New WordPress plugin and theme vulnerabilities were disclosed during the first week of March. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
Each vulnerability will have a severity rating of Low, Medium, High, or Critical. The severity ratings are based on the Common Vulnerability Scoring System.
In the March, Part 1 Report
WordPress Core Vulnerabilities
WordPress Plugin Vulnerabilities
WordPress Theme Vulnerabilities
No new theme vulnerabilities have been disclosed this month.
March Security Tip: Why You Should Use Two-Factor Authentication
Using two-factor authentication for your WordPress website user logins can help keep your website secure even if you use one of the plugins in this edition of the vulnerability roundup with an authentication bypass vulnerability.
Using two-factor authentication for your WordPress website user logins can help keep your website secure even if you are using a plugin with an authentication bypass vulnerability.
Why? Two-factor authentication makes it nearly impossible for an unauthenticated user to login to your website.
What is two-factor authentication? Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Two-factor authentication adds an extra layer of WordPress security to verify it’s actually you logging in and not someone who gained access (or even guessed) your password.
Here are a few more reasons to use two-factor authentication to add another layer of protection to your WordPress login.
- Reused passwords are weak passwords. According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that “81% of hacking-related breaches leveraged either stolen or weak passwords.”
- Even though 91% of people know reusing passwords is poor practice, a staggering 59% of people still reuse their passwords everywhere!
- Many people are still using passwords that have appeared in a database dump. A database dump occurs when a hacker successfully gains access to a user database and then dumps the contents somewhere online. Unfortunately for us, these dumps contain a ton of sensitive login and account information.
- The “Collection #1″ Data Breach that was hosted on MEGA hosted included 1,160,253,228 unique combinations of email addresses and passwords. This kind of score will provide a malicious bot with over a billion sets of credentials to use in brute force attacks. A brute force attacks refer to a trial and error method used to discover username and password combinations to hack into a website.
- Even if you have a strong password, you’re only as secure as every other admin user on your site. Okay, so you are the type of person that uses a password manager like LastPass to create strong and unique passwords for each of your accounts. But what about the other administrator and editor users on your site? If an attacker was able to compromise one of their accounts, they could still do a ton of damage to your website.
- Google has said two-factor authentication is effective against 100% of automated bot attacks. That alone is a pretty good reason.
How to Add Two-Factor Authentication to Secure Your WordPress Login with iThemes Security Pro
The iThemes Security Pro plugin makes it easy to add two-factor authentication to your WordPress websites. With iThemes Security Pro’s WordPress two-factor authentication, users are required to enter both a password AND a secondary code sent to a mobile device such as a smartphone or tablet. Both the password and the code are required to successfully log in to a user account.
To start using Two-Factor Authentication on your website, enable the feature on the main page of the iThemes Security Pro settings.
In this post, we unpack all the steps of how to add two-factor authentication to your site with iThemes Security Pro, including how to use a third-party app like Google Authenticator or Authy.
WordPress Disaster Week is Coming, March 16 – 18, 2021
Are you ready if disaster strikes your WordPress website today?
From running an update that breaks everything to hacks or accidentally deleting an important file, the reality is it’s not a matter of if but when something will go wrong with your site. And now, more than ever, the security threats your website faces are very real.
To help you combat the threat of website disasters, we’re hosting the biggest free, online iThemes training event of the year so that EVERYONE can have a plan if and when a website catastrophe strikes.
Grab your spot here for WordPress Disaster Week, happening March 16, 17 & 18, 2021, with daily sessions happening from 1:00 – 3:00 p.m. (CT).
During this training, we’ll cover a complete plan for how to prevent and recover when website calamity strikes, including:
- How to defend your site from the most common types of attacks in 2021
- Signs you’ve been hacked
- How to restore your site from a backup when something goes wrong
- How to strengthen your site’s security with the iThemes Security Plugin
- How to make money selling website backup & security services to clients