Nexcess Blog

Bugs are an inevitable part of the software development process. As hard as developers try to avoid them — and they try very hard indeed — mistakes will be made and some of those mistakes will cause security vulnerabilities. What’s important is how developers handle vulnerabilities when they do occur, including how they communicate about […]

WordPress 4.7 was released towards the end of last year and brought with it a host of new features, including a new default theme, theme starter content, and REST API content endpoints. As is usually the case with a major new WordPress version, WordPress 4.7 was closely followed by a minor release with bugfixes. WordPress […]

Magento eCommerce stores are high value targets for online criminals. Thousands of dollars a month pass through even small stores, and although the vast majority of those stores use external payment processors, malware embedded in the store’s pages could still be used to steal data as the user enters it. Using an external payment processor […]

On July 26, TechCrunch, a popular WordPress-based technology business blog, was compromised by OurMine, a team of hackers responsible for a series of attacks targeting high-profile individuals and sites. The attackers accessed a user account and published a blog post announcing that TechCrunch’s security had been breached. In this case, the attackers were relatively benign; […]

WordPress professionals often find they need to work on a copy of a client’s site. It’s almost never a good idea to work on a live site — too many things can go wrong. When changes are needed, it’s better to copy the client’s site, make the necessary changes, test them, and then integrate any […]

The web has come a long way since the days in the early nineties when Tim Berners-Lee first published his ideas about a new way to organize information. But the web as we know it would be recognizable — if astonishing — to its early users because the core technology of the web, the link, […]

Passwords are not a great authentication method — a point that’s been made many times, not least by me on this blog. Passwords are great in theory, but in practice, when users are asked to choose and manage strong passwords, they don’t. They choose easy-to-remember and hence easy-to-guess passwords. And they use the same password […]

A brute force attack is the least sophisticated technique online criminals have to compromise WordPress sites. It doesn’t take advantage of obscure coding errors or advanced social engineering techniques. Rather, a brute force attacker simply tries lots of username and password combinations until they find one that works. The execution may be more or less […]

The SUPEE-6788 patch for Magento Community Edition and Magento Enterprise Edition includes fixes for potential SQL injection, remote code execution, and cross site scripting vulnerabilities. On 27th October, Magento released the SUPEE-6788 bundle of patches, which can be downloaded here. The bundle includes patches for a number of critical vulnerabilities. Magento users running versions of […]

WordPress site owners who use the Akismet comment spam filtering plugin should update to version 3.1.5 of the plugin as soon as possible. Older versions of the plugin are vulnerable to a cross-site scripting attack that could put WordPress sites and users at risk of compromise. Sites with automatic updates activated should already be running […]