Our WordPress Plugin Security Checker Identified a Fairly Serious Vulnerability in a Plugin by MailChimp

https://www.pluginvulnerabilities.com/2017/11/22/our-wordpress-plugin-security-checker-identified-a-fairly-serious-vulnerability-in-a-plugin-by-mailchimp/

Recently we introduced a tool to do limited automated security checks of WordPress plugins in the Plugin Directory (and more recently expanded it to check plugins not in the directory). As part of improving that we have been logging any issues identified by the tool in plugins in the Plugin Directory (we don’t log the results for other plugins) and

Powered by WPeMatico

Authenticated Local File Inclusion (LFI) Vulnerability in Vmax Project Manager

https://www.pluginvulnerabilities.com/2017/11/22/authenticated-local-file-inclusion-lfi-vulnerability-in-vmax-project-manager/

We recently noticed an authenticated arbitrary file upload vulnerability in the plugin Vmax Project Manager. While writing up the details of that we were tracing back the code that would be involved in that and at first we couldn’t figure out how part of it would work. Then we figured that out and noticed that there is also an authenticated local


Authenticated Arbitrary File Upload Vulnerability in Vmax Project Manager

https://www.pluginvulnerabilities.com/2017/11/22/authenticated-arbitrary-file-upload-vulnerability-in-vmax-project-manager/

A month ago we wrote about how the security review of newly submitted plugins to the WordPress Plugin Directory needs improvement. One of the newly introduced plugins that lead to that was the plugin Vmax Project Manager. We came across the plugin through our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities, due to the possibility of


Arbitrary File Upload Vulnerability in Wallable

https://www.pluginvulnerabilities.com/2017/11/22/arbitrary-file-upload-vulnerability-in-wallable/

A month ago we wrote about how the security review of newly submitted plugins to the WordPress Plugin Directory needs improvement. One of the newly introduced plugins that lead to that post was the plugin Wallable. We came across the plugin through our proactive monitoring of changes made to plugins to try to catch serious vulnerabilities. The possible vulnerability that had been


The 14-Step Apache Security Best Practices Checklist (PDF eBook included)

https://wpbuffs.com/apache-security-best-practices/

Apache currently remains the leading web server software in the world with a 45.8% market share. That ends up being about 80 million websites whose web servers are powered by Apache. Pretty impressive, right?

Apache is an open source web server software that has been around since 1995, so that alone speaks volumes to its reliability and longevity. Then there are the high-profile websites that run on Apache servers: Apple, Adobe, and PayPal are just a few of the major brands that entrust their websites to Apache.

Of course, that doesn’t make Apache 100% secure, as no software will ever be 100% safe from hackers, especially when it’s such a well-known and trusted platform (much like WordPress). But if you’re looking for an Apache security PDF eBook, module, guide, tutorial, framework or web server security checklist, you’ve come to the right place.

If you want to harden your Apache security, are having any Apache security issues, or are trying to patch a vulnerability or two, the following checklist will provide you with 14 security best practices to add to your website’s security plan.




The Ultimate Apache Security Best Practices Checklist

For those of you who want to truly fortify your WordPress website, securing Apache as you would any of the other software that hooks into and powers your website is essential. Failing to do so can even affect your site’s speed. So, here’s how you will do it:

1. Update Apache

You know how WordPress and any plugins and themes you’ve installed need to be updated regularly? So too does your web server.

If you’re nervous that your site isn’t running on the most current version of Apache, you can check by running httpd -v on the command line. If the version it prints doesn’t match the current one from Apache, you can update it with the following:

# yum update httpd
# apt-get install [add Apache version here]

2. Turn on Logs

If you’re working with a managed WordPress hosting provider, they’ll take care of monitoring your server and WordPress for vulnerabilities and other warning signs. That said, you should keep an eye on your server traffic as well.

With Apache, you gain access to this activity log through the mod_log_config module; once it is enabled and configured, it records what users do whenever they touch your server.

3. Get an SSL Certificate

Because your web server handles all browser/server requests to your website, it’s important to secure it with an SSL certificate. The good news is that you can now get an SSL certificate for free. This is more important now than ever, so if you don’t have the technical ability to install this yourself, any quality hosting provider will be able to do it for you.

4. Add a Firewall

In addition to the added protection of the SSL’s encryption, your web server should be fortified with a firewall. For Apache, this means turning on ModSecurity.

To install it on your server, you can execute the following:

# yum install mod_security
# /etc/init.d/httpd restart

Once the firewall is live, it will prevent a number of malicious activities from reaching your server, like SQL injection, session hijacking, and cross-site scripting.

5. Install mod_evasive

Mod_evasive is the module that will protect your Apache server from brute force and DDoS attacks, so make sure this is enabled as well. It will blacklist concurrent and failed login attempts as well as monitor for malicious IPs.

6. Set HTTP Limits

Distributed denial of service (DDoS) attacks are pretty simple to block if you know what sort of actions to watch for. Since DDoS attacks tend to work by repeatedly hitting your server with large requests, your goal should be to set limits that prevent this from happening.

Here are some of the limits you’ll want to establish:

  • KeepAlive On
  • KeepAliveTimeout
  • LimitRequestBody
  • LimitRequestFields
  • LimitRequestFieldSize
  • LimitRequestLine
  • LimitXMLRequestBody
  • MaxClients
  • MaxKeepAliveRequests
  • MaxRequestWorkers
  • RequestReadTimeout
  • TimeOut

7. Delete Unused Modules

By leaving unused, unmaintained, or expired modules on your Apache server, you’re leaving your site open to hackers through a point of entry that doesn’t even need to be there.

The first thing you should do is find out which modules are actually active. You can do this by listing the LoadModule lines in your configuration. Once you’ve sifted through the list and identified which modules you don’t need, simply add the “#” symbol in front of each LoadModule line you want to deactivate and then restart Apache.

8. Change Default User and Group

Leaving default settings and users in place on any software is, in general, bad security practice. The reason for this is simple: if you’re using the Apache default user or group name, you can bet hackers are aware of what those default names are as well.

Rather than leave the defaults in place, you should create a new non-privileged account to run your Apache processes through. Using the # groupadd and # useradd commands, you can create the new group and user. Just remember to update your httpd.conf with the new user and group names you’ve created.

9. Block Directory Access

Here is another example of default settings that need to be changed. In this case, it’s the access granted to your directory’s files which allows anyone to explore wherever they’d like.

To put a total block in place, use the following configuration block:

<Directory />
    Require all denied
</Directory>

If you want to enable access to certain users, you can do so with this (replace the placeholder path with the folder in question):

<Directory "/path/to/folder">
    Require all granted
</Directory>

If you want to enable access to certain folders within the directory, you can do so with this (replace the placeholder path with the folder in question):

<Directory "/path/to/folder">
    Require all granted
</Directory>

You may also want to peruse the Apache module repository for further tweaking of user access rights.

10. Don’t Publish the Directory

Did you know that if your server doesn’t have an index file that users will be able to see all the content you have stored in your root directory? That’s obviously not good, so you’ll need to disable this default setting with the following:


Options -Indexes

11. Hide Server Details

Because Apache is open source software, details about the version in use are readily available if these settings are not disabled server-side. Since hackers can use that sensitive information to figure out how to break into your server, you’ll want to block this information out.

There are two things you’ll want to disable:

  • ServerSignature – which is the version of Apache
  • ServerTokens – which includes the OS version, among other sensitive server details

This information can be found by other users simply by viewing an error page on your website, so it’s pretty important to block this from being shown. To do this, update the httpd.conf with the following:

ServerSignature Off
ServerTokens Prod

12. Hide the ETag

The ETag header in Apache, unfortunately, includes a number of sensitive details about your server. Obviously, anything that shares that sort of information with the outside world should be hidden. Additionally, if you’re running an e-commerce website, you’ll need to hide this in order to be PCI compliant.

To do this, add the following directive to your httpd.conf:

FileETag None

13. Disable .htaccess Override

The .htaccess is an important file for any WordPress website. This is why you need to lock it down and ensure that no one else can override your configuration settings.

To disable this, add the following to your httpd.conf at the root:

<Directory />
    Options -Indexes
    AllowOverride None
</Directory>
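As an added example (not from the WP Buffs article), the following POSIX shell script audits an httpd.conf for the directives that steps 6 and 10 to 13 ask for, and runs itself against two constructed sample configs; the limit values in the hardened sample are illustrative assumptions, not the article’s recommendations.

```shell
# Added example (not from the article): audit an httpd.conf for the hardening
# directives named in steps 6 and 10-13. Comment lines are stripped first, so
# a commented-out directive does not count as set.

# check_directive FILE DIRECTIVE [EXPECTED]: prints "MISSING D" if no active
# line sets it, "WEAK D VALUE" for each occurrence that differs from EXPECTED.
check_directive() {
    values=$(sed 's/#.*//' "$1" | awk -v d="$2" 'tolower($1)==tolower(d){print $2}')
    [ -n "$values" ] || { echo "MISSING $2"; return; }
    [ -n "$3" ] || return 0
    for v in $values; do
        [ "$(printf %s "$v" | tr A-Z a-z)" = "$(printf %s "$3" | tr A-Z a-z)" ] \
            || echo "WEAK $2 $v"
    done
}

# check_indexes FILE: listings are off only if some active Options line drops
# Indexes (or sets None) and no active line turns them (or All) back on.
check_indexes() {
    sed 's/#.*//' "$1" | awk 'tolower($1)=="options" {
        for (i = 2; i <= NF; i++) {
            t = tolower($i)
            if (t == "indexes" || t == "+indexes" || t == "all") on = 1
            if (t == "-indexes" || t == "none") off = 1
        } } END { if (on || !off) print "WEAK Options directory-listing" }'
}

# audit_httpd_conf FILE: prints all findings; returns 1 if there were any.
audit_httpd_conf() {
    out=$({ check_directive "$1" ServerTokens Prod
            check_directive "$1" ServerSignature Off
            check_directive "$1" FileETag None
            check_directive "$1" AllowOverride None
            check_indexes "$1"
            for d in LimitRequestBody RequestReadTimeout TimeOut KeepAliveTimeout
            do check_directive "$1" "$d"; done; })
    [ -z "$out" ] || echo "$out"
    [ -z "$out" ]
}

# Constructed samples: a default-like config and one that applies the
# checklist (the limit values are illustrative assumptions, not prescriptions).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT; WEAK=$TMP/weak.conf; HARD=$TMP/hardened.conf
printf '%s\n' 'ServerTokens OS' 'ServerSignature On' '# FileETag None' \
    '<Directory />' '    Options Indexes FollowSymLinks' \
    '    AllowOverride All' '</Directory>' 'TimeOut 300' >"$WEAK"
printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' 'FileETag None' \
    'TimeOut 60' 'KeepAliveTimeout 5' 'LimitRequestBody 10485760' \
    'RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500' \
    '<Directory />' '    Options -Indexes' '    AllowOverride None' \
    '    Require all denied' '</Directory>' >"$HARD"
for f in "$WEAK" "$HARD"; do
    echo "== $(basename "$f")"; audit_httpd_conf "$f" && echo "no findings"
done
```

Point the script at your real httpd.conf (and any included files) after a change to confirm the setting actually took effect rather than sitting behind a “#”.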

14. Disable SSI and CGI

Server Side Includes (SSI)-enabled files can open your site up to a number of security problems if left unchecked. Same goes for CGI scripts. In order to prevent either of these from empowering hackers to overload your server or inject malicious scripts into your code, remember to turn them off or restrict what they do through the Options directive.

Here are some Options values you can use:

  • Options All
  • Options IncludesNOEXEC
  • Options -Includes
  • Options -ExecCGI
  • Options -Includes -ExecCGI
  • Options MultiViews



Taking Care of Your Apache Server

In an effort to harden your website’s security, pay special attention to your Apache server. Issues like server misconfiguration and leaving default settings in place can put your site at risk just as much as an un-updated core or unsafe PHP coding practices can.


The post The 14-Step Apache Security Best Practices Checklist (PDF eBook included) appeared first on WP Buffs.


10 Cool Themes to Check Out Before Creating Your Next WordPress Website

Whatever kind of niche or style you can think of, there’s a WordPress theme for it. People have been using WordPress to build all kinds of websites, which makes it no surprise that all sorts of themes keep being developed, improved and purchased by web enthusiasts all over the world. In this post, we’ll specifically be sharing some cool themes that are made with WordPress. Make sure you also check out the following post containing cool websites that are made with WordPress.

1. Flow


The first theme we want to start our list of cool themes with, is Flow. This great WordPress theme speaks to your imagination. Flow is a perfect fit if you’re planning on starting your blog, or if you’re about to create one for a client. It offers three different ways of approaching your website with the original, creative and waterfall layouts. Each one of them looks stunning and unique in its own way. With one click, you’ll be able to import the demo layout and get started right away.

Price: $49 | More information

2. Minimum


The next theme we’d like to share is Minimum. This cool theme is nothing you have seen before; it’s clean yet mysterious in a very attractive way. It offers you, among other things, AJAX animations, bonus parallax pages, two drop-down menus and a stunning catalog page. There are also over 500 Google fonts present and there are four integrated colors that allow you to do quick and easy customizations.

Price: $59 | More information

3. Heli


Moving on, we’re going to take a look at the multi-purpose Heli theme. This theme is all about knowing how to balance the white and black color to make your website look bold and cool. This theme has, among other things, advanced portfolio and blog layouts, menu variants, one-click demo site imports and WooCommerce integration. On top of that, you have tons of layouts that’ll make your next website look professional, neat and artistic.

Price: $59 | More information

4. Rife


The third cool theme in the row is Rife. The Rife theme can definitely help you take your website to the next level. It’s responsive, it includes premium plugins that’ll help you reach specific results, it has over 600 Google Fonts installed and is SEO proof. With more than 16 designs and more than 15 pages at your disposal; this theme will help you bring style and beauty to your next WordPress website in an effortless way.

Price: $9/month | More information

5. Milano


Another excellent theme in our list of cool themes is Milano. What is there not to love about multi-purpose WordPress themes? This theme offers you, among other things, more than 6 monochrome demos, more than 30 stunning slider effects, 5 menu styles and beautiful hover effects that’ll help you personalize your website as much as you prefer. One of the best things about this theme is how clean and user-friendly it is for both the website builder and the visitors.

Price: $38 | More information

6. Bateaux


Next, we have the Bateaux WordPress theme. What’s not cool about having over 25 unique homepages at your disposal? This theme also offers the drag and drop and live preview options. On top of that, the smart interface and the inline text editor will give you a great experience while creating your new website. This theme is absolutely worth checking out before building your next site.

Price: $59 | More information

7. Air.


Or what about the Air. WordPress theme? It’s probably one of the cleanest themes in this list and it’s mainly used for portfolio websites that want all the attention to go to the previous work that is shared with the visitors. With its well-thought-out layouts, different menu possibilities and customizable footer, this theme allows you to focus on the cool stuff you want to share with your visitors in an environment that screams professionalism and dedication.

Price: $55 | More information

8. The Agency


Another theme that belongs on this list of cool themes is The Agency. This theme offers you all kinds of good stuff. It includes a child theme, it’s ready to be used in multiple languages and it has unlimited color schemes at your disposal so you can make your website look exactly how you want it to. And oh; one of the really cool things about this site is the endless scrolling through different sections on the homepage.

Price: $99 | More information

For Elegant Themes Members

For the Elegant Themes members out there, the following two go-to themes we’ll mention in this post are included in your membership. And if you’re not an Elegant Themes member yet, you won’t only get the next two themes by becoming a member; you will also enjoy all the regular updates that’ll make designing any type of website easier.

9. Divi


Being the most installed theme on WordPress, Divi is the must-have (and only) theme that’ll allow you to create all kinds of websites without having to get to know a new theme every time you design a different website. Divi provides tons of different modules, rows and sections that will help you add all sorts of content to your website and modify them to your needs. And with the Visual Builder within reach, you can see changes happen in real time. All of the built-in design options that Divi offers will make using code a nice-to-have instead of a necessity.

Price: $89/year | More information

10. Extra


Are you specifically looking for a theme that offers you the power of a multi-functional theme such as Divi, but allows you to focus on blogging and online-publications at the same time? The Extra theme is the way to go. While being specifically focused on creating a magazine-friendly layout and supporting the content you provide to your audience, the Extra theme is also focused on making it easier for you to create the exact design you imagined. With multiple category modules, tons of pre-made layouts and countless design possibilities, Extra makes the experience for both you and your visitors a real pleasure.

Price: $89/year | More information

Final Thoughts

In this post, we’ve shared some cool themes you should definitely check out before creating your next website. Each one of them has a creative and cool side that you might have been looking for. If you have any questions or suggestions, make sure you leave a comment in the comment section below!


Featured Image by diGraphy / shutterstock.com

The post 10 Cool Themes to Check Out Before Creating Your Next WordPress Website appeared first on Elegant Themes Blog.
