Fancybox WordPress plugin reveals zero day affecting thousands A WordPress plugin downloaded half a million times has been used in zero day attacks that served up malware. The plugin in question is called FancyBox and creates a lightbox-like interface with which to look at images. It's been used by unknown actors to deliver a malicious iframe through a persistent cross-site scripting …
To keep a WP site reasonably safe without too much hassle:
1 - do not install plugins and themes you don't need. Like services on a server, all you do is enlarge the attack surface. Keep it simple, and as bare as possible.
2 - do not use defaults for admin name as well as admin login path - from what I have seen so far in my logs, it's about the first thing an automated script tries (the next test is usually the admin path for a Joomla site). The simplest way to achieve this is to install one of the few plugins you ought to have, All in one WP security. It works, and it guides you through cleaning up your site. Be careful with auto-lockup of the front door, though, someone can use this for a Denial of Service on your admin ability.
3 - install a one time password (OTP) system like Google Authenticator. A lot of WP sites don't run SSL, which means that an admin login can be captured in transit. Using an OTP means you add a second password to the logon that changes every 30 seconds. I used the WP Google Authenticator plugin by Julien Liabeuf, but there are a few out there. No worries about Google backdoors, by the way, this is an RFC standard based protocol. Search for "Gauth" if you want other instances of this (the project lives on Github). The "Google authenticator" app which you need to generate the numbers to enter is freely available for iOS and Android, possibly for other platforms too.
4 - do your maintenance (update, review log files and make backups). As I'm loath to provide data to Google I use Counterise, which provides me with insight what sort of attempts have been made to break the site. If they frequently come from one location I blacklist it (resources for that can be found in that All in one WP Security plugin).
Once you've done 1..3 you ought to be quite safe, especially if your site doesn't allow comments.
While this is good advice, from what I have seen of WordPress sites in companies, the general life cycle is:
1. Install it for urgent requirement X. As the requirement is urgent, typically the hosting will be done via a third-party with management systems outside of IT's control.
2. Use it for a few months
3. Forget about it until it is compromised. As a corporate domain name was used, site is traced back to company and someone is notified.
4. Panic.
5. Fix issues and discuss shutting site down or bringing in-house but don't take any further action.
6. Got to 3.
I appreciate the instructions for users of WP - great job ... one thing I do not understand is the relationship between RFC's and backdoors ... there is none.
RFC's usually define a standard or protocol etc; it is when you implement the feature described in the RFC that you can add your backdoors. So RFC means nothing ... an FTP server, for example, could log usernames/passwords in plain text and send them to the vendor's servers. The FTP server can still implement all features in RFC 959.
There seems to be a general concern with the data slurping ways of Google that makes anything they bring out "for free" a target for suspicion. In this case, an established RFC defines how the thing ought to work, meaning that people with competence can go over the code and spot if weird stuff is happening. As we know from some recent nasties in Open Source, that doesn't always happen but at least the potential is there.
Having said that, it would not really matter unless Google also managed to acquire the actual static site password, which you need in addition to the OTP. The only way that could be grabbed would be through interfering with the admin resources to capture it in cleartext when a new one is entered - the database only stores the hash value so that would be of no use (you'll discover that if you ever have to reset the site admin password with phpAdmin). However, the plugins on the server end are not by Google (and, as far as I can tell, don't reach that deep), so you can put paranoia to rest for a bit..
In general, I rather like OTP. It's stupidly simple to implement (in Joomla it appears to be even part of the main code), it's very easy to use and it just works. Given that it costs nothing it seems a good thing to implement - I wished that wordpress.com added it as well (maybe it actually has, haven't been there for a while).
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
