Clear PHP opcode caches before WordPress Updates: ease the updating process

In various hosting environments, WordPress core-, plugin- and theme updates sometimes fail because of enabled opcode caches. Popular PHP opcode caches are OPcache, WinCache and APC. This little WordPress Must Use Plugin tries to flush opcode caches. Making your live a bit easier when updating WordPress Core, Plugins and Themes.

Continue reading “Clear PHP opcode caches before WordPress Updates: ease the updating process”

Tips to speed up WordPress, serve gzip comressed static HTML files

Who said WordPress is slow on Windows Server IIS? Gzip compress and serve WP-Super-Cache or Cache Enabler static HTML files, to supercharge your WordPress blog. Here is how to serve gzip compressed HTML files through Windows Server IIS: create smaller, compressed, static HTML files, that are downloaded faster. This works with WP-Super-Cache and Cache Enabler on IIS!

Continue reading “Tips to speed up WordPress, serve gzip comressed static HTML files”

17 Valuable WordPress snippets you never knew you could live without

17 valuable WordPress snippets for a site-specific plugin and functions.php that give you a better WordPress experience. Enhance your WordPress site with these small PHP snippets: WordPress filters, actions and functions. Quickly add or extend the functionality you need for your WordPress website! Read on…

Continue reading “17 Valuable WordPress snippets you never knew you could live without”

Deny vulnerable WordPress plugins using Windows Server File Server Resource Manager’s File Screens

Using Windows Server File Server Resource Manager’s File Screens you can block vulnerable WordPress plugins from being saved on your IIS web server. In the following example, you’ll learn how to block WP DB Backup plugin system-wide on Windows Server, read on…

Continue reading “Deny vulnerable WordPress plugins using Windows Server File Server Resource Manager’s File Screens”

10% WordPress plugins in top ~1000 is vulnerable, a PHP static code analysis shows

Marcin Probola conducted a PHP static code analysis of the top ~1000 WordPress plugins, and the results showed 103 plugins were vulnerable to at least one vulnerability type (XSS, SQL injection). This is roughly 10 percent! Marcin Probola writes that scanning results were manually verified in his spare time and delivered to official plugins@wordpress.org from 04.07.2015 to 31.08.2015. Most of reported plugins are already patched, some are not. Vulnerable and not patched plugins are already removed from official wordpress plugin repository.

Continue reading “10% WordPress plugins in top ~1000 is vulnerable, a PHP static code analysis shows”

High-risk vulnerabilities in TheCartPress leaves WordPress sites at risk

TheCartPress eCommerce Shopping Cart – a popular WordPress e-commerce plugin that is actively used on over 5,000 websites – contains high-risk vulnerabilities that can be exploited to compromise customers’ data, execute arbitrary PHP code, and perform Cross-Site Scripting attacks against users of WordPress installations, claim High-Tech Bridge researchers. Users are advised to disable or remove the plugin.

Continue reading “High-risk vulnerabilities in TheCartPress leaves WordPress sites at risk”

XSS Vulnerability Affecting Multiple WordPress Plugins

Where the Vevida Optimizer WordPress plugin kept plugins on all my WordPress sites up-to-date: Sucuri reports that multiple WordPress plugins are vulnerable to Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress. If you haven’t configured automatic updates for WordPress plugins, please update NOW!

Continue reading “XSS Vulnerability Affecting Multiple WordPress Plugins”

WordPress Plugin Vulnerability Dump – Part 1

This post contains information on vulnerabilities for 7 (at least somewhat) popular WordPress plugins. All of these vulnerabilities were trivial to discover (and are trivial to fix). The state of WordPress plugin security is very sad indeed. None of the developers were contacted in advance of this post (except where otherwise noted). Additional vulnerabilities will be posted as time permits. WordPress Plugin Vulnerability Dump – Part 1

Install WordPress plugins without WP-admin access

Automate WordPress customization and plugin installation. WordPress has a little drop-in plugin option available in the form of /wp-content/install.php. This install.php file is not present at default, but when created it can be used to install plugins without wp-admin access. This is neat for automatic or unattended WordPress installations, customizations and so on.

Continue reading “Install WordPress plugins without WP-admin access”