New WordPress plugin and theme vulnerabilities were disclosed during the first half of October. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
There have not been any WordPress core vulnerabilities disclosed in the second half of July.
WordPress Plugin Vulnerabilities
2. Ninja Forms Contact Form
5. WP Courses LMS
6. Slider by 10Web
7. WordPress + Microsoft Office 365 / Azure AD
8. Team Showcase
9. Post Grid
10. WPBakery Page Builder
12. Dynamic Content for Elementor
13. PowerPress Podcasting
WordPress Theme Vulnerabilities
6. Newspaper X
7. Pixova Lite
9. MedZone Lite
10. Regina Lite
16. NatureMag Lite
October Security Tip: Why You Should Use Two-Factor Authentication
Using two-factor authentication for your WordPress website user logins can help keep your website secure even if you use one of the plugins in this edition of the vulnerability roundup with an authentication bypass vulnerability.
Why? Two-factor authentication makes it nearly impossible for someone who holds only your password to log in to your website.
What is two-factor authentication? Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Two-factor authentication adds an extra layer of WordPress security to verify it’s actually you logging in and not someone who gained access to (or even guessed) your password.
Here are a few more reasons to use two-factor authentication to add another layer of protection to your WordPress login.
- Reused passwords are weak passwords. According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that “81% of hacking-related breaches leveraged either stolen or weak passwords.”
- Even though 91% of people know reusing passwords is poor practice, a staggering 59% of people still reuse their passwords everywhere!
- Many people are still using passwords that have appeared in a database dump. A database dump occurs when a hacker successfully gains access to a user database and then dumps the contents somewhere online. Unfortunately for us, these dumps contain a ton of sensitive login and account information.
- The “Collection #1” Data Breach that was hosted on MEGA included 1,160,253,228 unique combinations of email addresses and passwords. This kind of score will provide a malicious bot with over a billion sets of credentials to use in brute force attacks. A brute force attack refers to a trial-and-error method used to discover username and password combinations to hack into a website.
- Even if you have a strong password, you’re only as secure as every other admin user on your site. Okay, so you are the type of person that uses a password manager like LastPass to create strong and unique passwords for each of your accounts. But what about the other administrator and editor users on your site? If an attacker was able to compromise one of their accounts, they could still do a ton of damage to your website.
- Google has said two-factor authentication is effective against 100% of automated bot attacks. That alone is a pretty good reason.
How to Add Two-Factor Authentication to Secure Your WordPress Login with iThemes Security Pro
The iThemes Security Pro plugin makes it easy to add two-factor authentication to your WordPress websites. With iThemes Security Pro’s WordPress two-factor authentication, users are required to enter both a password AND a secondary code sent to a mobile device such as a smartphone or tablet. Both the password and the code are required to successfully log in to a user account.
To start using Two-Factor Authentication on your website, enable the feature on the main page of the iThemes Security Pro settings.
In this post, we unpack all the steps of how to add two-factor authentication to your site with iThemes Security Pro, including how to use a third-party app like Google Authenticator or Authy.
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.