5 Hidden Google Analytics Reporting Features You Should be Using

I will cover 5 potentially unknown features in Google Analytics, how to use them, examples, and my personal opinion on their limitations. This won’t be a completely comprehensive post but is meant to open the door for discussion or potential use cases.

Powered by WPeMatico

Arbitrary File Viewing Vulnerability in Candidate Application Form

https://www.pluginvulnerabilities.com/2017/10/19/arbitrary-file-viewing-vulnerability-in-candidate-application-form/

Recently, in our monitoring of the WordPress Support Forum, we ran across a thread claiming that a vulnerability was being exploited in the plugin Candidate Application. The vulnerability being referred to there was actually in another plugin. The slug of the plugin being discussed is wp-candidate-application-form, while the vulnerability was for a plugin with the slug candidate-application-form. The vulnerability mentioned in the thread was

This Might Be Why Note Press Was Removed From the WordPress Plugin Directory

https://www.pluginvulnerabilities.com/2017/10/19/this-might-be-why-note-press-was-removed-from-the-wordpress-plugin-directory/

When it comes to improving the security of WordPress, one of the easiest things to do would be to start alerting when websites are using plugins that have been removed from the Plugin Directory for security issues. We have been trying to get that to happen for over five years, but the WordPress team has continued to refuse to do that,

Introducing iThemes Sales Accelerator for WooCommerce

If you’re running an e-commerce store with WooCommerce, one of the key things you need for success is good, accurate data about how your store is performing.

After nearly 10 years of selling products online at iThemes.com, I can tell you I obsess over our sales data daily, refreshing our sales report dashboard to see what’s selling and how sales are going this month. You can’t be in the dark about your sales, and you need accurate information at your fingertips.

That’s why I’m excited to finally share the launch of iThemes Sales Accelerator, and how it will solve the problem of WooCommerce reporting for you.

iThemes Sales Accelerator is an entirely new breed of product for us, and it’s the next big thing from iThemes. iThemes Sales Accelerator is both a WordPress plugin AND an iOS app designed JUST for WooCommerce store owners.

Not only will you get better sales and e-commerce analytics reporting with this plugin … but with the companion iPhone app, you can take your store everywhere, so you can know what’s happening with your store when you’re on the go.

AND … we’re not stopping at providing better, accurate sales reporting. We have a ton more planned for iThemes Sales Accelerator in the coming months, like:

  • Marketing Automation — Grow and optimize your sales while you sleep with features like cart abandonment and more.
  • Custom Email Templates — Easily customize the emails that are sent to your customers from your store.
  • Warehouse Management — Manage the stock of your products with multiple warehouses.

All of this work has one simple goal: to help you make MORE money with your WooCommerce store … from the trusted, veteran WordPress team at iThemes.

To celebrate the launch of iThemes Sales Accelerator, we’re offering a special, limited-time introductory discount:

We hope this pricing makes iThemes Sales Accelerator an easy investment decision for anyone running a WooCommerce store. As our experienced WooCommerce development team adds more and more features in the coming months, you get value today and more as we ship new features for you in the future.

Additionally, I would be remiss if I didn’t share that the ultimate way to get iThemes Sales Accelerator PLUS all our other tools is in our two best-value product bundles:

  • The Plugin Suite (Includes all of our pro WordPress plugins, including unlimited site licenses of iThemes Sales Accelerator, BackupBuddy (our WordPress backup plugin), iThemes Security Pro (our WordPress security plugin) and more)
  • The iThemes Toolkit (Get everything we offer at iThemes, including the Plugin Suite and Sync Pro to manage your sites remotely, our 200+ theme library and 900+ hour WordPress training library).

iThemes Sales Accelerator fits into our ultimate goal to Make People’s Lives Awesome by providing the best WordPress tools. We are constantly trying to push the innovation bar and do more for you.

The post Introducing iThemes Sales Accelerator for WooCommerce appeared first on iThemes.

How to Win SERP Features with SEMrush

SERP features, especially Featured Snippets are the focal point of many SEOs. Let’s look at how the SEMrush toolkit can assist you on the path to achieving SERP features, and how you can keep an eye on your competitors.

WordPress 4.9 Beta 3

WordPress 4.9 Beta 3 is now available!

This software is still in development, so we don’t recommend you run it on a production site. Consider setting up a test site just to play with the new version. To test WordPress 4.9, try the WordPress Beta Tester plugin (you’ll want “bleeding edge nightlies”). Or you can download the beta here (zip).

For more information on what’s new in 4.9, check out the Beta 1 blog post. Since the Beta 1 release, we’ve made 70 changes in Beta 2 and 92 changes in Beta 3. A few of these newest changes to take note of in particular:

  • The plugin/theme editors now show files in a scrollable expandable tree list. See #24048.
  • Backwards compatibility has been improved for MediaElement.js, which is upgraded from 2.2 to 4.2. See #42189.
  • When you create post stubs in the Customizer (such as for nav menu items, for the homepage or the posts page), if you then schedule your customized changes or save them as a draft, then these Customizer-created posts will appear in the admin as “Customization Drafts”; these drafts can be edited before your customized changes are published, at which time these posts (or pages) will also be automatically published. See #42220.
  • Theme browsing and installation experience in the Customizer has seen some bugfixes (e.g. #42215 and #42212), with some known remaining issues outstanding in Safari.
  • There is now a callout on the dashboard to install and activate Gutenberg. See #41316.
  • Menus in the Customizer have seen additional usability improvements. See #36279 and #42114.

Do you speak a language other than English? Help us translate WordPress into more than 100 languages!

If you think you’ve found a bug, you can post to the Alpha/Beta area in the support forums. We’d love to hear from you! If you’re comfortable writing a reproducible bug report, file one on WordPress Trac, where you can also find a list of known bugs.

Many refinements
Exist within this release;
Can you find them all?

How to Address Object Injection Vulnerabilities in PHP

https://pagely.com/blog/2017/10/object-injection-vulnerabilities-in-php/

I have been discussing the risks related to PHP Object Injection, or insecure usage of unserialize(), and how this insecure coding practice is unfortunately very prevalent in the WordPress plugin ecosystem. This post is for plugin (and really any PHP) developers, to share why you shouldn’t unserialize() data sent from untrusted sources, and how one easy code change can save you from writing vulnerable code.

Why not?

Many people have discussed the risks of PHP Object Injection (OWASP, FoxGlove), but for a TL;DR: bad things happen when you unserialize() data received from a browser (e.g. cookies, POST/GET values, etc.).

What’s the fix?

The most common fix is to replace the usage of serialize and unserialize with json_encode and json_decode. This works perfectly for instances where an array or associative array was previously being used.

Example:

$array = ["one", "two", "three"];
# Our test array
print_r($array);
# Array
# (
# [0] => one
# [1] => two
# [2] => three
# )

Now, let us create a serialize() copy of the same array and show how unserialize() handles the data:

$serialized_array = serialize($array);
# A serialized copy
echo $serialized_array;
# a:3:{i:0;s:3:"one";i:1;s:3:"two";i:2;s:5:"three";}
print_r(unserialize($serialized_array));
# print_r unserialize() of the variable gives the same output as above!
# Array
# (
# [0] => one
# [1] => two
# [2] => three
# )

serialize() and unserialize() work as expected above, but unserialize() is insecure on untrusted input. So, let us use json_encode() and json_decode() instead and verify they also give the same outputs.

$json_array = json_encode($array);
# A JSON copy
echo $json_array;
# ["one","two","three"]
print_r(json_decode($json_array));
# print_r json_decode() of the variable also gives the same output as unserialize!
# Array
# (
# [0] => one
# [1] => two
# [2] => three
# )

Does the same apply for tables or associative arrays? Yes!

$table = ["one" => "foo", "two" => "bar", "three" => "baz"];
# let's try an associative array
print_r($table);
# Array
# (
# [one] => foo
# [two] => bar
# [three] => baz
# )
$serialized_table = serialize($table);
# A serialized copy
echo $serialized_table;
# a:3:{s:3:"one";s:3:"foo";s:3:"two";s:3:"bar";s:5:"three";s:3:"baz";}
print_r(unserialize($serialized_table));
# print_r unserialize() of the variable gives the same output as above!
# Array
# (
# [one] => foo
# [two] => bar
# [three] => baz
# )
$json_table = json_encode($table);
# A JSON copy
echo $json_table;
# {"one":"foo","two":"bar","three":"baz"}
print_r(json_decode($json_table, TRUE));
# print_r json_decode() of the variable also gives the same output as unserialize()!
# (note the TRUE argument to ensure the returned value is an array rather than a stdClass object)
# Array
# (
# [one] => foo
# [two] => bar
# [three] => baz
# )

I hope the above walkthrough helps clarify that simply dropping in json_encode/json_decode in place of serialize/unserialize can be an extremely simple and effective fix.

If you have a custom object you’ve been storing in user-controlled input, this may require some extra work and possible refactoring, but it’s not impossible. You have two options:

  1. Refactor your code so the data which represents that Object class can be exported to an associative array or table, which can safely be encoded and decoded over the wire using json to safely re-create the Object class later.
  2. Store your serialized objects in your database and pass a unique identifier to the browser. Later you can retrieve the serialized data from the database (using the unique ID provided by the browser) to re-create that object safely.

Neither is as direct a fix as the one shown above, and the implementation will differ for every situation, but it will be worth it to avoid opening your site up to object injection vulnerabilities.
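The following is an added example, not code from the original post, applying the JSON replacement above and option 1 to a hypothetical UserPrefs object carried in a browser cookie. The class, the cookie values and the allowed ranges are assumptions for illustration:

```php
<?php
// Added example (not code from the original post): a hypothetical UserPrefs
// object carried in a browser cookie. Following option 1 above, the object
// is flattened to an associative array, sent as JSON, and rebuilt with
// validation on the way back in, so unserialize() never touches browser data.

class UserPrefs
{
    public $theme = 'light';
    public $perPage = 10;

    // Export only plain data; no class name or code crosses the wire.
    public function toArray(): array
    {
        return ['theme' => $this->theme, 'per_page' => $this->perPage];
    }

    // Rebuild from untrusted data: unknown keys are ignored, expected keys are
    // type- and range-checked, and anything invalid falls back to the default.
    public static function fromArray(array $data): self
    {
        $prefs = new self();
        if (isset($data['theme']) && in_array($data['theme'], ['light', 'dark'], true)) {
            $prefs->theme = $data['theme'];
        }
        if (isset($data['per_page']) && is_int($data['per_page'])
            && $data['per_page'] >= 1 && $data['per_page'] <= 100) {
            $prefs->perPage = $data['per_page'];
        }
        return $prefs;
    }
}

// BEFORE: object injection risk; the cookie decides what gets instantiated.
function load_prefs_insecure(string $cookie)
{
    return unserialize($cookie);
}

// AFTER: json_decode() yields only scalars and arrays, never application
// objects, and fromArray() decides which values are accepted.
function load_prefs_secure(string $cookie): UserPrefs
{
    $data = json_decode($cookie, true);
    return UserPrefs::fromArray(is_array($data) ? $data : []);
}

// Constructed sample cookie values (in production, $_COOKIE['prefs']):
$good = json_encode((new UserPrefs())->toArray());          // {"theme":"light","per_page":10}
$bad  = '{"theme":"dark","per_page":"25","extra":true}';  // wrong type, unknown key
$old  = 'O:9:"UserPrefs":0:{}';                           // legacy serialize() format
print_r(load_prefs_secure($good)); // theme light, perPage 10
print_r(load_prefs_secure($bad));  // theme dark, perPage 10 (string "25" rejected)
print_r(load_prefs_secure($old));  // all defaults: not valid JSON, nothing instantiated
```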

Note: PHP 7 and higher support an “allowed_classes” option in unserialize(). This is a good way to prevent people from injecting unexpected objects; however, it may still leave the site vulnerable to attacks where attackers abuse access to the object’s data structure, and it does not prevent an attack that targets PHP itself by injecting unexpected data into an object structure to cause an overflow or memory corruption.
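An added example, not from the original post, illustrating the first limitation in the note above: allowed_classes keeps unexpected classes out, but the values inside an allowed object still come straight from the browser and need validation. UserPrefs is a hypothetical class and the serialized strings are constructed samples:

```php
<?php
// Added example (not code from the original post) showing what allowed_classes
// does and does not protect. UserPrefs is hypothetical; payloads are constructed.
class UserPrefs
{
    public $theme = 'light';
    public $perPage = 10;
}

// Constructed strings in serialize() format: one for our own class, one for
// a class the application never expected to receive from a browser.
$ours    = 'O:9:"UserPrefs":2:{s:5:"theme";s:4:"dark";s:7:"perPage";s:3:"abc";}';
$unknown = 'O:10:"Unexpected":0:{}';

// allowed_classes => false: every object becomes __PHP_Incomplete_Class, so
// no constructor, __wakeup() or __destruct() of a real class can run.
$blocked = unserialize($unknown, ['allowed_classes' => false]);
var_dump($blocked instanceof __PHP_Incomplete_Class); // bool(true)

// Whitelisting our own class keeps other classes out ...
$prefs = unserialize($ours, ['allowed_classes' => ['UserPrefs']]);
var_dump($prefs instanceof UserPrefs); // bool(true)
// ... but every property is still whatever the browser sent:
var_dump($prefs->perPage); // string(3) "abc", not an int

// So even with allowed_classes, treat the object's fields as untrusted input.
function sanitize_prefs($obj): UserPrefs
{
    $clean = new UserPrefs();
    if ($obj instanceof UserPrefs) {
        if (in_array($obj->theme, ['light', 'dark'], true)) {
            $clean->theme = $obj->theme;
        }
        if (is_int($obj->perPage) && $obj->perPage >= 1 && $obj->perPage <= 100) {
            $clean->perPage = $obj->perPage;
        }
    }
    return $clean;
}
print_r(sanitize_prefs($prefs)); // theme dark, perPage 10 ("abc" rejected)
```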

I hope the above quick tutorial is helpful. We are still finding many PHP Object Injection vulnerabilities in WordPress plugins and have been working with the developers to address them. We hope that sooner rather than later the word gets out and more people take the time to clean up this insecure coding practice.

This Might Be Why Starbox Was Removed From the WordPress Plugin Directory

https://www.pluginvulnerabilities.com/2017/10/18/this-might-be-why-starbox-was-removed-from-the-wordpress-plugin-directory/

When it comes to improving the security of WordPress, one of the easiest things to do would be to start alerting when websites are using plugins that have been removed from the Plugin Directory for security issues. We have been trying to get that to happen for over five years, but the WordPress team has continued to refuse to do that, while

Divi Feature Update! Huge Font Options Overhaul, Better Heading Controls and Countless More Text Options

Our Biggest Font Options Upgrade Ever

This is a huge update with so many new font options. You won’t believe how much more you can do, and how much easier those things are to achieve.

We have an amazing Divi update for you today, filled with so many of the features you have been requesting, and so much more too. Today we are launching our brand new font options interface, filled with 600 new fonts, improved font management, custom font uploading, new font styles, better font weight controls, fine tuned heading style management, heading level selection and dozens of new design options for the text module.

Check Out The New Font Options In Action

The Brand New Font Options Interface

Today we are introducing a brand new interface for managing fonts in the Divi Builder. This UI is packed with new fonts, new features and an improved user experience.

600 New Fonts To Choose From

We are quadrupling the available fonts in Divi from 200 to 800! In addition to this static list of 800 fonts, you can also add your Google API key to the Divi Theme Options which will keep your fonts list updated daily. Every time a new Google font is added, it will show up in the Divi Builder automatically! These new fonts open up so many new opportunities to design stunning, unique pages.

Easily Search The Font List

This new list of fonts is huge, but finding your desired font is easier than ever thanks to Divi’s new font search feature. When you open the new font selection menu, you can simply start typing the name of your desired font and the list will be filtered accordingly.

Quickly Access Recently Used Fonts

Whenever you use a font in the Divi Builder, that font gets added to your “Recent Fonts” list, which is quickly accessible at the top of the font selection menu. When you are designing a page with custom fonts, your desired font will always be right where you want it at the top of the font list! No need to remember the name of the font or to hunt through the menu. This saves so much time.

Live Preview Fonts On Hover

Finding the perfect font is a lot easier now thanks to our new font preview system. As you scroll through the font list in the new font selection menu, fonts are loaded in automatically on hover to give you a live preview of the font before you select it.

Upload And Manage Custom Fonts

In addition to the 800 fonts that come with Divi, you can also upload your own custom font files right from inside the builder. Simply select your .eot, .woff2, .woff, .ttf, or .otf files, give your font a name and you’re done! Your new custom font will show up in the font selection menu near the top of the list. You can upload, delete and manage your custom fonts without leaving the builder or refreshing the page.

New Font Style Options

New font styling options have been added to all modules, including small caps, strike-through, underline and double underline. These new styles also come with additional options that allow you to customize the added line elements.

Better Font Weight Choices

All of Divi’s 800 fonts are equipped with dynamic font weight choices. When you select a font, all of the available font weights will be loaded into the new font weight option allowing you to select anything from Ultra Thin to Ultra Bold. This gives you so much more control than before (Divi previously only supported two font weights: Normal and Bold).

Fine-Tuned Heading Controls For All Modules

Now you can control heading levels for all modules and apply custom styles to H1-H6 headings.

Customize Each Heading Level Individually

You can now create custom design styles for each heading level in the Divi Builder, assigning custom fonts, text sizes and font styles to H1, H2, H3, H4, H5 and H6 independently. This makes custom headings so much more useful and practical when used inside of the Divi text module.

Choose Heading Levels For Each Module

You can also adjust the heading level used in each Divi module. Change the default heading of your blurb module from H4 to H2, or change the default heading of your Slider module from H2 to H1, allowing you to better control the hierarchy of your page for search engines.

Countless New Design Options For Text Modules

Dozens of new design options have been added to the text module, giving you more control over standard text elements.

The New Text Design Interface

The Divi text module has a brand new tabbed interface for managing custom text styles, including controls for standard paragraphs, blockquote, lists and anchor links. Now you can control styles without having to apply custom HTML or inline CSS using the text editor.

Customize Your Lists

You can now customize your list styles in the Divi text module. Change the font, font style, text size and color. Customize the list style type, position and indentation.

Customize Your Links

You can now customize your anchor link styles in the Divi text module. Change the font, font style, text size, color and more. No need to use inline CSS or apply custom colors to each link in the TinyMCE text editor.

Customize Your Block Quotes

You can now customize your blockquote styles in the Divi text module. Change the font, font style, text size, color and more. You can even adjust the blockquote’s default border weight and color.

Join, Renew & Upgrade Today For 10% Off!

Join the most enthusiastic and loving WordPress theme community on the web and download Divi 3.0 today. Using the new Visual Builder, you can build websites faster than ever before with its incredibly fast and intuitive visual interface. You have to see it to believe it!

The post Divi Feature Update! Huge Font Options Overhaul, Better Heading Controls and Countless More Text Options appeared first on Elegant Themes Blog.

New Attacker Scanning for SSH Private Keys on Websites

https://www.wordfence.com/blog/2017/10/ssh-key-website-scans/

This entry was posted in General Security, WordPress Security on October 18, 2017 by Mark Maunder.

Wordfence is seeing a significant spike in SSH private key scanning activity. We are releasing this advisory to ensure that our customers and the broader WordPress community are aware of this new activity and of the risk of making private SSH
