April was a heavy month full of surprises. Two high profile caching plugins, W3 Total Cache and WP Super Cache, were both exploited and require immediate updates if you have them activated.
Additionally, there were widespread botnet attacks, brute-force password attempts and much more. Take a look below at what Sucuri wrote throughout April.
- Update WP Super Cache and W3TC Immediately – Remote Code Execution Vulnerability Disclosed
- The WordPress Brute Force Attack Timeline
- WordPress Malicious Plugin – WPPPM – Abusing 404 Redirects with SEO Poisoning
- Brute Force Attacks and Their Consequences
- Mass WordPress Brute Force Attacks? – Myth or Reality
- Protecting Against WordPress Brute-Force Attacks
- WordPress Plugin Social Media Widget Hiding Spam – Remove it now
- WordPress Security Presentation by Tony Perez
Packet Storm Coverage
- WordPress W3 Total Cache PHP Code Execution
- WordPress Colormix XSS / Content Spoofing / Path Disclosure
- WordPress Spider Video Player 2.1 SQL Injection
- WordPress Spiffy XSPF Player 0.1 SQL Injection
- ZeroClipboard.swf Cross Site Scripting / Path Disclosure
- WordPress Traffic Analyzer Cross Site Scripting
- WordPress FuneralPress 1.1.6 Cross Site Scripting
In addition, I covered LiquidWeb sending out notifications to its customers about WordPress security.
It was certainly an active month for Sucuri’s reporting on WordPress hacks, threats, exploits, and vulnerabilities, but fairly quiet on Packet Storm’s site.
As always, try to stay up to date with WordPress security and keep your plugins, and WordPress core, updated.