Polyfill.io supply‑chain incident: what happened

In the past few days a supply‑chain incident involving Polyfill.io disrupted a large number of websites. Polyfill.io, a service that delivers small JavaScript polyfills to add missing browser features, allegedly distributed suspicious code that injected into many sites. Some reports estimate the impact reached more than 100,000 domains. Operators and investigators took the Polyfill.io domain offline while they responded.

How Cloudflare responded

Cloudflare moved quickly to reduce exposure. The company replaced references to Polyfill.io with a secure mirror served through cdnjs and has said it never recommended Polyfill.io. Cloudflare’s action reduced the risk of further automatic propagation through CDNs and reverse proxies.

Polyfill.io’s response and ownership concerns

Polyfill.io has publicly disputed the allegations. At the same time, reporting shows the project was in the process of being acquired by a Chinese firm, which raised additional concern because of that buyer’s reported ties to the Chinese government. Polyfill.io’s public statement is here: https://twitter.com/Polyfill_Global/status/1805923380857897277.

Who this affects

We do not use Polyfill.io, so our systems were not directly dependent on it. However, sites that relied on CDNs, reverse proxies, or other intermediaries sometimes received Polyfill.io assets even if the site owner never included them directly. That’s why some organizations saw collateral impact despite not calling Polyfill.io in their own code.

What you should do now

Remove any references to Polyfill.io from your projects and replace them with a trusted alternative. Cloudflare’s cdnjs mirror offers a non‑breaking option that serves the same polyfill content. Also audit other third‑party front‑end dependencies, and prefer self‑hosting critical libraries or pinning and hosting copies you control when practical.

Offer of help and next steps

If you want assistance locating or replacing Polyfill.io references, or if you’d like a broader audit of third‑party scripts and CDNs, we can help. We will continue to monitor the situation and share verified updates as more information becomes available

The post Breaking News: Web Service Scandal Unfolds with Polyfill.io and Cloudflare appeared first on Tarheel Media Digital Marketing.

1. Strong Usernames and Passwords
   The first line of defense for your WordPress website is a robust username and password combination. Avoid using common usernames like “admin” and create unique, complex passwords that include a combination of letters, numbers, and special characters. Regularly update your passwords and consider using password management tools to securely store and generate strong passwords.
2. Two-Factor Authentication
   Implementing two-factor authentication (2FA) adds an extra layer of security to your WordPress login process. It requires users to provide a second form of authentication, such as a temporary code generated by a mobile app or sent via SMS. By enabling 2FA, even if someone obtains your username and password, they would still need the additional authentication factor to gain access.
3. Keeping WordPress and Plugins Up to Date
   Regularly updating your WordPress core files and plugins is crucial for maintaining website security. Updates often include security patches and bug fixes that address vulnerabilities. Enable automatic updates whenever possible, and regularly check for plugin updates from reputable developers. Outdated software is a common entry point for hackers, so staying up to date is essential.
4. Secure Hosting Environment
   Choose a reliable and secure hosting provider for your WordPress website. Look for hosts that offer features like server-level firewalls, intrusion detection systems, and regular backups. A secure hosting environment provides an added layer of protection against potential threats and helps ensure the integrity of your website’s data.
5. Limit Login Attempts
   Brute-force attacks, where hackers attempt to gain access by trying multiple username and password combinations, are a common threat to WordPress websites. Limiting login attempts can mitigate this risk. Consider using security plugins like Wordfence, which provides functionality to restrict the number of login attempts and lockout suspicious IP addresses.
6. Wordfence Security Plugin
   Wordfence is a powerful security plugin designed specifically for WordPress. It offers a range of features to protect your website, including firewall protection, malware scanning, login security, and blocking suspicious IP addresses. Wordfence also provides real-time threat intelligence, monitoring your website for potential security risks and notifying you of any suspicious activity.
7. Regular Backups
   Creating regular backups of your WordPress website is essential in case of a security breach or other unforeseen events. Backups allow you to restore your website to a previous state and minimize potential damage. Use reliable backup solutions, either through your hosting provider or WordPress backup plugins, to ensure you have recent backups readily available.
8. Ongoing Monitoring and Maintenance
   Website security is an ongoing process that requires continuous monitoring and maintenance. Regularly scan your website for malware or vulnerabilities using security plugins like Wordfence. Stay informed about the latest security practices and potential threats by following reputable sources and forums dedicated to WordPress security.

Securing your WordPress website is crucial to protect your online presence, sensitive data, and maintain the trust of your visitors. By implementing strong usernames and passwords, enabling two-factor authentication, keeping WordPress and plugins up to date, choosing a secure hosting environment, limiting login attempts, utilizing security plugins like Wordfence, regularly backing up your website, and performing ongoing monitoring and maintenance, you can significantly enhance the security of your WordPress website and mitigate potential risks.

The post WordPress Website Security: Protecting Your Online Presence appeared first on Tarheel Media Digital Marketing.

If that wasn’t bad enough, Dave’s team came across remote code execution vulnerabilities or RCE’s. RCE’s are usually where bad code allows an attacker to gain administrative or super-user privileges and entirely take over a website or the entire information system.

Dave’s team, however, focused in on the SQL injections – a way of appending your own SQL query from code that does not escape its $_POST variables which is the variable where the stuff you submit to a website is stored. After just 3 months of research, Dave’s team found a staggering 35 plugins that had already been exploited by unauthorized users or hackers. While 35 sounds like a low number, those 35 plugins were in operation and were exploited on over 60,500 WordPress websites.

“Although the vast majority of the vulnerabilities I reported were unauthenticated SQL injection vulnerabilities, which would have enabled an attacker to dump the entire WordPress database contents, these were not the most devastating ones,” Dave said.

“The sitemap-by-click5 plugin suffered from an unauthenticated arbitrary options update flaw, which would have allowed an attacker to maliciously enable the registration functionality and set the default user role to that of an administrator.”

Dave explained that this would allow an attacker to create their own administrator account and entirely take over the WordPress website. Dave went on to say that he hopes this research forwards the ability to quickly identify security exploits in the future and minimize website intrusions.

After dealing with these WordPress Plugins and WordPress.org a pretty heavy blow, Dave did applaud the WordPress team for how well the disclosure process went in allowing Dave’s team to reach out and get these updates out there to these vulnerable websites that desperately needed it.

The post Outdated WordPress Plugins make 60,000 Websites Vulnerable appeared first on Tarheel Media Digital Marketing.