Yesterday I wrote this article, and today my sites were attacked
The log is in the screenshot below. The vulnerability involving wp-includes/js/ has been known since 2022. Details: https://1ps.ru/blog/sites/virus-soaksoak-atakuet-sajtyi-pod-upravleniem-cms-wordpress/ — Check your sites today, especially if they have been running on WP without updates since 2022.
In the end, the site with protection held out, but the one I had not visited in a year, a draft site without protection, went down! (( I'm off to restore it from a backup and add protection to it.
CONCLUSION: don't leave draft sites on the hosting for long!
More than 100 vulnerabilities in plugins and themes are discovered every week.
That is why updates come out so often… And if no updates have been released for more than 6-12 months, something is wrong with the developer of the code…. Don't use such a plugin or theme.
Anti-Spam by CleanTalk — Known since 30-10-2024. Vulnerability:
«Authorization bypass via reverse DNS spoofing», installs: > 200,000, Source ( wordfence.com/blog/2024/11/ )
A vulnerable plugin that I found personally…
Personally, I don't investigate the cause of a hack; I restore the site from a backup and put stronger protection in place… I clear caches and cookies, delete old records from the database, block users, ….. It all depends on how the site «broke».
Scanners and programs
AI-Bolit («Айболит») — https://revisium.com/ai/ — a scanner for viruses and malicious scripts on the hosting; there is also a Windows version for checking a local copy of the site files.
LMD — https://www.rfxn.com/projects/linux-malware-detect/ — Linux Malware Detect — a tool that scans scripts for malicious code, designed among other things to be run from the system cron.
Yandex Manul — https://github.com/antimalware/manul — currently a closed project, still available on GitHub; it may turn out to be useful.
Plugins for protecting sites
WP Cerber — an all-in-one security plugin with integrity checking of the site files, including theme and plugin scripts, using the wordpress.org API; it also has a malware signature scanner.
Quettera — a scanner based on «cloud» checking
GOTMLS
WordFence — I use it with 2FA for authentication + reCAPTCHA v3
Sucuri
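The integrity check that WP Cerber performs against the wordpress.org checksum data, and the wp-includes/js/ infection mentioned at the top of the article, both come down to the same defender's routine: hash every core file, compare it with the manifest, and flag anything in the core tree that the manifest does not list. The script below is an added example, not code from the article or from any of the plugins it names; `SAMPLE_SITE`, `manifest_for()`, `verify_core()`, `build_sample_site()` and `demo()` are my own names, the files and hashes are constructed, and the manifest only mimics the shape of the wordpress.org checksums API response (the real one is fetched per WordPress version and locale).

```python
import hashlib
import os
import tempfile

# Constructed sample tree; manifest_for() builds a manifest in the shape of the
# wordpress.org checksums API ({"checksums": {path: md5}}), not real release values.
SAMPLE_SITE = {
    "wp-includes/js/wp-util.js": b"window.wp = window.wp || {};\n",
    "wp-includes/template-loader.php": b"<?php // loads the template\n",
}

def manifest_for(files):
    return {"checksums": {p: hashlib.md5(c).hexdigest() for p, c in files.items()}}

def verify_core(root, manifest):
    """Report modified/missing manifest files and unlisted files under wp-includes."""
    checksums = manifest["checksums"]
    modified, missing, extra = [], [], []
    for rel, expected in checksums.items():
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
            continue
        with open(full, "rb") as f:
            if hashlib.md5(f.read()).hexdigest() != expected:
                modified.append(rel)
    for dirpath, _, names in os.walk(os.path.join(root, "wp-includes")):
        for n in names:
            rel = os.path.relpath(os.path.join(dirpath, n), root).replace(os.sep, "/")
            if rel not in checksums:
                extra.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing), "extra": sorted(extra)}

def build_sample_site(root, tamper=True):
    # write the constructed files; tamper=True appends to a core file and drops an extra one
    for rel, content in SAMPLE_SITE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    if tamper:
        with open(os.path.join(root, "wp-includes/template-loader.php"), "ab") as f:
            f.write(b"// constructed: injected line\n")
        with open(os.path.join(root, "wp-includes/js/extra.js"), "wb") as f:
            f.write(b"// constructed: not in manifest\n")

def demo(tamper=True):
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root, tamper)
        return verify_core(root, manifest_for(SAMPLE_SITE))
```

Against a real install, point `verify_core()` at the WordPress root and feed it the checksum JSON for the exact installed version; the "extra" list is where a dropped-in script under wp-includes/js/ shows up even when no listed file was changed.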
Site check services
They analyze a page of the site for malicious JavaScript code, redirects and hidden links, and check whether the site is listed on blacklists.
Sucuri Sitecheck
Unmask Parasites
VirusTotal
Cloaked Link Checker
THE MAIN THING? MAKE BACKUPS OF YOUR SITES MORE OFTEN; IT IS CHEAPER AND FASTER TO RESTORE THEM LATER.
Vulnerable plugins for the week from 18-11-2024 to 24-11-24, for example:
Software Name | Software Slug |
---|---|
404 Solution | 404-solution |
Absolute Addons For Elementor | absolute-addons |
Activity Log – Monitor & Record User Changes | aryo-activity-log |
Advanced Event Manager | advanced-event-manager |
affiliate-toolkit – WP Affiliate Plugin with Amazon | affiliate-toolkit-starter |
Ahmeti Wp Güzel Sözler | ahmeti-wp-guzel-sozler |
AI Quiz \| Quiz Maker | ai-quiz |
AI Responsive Gallery Album | ai-responsive-gallery-album |
amr shortcodes | amr-shortcodes |
Announcement & Notification Banner – Bulletin | bulletin-announcements |
Anonymous Restricted Content | anonymous-restricted-content |
April’s Call Posts | aprils-call-posts |
AtaraPay WooCommerce Payment Gateway | atarapay-woocommerce |
AutoListicle: Automatically Update Numbered List Articles | autolisticle-automatically-update-numbered-list-articles |
Awesome Studio | awesome-studio |
Banner System | banner-system |
Bard Extra | bard-extra |
Beds24 Online Booking | beds24-online-booking |
Booster for WooCommerce | woocommerce-jetpack |
Branda – Branda – White Label & Branding, Custom Login Page Customizer | branda-white-labeling |
Button Block – Get fully customizable & multi-functional buttons | button-block |
Buying Buddy IDX CRM | buying-buddy-idx-crm |
Chameleoni Jobs | chameleon-jobs |
Checkout with Cash App on WooCommerce | wc-cashapp |
Chessgame Shizzle | chessgame-shizzle |
Classified Listing – Classified ads & Business Directory Plugin | classified-listing |
Clone | wp-clone-by-wp-academy |
Co-marquage service-public.fr | co-marquage-service-public |
Community by PeepSo – Download from PeepSo.com | peepso-core |
Contact Form 7 Email Add on | cf7-email-add-on |
Contact Page With Google Map | contact-page-with-google-map |
Continue Shopping From Cart | continue-shopping-from-cart-page |
Control horas | control-horas |
Crypto and DeFi Widgets – Web3 Cryptocurrency Shortcodes | security-force |
Custom CSS, JS & PHP | custom-css |
Custom Shortcode Sidebars | custom-shortcode-sidebars |
de:branding | debranding |
DeBounce Email Validator | debounce-io-email-validator |
Dino Game – Embed Google Chrome Dinosaur Game in your website | dino-game |
Distance Based Shipping Calculator | distance-based-shipping-calculator |
Document & Data Automation | document-data-automation |
Dynamic «To Top» Plugin | dynamic-to-top |
Dynamic URL SEO | dynamic-url-seo |
Easiest Funnel Builder For WordPress & WooCommerce by WPFunnels | wpfunnels |
Easy Liveblogs | easy-liveblogs |
Easy Twitter Feed – Twitter feeds plugin for WP | easy-twitter-feeds |
Elementor Portfolio Builder | portfolio-builder-elementor |
Elfsight Telegram Chat CC | elfsight-telegram-chat-cc |
Email Subscription Popup | email-subscribe |
Enter Addons – Ultimate Template Builder for Elementor | enteraddons |
Explara Events | explara-events |
Extensions for Elementor | extensions-for-elementor |
F4 Improvements | f4-improvements |
Favicon My Blog | favicon-my-blog |
Fediverse Embeds | fediverse-embeds |
Fence URL wp-login.php | fence-url |
Fintelligence Calculator | fintelligence-calculator |
FireCask’s Twitter Follow Button | twitter-follow |
FluentSMTP – WP SMTP Plugin with Amazon SES, SendGrid, MailGun, Postmark, Google and Any SMTP Provider | fluent-smtp |
Footer Flyout Widget | footer-flyout-widget |
Formidable Forms – Contact Form Plugin, Survey, Quiz, Payment, Calculator Form & Custom Form Builder | formidable |
Friendly Functions for Welcart | friendly-functions-for-welcart |
Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery | simply-gallery-block |
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | gamipress |
GD bbPress Attachments | gd-bbpress-attachments |
GD Rating System | gd-rating-system |
Generic Elements | generic-elements-for-elementor |
Geolocator | geolocator |
Getwid – Gutenberg Blocks | getwid |
Google for WooCommerce | google-listings-and-ads |
Google Plus Share and +1 Button | google-plus-share-and-plusone-button |
GoQMieruca | goqmieruca |
GoQSmile | goqsmile |
Grey Owl Lightbox | grey-owl-lightbox |
Grid View Gallery | grid-view-gallery |
Gutenberg Blocks with AI by Kadence WP – Page Builder Features | kadence-blocks |
HIPAA Compliant Forms with Drag’n’Drop HIPAA Form Builder. Sign HIPAA documents | hipaatizer |
Hotlink2Watermark | hotlink2watermark |
HTML5 Lyrics Karaoke Player | html5-lyrics-karaoke-player |
HUSKY – Products Filter Professional for WooCommerce | woocommerce-products-filter |
IceStats | icestats |
Idealien Category Enhancements | idealien-category-enhancements |
If-So Dynamic Content Personalization | if-so |
Image horizontal reel scroll slideshow | image-horizontal-reel-scroll-slideshow |
Image Optimizer, Resizer and CDN – Sirv | sirv |
ImbaChat | imbachat-widget |
Include Mastodon Feed | include-mastodon-feed |
Increase Maximum Upload File Size \| Increase Execution Time | wp-maximum-upload-file-size |
Infinite Slider | infinite-slider |
iPhone Webclip Manager | iphone-webclip-manager |
ITERAS | iteras |
JobBoardWP – Job Board Listings and Submissions | jobboardwp |
Kevin’s Plugin | kevins-plugin |
LA-Studio Element Kit for Elementor | lastudio-element-kit |
Lazy load videos and sticky control | lazy-load-videos-and-sticky-control |
LeadBoxer | leadboxer |
LeanPress | leanpress |
LGPD Framework By Data443 | lgpd-framework |
Library Bookshelves | library-bookshelves |
LinkLaunder SEO | linklaunder-seo-plugin |
Lock User Account | lock-user-account |
LSX Tour Operator | tour-operator |
MailChimp Forms by MailMunch | mailchimp-forms-by-mailmunch |
MailMunch – Grow your Email List | mailmunch |
Memberlite Shortcodes | memberlite-shortcodes |
Meteor Slides | meteor-slides |
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar | mp3-music-player-by-sonaar |
MP3 Sticky Player | fwdmsp |
MStore API – Create Native Android & iOS Apps On The Cloud | mstore-api |
Multi Feed Reader | multi-feed-reader |
My Contador lesr | my-contador-wp |
nBlocks – Responsive Gutenberg News Blocks | nblocks |
Office Locator | office-locator |
Opal Woo Custom Product Variation | opal-woo-custom-product-variation |
Open edX LMS and WordPress integrator (LITE) | edunext-openedx-integrator |
Ortto | autopilot |
Page Parts | page-parts |
Parallax Image | parallax-image |
Pathomation | pathomation |
Payments Plugin and Checkout Plugin for WooCommerce: Stripe, PayPal, Square, Authorize.net | peachpay-for-woocommerce |
PDF Invoices & Packing Slips Generator for WooCommerce | pdf-invoicing-for-woocommerce |
Post By Email | post-by-email |
Post Ideas | post-ideas |
Premium Packages – Sell Digital Products Securely | wpdm-premium-packages |
Pricing table addon for elementor | pricing-table-addon-for-elementor |
Product Designer | product-designer |
Product Table for WooCommerce by CodeAstrology (wooproducttable.com) | woo-product-table |
ProfileGrid – User Profiles, Groups and Communities | profilegrid-user-profiles-groups-and-communities |
Protect Your Content | protect-your-content |
PublishPress Revisions: Duplicate Posts, Submit, Approve and Schedule Content Changes | revisionary |
Pure CSS Circle Progress bar | pure-css-circle-progress-bar |
QRMenu Restaurant QR Menu Lite | qrmenu-lite |
Quick Learn | quick-learn |
Quotes llama | quotes-llama |
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | seo-by-rank-math |
RealtyCandy IDX Broker Extended | realtycandy-idx-broker-extended |
RecipePress Reloaded | recipepress-reloaded |
Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation | get-a-quote-button-for-woocommerce |
Rescue Shortcodes | rescue-shortcodes |
Restaurant Menu – Food Ordering System – Table Reservation | menu-ordering-reservations |
Run Contests, Raffles, and Giveaways with ContestsWP | contest-code-checker |
salavat counter Plugin | salavat-counter |
Save as PDF Plugin by Pdfcrowd | save-as-pdf-by-pdfcrowd |
School Management System for WordPress | school-management |
Shine PDF Embeder | shine-pdf |
Shopready – Elementor addons for WooCommerce Page Builder | shopready-elementor-addon |
Silverlight Video Player | smooth-streaming-player |
Simple Membership | simple-membership |
Simple Travel Map | simple-travel-map |
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery) | sky-elementor-addons |
Slick Sitemap | slick-sitemap |
Slotti Ajanvaraus | slotti-ajanvaraus |
Social Login | oa-social-login |
SP Blog Designer | sp-blog-designer |
Sticky Social Icons | sticky-social-icons |
Stratum – Elementor Widgets | stratum |
StreamWeasels Online Status Bar | stream-status-for-twitch |
Subaccounts for WooCommerce | subaccounts-for-woocommerce |
SuevaFree Essential Kit | suevafree-essential-kit |
Sugar Calendar – Event Calendar, Event Tickets, and Event Management Platform | sugar-calendar-lite |
SVG Block | svg-block |
Tailored Tools | tailored-tools |
Team Rosters | team-rosters |
The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce | the-plus-addons-for-elementor-page-builder |
Theater for WordPress | theatre |
Theme Builder For Elementor | theme-builder-for-elementor |
TM Islamic Helper | tm-islamic-helper |
Tribute Testimonials – WordPress Testimonial Grid/Slider | tribute-testimonial-gridslider |
Tutor LMS – eLearning and online course solution | tutor |
Ultimate Classified Listings | ultimate-classified-listings |
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | ultimate-member |
Ultimate YouTube Video & Shorts Player With Vimeo | ultimate-youtube-video-player |
UltraAddons – Elementor Addons (Header Footer Builder, Custom Font, Custom CSS,Woo Widget, Menu Builder, Anywhere Elementor Shortcode) | ultraaddons-elementor-lite |
User registration & user profile – UserPlus | userplus |
Wawp OTP Verification, Order Notifications, and Country Code Selector for WooCommerce | automation-web-platform |
Wc Recently viewed products | wc-recently-viewed-products |
Weather Atlas Widget | weather-atlas |
What Would Seth Godin Do | what-would-seth-godin-do |
WIP Incoming Lite | wip-incoming-lite |
Wishlist for WooCommerce: Multi Wishlists Per Customer PRO | wish-list-for-woocommerce-pro |
WooCommerce Price Alert | price-alert-woocommerce |
WooCommerce Product Table Lite | wc-product-table-lite |
WordPress Bootscraper | wp-bootscraper |
WordPress Brute Force Protection – Stop Brute Force Attacks | guardgiant |
wp auto top | wp-auto-top |
WP e-Commerce Style Email | wp-e-commerce-style-email |
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts | wedevs-project-manager |
WP Travel Engine – Tour Booking Plugin – Tour Operator Software | wp-travel-engine |
WP User Manager – User Profile Builder & Membership | wp-user-manager |
WP-ISPConfig 3 | wp-ispconfig3 |
WP-Orphanage Extended | wp-orphanage-extended |
WPAdverts – Classifieds Plugin | wpadverts |
WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup | wpb-popup-for-contact-form-7 |
WPBakery Visual Composer WHMCS Elements | void-visual-whmcs-element |
WPDash Notes | wpdash-notes |
WPGYM — WordPress Gym Management System | gym-management |
Xpresslane Fast Checkout | xpresslane-integration-for-woocommerce |
Yaad Sarig Payment Gateway For WC | yaad-sarig-payment-gateway-for-wc |
Youneeq Recommendations | youneeq-panel |
yPHPlista | yphplista |
Zajax – Ajax Navigation | zajax-ajax-navigation |
Экспресс Платежи платежный модуль | express-pay |
우커머스 네이버페이 | mshop-npay |
워드프레스 결제 심플페이 – 우커머스 결제 플러그인 | pgall-for-woocommerce |
코드엠샵 소셜톡 | mshop-naver-talktalk |
WordPress Themes with Reported Vulnerabilities Last Week
Software Name | Software Slug |
---|---|
AccessPress Staple | accesspress-staple |
Ashe | ashe |
Bard | bard |
ForumEngine | forumengine |
jobify | jobify |
Source: www.wordfence.com/blog/2024/