A new phishing technique that affects GMail and other services and how to protect yourself.

Note: This article has been updated to reflect that the hosting provider “Njalla”, which routed the malicious traffic involved in this attack, is based in Sweden, not in Finland, although IP geoloc...

Chloe Chamberland - @infosecchloe - was doing a hacking demo at Wordfence office hours on Tuesday June 2nd, trying to hack Scott's blog, when she got a littl...

There is an update available here: GoDaddy Breach Widens to tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe This morning, GoDaddy disclosed that an unknown attacker had...

48 hours ago we deployed our commercial real-time threat intelligence automatically, and for free, to all Ukrainian websites with the .UA top-level domain. That has made over 8,000 sites in Ukraine...

The WordPress repository recently removed the plugin Captcha over what initially appeared to be a trademark issue with the current author using “WordPress” [Editors note: the original page has been...

On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with...

This is a public service announcement (PSA) from the Wordfence team regarding a security issue which may impact some of our customers. On May 4, 2020, GoDaddy, one of the world’s largest website...

Today, we are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence can now assign CVE...

Yesterday GoDaddy disclosed a massive data breach impacting over 1.2 Million customers. Today, we received confirmation from GoDaddy that multiple brands that resell GoDaddy Managed WordPress were...

A 0-day file upload vulnerability in a premium add-on for WooCommerce allowed Remote Code Execution and site takeover.

Any user able to access the Elementor page builder could inject malicious JavaScript, potentially leading to site takeover.

The WordPress core team has released an emergency release of WordPress 5.5.3, just one day after the release of version 5.5.2. This emergency release was done to remedy an issue introduced in...

On January 20, 2021, our Threat Intelligence team responsibly disclosed four vulnerabilities in Ninja Forms, a WordPress plugin used by over one million sites. One of these flaws made it possible for...

On July 23, 2020, our Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these...

This week, our team was notified of suspicious code present in a plugin offered alongside themes sold by Pipdig, a UK-based web development team. The user, who wishes to remain anonymous, reached out...

Update at 1am Pacific Time, Monday morning Jan 2nd: Please note that we have published a FAQ that accompanies this report. It contains a summary of our findings and answers several other questions...

A new feature that will allow automatic updating of plugins and themes will be available in WordPress version 5.5, which is scheduled to be released on August 11, 2020. In this core release of the...

We found similar vulnerabilities in more than 15 of the most popular addons for Elementor, collectively impacting over 3.5 Million Sites

Defiant, the company behind Wordfence, has updated its terms of use, privacy policies and software, as well as made available standard contractual clauses to meet GDPR compliance. Customers must...

Over the weekend, a vulnerability was disclosed and patched in the popular WordPress plugin Easy WP SMTP. The plugin allows users to configure SMTP connections for outgoing email, and has a userbase...

File Upload vulnerability in Contact Form 7 may be difficult to exploit, but you should still update as soon as possible.

In last week’s post, we reported on some concerning code identified in the Pipdig Power Pack (P3) plugin. The plugin, which is installed alongside WordPress themes sold by Pipdig, was found to...

  The Stable channel has been updated to 100.0.4896.127 for Windows, Mac and Linux which will roll out over the coming days/weeks. A full li...

On August 3, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over...

The Wordfence Threat Intelligence team is seeing a dramatic increase in attacks targeting the recent 0-day in the WordPress File Manager plugin. This plugin is installed on over 700,000 WordPress...

Description: Unauthenticated Arbitrary File Download Affected Plugin: Duplicator Affected Versions: <= 1.3.26 CVE ID: CVE-2020-11738 CVSS Score: 7.5 (High) CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N...

On December 9, 2020, the Wordfence Threat Intelligence team discovered a Cross-Site Request Forgery (CSRF) to Stored Cross Site Scripting (XSS) vulnerability in Contact Form 7 Style, a WordPress...

Wordfence has collaborated with WPScan to conduct a 2021 mid-year review on the state of WordPress security. Using attack data from Wordfence’s internal threat intelligence platform, and vulnerabil...

This morning the Wordfence team is launching Wordfence Intelligence live at Black Hat 2022 in Las Vegas. Our entire team is here in Las Vegas, including our international team members. I’d like to...

On January 6, 2022, the WordPress core team released WordPress version 5.8.3, which contains security patches for 4 high-severity vulnerabilities. These patches were backported to every version of...

The WooCommerce vulnerability allowed attackers to access sensitive data. WordPress has used automatic updates to patch impacted sites.

At WordCamp US in Saint Louis, Mark sat down with Yoast CEO Marieke van de Rakt and COO Michiel Heijmans in the Wordfence booth to talk about not only how Yoast began, but also how they’ve grown to...

Today, January 30, 2024, WordPress released version 6.4.3, which contains two security patches for longstanding, albeit minor, security concerns in WordPress Core. The first patch addresses an issue...

On June 26, 2020, our Threat Intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for...

Early yesterday, the Flexible Checkout Fields for WooCommerce plugin received a critical update to patch a zero-day vulnerability which allowed attackers to modify the plugin’s settings. As our...

On July 10, 2020, our Threat Intelligence team discovered a vulnerability in All In One SEO Pack, a WordPress plugin installed on over 2 million sites. This flaw allowed authenticated users with...

The vulnerability in PHPMailer, while critical, is unlikely to be exploitable on most WordPress installations

At Defiant Inc and Wordfence, our mission is to Secure the Web. A critical component of creating and maintaining a secure online community is the research that reveals vulnerabilities in software....

In the last few months, we have discovered a number of supply chain attacks targeting WordPress plugins. In this post, we explain what a supply chain attack is, why WordPress is an attractive target...

PHP 8.0 is set to be released on November 26, 2020, and WordPress site owners and developers may be in for a rough ride

 As of WordCamp Boston 2019, Sandy Edwards has organized 26 KidsCamps across the US. We talk about what kids do at a WordPress KidsCamp, the success these kids have had publishing with WordPress,...

On August 3, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for two vulnerabilities we discovered in the Gutenberg Template Library & Redux Framework plugin, which is...

Update: Wordfence is now GDPR compliant. Click here to learn more. We want to send out an update on the new data protection law, the General Data Protection Regulation (GDPR), going into effect soon...

On Wednesday, March 4, 2020, 3 million Transport Layer Security (TLS) certificates issued by Let’s Encrypt will be revoked because of a Certificate Authority Authorization (CAA) bug. This is 2.6% of...

On July 29, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in SEOPress, a WordPress plugin installed on over 100,000...

Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable...

On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over...