A critical remote code execution vulnerability (CVE-2022-1329) in recent versions of the WordPress Elementor plugin has been patched. It affects versions 3.6.0 through 3.6.2 and can be triggered by any authenticated user, including a subscriber-level account. You should immediately upgrade to 3.6.3; successful exploitation could give an attacker complete control of your WordPress site and, from there, of the rest of the hosting account it runs under.
Category Archives: WordPress
WordPress LiteSpeed Cache Plugin
For more than twelve years, our hosting servers have exclusively used the performance focused LiteSpeed Web Server (LSWS). One of the most powerful features of LSWS is LSCache, a caching solution built directly into the web server. Over the years, LiteSpeed has created several free plugins to assist with configuring popular scripts to use LSCache.
Currently, there are eleven of these plugins available and we wanted to quickly highlight the WordPress plugin, which is by far the most popular. It compares very favorably to the many other WP caching plugins out there.
LiteSpeed Cache for WordPress (LSCWP) can be quickly and easily installed from within any WordPress instance. Simply search for the “LiteSpeed Cache” plugin within your WP, then install and activate it to get started. If you just want basic caching that works with most WP instances, you won’t need to do anything further, though LiteSpeed does have a very helpful Beginner’s Guide.
For those wanting to dig a little deeper, you can adjust settings to better suit your needs and even take advantage of the optimization features offered through LiteSpeed’s QUIC.cloud. To help you get started, all domains hosted on our servers receive free QUIC.cloud credits each month, allowing you to use their image / site optimization and a small amount of CDN bandwidth.
We encourage you to give LiteSpeed Cache for WordPress a try to see how it can improve your website!
Critical WP Plugin Vulnerabilities – All in One SEO
With more than three million active installs, All in One SEO is a very popular WordPress plugin. Two critical vulnerabilities, a privilege escalation and an SQL injection, were recently disclosed in all versions of this plugin from 4.0.0 through 4.1.5.2; both are reachable from a low-privilege authenticated account such as a subscriber. We have already seen exploitation of these vulnerabilities on client websites. If you are using this plugin, please urgently make sure that you have updated it to the latest version (4.1.5.3), which addresses both issues.
Critical WP File Manager Plugin Vulnerability
The WordPress plugin File Manager contains a critical vulnerability, an unauthenticated arbitrary file upload, that is actively being exploited by attackers to compromise WordPress sites. We saw a handful of these incidents on September 1st as the attacks were just starting to ramp up, and a few more since then. Fortunately, in these cases the solution has been relatively simple: restore from a prior backup and delete the plugin.
This particular vulnerability has been present in the plugin since version 6.4, which was released in May. It was patched with the release of 6.9 on September 1st.
Due to the rate at which these attacks were occurring, we have proactively identified every single instance of a vulnerable version of this plugin on our servers and have removed it. Since this plugin merely offers a file management interface within the WordPress admin section, removing it doesn’t impact the functionality of the website. Users are welcome to re-install the latest version of this plugin if so desired.
This particular incident does bring to light an important topic though. It is best practice to use as few plugins as possible, and those that aren’t needed should be deleted (not just deactivated): the files of a deactivated plugin remain on disk and can still be requested directly, so a vulnerability in them is still exposed even though the plugin never loads. There is certainly an argument to be made that a file manager plugin like this should never be installed, but even if you disagree with that, there really isn’t strong justification for keeping a plugin like this installed beyond its intended use. It just leaves another possible point of entry for attackers should a vulnerability be found.
Please keep this in mind as you continue to develop and secure your WordPress instances. If we can help in any way, please drop us a ticket and we’ll be happy to do so.
Beta: Dathorn WordPress Scanner
WordPress is not only the most popular script that we host, it is also the one most frequently targeted by attackers. While critical vulnerabilities in the WordPress core are relatively rare, they are fairly common in plugins and themes. It is important that these are always kept updated to help prevent a compromise.
This can be a confusing process because the WP admin interface may not accurately reflect certain situations. For example, if you have installed a plugin or theme from outside the WordPress repository, the admin interface may always show no updates available even when a newer release exists. It also does not warn when something has not received an update in a long time, a sign that it may no longer be actively maintained. Both scenarios require special attention but are easily overlooked.
Further, if a WordPress site is compromised through a vulnerability, it can be very difficult to get it back online in a secure state. We typically recommend a complete fresh re-install because there is no reliable way to tell what attackers may have modified or left behind. Last-modified dates on files cannot be trusted once an account has been compromised: the same access that allows an attacker to write a file allows them to reset its timestamp.
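The two blind spots described above can be checked without the WP admin interface. The following Python script is an added example, not Dathorn's scanner (whose code is not on this page): it parses the Version header from each plugin's main PHP file the way WordPress does, then compares it with a snapshot of repository metadata shaped like the version and last_updated fields of the wordpress.org plugins API. It flags plugins that are out of date, plugins with no release in two years (an assumed threshold), and plugins that are not in the repository at all and therefore never show updates in WP admin. The plugin files and the repository snapshot are constructed inline so the script runs offline.

```python
"""Offline check of installed WordPress plugins (added example, not Dathorn's scanner).

Two blind spots of the WP admin update screen are covered: plugins that are not
in the public repository (no update is ever shown) and plugins whose upstream
has gone quiet.  Deactivated plugins still sit on disk and are scanned like
any other; deleting them is the real fix.
"""
import re
from datetime import date

# Constructed sample: header comment of each plugin's main file, as it would be
# read from wp-content/plugins/<slug>/<file>.php.
INSTALLED_PLUGIN_FILES = {
    "litespeed-cache": "<?php\n/*\nPlugin Name: LiteSpeed Cache\nVersion: 3.6.4\n*/\n",
    "wp-file-manager": "<?php\n/**\n * Plugin Name: File Manager\n * Version: 6.8\n */\n",
    "old-gallery": "<?php\n/*\nPlugin Name: Old Gallery\nVersion: 1.2\n*/\n",
    "custom-theme-helper": "<?php\n/*\nPlugin Name: Client Helper\nVersion: 0.9\n*/\n",
}

# Constructed snapshot of repository metadata.  Assumption: fetched and cached
# beforehand from the wordpress.org plugins API; nothing is fetched here.
REPO_SNAPSHOT = {
    "litespeed-cache": {"version": "3.6.4", "last_updated": "2021-03-20"},
    "wp-file-manager": {"version": "6.9", "last_updated": "2020-09-01"},
    "old-gallery": {"version": "1.2", "last_updated": "2016-05-11"},
}

TODAY = date(2021, 4, 1)       # fixed so the example is reproducible
STALE_AFTER_DAYS = 2 * 365     # assumption: two years without a release = possibly abandoned

# Mirrors the header regex WordPress uses: optional comment decoration, then "Key: value".
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> dict:
    """Extract the 'Plugin Name' and 'Version' header fields from a plugin's main file."""
    return dict(HEADER_RE.findall(php_source))


def version_tuple(version: str) -> tuple:
    """Numeric comparison of dotted release strings (assumption: a simplification
    of PHP's version_compare that is sufficient for x.y.z versions)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def classify(slug: str, header: dict, repo: dict, today: date) -> str:
    """Return one of: unknown-source, outdated, stale, ok."""
    meta = repo.get(slug)
    if meta is None:
        # Not in the repository: WP admin will never report an update for it.
        return "unknown-source"
    if version_tuple(header.get("Version", "0")) < version_tuple(meta["version"]):
        return "outdated"
    last_release = date.fromisoformat(meta["last_updated"])
    if (today - last_release).days > STALE_AFTER_DAYS:
        return "stale"
    return "ok"


def scan(files=INSTALLED_PLUGIN_FILES, repo=REPO_SNAPSHOT, today=TODAY) -> dict:
    """Map each installed plugin slug to its verdict."""
    return {slug: classify(slug, parse_plugin_header(src), repo, today)
            for slug, src in files.items()}


if __name__ == "__main__":
    for slug, verdict in scan().items():
        print(f"{slug:22} {verdict}")
```

In a real deployment the snapshot would be refreshed from the plugins API and the plugin files read from wp-content/plugins; the verdicts "unknown-source" and "stale" are exactly the cases the WP admin screen stays silent about.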
LiteSpeed Cache & WordPress
Our servers have been running the LiteSpeed Web Server for almost six years now, and one of its lesser known but most powerful features is its caching. LiteSpeed cache is available on our servers, although it is disabled on all domains by default. Enabling it globally isn’t practical or wise because a lot of content doesn’t need to be cached, and some should never be cached.
LiteSpeed cache can store the output of your PHP scripts and thus speed up their load time significantly. This is most beneficial if your site receives consistent traffic, although even low-traffic sites can see some benefit. The cache is enabled and configured by means of mod_rewrite rules in your .htaccess file. Below is a common example that can be used to cache WordPress:
<IfModule LiteSpeed>
# Allow this directory to use the public cache.
CacheEnable public /
RewriteEngine on
# Only cache safe, idempotent requests.
RewriteCond %{REQUEST_METHOD} ^(HEAD|GET)$
# Never cache responses for logged-in users, commenters or password-protected posts;
# they are personalised and would otherwise be served to every anonymous visitor.
RewriteCond %{HTTP_COOKIE} !^.*(comment_author|wordpress_logged_in|wp-postpass).*$
# %{REQUEST_URI} always begins with "/", so the exclusion needs the leading slash.
RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-login\.php|wp-cron\.php)
# Everything else may be cached publicly for 120 seconds.
RewriteRule .* - [E=Cache-Control:max-age=120]
</IfModule>
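Two details are worth checking in any rule set of this kind. %{REQUEST_URI} always starts with "/", so an exclusion written as !^(wp-admin|wp-login.php|wp-cron.php) without the slash never matches and the admin area, login page and cron endpoint are cached along with everything else. And without a cookie condition, the first logged-in visitor's rendering of a page (admin bar, nonces and all) is stored and served to every anonymous visitor. The following Python script is an added example, not code from the original post or from LiteSpeed: it re-implements the conditions with Python's re module (equivalent to mod_rewrite's PCRE for patterns this simple) and evaluates the flawed and corrected variants against constructed requests.

```python
"""Evaluate the WordPress cache RewriteConds against sample requests.

Added example, not from the original page or from LiteSpeed.  All requests
below are constructed for illustration.
"""
import re

# A frequent mistake: the REQUEST_URI exclusion written without a leading slash.
# %{REQUEST_URI} always begins with "/", so this pattern can never match.
URI_EXCLUDE_FLAWED = re.compile(r"^(wp-admin|wp-login.php|wp-cron.php)")
# The exclusion as it should be written (dots escaped as well).
URI_EXCLUDE_FIXED = re.compile(r"^/(wp-admin|wp-login\.php|wp-cron\.php)")
# Cookies set for logged-in users, commenters and password-protected posts.
COOKIE_EXCLUDE = re.compile(r"(comment_author|wordpress_logged_in|wp-postpass)")
METHOD_OK = re.compile(r"^(HEAD|GET)$")


def cacheable(method, uri, cookie="", uri_exclude=URI_EXCLUDE_FIXED, check_cookie=True):
    """True when every RewriteCond passes, i.e. the RewriteRule fires and the
    response is tagged Cache-Control: max-age=120 for the public cache."""
    if not METHOD_OK.match(method):
        return False
    if uri_exclude.search(uri):
        return False
    if check_cookie and COOKIE_EXCLUDE.search(cookie):
        return False
    return True


# Constructed requests: (method, URI, Cookie header).  The cookie value only
# mimics the shape of a real wordpress_logged_in_<hash> cookie.
REQUESTS = [
    ("GET", "/", ""),
    ("GET", "/2020/09/file-manager-vulnerability/", ""),
    ("GET", "/wp-admin/plugins.php", "wordpress_logged_in_1a2b=admin%7C1600000000%7Cx%7Cy"),
    ("GET", "/wp-login.php", ""),
    ("POST", "/wp-comments-post.php", ""),
    ("GET", "/", "wordpress_logged_in_1a2b=admin%7C1600000000%7Cx%7Cy"),
]


def compare(requests=REQUESTS):
    """Return [(method, uri, cached_by_flawed_rules, cached_by_fixed_rules), ...].

    'Flawed' is the slash-less exclusion with no cookie condition; 'fixed' is
    the rule set with the leading slash and the cookie condition."""
    return [
        (m, u,
         cacheable(m, u, c, URI_EXCLUDE_FLAWED, check_cookie=False),
         cacheable(m, u, c))
        for m, u, c in requests
    ]


if __name__ == "__main__":
    for m, u, flawed, fixed in compare():
        print(f"{m:4} {u:40} flawed={flawed!s:5} fixed={fixed!s:5}")
```

Running it shows the flawed rules caching /wp-admin/plugins.php, /wp-login.php and a logged-in user's view of the front page, while the corrected rules cache only anonymous GET and HEAD requests for public URLs. The same check can be repeated against a live server by comparing the X-LiteSpeed-Cache response header for an anonymous and a logged-in request.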