WordPress REST API: How to Access, Use, & Secure It (Full Tutorial)

If you’re planning to become a WordPress developer, you’ll come across something called ‘REST API.’ This is an interface that expands the functionality of WordPress and enables you to connect the platform with other applications. Some developers find it really helpful as part of their process — especially if they’re looking to implement advanced functionality. 

Fortunately, you don’t need to be an experienced developer to gain expertise with the WordPress REST API. Once you have a solid understanding of the interface and how it works, you can easily implement it into your web-building projects.

In this post, we’ll provide an in-depth guide to the WordPress REST API. We’ll discuss what it is, how to use it, and how to protect it against threats. We’ll also show you how to fix common REST API errors, how to use the interface with other frameworks, and how it compares to other WordPress API solutions. Finally, we’ll cover some frequently asked questions.


Posted in Security

MainWP Partners with Jetpack for WordPress Security

Managing multiple WordPress sites can be stressful. With the average WordPress site running 22 plugins, it’s crucial that every vulnerability is accounted for. That’s why we’re thrilled to announce our partnership with MainWP, bringing you two new Jetpack extensions in the MainWP marketplace. With this new agreement in place, managing multiple WordPress sites has never been easier.


Posted in Jetpack News, scan, Security, Utilities & Maintenance, Vulnerabilities

How to Add CAPTCHA to a WordPress Contact Form

Most websites — including those using WordPress — deal with spam on a daily basis. Even if you just created your first site a few weeks ago, chances are you’re already facing the reality of spam comments, queries, account sign-ups, and more. 

CAPTCHAs can effectively mitigate unwanted spam, especially if it’s coming from your contact forms. But while one can help alleviate problems with spam, you’ll likely encounter the unintended consequence of a more difficult experience for your real visitors.  

That’s why many sites have chosen to use Akismet — a more streamlined anti-spam solution for WordPress — instead. 

So, which option is right for your site?

In this article, we’ll start by talking about the downsides and alternatives to using CAPTCHAs, so you get the full picture. Then, we’ll show you how to protect your WordPress contact forms both with and without CAPTCHAs.


Posted in Security

How Malware Can Abuse the .htaccess File

You learned about the importance of the .htaccess file in our blog post How to Access and Edit the Default WordPress .htaccess File. As you can imagine, an important file such as .htaccess can be a target for bad actors. In this article, we’ll point out cases and indicators of compromise that affect this file.


Posted in Security, Vulnerabilities

VaultPress Backup: Your Agency’s Superhero Against Website Crashes

If you build WordPress sites, you know the importance of keeping them up and running smoothly. But let’s face it, even the best-laid plans can go awry. That’s why having a reliable backup system in place is crucial — and that’s where Jetpack VaultPress Backup comes in. This powerful plugin is the ultimate solution for your clients’ websites, providing peace of mind for everyone.


Posted in backup, Security

Fake plugin wave affecting WordPress sites

Recently our colleague Joshua Goode escalated to the Security Research team an investigation he was performing on several websites that presented the same indicators of compromise. There were small variations in what the final payload was, but the attack timeline was always the same.

Attack timeline

As Joshua initially pointed out, and as I subsequently confirmed, the chain starts with the installation of the core-stab plugin, followed by other additional items. The following timeline depicts one of the many compromised sites we reviewed:

  • Jan 10, 2023 @ 17:29:49.587 UTC – core-stab plugin upload – /wp-admin/update.php?action=upload-plugin
  • Jan 10, 2023 @ 17:29:52.270 – /wp-content/plugins/core-stab/index.php
  • Jan 11, 2023 @ 02:12:50.773 – /wp-admin/theme-install.php?tab=upload
  • Jan 11, 2023 @ 02:12:57.862 – Classic theme upload – /wp-content/themes/classic/inc/index.php
  • Jan 11, 2023 @ 03:37:58.870 – Another core-stab install
  • Jan 11, 2023 @ 04:15:06.014 – Installation of a new plugin, task-controller – /wp-content/plugins/task-controller/index.php
  • Jan 11, 2023 @ 08:23:26.519 – Installation of WP File Manager (unsure whether this was the attacker, but this plugin is typically found alongside a lot of malware)

The most common “coincidence” is that every user account involved in this attack had its email address listed in at least one public password leak since 2019, which corroborates the overall finding: the attacker(s) used compromised or leaked accounts to install the malware.

You can find more details on how the core-stab malware works, as well as detailed detection and blocking information for WP security experts, via WPScan.

Testing and validating our Proof-of-Concept for the malicious code.

What to do if my site was infected?

If you find the core-stab plugin installed on your site, the first thing you should do is remove it and then follow these next steps:

  • Change all admin users’ passwords and make sure you’re using multi-factor authentication.
  • Review all WordPress users and remove the ones you don’t recognize (especially the admin ones).
  • Review unused or unknown themes and plugins and remove anything unnecessary or unrecognized.
  • Reinstall all your plugins, since they may have been compromised.
  • Review your theme for files that were added or changed without your consent.
  • Reinstall the WordPress core files.

Finally, at Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.

Posted in scan, Security, Vulnerabilities

How to Access and Edit the Default WordPress .htaccess File

Every WordPress installation has a selection of “core” files. These are the files behind critical functionality, and one of them is .htaccess. It includes configuration options for your web server. In other words, it’s extremely important.

If you know how to find and edit .htaccess, you can change your site’s permalink structure, set up redirects, increase security for the dashboard, and make many more tweaks. You don’t even need to know how to code if you follow instructions carefully.

In this article, we’ll talk about the .htaccess file and how it works. We’ll show you how to locate, access, and edit the file. Finally, we’ll wrap up with some frequently asked questions.


Posted in Security

How to Recover and Restore Your WordPress Site after a Crash

WordPress is an excellent platform for your website. But that doesn’t mean that it’s invincible. If you’re working on your site and encounter a sudden glitch, freeze, or crash, it’s easy to enter panic mode.

Fortunately, there are ways to recover and restore your WordPress site after a crash. Whether you installed a poorly-coded plugin or accidentally deleted a file, you can get your site up and running again by following the right steps.

In this post, we’ll take a closer look at WordPress website crashes and some common causes. Then, we’ll guide you through five steps to recover and restore your site after a crash. Let’s get started!


Posted in Security

6 Best WordPress Malware Removal Plugins (Paid & Free)

Your WordPress website is the product of countless hours of hard work, so it’s important to keep it secure. One essential part of your security setup should be a robust and reliable malware scanner. An effective WordPress malware plugin will help you quickly identify any malicious software that makes its way onto your WordPress website, and provide guidance on removing it. 

But, with lots of different WordPress malware scanner plugins available, it may be a challenge to determine which one is right for you. To help, we’ve reviewed six of the most popular options and set out some key things to consider when deciding on the best WordPress malware scanner for your website. 


Posted in Security

How to Update Your WordPress Theme (Without Losing Anything)

Although WordPress themes are typically well-coded, they need regular updates to patch security vulnerabilities and introduce new features. But if you’ve made a lot of customizations to your theme, you might worry that updating it will cause you to lose all of your hard work.

Fortunately, there are a few easy ways to update your WordPress theme without losing anything. Backing up your site, using a child theme, and testing any changes in a staging environment can help you preserve your settings. Then, you can easily update the theme from your WordPress dashboard, cPanel, or using File Transfer Protocol (FTP).

In today’s guide, we’ll explore the importance of updating your WordPress theme. Then, we’ll explain the best methods to do this while maintaining any theme customizations. Let’s get to work!


Posted in Security