Wordpress – Paul Hayes
https://paul-hayes.org
Fri, 10 Mar 2017 16:23:45 +0000

That theme you just bought may not be safe
https://paul-hayes.org/2017/03/10/that-theme-you-just-bought-may-not-be-safe/
Fri, 10 Mar 2017 16:23:45 +0000

We’ve all been there. You create a new site and don’t have time to design your own theme for it. You go to either Google or one of the many theme marketplaces, buy a theme for your site and voila, all done. But not all themes are safe, even the ones from reputable theme marketplaces. Before you put that next theme on your site, do the following.

Check the demo

If the theme on a theme marketplace doesn’t have a demo, don’t trust it. If it does, still don’t trust it. Make sure your computer has good antivirus / anti-malware software on it. Oddly enough, my Mac has Norton and when I tested a theme, nothing was detected. I used my PC and right away one of the images on the demo was linked to a different site that was flagged for malware. I switched my AV over to Avast and Avast caught the same issue as my PC.

Set up the new theme on a LOCAL vanilla install of WordPress with your browser’s developer tools

Set up a local server using MAMP/WAMP/XAMPP or Vagrant and install WordPress. Then install your theme. If your theme has a demo importer and you use it, check the site source and files using your browser’s developer tools (Firebug, etc.). The theme’s images and links to the admin should all reference the local URL of your local server. If there are any login.php links that go to an external site, don’t trust the theme. While it could just be a beginner’s mistake, that external page could be set up to capture the login info for your site. The referrer URL plus your login info would be all it takes to get into your site. There are many, many, many ways to harden security in WordPress.
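The manual check above (every absolute link in the theme should point at your local server, and any external link to a login page is a red flag) can be automated. The following is an added example written for this post, not the author's code or a WordPress tool; the local hostnames and the sample theme files are constructed, and the hostnames in them are hypothetical.

```python
"""
Added example (not from the original post): scan a theme's source files for
absolute URLs that point away from the local development host, and flag any
that look like login endpoints. All file contents below are constructed samples.
"""
import re
from urllib.parse import urlparse

# Hostnames that are fine for a local vanilla install (assumption: MAMP/XAMPP defaults).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "local.test"}

# Matches absolute http(s) URLs inside PHP/HTML/CSS/JS source.
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.IGNORECASE)

# Path fragments that indicate a page that collects credentials.
LOGIN_MARKERS = ("login.php", "wp-login.php", "signin")


def scan_source(filename, text, local_hosts=LOCAL_HOSTS):
    """Return a list of findings for one theme file.

    Each finding is a dict with the file, line number, URL, host and a
    severity: 'high' for an external login-like link, 'review' for any other
    external absolute link (CDNs and font hosts are common, but still worth a glance).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            url = url.rstrip(".,;)")
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            if host in local_hosts:
                continue  # points at our own local install, as it should
            path = parsed.path.lower()
            severity = "high" if any(m in path for m in LOGIN_MARKERS) else "review"
            findings.append({"file": filename, "line": lineno, "url": url,
                             "host": host, "severity": severity})
    return findings


def scan_theme(files, local_hosts=LOCAL_HOSTS):
    """Scan a mapping of {relative path: file text}; returns findings with
    'high' severity first, then ordered by file and line."""
    results = []
    for name, text in files.items():
        results.extend(scan_source(name, text, local_hosts))
    results.sort(key=lambda f: (f["severity"] != "high", f["file"], f["line"]))
    return results


# Constructed sample theme files (hypothetical hostnames, no real site).
SAMPLE_THEME = {
    "header.php": (
        '<link rel="stylesheet" href="http://localhost/wp-content/themes/demo/style.css">\n'
        '<a href="http://localhost/wp-login.php">Admin</a>\n'
        '<a href="http://theme-demo.example/wp-login.php?ref=<?php echo home_url(); ?>">Log in</a>\n'
    ),
    "footer.php": (
        '<script src="https://cdn.example/jquery.min.js"></script>\n'
        '<img src="http://localhost/wp-content/uploads/logo.png">\n'
    ),
}

if __name__ == "__main__":
    for f in scan_theme(SAMPLE_THEME):
        print(f"[{f['severity']:6}] {f['file']}:{f['line']} -> {f['url']}")
```

To use it on a real theme, read each file under the theme directory into the mapping that `scan_theme` takes; anything reported as `high` is exactly the external login link the post warns about, and the `review` entries tell you which third-party hosts the theme talks to.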


Tell the author and the theme selling company about the issue

Contact the author and the theme selling company if you find anything suspicious in a theme. Explain in great detail what was found. If you can, provide a dump of the query used to find the issue in the database or screenshots presenting the error. The author should be able to solve the issue.

All Your Contact Forms Are Belong to Us: Critical Vulnerability Found in PHPMailer
https://paul-hayes.org/2017/01/04/all-your-contact-forms-are-belong-to-us-critical-vulnerability-found-in-phpmailer/
Wed, 04 Jan 2017 18:19:15 +0000

Dawid Golunski found a big vulnerability in PHPMailer. Essentially, the sender data isn’t sanitized in PHPMailer versions older than 5.2.18. More details at Wordfence. The 4.7 version of WordPress has PHPMailer in its core in /wp-includes/class-smtp.php.

Good Bootstrap to WordPress Tutorial
https://paul-hayes.org/2016/11/25/good-bootstrap-to-wordpress-tutorial/
Fri, 25 Nov 2016 23:56:38 +0000

So, I had to pick my WordPress theming skills back up for a job I’m starting, and found a good tutorial that shows you how to convert a Bootstrap site to a WordPress theme (kill two birds with one stone).

Check out Building WordPress Themes with Bootstrap over at Envato Tuts+ by Adi Purdila.

Hacking 27% of the Web via WordPress Auto-Update
https://paul-hayes.org/2016/11/23/hacking-27-of-the-web-via-wordpress-auto-update/
Wed, 23 Nov 2016 22:39:09 +0000

We tend to assume that a tool we use for the web is secure because it comes automatically from a central point. Well, the guys over at Wordfence found a pretty significant single point of failure in the api.wordpress.org service.
