WooCommerce PayPal Object Injection

The fine people at Woo have released a security patch for WooCommerce, fixing a vulnerability in their PayPal notification system.

The vulnerability affects WooCommerce 2.0.20 – 2.3.10 when a “PayPal Identity Token” is set. It allows attackers to remotely execute code via a well-known weakness of PHP’s unserialize() function, which will instantiate any loaded class named in untrusted input (PHP object injection).
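The following is an added example, not WooCommerce or VaultPress code. It places the pattern behind this advisory (unserialize() applied to data a remote sender controls) beside two safer ways of decoding the same kind of payload. The payload strings are constructed for the example and the function names are the example's own.

```php
<?php
// Added example, not WooCommerce or VaultPress code. It contrasts the pattern
// behind the advisory, unserialize() applied to data a remote sender controls,
// with two safer ways of decoding the same kind of payload. The payload strings
// are constructed here; the function names are this example's own.
declare(strict_types=1);

/**
 * The unsafe pattern. unserialize() instantiates any class loaded on the site
 * that the payload names, and that class's __wakeup() or __destruct() then runs
 * without the application asking. Shown only to name the pattern; never call
 * this on request data.
 */
function decode_unsafe(string $payload)
{
    return unserialize($payload);
}

/**
 * Hardened: allowed_classes => false (PHP 7.0+) turns every object in the
 * payload into __PHP_Incomplete_Class, so no application class is constructed
 * and no magic method runs. The result is then required to be a plain array
 * of scalars; anything else, including an incomplete object, is rejected.
 */
function decode_hardened(string $payload): ?array
{
    $data = @unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($data) || !is_plain_scalar_array($data)) {
        return null;
    }
    return $data;
}

/**
 * Preferred for new code: JSON cannot express PHP objects at all, so the
 * object-injection class of bug does not arise.
 */
function decode_json(string $payload): ?array
{
    $data = json_decode($payload, true, 16);
    return is_array($data) ? $data : null;
}

/** True when $data holds only scalars or nulls, possibly nested in arrays. */
function is_plain_scalar_array(array $data): bool
{
    foreach ($data as $value) {
        if (is_array($value)) {
            if (!is_plain_scalar_array($value)) {
                return false;
            }
        } elseif (!is_scalar($value) && $value !== null) {
            return false;
        }
    }
    return true;
}

// Constructed payloads: a benign array and one that smuggles an object in.
$benign  = serialize(['order_id' => 42, 'status' => 'Completed']);
$hostile = 'a:1:{s:8:"order_id";O:8:"stdClass":0:{}}';

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $payload) {
    $result = decode_hardened($payload);
    printf("%s payload: %s\n", $label, $result === null ? 'rejected' : 'accepted');
}
var_dump(decode_json('{"order_id":42,"status":"Completed"}'));
```

decode_hardened() accepts the benign array and returns null for the second payload: the embedded object never becomes an application class, and the scalar check refuses the `__PHP_Incomplete_Class` placeholder that remains. The `allowed_classes` option needs PHP 7.0 or later; on older interpreters the JSON route is the one that removes the problem rather than narrowing it.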

WooCommerce 2.3.11 contains a fix for this issue, and we strongly recommend that all users upgrade to this version as soon as possible.

We’ve released a hotfix with VaultPress 1.7.5, which protects all vulnerable versions of WooCommerce from attack. We are currently attempting to deploy this update to all VaultPress users affected by the issue. We will email site owners whose sites we are unable to update.

As always, if you have any questions, please drop us a line at vaultpress.com/contact.

Posted in General, Security | Comments Off on WooCommerce PayPal Object Injection

FAQs About FTP, SFTP, and SSH Credentials

Adding credentials for your site has huge benefits when you’re using VaultPress. It lets you restore your site, allows us to help you further if you run into issues, and overall improves the performance of the VaultPress plugin.

What are these credentials though? As a Happiness Engineer, I get asked a variety of questions every day about these credentials and thought it would be helpful to go over what they are, and why you should add them. I’ll also share some common questions we get about them.

What are FTP, SFTP, and SSH credentials?

For starters, I can tell you what they are NOT:

  • Your WordPress.org login
  • Your WordPress.com login
  • Your host’s control panel login

In short, these credentials are ways to access the files that make up your site. Rather than logging in using your WordPress.org login to access your dashboard, these login credentials let you access all of the files that make your site function. With these credentials, you can upload files, edit files, delete files, and more!

Where do I find these credentials?

Your host provides these credentials for you. Just contact them and they’ll point you in the right direction. You can also find them by referring to your host’s documentation, or by reading the email they sent you when you signed up.

Why does VaultPress need them?

We need credentials in order to restore your site or resolve some security threats, but not to back it up.

By adding these credentials, our team can better help solve any problems that arise by directly accessing the files that might be causing problems. Beyond just that, adding these credentials optimizes the performance of the plugin by giving the plugin a more direct route to the files and tables that we need to back up.

Which do you recommend adding?

We recommend SSH first and foremost as it’s the most robust and secure method you can add. If your host doesn’t allow SSH access, we recommend trying to get SFTP, which transfers files over an encrypted SSH connection and is therefore a more secure alternative to FTP. If you can’t get either, FTP will definitely still work.

Can I add all of them? 

While we only need one set of credentials, we do allow you to add multiple types of credentials if you’d like.

How do I add them to VaultPress?

You can add them from your Settings page in the VaultPress dashboard. If you need a step by step, check out this post for FTP and this post for SSH.

Earn bonus points

  1. Make sure our IP ranges are whitelisted by your host as some hosts block access based on IP address. Whitelisting our IPs will ensure that we can access your server.
  2. Make sure the user you have provided us has full read and write access to your WordPress directory. Your hosting provider can help you with this step, if necessary.

As always, drop us a line if you have any follow-up questions!

Posted in General, Help | 11 Comments

Secrets from the Vault

While VaultPress is known for backups, restores, and security scanning, there’s a lot more to VaultPress than meets the eye. This post is going to cover a couple of features that VaultPress also offers so you can make the most of your subscription:

3 Different Types of Restores

Whether you need to restore your entire uploads directory or a single picture you accidentally deleted, VaultPress has your back with three different types of restores: full site restores, partial restores, and single table/file restores.

Alternate Restores

Not only can you perform different types of restores on your site, you can also run each of these to an alternate site. If you need to move hosts or want to set up a development site, VaultPress can help.

Backup Browser

If you’ve ever been curious about what files make up your site, check out our backup browser functionality. Not only is this helpful for restoring single tables or files but this also allows you to preview your content without having to use an FTP client.

Detailed Posts Table

If you hover over your posts table on your backups page, you can find at a glance more detailed information about what we’re backing up. This can be helpful if you’re wanting to run a restore and you’re not sure which backup includes the right amount of posts, pages, or drafts.


Add SSH Credentials

While there’s the option to add FTP and SFTP credentials, we highly recommend adding SSH credentials as they are both the most secure and robust credentials you can add. By adding these credentials, the backup processes will be optimized, you will be able to restore your site, and we’ll be able to help you further if any issues come up!

Put your FTP, SFTP, or SSH Credentials to the test

Before you run a restore, there are certain best practices we recommend you follow. One of the lesser known tips involves testing your credentials before you run a restore! Instead of having to do this manually, you can run a test designed for VaultPress restores from within the Settings page of the VaultPress dashboard. To do this, just click into the credentials you want to test and then select “Test your credentials”:


Once you do this, we’ll run a variety of tests on your credentials and provide the results of each of these tests for you. If you’re curious, here’s a summary document that covers each of the tests we run.

Add another person to your account

This can be super helpful if you have multiple people within your company or team that you want to have access to the site. This will give them full access to everything on your account except the billing information which is kept private! Here’s more information about how to add another person.

Download a backup

While we store all of your backups on our servers, you are free to download a backup at any time from our system. To do so, just head to your backups page > click “View Backup” next to the backup you want to download > click “Download” at the top of the page. From there, we’ll begin preparing the backup for download. No matter the size of the site, we’ll email you when the backup file is ready with a link to where you can begin the full site download!

Reuse a registration key

If you end up wanting to back up a different site midway through a subscription, no worries – just reuse the key by following these instructions. This can be helpful if you are a developer with clients and you need to move around which client sites you want backed up!

Posted in Features, General | 2 Comments

Genericons XSS Vulnerability & WordPress 4.2.2

An XSS vulnerability has been found in Genericons. Specifically, Genericons ships a file called example.html that has been found to be vulnerable to DOM-based cross-site scripting. Any WordPress plugin or theme that includes this file is open to attack. To help combat this, we have done the following for VaultPress users:

1) We’ve deleted the file everywhere we can to proactively secure your site.

2) We’ve added it to our security scanner so that if there are any cases where we couldn’t detect the file or couldn’t delete it, you will still be notified if the file exists on your site. 

3) For users with sites where we couldn’t remove the file, we have personally emailed each of you with steps to remove the file and details about where the file is located.
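The following is an added example, not VaultPress's scanner. It is a small command-line check in the spirit of step 2 above: it walks a WordPress install, reports every copy of Genericons' example.html, and optionally removes it, listing any copy that could not be deleted (for instance because of file permissions) so the administrator can handle it by hand. The script name and invocation are assumptions of this example.

```php
<?php
// Added example, not VaultPress's scanner. Walk a WordPress install, report
// every genericons/example.html, optionally delete it, and list what remains.
// Assumed invocation: php find-genericons-example.php /path/to/wordpress [--delete]
declare(strict_types=1);

/**
 * Return the paths of every example.html that sits directly inside a
 * directory named "genericons" under $root. Unreadable subdirectories are
 * skipped rather than aborting the scan.
 */
function find_genericons_example(string $root): array
{
    $hits = [];
    if (!is_dir($root)) {
        return $hits;
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD
    );
    foreach ($files as $file) {
        /** @var SplFileInfo $file */
        if (!$file->isFile() || strtolower($file->getFilename()) !== 'example.html') {
            continue;
        }
        // getPath() is the containing directory; match only a genericons folder.
        if (strtolower(basename($file->getPath())) === 'genericons') {
            $hits[] = $file->getPathname();
        }
    }
    sort($hits);
    return $hits;
}

/**
 * Delete each path and return the ones that could not be removed, which is
 * the case VaultPress describes above (the file is present but not writable).
 */
function remove_files(array $paths): array
{
    $failed = [];
    foreach ($paths as $path) {
        if (!@unlink($path)) {
            $failed[] = $path;
        }
    }
    return $failed;
}

$root   = $argv[1] ?? getcwd();
$delete = in_array('--delete', array_slice($argv, 2), true);

$hits = find_genericons_example($root);
if ($hits === []) {
    echo "No genericons/example.html found under {$root}\n";
    exit(0);
}
foreach ($hits as $hit) {
    echo "found: {$hit}\n";
}
$remaining = $delete ? remove_files($hits) : $hits;
foreach ($remaining as $path) {
    echo ($delete ? "could not delete (check permissions): " : "still present: ") . $path . "\n";
}
// A non-zero exit lets a cron job or monitoring script treat "file present" as a finding.
exit($remaining === [] ? 0 : 1);
```

Run it as the user that owns the WordPress files so that the delete step sees the same permissions the site does; if a path is reported as not deletable, that is exactly the case where the file has to be removed through the host's control panel or over SFTP/SSH instead. The check matches on location (a file named example.html inside a genericons directory) rather than on content, so it also catches copies bundled inside themes and plugins.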

Another important security update was also released today: WordPress 4.2.2. Version 4.2.2 fixes several vulnerabilities that could allow users to compromise your site, including the Genericons vulnerability.

We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click “Update Now”. Otherwise, you can download WordPress 4.2.2 directly. Once you’re running WordPress 4.2.2, you’re protected from these vulnerabilities.

As always, drop us a line if you have any questions!

Posted in Security | 7 Comments

White Label CMS Vulnerability

A vulnerability has been found in White Label CMS, up to version 1.5.2. The vulnerability makes it possible to inject malicious code into websites, by tricking a site administrator into clicking a specially crafted URL. A fix has been released with version 1.5.3.

We have attempted to push an update to all websites on VaultPress with this plugin, upgrading them to 1.5.3. However, we were unable to update some websites due to permission issues.

We will email all site owners who we were unable to upgrade, recommending that they update their site as soon as possible.

As always, drop us a line if you have any questions!

Posted in General, Security | Comments Off on White Label CMS Vulnerability