Archive for the ‘Security’ Category

PayPal customer feedback email – can we trust it?

Thursday, June 26th, 2014

PayPal customer feedback email

A PayPal customer feedback email arrived in my mailbox today. At first I thought it was one of the usual fake emails that claim to be sent by PayPal but really come from an address in a different (not paypal.com) domain, cs_surveys@paypal-customerfeedback.com in this case. I almost deleted the message along with the dozens of similar scam and fraud emails, but after reading its text I thought that might be the wrong decision. Let's see why I thought so.

We all know (if you don't, read the list below and remember it) that PayPal always:
- sends its emails from the paypal.com domain;
- sends them directly to the primary email address registered with your PayPal account;
- begins the message with your full name;
- never asks you to enter login information in any form;
- never masks links, i.e. the URL a link points to is the same as the URL shown in the text.
Keep in mind that the From: address and display name are trivially forged, so the first item is only a quick filter; what counts is whether the receiving mail server's SPF and DKIM checks (usually recorded in an Authentication-Results header) passed for that domain.
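As an added example (not code from the original post), here is a small Python checker that applies the five points above to a raw message. It takes the sender domain from the From: header and, because that header alone can be forged, also reads the Authentication-Results header if the receiving server added one; it then checks that the registered address appears in To:, that the first line of visible text carries the account holder's full name, that the HTML body contains no form or password field, and that any link whose anchor text looks like a URL points to the host it displays. The paypal.com domain and the five rules come from the list above; the Authentication-Results check and every name in the code are my own assumptions. The two sample messages at the end are constructed for this example, and their reserved .example domains and addresses say nothing about any real sender.

```python
# Added example (not from the original post); the sample messages below are constructed.
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_SENDER_DOMAIN = "paypal.com"  # from the checklist above
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

class _BodyScanner(HTMLParser):
    """Collect visible text, (href, anchor text) pairs and credential forms."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self.asks_credentials = [], [], False
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._href, self._anchor = a.get("href", ""), []
        elif tag == "form" or (tag == "input" and a.get("type", "").lower() == "password"):
            self.asks_credentials = True

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def _host(url_or_text):
    """Lower-cased host of a URL, or of bare 'www.x.com/...' anchor text."""
    s = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(s).hostname or "").lower()

def _html_body(msg):
    for part in msg.walk():  # handles single-part and multipart messages alike
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def check_message(raw, full_name, registered_address, sender_domain=EXPECTED_SENDER_DOMAIN):
    """Run the five checks; returns a list of findings (empty means all passed)."""
    msg = message_from_string(raw)
    findings = []
    # 1. Sender domain. From: is trivially forged; if the receiving server
    #    recorded SPF/DKIM verdicts in Authentication-Results, use them too.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != sender_domain and not from_domain.endswith("." + sender_domain):
        findings.append(f"From domain {from_domain!r} is not {sender_domain}")
    auth = msg.get("Authentication-Results", "")
    if auth and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("neither SPF nor DKIM passed at the receiving server")
    # 2. Sent directly to the address registered with the service.
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    if registered_address.lower() not in recipients:
        findings.append("not addressed to the registered email address")
    scan = _BodyScanner()
    scan.feed(_html_body(msg))
    # 3. The message opens with the account holder's full name.
    first_line = next((t.strip() for t in scan.text if t.strip()), "")
    if full_name not in first_line:
        findings.append(f"greeting {first_line!r} does not use the full name")
    # 4. No request to type credentials into the message itself.
    if scan.asks_credentials:
        findings.append("message contains a form or password field")
    # 5. Anchor text that looks like a URL must point to the host it shows.
    for href, text in scan.links:
        if URL_LIKE.fullmatch(text) and _host(text) != _host(href):
            findings.append(f"link shows {text!r} but points to {href!r}")
    return findings

# Constructed samples (reserved .example domains): SUSPICIOUS fails every
# check, CLEAN passes all of them.
SUSPICIOUS = """\
From: "PayPal Surveys" <cs_surveys@paypal-customerfeedback.example>
To: <somebody@example.org>
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=paypal-customerfeedback.example; dkim=none
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p><p>Please confirm your details at
<a href="http://login.paypal-customerfeedback.example/">https://www.paypal.com/</a></p>
<form action="http://login.paypal-customerfeedback.example/"><input type="password" name="pw"></form>
</body></html>
"""

CLEAN = """\
From: "PayPal" <service@paypal.com>
To: Jane Doe <jane.doe@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=paypal.com; dkim=pass header.d=paypal.com
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Jane Doe,</p><p>Review this payment at
<a href="https://www.paypal.com/activity">https://www.paypal.com/activity</a> or the <a href="https://www.paypal.com/help">Help Center</a>.</p></body></html>
"""
```

Calling check_message(SUSPICIOUS, "Jane Doe", "jane.doe@example.org") returns six findings, one per failed check; the same call on CLEAN returns an empty list. The anchor text "Help Center" is deliberately left alone by check 5, since only text that itself looks like a URL can mislead the reader about where a link goes.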


WordPress 3.7 Beta – Automatic updates are coming

Sunday, October 6th, 2013

WordPress 3.7 Beta

WordPress 3.7 Beta 1 is available for testing. Just a few days ago we got the WordPress 3.6.1 maintenance and security update. Did you update your WordPress site to version 3.6.1? No? That update has been available since September 16th, so it is certainly time to install it. The list of fixes is published with the release.
Less than a month after the 3.6.1 release, the WordPress developers announced WordPress 3.7 for October 2013. Good speed.

The most impressive new feature in version 3.7 is the automatic background update of WordPress core. That's cool. You can sleep or take a long vacation, and your WordPress site will stay up to date, with newly found core security vulnerabilities fixed automatically. Fantasy becoming reality! By default, though, the background updater applies only minor and security releases (3.7.x), not major versions, and it runs only when WordPress can write to its own files without asking for FTP credentials. And that is only one side of the coin.


User Role Editor v. 3.12 is available

Wednesday, May 1st, 2013

User Role Editor

User Role Editor version 3.12 is available for download. It is mainly a security and compatibility fix release:

  • Critical update: a persistent (stored) cross-site scripting vulnerability is fixed.
  • WordPress built-in constants such as WP_PLUGIN_URL are no longer used, for compatibility with sites served over SSL: that constant can carry the http:// scheme on an https page and trigger mixed-content warnings. The plugin_dir_url() and plugin_dir_path() functions now build the URLs and filesystem paths to the plugin's files instead; plugin_dir_url() follows the scheme of the current request.
  • The "Greetings" section is removed from the plugin's main page. All of that content is still available on the plugin's own page.


WordPress User last login date

Sunday, April 14th, 2013

WP Last Login

The WordPress user last login date is an important attribute, useful for the health of your site. Why might it be needed? Is your WordPress site open to new user registrations? If yes, you certainly know about spam registrations. There are special plugins to fight this serious problem, but even an excellent automatic defence can be overcome somehow, and besides the tens of thousands of blocked spam registrations you will still get 5-10 a day, 300 a month, 3600 a year... Need I continue? So, to clean up your site database and remove this dead weight, you need to analyse your site's users at least from time to time.

WordPress Security Release – version 3.5.1

Friday, January 25th, 2013

WordPress security release

A WordPress security release is available for download. While we may wait a while before updating to a new version that only brings new features or even bug fixes, a security update is not something we can ignore. Sometimes we are too busy to visit the WordPress dashboard and see the latest news from WordPress. So let me spread the word from the WordPress team and encourage you: update your WordPress as soon as possible (ASAP).
Just look at the list of security issues that the WordPress 3.5.1 release addresses:
- A server-side request forgery vulnerability and remote port scanning using pingbacks. This vulnerability, which could potentially be used to expose information and compromise a site, affects all previous WordPress versions.
- Two instances of cross-site scripting via shortcodes and post content.
- A cross-site scripting vulnerability in the external library Plupload.
Are you still waiting? Go, go, go! Open your WordPress update screen and press the update button. Do not forget to back up your files and database before updating, of course.
Detailed information is available on the WordPress News page.

WordPress read capability in depth

Saturday, December 1st, 2012

WordPress read capability

Have you ever asked yourself what the WordPress 'read' capability really allows a user to read? Any unregistered visitor of your blog can see and read any public post without limitation, so what is the purpose of the 'read' user capability? After a little investigation, I am not sure that the WordPress read capability should be called 'read' rather than, for example, 'user_profile'. Why did I reach that conclusion? Because the WordPress read capability is responsible only for these WordPress admin back-end menu items:
"Dashboard" - "Home", "Dashboard" - "My Sites" (for multisite WordPress installations) and "Profile" - "Your Profile".
Thus, if you revoke the 'read' capability from a user, she can no longer access her own profile. Such a user gets this error message from WordPress right after login: "You do not have sufficient permissions to access this page".

Hide Login WordPress plugin review

Saturday, October 20th, 2012

Hide Login WordPress plugin

Hide Login is the direct descendant of the Stealth Login WordPress plugin. Mohammad Hossein Aghanabi (parswp) is trying to give it new life after Stealth Login was removed from the WordPress repository for not having been updated for too long. Out of respect for the author of the original plugin, Mohammad left a comment at the beginning of the hide-login.php file: "This is a new version of Stealth Login plugin by skullbit". The feature list is the same; a short description is available in the Stealth Login WordPress Plugin Review.
I tested the new 2.1 version of Stealth Login, oops, excuse me, the Hide Login plugin under WordPress 3.4.2, on a pretty fresh WordPress installation. I can say that the Hide Login WordPress plugin worked well for me, but not for long. I discovered that the 'logout' slug does not perform a real logout; it just redirects to the home page while you are still left logged in.