This week, we look at the WordPress 5.4 release which includes turning distraction free editing on by default. We also look at new plugin vulnerabilities discovered by the Wordfence Threat Intelligence team, including those found in Rank Math and a Contact From 7 helper plugin. We review the new features recently added to Fast or Slow, the free global website speed profiler.
We also talk about Zoom’s recent security and privacy issues, including a recent discovery by a security researcher who found recordings of meetings containing sensitive information on Zoom’s cloud service.
Here are timestamps and links in case you’d like to jump around, and a transcript is below.
1:04 Join us for Wordfence Office Hours: WordPress Security Q&A
1:47 WordPress 5.4 released
4:03 Vulnerabilities in Rank Math SEO plugin on over 200,000 sites. Watch Ram’s talk on avoiding common vulnerabilities when developing WordPress plugins.
6:06 Vulnerabilities in the Contact Form 7 Datepicker plugin affects over 100,000 sites
8:30 New features added to Fast or Slow, the free global website profiler
10:00 Safety and security while using Zoom video conferencing, and a new report that Zoom meeting videos recorded to the cloud aren’t private
Episode 72 Transcript
Hi and welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. This is Episode 72.
And recording this on Saturday, April 4th after an extremely busy week in the land of WordPress. As such, I don’t have an interview again this week, but we do have some important news to share, and I didn’t want to wait. I have an interview ready, so hopefully I will be able to publish that next week.
I hope you are all doing well in this time of getting intimately familiar with our homes and families. I, too, am home with my family. My 11-year-old daughter is keeping things interesting. This morning I came downstairs to a Post-It note that said, “I will explain.” As much as I tried, I couldn’t figure out what needs an explanation, so as soon as she wakes up I’ll find out. If you want to know what that mystery is all about, you can follow me on Twitter, @KathyZant, and I will explain what the heck she’s up to once I figure that out.
We’d like to stay more connected with you, so we’re doing a Wordfence Office Hours for WordPress security Q&A and Tuesday morning. That’s Tuesday, April 7th at 9:00 AM Pacific, 12:00 noon Eastern. If you’d like to join us, write me at firstname.lastname@example.org and I’ll send you an invitation. Our customer service engineers, Tim Cantrell and Scott Miller will join me. We’ll answer your questions and find a way to entertain you, and ourselves, with some fun stories about WordPress security and also answer any questions you have so you can feel more secure in these interesting times.
Our first story this week, WordPress 5.4 was released. Justin Tadlock at WP Tavern did a great, succinct overview of WordPress 5.4. This version was named after American jazz musician Nat Adderley. The update includes new social icons and button blocks, usability improvements to the block editor and new API for developers to use in plugins and themes.
The most controversial addition was that the WordPress editor is now defaulting to full screen. Now previously, we’ve known that option as sort of “distraction free” mode. So if you don’t want full screen mode, you can revert this change by clicking the tools and options button, which is the vertical ellipsis icon in the upper right corner, and you can uncheck the full screen mode option.
If you’re a theme author, a WordPress theme author, you now have access to the Gradients API for the cover and button blocks. You should also check and make sure that your theme block styles are handling the new social icons and button blocks.
Several CSS, or Cascading Style Sheet, classes have been renamed within the block editor, so if you’re a developer working with the editor, please look for those. The core team also rewrote the HTML markup for the calendar widget and updated those classes.
Now that WordPress is all about blocks, block developers can use the Collections API to group collections of blocks by namespace, and the Variations API is providing for the capability of creating variations of an individual block. If you’re looking to use this, the new social icons block makes good use of this particular API.
Plugin and theme authors also have new hooks for adding custom fields to their navigation menus. WordPress 5.4 also introduces the apply_shortcodes() alias for the former do_shortcode() function. So WordPress 5.4.
Next up, we have a couple of important plugin vulnerabilities to report. First off, critical vulnerabilities affecting over 200,000 sites patched in Rank Math SEO plugin. Rank Math is gaining in popularity as an SEO plugin, now installed on, like I said, over 200,000 sites.
Ram Gall is one of our QA professionals and he found these vulnerabilities and worked with the team at Rank Math to make sure that these flaws were patched. Rank Math was extremely quick to respond and the most recent version of Rank Math is patched, that is version 18.104.22.168 that was released on March 31st, 2020.
There are actually two flaws that Ram found, both dealt with the REST API endpoint. The first was critical and could lead to take over of a WordPress site. With that unprotected REST API endpoint, any number of attacks could have been leveraged. The most critical would be of course locking an administrative user out of their own site. Now the second vulnerability also dealt with the REST API endpoint and it could be used to redirect site visitors, which we see a lot of malware that is redirecting to nasty parts of the internet.
Now, advice from Ram if you’re a plugin developer. If your plugin is using the REST API, make sure to include a permission call back on any endpoints that you don’t want to be available to the public, and be aware that this requires a valid wp_rest nonce to be generated and sent with requests to that protected endpoint to keep your customers’ sites safe.
Here’s the place where I tell you that we’ve got a great video of Ram talking about writing more secure plugin code. We recorded this at WordCamp Phoenix. If you’re a developer, make sure you check that out and lock those front doors where attackers get into WordPress. I’ll have a link to that video in the show notes.
Next up, we have another vulnerability also discovered by Ram Gall. This was in the Contact Form 7 Datepicker plugin installed on over a hundred thousand sites. Now this does not affect the core Contact Form 7 plugin. That one’s installed on over 5 million sites. The Contact Form 7 Datepicker plugin is one of those helper plugins that are sometimes used to extend the functionality of a core plugin. WooCommerce, another one that has a lot of helper plugins. So again, Contact Form 7 not affected by this vulnerability.
Now the Datepicker plugin is no longer actively maintained. Ram reached out to the plugins team and this plugin was pulled from download from the repository. The vulnerability is an authenticated stored cross site scripting vulnerability, so it could only be leveraged by an attacker that had an account that was authenticated to that WordPress install.
However, now if you’re allowing site visitors to subscribe to your blog, if you have a WooCommerce site and your users are all, or your customers are all in your user table, if you have people who can sign up to view like a course and you’re using a learning management system like LearnDash or Lifter LMS, basically anyone that gets an account within your user section of WordPress is what is considered authenticated if they’re logged in. So your site with a large number of users could fall victim to exploitation of this vulnerability, and so it’s still important to pay attention to. A lot of times people will brush off authenticated vulnerabilities, thinking, “Well, that’s not that easily exploitable,” but these still have cases where you can see exploitation.
So now, more importantly than that, this plugin is not going to be patched. So if you’re using it, you’ll need to look for an alternative. Ram did find that Contact Form 7 can do date picking without a separate plugin. It uses an HTML5 date field, so you can go look up how to do that. If you’re using Contact Form 7 Datepicker, make sure you deactivate and delete this plugin from your WordPress installations and look further at the HTML5 date field capabilities into Contact Form 7 itself.
Next up, Fast or Slow, the new site speed monitoring tool we launched a few weeks ago, got some updates. As a reminder, Fast or Slow is a tool that monitors your website’s performance from 13 different locations around the world. It’s a completely free tool. You can subscribe to get updates so you can stay on top of how your site is performing over time. Of course, site performance is critical to your user’s experience wherever they are in the world, as well as to your performance in the search engine result pages, as Google has noted that site speed is a ranking factor.
We have added better charts to Fast or Slow, and we’ve also ensured that you’re getting more up to date metrics than any other site performance tool, amongst other metrics. Of course, I scanned my own site with the new tool, and I can tell you I’m pretty happy with how the data from Fast or Slow is helping me make better decisions about optimizing my site’s performance.
I’m pretty happy with how my site’s performing. Lots to learn there, so check it out at fastorslow.com. We’ll have a number of new updates coming soon. I will keep you updated about how you can leverage those to speed up your site, rank better, convert better, and create better experiences ultimately. That’s what we’re looking for, right, to create better experiences on our websites for our site visitors.
With many of us staying home, we’re turning to Zoom to stay connected, not only with our coworkers, but friends and family as well. And Zoom has come under fire for security and privacy concerns, with good reason. Space X and NASA have banned the use of Zoom in their meetings and there have been some zero days discovered.
One of the reasons that Zoom is so popular is that it’s barrier to entry is super low, that means you can install it and basically get started meeting very quickly and easily. Unfortunately with that ease of use and that openness, a lot of users are not going through the extra steps of locking down their meetings and securing their Zoom experience. There’s also a lot of unfamiliarity of how Zoom works, so we decided to do a little research in how to make a Zoom meeting more secure.
We created a little video to walk you through some of the default settings that are turned on and suggest some that you can turn off. For example, if you don’t need chat, you can turn that off, using passwords to prevent Zoom bombers from invading your meeting, locking meetings, not letting anyone but the host share a screen, not using file sharing via Zoom, those types of things. So we’ve written a blog post and we’ve got a short two and a half minute video that kind of walks through Zoom settings. We’ll link those in the show notes.
The day after publication of that blog post, Zoom announced that they are turning passwords and waiting rooms on by default starting on April 5th. So that’s good news. They’ve also patched some vulnerabilities and they have announced a 90-day freeze on releasing new features. They’re going to focus on fixing privacy and security issues.
Now from my perspective, you know, dealing in the security world, that’s what you want to hear. Software is dependent upon trust. And you want to use software that is written by someone you can trust, someone that’s going to be transparent about problems when they arise and shows a sense of understanding the importance of those problems and a commitment to fixing them. From my perspective, Zoom is doing all of those things.
Unfortunately Zoom’s problems continue. An article published on April 3rd in The Washington Post noted that a security researcher named Patrick Jackson found a way to find recorded Zoom meetings. At issue was the file naming convention used by Zoom to label recorded meanings.
Now what he found, meetings such as recorded one-on-one therapy sessions, training orientations for workers doing tele-health calls, including people’s names and phone numbers, small business meetings with private company financial statements, elementary school classes with kids’ faces, voices and personal details. Not exactly something you want publicly available on the web.
So more advice, do not use Zoom to record meetings to the cloud. If you need to record, record and save that to your personal computer or don’t record the session at all. Also, never share private information via Zoom or any video conferencing system.
We are doing our little Wordfence office hours WordPress Q&A on Tuesday and we’re going to use Zoom. We tried out a few alternatives and it’s just easier to connect using Zoom. So we’re going to do so, but we’re also doing so smartly. We’re going to answer any question we can, but we’re going to start that meeting with the direction that we’re not answering any personal questions, either for ourselves or for attendees. Anything that looks like personally identifiable information will not be allowed. What we’re intending to do is entertain and inform, but not consult.
So use Zoom, but drill into your head that you’re there to publicly entertain and inform and share knowledge and connect, but draw the line at consulting. Draw the line at getting personal. I do hope that Zoom’s commitment to privacy and security plays out by all of us being better secured with our video meetings going forward, and I’m hopeful that that’s what’s going to happen.
So we’ll talk to you again soon and I hope you all stay safe. If you have anything to share, please write me email@example.com. Follow me on Twitter, @KathyZant, and we will talk to you soon.