of your vulnerabilities from low to critical.<img src="https://cmscritic.com/ms-content/uploads/2023/08/netsparker-featured-image.png" />From the dashboard, you can also manage permissions for your users and groups, as well as assign team members to specific security tasks or establish security policies for your organization.Proof-Based Scanning™ As previously mentioned, Netsparker’s "Proof-Based Scanning" safely exploits any found vulnerabilities and automatically creates a proof-of-exploit or proof-of-concept to validate that it's real – and not a false positive. The process is further streamlined with automated notifications that assign vulnerabilities to developers, and patch web application firewalls in real-time to help maintain security.Vulnerability Scanning Identifying vulnerabilities is the most important mission for any web vulnerability scanner. Netsparker can spot all types of web application vulnerabilities, including multiple variants of the most common weaknesses such as <a target="_blank" href="https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/">SQL injection</a> and <a target="_blank" href="https://www.netsparker.com/blog/web-security/cross-site-scripting-xss/">cross-site scripting (XSS)</a>. Most direct-impact vulnerabilities are also automatically confirmed, so you can be confident that these results are not false positives.Vulnerability Details and Reporting<img src="https://cmscritic.com/ms-content/uploads/2023/08/blind_sql_injection.png" />Every vulnerability uncovered by Netsparker is accompanied by detailed reporting that helps security teams and developers to not only fix issues but understand them. Vulnerabilities are also automatically tagged with a security severity level, denoting the potential damage they can do – and the urgency required to fix them.While Netsparker offers a number of out-of-the-box reports with different visualization options, you can also render your own custom report templates. Additionally, you can generate compliance reports that cover ISO27001, HIPAA, and other critical regulatory benchmarks – and you can have your PCI DSS reports <a target="_blank" href="https://www.netsparker.com/pci-vulnerability-scan/">validated by third-party entities</a> to ensure governance requirements.Armed with rich, in-depth information and remediation guidance, your experts can eliminate the root causes of vulnerabilities, write more secure code in the future, and meet fierce compliance with dynamic reporting.Built-In Assessment Tools<img src="https://cmscritic.com/ms-content/uploads/2023/08/http_request_builder.png" />To help teams optimize scanning and manual testing, Netsparker features a number of advanced web security tools that work with modern and legacy web languages and technologies.<ul><li>HTTP Request Builder: You can use the <a target="_blank" href="https://www.netsparker.com/blog/docs-and-faqs/http-request-builder-penetration-testing-tool/">HTTP Request Builder</a> to create your own HTTP requests and modify imported requests. This is extremely useful for performing manual vulnerability assessments and troubleshooting complex issues like identifying logical vulnerabilities.</li><li>Encoding and Decoding Tools: Text encoding and decoding is a vital feature when manually crafting and modifying test payloads. To save precious time during manual vulnerability assessments, Netsparker includes a text encoder and decoder that supports multiple encoding schemes, including URL, HTML, Base64, UTF7, MD5, SHA1, SHA256, SHA512, and others.</li><li>ViewState Viewer: When security scanning ASP.NET and modern .NET web applications, Netsparker extracts ViewState data from HTTP requests and responses generated during scanning. The ViewState data is displayed in a separate preview tab for easier troubleshooting.</li><li>Asset Discovery: Another proactive security measure, Netsparker's Asset Discovery service continuously scans the Internet to discover your assets based on numerous variables – including IP addresses, top-level and second-level domains, and even SSL certificate information.</li></ul><h3>Plans</h3>Netsparker offers a few different plans based on your needs: Standard, Team, and Enterprise. The naming is fairly intuitive – and so is the pricing – but we'll explore each tier in more detail below.One quick note worth mentioning: Netsparker Standard and Netsparker Enterprise are actually designed to <a target="_blank" href="https://www.netsparker.com/support/integrating-netsparker-standard-with-netsparker-enterprise/">integrate with each other</a>. This basically means that Enterprise includes Standard, and can synchronize and share data using a central repository. Use whichever edition best suits your needs – from one desktop scanner for a single site to hundreds via API – and share the results with your entire team.And one more thing: Netsparker provides 24-hour email, phone, and remote screen support Monday through Friday. They boast a 98% customer satisfaction rating on their website FAQ, and their product reviews seem to reflect that.Netsparker Standard Netsparker Standard is perfect for small and medium-sized businesses. The on-premises desktop scanner helps protect commercial and open-source web products, websites made by third parties, and custom web applications. If you have websites built on a popular CMS, an eCommerce shop on a platform solution, or a home-grown web application, Netsparker Standard is an ideal choice for up to 20 websites.Netsparker Standard is available as a Windows application with built-in penetration testing and reporting tools, many of which allow for fully automated security testing. You also get access to their crawling and scanning features, reporting, policy tools and more.Netsparker Team Netsparker Team is made for larger organizations seeking a complete vulnerability assessment and management solution with collaboration in mind. Netsparker Team helps streamline workflows for up to 50 websites, and unlike Standard, it's all accessed via Netsparker's REST API.Netsparker Team includes all of the essentials from Standard, like crawling, reporting, and tools – but also provides a multi-user platform with native CI/CD, messaging, and business workflow systems. It also features Netsparker's PCI Compliance Scanner, which brings greater value to websites with significant paycard data transactions.Netsparker Enterprise Netsparker Enterprise is a comprehensive security platform designed for large organizations with significant web properties and assets. Like Team, it is an API-driven, multi-user scanning solution with dynamic built-in workflow tools. The big difference is scalability: if you have over 50 websites you're managing, Enterprise brings hosted account options to the table that empower your teams with dedicated support and resources. You also get access to custom authentication for OAuth2, Single Sign-On (SSO), client-side certificates, and more.Netsparker Enterprise is really designed to <a target="_blank" href="https://www.netsparker.com/online-web-application-security-scanner/sdlc-integration/">integrate seamlessly into the software development lifecycle</a>, allowing DevOps and SecOps teams to scan thousands of web applications and services as they are being developed, tested, or running in production. This makes Enterprise an ideal tool for software teams as they push new products and features to market, ensuring that they meet security and compliance requirements from end to end.<h3>Pricing</h3>Netsparker is an incredibly well-reviewed product, and based on our own experience, it delivers both the functionality and simplicity it claims. They also get points for a cool slider on their <a target="_blank" href="https://www.netsparker.com/plans/">Product &amp; Plans</a> page, which helps recommend a tier based on the number of websites you're scanning. This makes it easy (and maybe even a little fun) to determine which product is right for your needs.Here's how the tiers break down:<ul><li>1-20 websites: Standard plan</li><li>21-49 websites: Team Plan</li><li>50 + websites: Enterprise Plan</li></ul>Unfortunately, that's all you get: a recommendation. They don't provide a price, but it's reasonably clear that it's based in part on the tier itself and the number of websites you'll be scanning. Each plan progressively builds on the previous, allowing you to scale seamlessly. And as mentioned, the Enterprise edition includes the Standard edition desktop scanner as part of the suite.OK, so no price transparency. That requires a demo and a phone call for a custom quote. But the good news is that you can try Netsparker for free today with just a few basic steps. And once you're using it, you'll worry less about price – and wonder how you ever got by without it.<h3>About Netsparker</h3><a target="_blank" href="https://www.netsparker.com/">Netsparker</a> is the leading Enterprise DAST (Dynamic Application Security Testing) solution and the only product that delivers automatic verification of vulnerabilities with exclusive pre-scan automation and Proof-Based Scanning™ technology. Netsparker scans any type of web application, provides actionable results, and integrates with company workflow tools to close the loop between IT and developers. It identifies vulnerabilities from the early stages of application development through production. With global headquarters in London and North American headquarters in Austin, Texas, Netsparker serves customers worldwide in the technology, professional services, banking, and government markets, including many Fortune 500 companies. Netsparker is part of <a target="_blank" href="https://c212.net/c/link/?t=0&amp;l=en&amp;o=2947090-1&amp;h=30600359&amp;u=https%3A%2F%2Fwww.invicti.com%2F&amp;a=Invicti+Security">Invicti Security</a>, the leading global provider of dynamic application security testing products.

Netsparker Review: Web Application Security and Vulnerability Scanner

paris-tuzun

The sad truth of the matter is that there are plenty of ways for intruders (and those with bad intentions) to cause website owners a ton of grief. This can range from attacking your website for the purpose of simply taking it down to attempting to hack it to spread malware. To combat this, it's important to be prepared. In this article, we'll share with you how to secure a website in 5 steps.
In fact, a <a href="http://www.wpwhitesecurity.com/wordpress-news/statistics-70-percent-wordpress-installations-vulnerable/">study conducted by WP White Security</a> found that 73% of all WordPress installations contained known vulnerabilities that would have quickly and easily been found through the utilization of automated tools.
It’s these types of security holes that have resulted in cyber criminals hacking into over 170,000 back in 2012 alone – a number that is probably even higher by now.
<img src="https://cmscritic.com/ms-content/uploads/2023/08/how-to-secure-your-cms.jpeg" alt="how-to-secure-your-cms" />
<h2>What makes websites vulnerable to hacking?</h2>
Websites are appealing targets to hackers for a wide variety of reasons, mainly the number of weak entry points – such as the numerous plugins available for CMS like WordPress.
Many people assume that, because CMS like WordPress and Drupal are highly popular and recognized names, there must be some form of protection. They can’t just leave all of their users vulnerable, right?
Think again.
CMS are inherently open to attack because of the fact their foundation is an open source framework. These types of shared development environments have myriad benefits, but they also come with just as many issues.
Because of the popularity of the top CMS available out there, the security holes within these systems are actively being identified and targeted, both by the good guys (security research teams) and the bad guys (cyber criminals).
Once these holes have been found, they turn that particular CMS into treasure troves of data for cyber criminals, even to the point of creating an entry point for automated attacks on a massive scale.
To add salt to the wound, there are users who use the same passwords for all of their accounts, or even just use weak passwords. These leave their admin accounts open to attacks, even if they aren’t aware of it. This can result in their websites being injected with all sorts of malware and escalating the issue beyond the point of control.
These issues can even result in the websites becoming blacklisted by Google and other search engines, which adversely affects their business or brand as a whole.
<h2>How to get started securing a website</h2>
There are numerous things users can do to secure a website against vulnerabilities and fortify their systems from attack.
These include:
<h3>Using a strong password</h3>
To begin with, if your website is powered by a popular CMS such as WordPress, you want to makes sure that you secure it with a very strong password. Hackers and anyone using a WordPress website themselves are very familiar with how to access the administration interface and begin attempting to login.
Even if you are not using WordPress, it doesn't take much effort to scan a website for a login / admin interface so be sure that if someone DOES find this interface, they have no chance of logging in and taking over your website.
<h4>How to set up a strong password to secure a website</h4>
Always secure with a strong password to make this process harder for hackers and other cyber criminals. Additionally, you’re going to want to hash the password(s) you use by implementing a <a href="https://auth0.com/blog/hashing-passwords-one-way-road-to-security/">slow hashing algorithm</a>.
BONUS: Block the IP for at least one minute after x amount of password authentication failures. Three is the recommended amount of attempts before IP blocking.
Use a secure password generator to create something that is next to impossible to guess: <a href="https://www.lastpass.com/password-generator">LastPass Secure Password Generator</a>
<h3>Having a firewall in place is another important way to secure a website</h3>
Setting up a firewall will not only further secure your website / CMS, but it will also help you keep an eye on suspicious activity and track them by providing a related IP address for the source of that activity.
Once you’ve detected and found suspicious activity, you can then blacklist the IP the firewall provided.
Having said that, if you are not the type who wants to have to do these things manually, then it's a good idea to put in place a security service to do so for you. Most of the offerings out there are relatively reasonable in price and will save you a lot of headaches.
<h4>Our recommended website security company:</h4>
SiteGuarding.com
I recommend putting in place a website security service such as <a href="http://bit.ly/cc-siteguarding">SiteGuarding.com</a> to keep your website safe from hacking attempts. SiteGuarding is a security service that protects your website against malware and hacker exploits.
<h3>3 . ALWAYS Backup your CMS</h3>
This is one of the most essential aspects of CMS and website security and is actually just an overall good habit to have.
Have a backup system in place that will make it possible to recover your website in the event something happens. Always make sure your backups are updated as much as possible to avoid any security vulnerabilities or further problems down the road.
BONUS: Make sure your CMS and any extensions it may have are updated. These upgrades should be double-checked to ensure they are fully compatible with your system before you allow or make them. Of course, you’re always going to want to backup your CMS before conducting these updates.
If you currently don't have a means of backing up your website, we recommend going with a solid hosting company that offers this service for free.
Here are a few we recommend that have daily backups:
<ul>
<li><a href="http://www.anrdoezrs.net/click-7040701-10833186">GoDaddy</a></li>
<li><a href="https://kinsta.com?kaid=QQMMZOGRMCQE">Kinsta – If you run WordPress</a></li>
<li><a href="https://www.bluehost.com/">BlueHost</a></li>
</ul>
<h3>4 . Protect against SQL-injections</h3>
An SQL-injection is a cyber attack that embeds malicious code within your CMS and its backend database. Once it’s in there, that malicious code then creates database query results and / or actions that you definitely do not want executed.
There are several types of SQL-injections and they enable the cyber criminal to do a whole variety of things. These include:
<ul>
<li>Editing, deleting, reading, or adding to the content of your CMS</li>
<li>Accessing and reading source code from the files on the CMS server</li>
<li>Write files to the server</li>
</ul>
While it is true that any one of those things relies heavily upon the capabilities of the cyber criminal, any SQL-injection can still lead to you losing control of your database and web server.
In order to prevent this from happening, <a href="https://www.netsparker.com/blog/web-security/understanding-sql-injection-protection/">use prepared statements</a>, as these separate the structure and data. This allows the SQL server to interpret them without being open and vulnerable to a hacker that is trying to alter the structure of the SQL query for their own malicious purposes.
The best way to protect against these is to implement a website security service that will keep your site protected against attacks. Here's an example of an excellent one: <a href="http://bit.ly/cc-siteguarding">Site Guarding</a>
<h3>5 . Get an SSL Certificate</h3>
An SSL certificate (secure sockets layer) is the standard security technology that is used to produce an encrypted link that goes between the web server and the browser. It is this link that will ensure that the data that goes between the server and the browser will stay private and secure.
Adding an SSL certificate to your domain will not only add an additional layer of security to your CMS, but will also help with SEO because it tends to get your website ranked higher in search engines.
If you don't yet have an SSL certificate, <a href="https://shareasale.com/r.cfm?b=1188781&amp;u=407830&amp;m=46483&amp;urllink=&amp;afftrack=">get one here</a>.
<img src="https://cmscritic.com/ms-content/uploads/2023/08/how-to-secure-your-cms-1.jpeg" alt="how-to-secure-your-cms-1" />
<h2>Final Thoughts</h2>
Website security is one of those things that can truly be considered a “Catch-22” type of situation.
The more cyber criminals are out there trying to gain access into people’s CMS, the more security researchers crack down on it and come with new methods of protection. The greater the security becomes, the harder the cyber criminals will work to gain access – and they do like challenges.
It’s really an ongoing battle that is seemingly without end.
But, where does that leave you and your CMS?
It’s hard to say for sure where your CMS lies within the cyber criminal-infested waters, but there are things you can do to ensure your CMS is as secure as you can possibly make it. These five methods of security will help reduce threats to your CMS and help keep your data out of jeopardy.

How to Secure a Website in 5 Steps

mike-johnston

Explore a wide range of informative articles on security, insights, and industry updates. Stay informed and ahead of the curve with our diverse collection of news and posts covering the latest trends and developments in the industry