macOS Ventura adds powerful productivity tools and new Continuity features that make the Mac experience better than ever

CUPERTINO, CALIFORNIA Apple today previewed macOS Ventura, the latest version of the world’s most advanced desktop operating system, which takes the Mac experience to a whole new level. Stage Manager gives Mac users an all-new way to stay focused on the task in front of them while seamlessly switching between apps and windows. Continuity Camera uses iPhone as the webcam on Mac to do things that were never possible before,[1] and with Handoff coming to FaceTime, users can start a FaceTime call on their iPhone or iPad and fluidly pass it over to their Mac. Mail and Messages come with great new features that make the apps better than ever, while Safari — the world’s fastest browser on Mac[2] — ushers in a passwordless future with passkeys. And with the power and popularity of Apple silicon, and new developer tools in Metal 3, gaming on Mac has never been better.

“macOS Ventura includes powerful features and new innovations that help make the Mac experience even better. New tools like Stage Manager make focusing on tasks and moving between apps and windows easier and faster than ever, and Continuity Camera brings new videoconferencing features to any Mac, including Desk View, Studio Light, and more,” said Craig Federighi, Apple’s senior vice president of Software Engineering. “With helpful new features in Messages, state-of-the-art search technologies in Mail, and an updated design for Spotlight, Ventura has so much to offer and enriches many of the ways customers use their Macs.”

The new Stage Manager feature stacking several app windows to the left of the Safari window on the 14-inch MacBook Pro.
iPhone 13 Pro being used as a webcam with Continuity Camera on the new 13-inch MacBook Pro.

A New Way to Work Across Apps and Windows

Stage Manager automatically organises open apps and windows so users can concentrate on their work and still see everything in a single glance. The current window users are working in is displayed prominently in the center, and other open windows appear on the left-hand side so they can quickly and easily switch between tasks. Users can also group windows together when working on specific tasks or projects that require different apps. Stage Manager works in concert with other macOS windowing tools — including Mission Control and Spaces — and users can now easily get to their desktop with a single click.


Stage Manager automatically arranges open windows and puts the app the user is currently working with front and center.

Apple Devices Working Together with Continuity

Continuity Camera now gives Mac customers the ability to use their iPhone as a webcam, and unlocks new capabilities that were never possible before on a webcam. With the power of Continuity, Mac can automatically recognise and use the camera on iPhone when it is nearby — without the need to wake or select it — and iPhone can even connect to Mac wirelessly for greater flexibility.[3] Continuity Camera delivers innovative features to all Mac computers including Center Stage, Portrait mode, and the new Studio Light — an effect that beautifully illuminates a user’s face while dimming the background. Plus, Continuity Camera taps into the Ultra Wide camera on iPhone to enable Desk View, which simultaneously shows the user’s face and an overhead view of their desk — great for creating DIY videos, showing off sketches over FaceTime, and so much more.[4]

iPhone 13 Pro on MacBook Pro being used as a webcam.

Handoff now comes to FaceTime, allowing users to start a FaceTime call on one Apple device and seamlessly transfer it to another Apple device nearby. Users can be on a FaceTime call on iPhone or iPad, then move the call to their Mac with just a click, or start a call on their Mac and shift to iPhone or iPad when they need to continue on the go.

A FaceTime call on iPhone 13 Pro with the Handoff option to switch to Mac displayed on MacBook Pro.

Powerful Updates to Key macOS Apps and Features

Safari offers the fastest and most power-efficient browsing experience on the Mac, along with trailblazing privacy features. In macOS Ventura, Safari introduces a powerful new way for users to browse together: With shared Tab Groups, friends, family, and colleagues can share their favorite sites in Safari and see what tabs others are looking at live. Users can also build a list of bookmarks on a shared Start Page, and even start a Messages conversation or FaceTime call right from Safari — great for planning a trip or researching a project together.

A Safari window displaying the new shared Tab Groups feature.

In the biggest overhaul to search in years, Mail now uses state-of-the-art techniques to deliver more relevant, accurate, and complete results. Users can quickly find what they are looking for as soon as they click into search, including recent emails, contacts, documents, photos, and more, all before they even start typing. Users can also schedule emails and even cancel delivery after hitting send,[5] and Mail now intelligently detects if an item such as an attachment or a cc’d recipient is missing from their message. In Mail, users can set reminders to come back to a message at a particular date and time, and receive automatic suggestions to follow up on an email if there has been no response.

The new search results in Mail displayed on MacBook Pro.
The new scheduling feature in Mail displayed on MacBook Pro.

Messages on the Mac now includes the ability to edit or undo a recently sent message, mark a message as unread, or even recover accidentally deleted messages.[6] New collaboration features make working with others quick and seamless. Now, when a user shares a file via Messages using the share sheet or drag and drop, they can choose to share a copy or collaborate. When they choose to collaborate, everyone on a Messages thread is automatically added. And when someone makes an edit to the shared document, activity updates appear at the top of the thread. Users can also join SharePlay sessions from their Mac right in Messages, so they can chat and participate in synchronised experiences.

An Apple TV SharePlay session in Messages on MacBook Pro.

Spotlight includes an updated design that makes navigation easier, new features that provide a more consistent experience across Apple devices, and Quick Look for quickly previewing files. Users can now find images in their photo library, across the system, and on the web. They can even search for their photos by location, people, scenes, or objects, and Live Text lets them search by text inside images. To be even more productive, users can now take actions from Spotlight, like starting a timer, creating a new document, or running a shortcut. And Spotlight now includes rich results for artists, movies, actors, and TV shows, as well as businesses and sports.

Spotlight search results across iPad and MacBook Pro.
The new photo search experience in Spotlight on MacBook Pro.
The new search results for a TV show in Spotlight on MacBook Pro.

With iCloud Shared Photo Library, users can now create and share a separate photo library among up to six family members, so everyone can enjoy all of their family photos. Users can choose to share all of their existing photos from their personal libraries, or share based on a start date or people in the photos. To help keep their Shared Library up to date, users will receive intelligent suggestions to share relevant photo moments that include participants in the library and any other people they choose. Every user in the Shared Photo Library can add, delete, edit, or favorite the shared photos and videos, which will appear in each user’s Memories and Featured Photos so that everyone can relive more complete family moments.

More Secure Browsing in Safari

Browsing in Safari is even safer with passkeys, next-generation credentials that are more secure, easy to use, and designed to replace passwords. Passkeys are unique digital keys that stay on device and are never stored on a web server, so hackers can’t leak them or trick users into sharing them. Passkeys make it simple to sign in securely, using Touch ID or Face ID for biometric verification, and iCloud Keychain to sync across Mac, iPhone, iPad, and Apple TV with end-to-end encryption. They will also work across apps and the web, and users can even sign in to websites or apps on non-Apple devices using their iPhone.

The new passkeys sign-in experience on MacBook Pro.

Immersive Gaming Experiences

The power of Apple silicon enables every new Mac to run AAA games with ease, including upcoming titles such as EA’s GRID Legends and Capcom’s Resident Evil Village. And since Apple silicon also powers iPad, game developers can bring their AAA games to even more users, like No Man’s Sky from Hello Games, which is coming to both Mac and iPad later this year. 

Metal 3, the latest version of the software that powers the gaming experience across Apple platforms, introduces new features that take the gaming experience on Mac to new heights and unleash the full potential of Apple silicon for years to come. MetalFX Upscaling enables developers to quickly render complex scenes by using less compute-intensive frames, and then apply resolution scaling and temporal anti-aliasing. The result is accelerated performance that provides gamers with a more responsive feel and graphics that look stunning. Game developers also benefit from a new Fast Resource Loading API that minimizes wait time by providing a more direct path from storage to the GPU, so games can easily access high-quality textures and geometry needed to create expansive worlds for realistic and immersive gameplay.


Metal 3 brings new features that unleash the full potential of Apple silicon for even greater gaming experiences.

More Great Experiences Coming with macOS Ventura

  • Live Text uses on-device intelligence to recognise text in images across the system, and now adds support for paused video frames, as well as Japanese and Korean text. Users can also now lift the subject away from an image and drop it into another app. And Visual Look Up expands its recognition capabilities to now include animals, birds, insects, statues, and even more landmarks.
  • The Weather and Clock apps, with all the features users know and love from iPhone, have been optimized for Mac.
  • New accessibility tools include Live Captions for all audio content, Type to Speak on calls, Text Checker to support proofreading for VoiceOver users, and more.[7]
  • System Settings is the new name for System Preferences, and comes with a refreshed and streamlined design that is easier to navigate and instantly familiar to iPhone and iPad users.
  • macOS security gets even stronger with new tools that make the Mac more resistant to attack, including Rapid Security Response that works in between normal updates to easily keep security up to date without a reboot.
MacBook Air, the 24-inch iMac, and the new MacBook Pro.

Availability

The developer beta of macOS Ventura is available to Apple Developer Program members at developer.apple.com starting today. A public beta will be available to Mac users next month at beta.apple.com. macOS Ventura will be available this fall as a free software update. For more information, including compatible Mac models, visit apple.com/in/macos/macos-ventura-preview. Features are subject to change. Some features may not be available in all regions or languages.

Source:
https://www.apple.com/in/newsroom/2022/06/macos-ventura-brings-powerful-productivity-tools-new-continuity-features-to-mac/

Horde Webmail – Remote Code Execution via Email

A webmail application enables organizations to host a centralized, browser-based email client for their members. Typically, users log into the webmail server with their email credentials, then the webmail server acts as a proxy to the organization’s email server and allows authenticated users to view and send emails.

With so much trust being placed in webmail servers, they naturally become a highly interesting target for attackers. If a sophisticated adversary could compromise a webmail server, they could intercept every sent and received email, access password-reset links and sensitive documents, impersonate personnel, and steal the credentials of every user logging into the webmail service.

This blog post discusses a vulnerability that the Sonar R&D team discovered in Horde Webmail. The vulnerability allows an attacker to fully take over an instance as soon as a victim opens an email the attacker sent. At the time of writing, no official patch is available.


Impact

The discovered code vulnerability (CVE-2022-30287) allows an authenticated user of a Horde instance to execute arbitrary code on the underlying server. 

The vulnerability can be exploited with a single GET request, which can be triggered via Cross-Site Request Forgery (CSRF). For this, an attacker can craft a malicious email that includes an external image; when the image is rendered, the vulnerability is exploited without further interaction from the victim: the only requirement is that the victim opens the malicious email.

The vulnerability exists in the default configuration and can be exploited with no knowledge of a targeted Horde instance. We confirmed that it exists in the latest version. The vendor has not released a patch at the time of writing. 

Another side-effect of this vulnerability is that the clear-text credentials of the victim triggering the exploit are leaked to the attacker. The adversary could then use them to gain access to even more services of an organization. This is demonstrated in our video:

https://youtube.com/watch?v=pDXos77YHpc


Technical details

In the following sections, we go into detail about the root cause of this vulnerability and how attackers could exploit it.


Background – Horde Address Book configuration

Horde Webmail allows users to manage contacts. From the web interface, they can add, delete and search contacts. Administrators can configure where these contacts should be stored and create multiple address books, each backed by a different backend server and protocol.

The following snippet is an excerpt from the default address book configuration file and shows the default configuration for an LDAP backend:

turba/config/backends.php

$cfgSources['personal_ldap'] = array(
    // Disabled by default
    'disabled' => true,
    'title' => _("My Address Book"),
    'type' => 'LDAP',
    'params' => array(
        'server' => 'localhost',
        'tls' => false,
        // …
    ),
);

As can be seen, this LDAP configuration is added to an array of available address book backends stored in the $cfgSources array. The configuration itself is a key/value array containing entries used to configure the LDAP driver.

CVE-2022-30287 – Lack of type checking in Factory class

When a user interacts with an endpoint related to contacts, they are expected to send a string identifying the address book they want to use. Horde then fetches the corresponding configuration from the $cfgSources array and manages the connection to the address book backend.

The following code snippet demonstrates typical usage of this pattern:

turba/merge.php

require_once __DIR__ . '/lib/Application.php';
Horde_Registry::appInit('turba');

$source = Horde_Util::getFormData('source');
// …
$mergeInto = Horde_Util::getFormData('merge_into');
$driver = $injector->getInstance('Turba_Factory_Driver')->create($source);
// …
$contact = $driver->getObject($mergeInto);

The code snippet above shows how the parameter $source is received and passed to the create() method of the Turba_Factory_Driver. Turba is the name of the address book component of Horde.

Things start to become interesting when looking at the create() method:

turba/lib/Factory/Driver.php

 51     public function create($name, $name2 = '', $cfgSources = array())
 52     {
 53     // …
 57         if (is_array($name)) {
 58             ksort($name);
 59             $key = md5(serialize($name));
 60             $srcName = $name2;
 61             $srcConfig = $name;
 62         } else {
 63             $key = $name;
 64             $srcName = $name;
 65             if (empty($cfgSources[$name])) {
 66                 throw new Turba_Exception(sprintf(_("The address book \"%s\" does not exist."), $name));
 67             }
 68             $srcConfig = $cfgSources[$name];
 69         }

On line 57, the type of the $name parameter is checked. This parameter corresponds to the previously shown $source parameter. If it is an array, it is used directly as a configuration by assigning it to the $srcConfig variable. If it is a string, it is used as a key into the global $cfgSources array and the corresponding configuration is fetched.

This behavior is interesting to an attacker as Horde expects a well-behaved user to send a string, which then leads to a trusted configuration being used. However, there is no type checking in place which could stop an attacker from sending an array as a parameter and supplying an entirely controlled configuration.

Some lines of code later, the create() method dynamically instantiates a driver class using values from the attacker-controlled array:

turba/lib/Factory/Driver.php

$class = 'Turba_Driver_' . ucfirst(basename($srcConfig['type']));
// …
$driver = new $class($srcName, $srcConfig['params']);

With this level of control, an attacker can choose to instantiate an arbitrary address book driver and has full control over the parameters passed to it, such as for example the host, username, password, file paths etc.
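To make the root cause concrete, here is an added example (not Horde's code; the function names and the reduced configuration table are hypothetical) that boils the create() pattern above down to a stand-alone PHP script and places a hardened variant beside it. It also shows how PHP's query-string parsing turns a bracketed parameter name into exactly the array that reaches the is_array() branch, which is the language quirk the closing summary warns about.

```php
<?php
// Added example, not Horde's code. The shape of createDriverVulnerable()
// mirrors the branch shown from Turba_Factory_Driver::create(); everything
// else (names, the trimmed $cfgSources table, the inputs) is constructed here.
declare(strict_types=1);

// Trusted, administrator-defined address-book backends (stands in for $cfgSources).
$cfgSources = [
    'personal_ldap' => [
        'title'  => 'My Address Book',
        'type'   => 'LDAP',
        'params' => ['server' => 'localhost', 'tls' => false],
    ],
];

/**
 * Vulnerable shape: an array "name" is accepted as a complete configuration,
 * so whoever controls the request controls the driver type and its params.
 */
function createDriverVulnerable($name, array $cfgSources): array
{
    if (is_array($name)) {
        $srcConfig = $name;                      // request-controlled configuration
    } else {
        if (empty($cfgSources[$name])) {
            throw new RuntimeException("The address book \"$name\" does not exist.");
        }
        $srcConfig = $cfgSources[$name];         // trusted configuration
    }
    // The post shows the driver class name being derived from $srcConfig['type'].
    return [
        'class'  => 'Turba_Driver_' . ucfirst(basename((string) $srcConfig['type'])),
        'params' => $srcConfig['params'] ?? [],
    ];
}

/**
 * Hardened shape: request input is only ever a key into the trusted table.
 * Internal callers that legitimately need to pass a full configuration should
 * get a separate entry point that never sees request data.
 */
function createDriverHardened($name, array $cfgSources): array
{
    if (!is_string($name) || !array_key_exists($name, $cfgSources)) {
        throw new InvalidArgumentException('Unknown address book identifier.');
    }
    $srcConfig = $cfgSources[$name];
    return [
        'class'  => 'Turba_Driver_' . ucfirst($srcConfig['type']),
        'params' => $srcConfig['params'],
    ];
}

// Constructed inputs: what PHP hands the application for two query strings.
// A bracketed name is decoded into a nested array, not a string.
parse_str('source=personal_ldap', $wellBehaved);
parse_str('source[type]=LDAP&source[params][server]=attacker-chosen', $arrayShaped);

$inputs   = ['string' => $wellBehaved['source'], 'array' => $arrayShaped['source']];
$variants = ['vulnerable' => 'createDriverVulnerable', 'hardened' => 'createDriverHardened'];

foreach ($inputs as $label => $source) {
    foreach ($variants as $variant => $factory) {
        try {
            $driver = $factory($source, $cfgSources);
            printf("%-6s input, %-10s: accepted -> %s\n", $label, $variant, $driver['class']);
        } catch (Throwable $e) {
            printf("%-6s input, %-10s: rejected (%s)\n", $label, $variant, $e->getMessage());
        }
    }
}
```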


Instantiating a driver that enables an attacker to execute arbitrary code

The next step for an attacker would be to inject a driver configuration that enables them to execute arbitrary code on the Horde instance they are targeting.

We discovered that Horde supports connecting to an IMSP server, which uses a protocol that was drafted in 1995 but never finalized as it was superseded by the ACAP protocol. When connecting to this server, Horde fetches various entries. Some of these entries are interpreted as PHP serialized objects and are then unserialized. 

The following code excerpt from the _read() method of the IMSP driver class shows how the existence of a __members entry is checked. If it exists, it is deserialized:

turba/lib/Driver/Imsp.php

if (!empty($temp['__members'])) {
    $tmembers = @unserialize($temp['__members']);
}

Due to the presence of viable PHP Object Injection gadgets discovered by Steven Seeley, an attacker can force Horde to deserialize malicious objects that lead to arbitrary code execution.


Exploiting the vulnerability via CSRF

By default, Horde blocks any images in HTML emails that don’t have a data: URI. An attacker can bypass this restriction by using the HTML tags <picture> and <source>. A <picture> tag allows developers to specify multiple image sources, one of which is loaded depending on the viewport dimensions of the device displaying the page. The following example bypasses the blocking of external images:

<picture>
  <source media="(min-width:100px)" srcset="../../?EXPLOIT">
  <img src="blocked.jpg" alt="Exploit image" style="width:auto;">
</picture>
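As an added mitigation example (not Horde's code; the function name and the sample HTML are constructed here), the following PHP applies the same data:-only image policy to srcset and <source> that the post describes Horde applying to <img src>, so the <picture> variant above is neutralised instead of passed through.

```php
<?php
// Added example, not Horde's code. One policy, "only data: URIs may load an
// image", applied to every attribute the post shows triggering a fetch.
declare(strict_types=1);

function blockRemoteImages(string $html): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);      // mail HTML is rarely well-formed
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $xpath = new DOMXPath($doc);

    // srcset is a comma-separated candidate list and data: URIs themselves
    // contain commas, so rather than parse it we drop it: an email has no need
    // for responsive image selection. This covers both <source> and <img>.
    foreach ($xpath->query('//*[@srcset]') as $el) {
        $el->removeAttribute('srcset');
    }

    // <source> exists only to offer alternative sources; remove it outright so
    // an attribute this filter does not know about cannot reintroduce a fetch.
    // Snapshot the list first because we are removing nodes while walking it.
    foreach (iterator_to_array($xpath->query('//source'), false) as $el) {
        $el->parentNode->removeChild($el);
    }

    // The rule the post describes for <img src>, applied to src on any element.
    foreach ($xpath->query('//*[@src]') as $el) {
        if (stripos(trim($el->getAttribute('src')), 'data:') !== 0) {
            $el->removeAttribute('src');
        }
    }
    return $doc->saveHTML();
}

// Constructed input: the bypass shape from the post with a placeholder target,
// followed by an inline data: image that the policy should leave alone.
$sample = '<picture>'
    . '<source media="(min-width:100px)" srcset="../../?PLACEHOLDER_TARGET">'
    . '<img src="blocked.jpg" alt="Exploit image" style="width:auto;">'
    . '</picture>'
    . '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="inline">';

echo blockRemoteImages($sample);
```

Attributes the post does not mention, such as CSS background images in style attributes, are outside this filter and need their own rule.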

Patch

At the time of writing, no official patch is available. As Horde seems to be no longer actively maintained, we recommend considering alternative webmail solutions.

Timeline

Date         Action
2022-02-02   We report the issue to the vendor and inform them about our 90-day disclosure policy.
2022-02-17   We ask for a status update.
2022-03-02   Horde releases a fix for a different issue we reported previously and acknowledges this report.
2022-05-03   We inform the vendor that the 90-day disclosure deadline has passed.


Summary

In this blog post, we described a vulnerability that allows an attacker to take over a Horde webmail instance simply by sending an email to a victim and having the victim read the email. 

The vulnerability occurs in PHP code, which is dynamically typed. In this case, a security-sensitive branch was entered if a user-controlled variable was of type array. We highly discourage developers from making security decisions based on the type of a variable, as it is easy to miss language-specific quirks.

Source:
https://blog.sonarsource.com/horde-webmail-rce-via-email/

Novartis says no sensitive data was compromised in cyberattack

Pharmaceutical giant Novartis says no sensitive data was compromised in a recent cyberattack by the Industrial Spy data-extortion gang.

Industrial Spy is a hacking group that runs an extortion marketplace where they sell data stolen from compromised organizations.

Yesterday, the hacking group began selling data allegedly stolen from Novartis on their Tor extortion marketplace for $500,000 in bitcoins.

The threat actors claim that the data is related to RNA and DNA-based drug technology and tests from Novartis and were stolen “directly from the laboratory environment of the manufacturing plant.”

Novartis data sold on the Industrial Spy extortion marketplace
Source: BleepingComputer

The data being sold consists of 7.7 MB of PDF files, which all have a timestamp of 2/25/2022 04:26, likely when the data was stolen.

As the amount of data for sale is minimal, it is not clear if this is all the threat actors stole or if they have further data to sell later.

BleepingComputer emailed Novartis to confirm the attack and theft of data and received the following statement.

“Novartis is aware of this matter. We have thoroughly investigated it and we can confirm that no sensitive data has been compromised. We take data privacy and security very seriously and have implemented industry standard measures in response to these kinds of threats to ensure the safety of our data.” – Novartis.

Novartis declined to answer any further questions about the breach, when it occurred, and how the threat actors gained access to their data.

Industrial Spy is also known to use ransomware in attacks, but there is no evidence that devices were encrypted during the Novartis incident.

Source:
https://www.bleepingcomputer.com/news/security/novartis-says-no-sensitive-data-was-compromised-in-cyberattack/

The Cybersecurity CIA Triad: What You Need to Know as a WordPress Site Owner

One of the core concepts of cybersecurity is known as the CIA Triad. There are three pillars to the triad, with each pillar being designed to address an aspect of securing data. These three pillars are Confidentiality, Integrity, and Availability.

The Confidentiality pillar is intended to prevent unauthorized access to data, while the Integrity pillar ensures that data is only modified when and how it should be modified. Finally, the Availability pillar assures access to data when it is needed. When employed in unison, these three pillars work together to build an environment where data is properly protected from any type of attack, compromise, or mishap.

While managing a website may not always feel like a cybersecurity role, a crucial purpose of any website is to maintain data, which calls for the use of the CIA Triad. Managing a WordPress site is no exception to the need for the CIA Triad, even if you are not actively writing any code for the website.

As you build or update a website, it is important to keep the CIA Triad in mind when determining which plugins and functionality to include on the website. While user experience is often the main consideration, it is important to research any plugins or themes you may be considering for your website to ensure you are only installing ones that are well-maintained, and do not have a track record of being an attack vector in website data breaches. Ignoring any of the three pillars of the CIA Triad can lead to a weakness in your website which could impact your site’s users or your business. This makes it important to understand how the Triad applies to management of a WordPress site.

Maintaining the Confidentiality of Privileged Data

The Confidentiality pillar of the CIA Triad is frequently in the public eye, especially when it fails. The basic concept is that any data that should be kept private is restricted to prevent unauthorized access. Privileged data on a WordPress site can vary, but includes administrator and user credentials as well as personally identifiable information (PII) like addresses and phone numbers. Depending on the purpose of the site, additional customer information may also be included, especially in scenarios where you might be running an e-commerce or membership website. Aside from personal data, you may also have business data that should be kept confidential as well, which means that the concept of Confidentiality needs to be employed properly in order to protect this data from unauthorized access.

One thing to keep in mind is that unauthorized access can easily be accidental. Each page on a WordPress website can be set to require specific permissions for access. If you are publishing restricted information, you will need to ensure that the page is not published publicly. Even when updating a page, a good best practice is to always check the post visibility prior to publishing any changes in order to ensure that restricted data cannot be accessed without a proper access level. This check is quick, and only takes a moment to correct if the visibility is set incorrectly.

Image: how to set post visibility in WordPress.

Malicious access is also something that needs to be accounted for when managing a website. One of the most common types of attacks on web applications is cross-site scripting (XSS). A danger of XSS attacks is that they are often simple for an attacker to implement, simply by generating a specially crafted URL. If an XSS vulnerability is present on the website and an attacker can convince your users, or administrators, to click on a link they have generated, they can easily steal user cookies or perform actions using the victim’s session. If the vulnerability is stored XSS, a site administrator accessing the vulnerable page may be all that is needed in order for the attacker to obtain admin access to the site. If the attacker is able to obtain authentication cookies, then they will have the same access to information on the website as the user or administrator that they stole the cookie from. Further, when it comes to WordPress sites, XSS vulnerabilities can easily be exploited to inject new administrative users or add back-doors via specially crafted JavaScript that makes it incredibly easy for attackers to gain unauthorized access to sensitive information on your WordPress site.

Image: an example XSS alert.

Unauthorized access to confidential information can have lasting negative effects on a business or website owner, but taking steps to secure this data goes a long way in mitigating these risks. Whether you’re running a personal blog that collects subscriber emails addresses, or an online retail site, there will be data that should be protected from accidental and malicious access. Keeping the concept of Confidentiality in mind while building and updating your WordPress website is a critical part of protecting this data. Even if it feels like a hassle to do the initial research and choose plugins that are known for their security, you will end up saving time and money by avoiding a potential data breach in the future.

When researching themes and plugins, one aspect you will want to consider is the developer’s transparency with any vulnerabilities. A few disclosed and patched vulnerabilities likely means the developer actively fixes any problems. A theme or plugin that does not list any patched vulnerabilities in the changelog may be just as much of a problem as one that has had too many vulnerabilities, especially when the theme or plugin has been around for a significant amount of time. This signifies the importance of not just relying on whether a plugin or theme has had any previously disclosed vulnerability, but rather focusing on the transparency and communication about security management from WordPress software developers.

Ensuring the Integrity of Site Data

Integrity is the pillar that defines how data is maintained and modified. The idea here is that data should only be modified by defined individuals, and any modification should be accurate and necessary as defined by the purpose of the data. Incorrect or unnecessary changes to data can cause confusion at a minimum, and can even have legal and financial consequences in some cases. While the Confidentiality pillar plays a role here, Integrity must be addressed independently to ensure that data being accessed has not been maliciously or accidentally compromised.

Capability checks are one way that WordPress not only protects Confidentiality, but also Integrity. Any plugins should be using capability checks to ensure that the user making a change to the site information, configuration, or contained data actually has the correct permissions to make those changes. From a site owner or maintainer perspective, this means researching any plugins and testing any that are being considered for the website to ensure that data can only be changed by its owner, or by an appropriate level of editor or administrator. If data is available on the website in any form, it will need to be checked, because a vulnerable plugin could allow an attacker to change or delete data if they know how to exploit the vulnerability. Site settings and code are also data, and if their Integrity is impacted, it can result in a complete compromise of the Confidentiality and Availability of any other data on the site.

Image: code showing a capability check.
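Here is an added example (not Wordfence's or WordPress core's code; the option name, the hook name and the "demo" settings page are hypothetical) of a plugin handler that writes a site setting, shown first without any check and then with the capability and nonce checks a maintainer should expect to find in a well-behaved plugin.

```php
<?php
// Added example, not Wordfence or WordPress core code. Hypothetical plugin
// that stores a support e-mail address in a site-wide option.
defined('ABSPATH') || exit;

/**
 * Missing-check version: anyone who can reach admin-post.php (any logged-in
 * role, or an administrator lured into submitting a forged form) can rewrite
 * the option. Shown for contrast only; it is deliberately not hooked anywhere.
 */
function demo_save_setting_unsafe(): void
{
    $email = sanitize_email(wp_unslash($_POST['support_email'] ?? ''));
    update_option('demo_support_email', $email);       // no "who", no "did they mean it"
    wp_safe_redirect(admin_url('options-general.php?page=demo'));
    exit;
}

/**
 * Hardened version: the capability check answers "may this user change site
 * configuration?", the nonce check answers "did this request come from our
 * own form in this user's session?" (stops CSRF). Only then is the value
 * validated and written, which is what keeps the option's Integrity.
 */
function demo_save_setting(): void
{
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to change this setting.', 'demo'), '', ['response' => 403]);
    }
    check_admin_referer('demo_save_setting');           // dies on a missing or stale nonce

    $email = sanitize_email(wp_unslash($_POST['support_email'] ?? ''));
    if ($email === '') {
        wp_die(esc_html__('Please enter a valid e-mail address.', 'demo'), '', ['response' => 400]);
    }
    update_option('demo_support_email', $email);
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('options-general.php?page=demo')));
    exit;
}
add_action('admin_post_demo_save_setting', 'demo_save_setting');

/**
 * The form that posts to the handler. wp_nonce_field() emits the token that
 * check_admin_referer() later verifies; the capability check here also keeps
 * the current value out of view of users who may not change it.
 */
function demo_render_form(): void
{
    if (!current_user_can('manage_options')) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="demo_save_setting">
        <?php wp_nonce_field('demo_save_setting'); ?>
        <label>Support e-mail
            <input type="email" name="support_email"
                   value="<?php echo esc_attr(get_option('demo_support_email', '')); ?>">
        </label>
        <?php submit_button(__('Save', 'demo')); ?>
    </form>
    <?php
}
```

demo_render_form() would be called from the settings page callback registered with add_options_page(); the rest of that page is omitted here.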

Due to the fact that not every plugin will properly use capability checks, it is the site maintainer’s responsibility to ensure the Integrity of data. In addition to testing plugins for access errors, all users should be properly maintained with appropriate access levels. In a business setting, this will also mean that user audits will need to be performed, and any employee who leaves the company should be immediately removed or disabled on the site. In many cases, having a policy of separating contributors and editors is a good practice as well. This will provide an environment where more than one set of eyes are seeing the changes to help catch any errors in the changes made to the data. Integrity is all about proper maintenance of data, but both malicious intent and unintentional errors must be taken into account to protect the Integrity of the data.

Guaranteeing the Availability of All Data

The final pillar in the Triad is Availability. In this sense, Availability means that data is available when requested. With a WordPress website, this means that the website is online, the database is accessible, and any data that should be available to a given user is available as long as they are logged in with the correct level of access. What Availability does not mean is that data will be available to everyone at any time. The first two pillars in the triad must be taken into account when determining Availability of data. Availability is the pillar that relies more heavily on infrastructure than on what most will consider to be security.

Availability may be the most obvious pillar to the end user, as it is clear to them when a website is not available, or the data they try to access on the website won’t load. The end user may not always be able to tell when confidential information is accessed without authorization or when data is incorrectly modified, but a lack of Availability is always going to be obvious. WordPress websites have a lot of working parts, and in order for data in a WordPress site to be available upon demand, all of those parts must work together flawlessly. This means that the website must be hosted somewhere reliable, fees associated with the domain name, hosting or other aspects of the infrastructure must be paid for in a timely manner, TLS certificates need to be renewed on time, and the website software must be updated regularly.

Countless articles have been written on the importance of updating WordPress components to protect Confidentiality and Integrity, but the topic of updating for Availability is just as important. Again, limiting access and ensuring Integrity play a role here, as data can be deleted maliciously or accidentally, but proper maintenance of the components of your website is just as critical. As technologies change on web servers, or new features are added to the website, older components may become incompatible and cease to function. Keeping a proper maintenance schedule, and testing functionality after each update, is an imperative part of guaranteeing the Availability of your website and the data it contains.

I’m Not A Cybersecurity Expert, How Do I Use The CIA Triad?

Fortunately, you don’t need to be a cybersecurity expert in order to keep the CIA Triad concepts at the core of the work you do. Defining policies for maintenance schedules, how to address problems with plugins, and even procedures for publishing changes to data will guide your processes. Wordfence, including Wordfence Free, provides a number of tools to help you keep to these standards, including two-factor authentication (2FA) to protect user accounts, and alerts for outdated site components or suspicious activity. The Wordfence WAF blocks attacks that threaten your data’s Confidentiality and Integrity, and the Wordfence Scan detects malware and other indicators that your data’s Integrity may have been compromised. Wordfence Premium includes the most up-to-date WAF rules and malware signatures as well as country blocking, and our Real-Time IP Blocklist, which keeps track of which IPs are attacking our users and blocks them so they don’t even have a chance to threaten your site.

Wordfence also offers two additional services: Wordfence Care and Wordfence Response. Both services help maintain your site’s security by following the core principles of the CIA Triad. Our team of security experts begins with a complete security audit of your site to identify ways you can improve your WordPress site’s data Confidentiality, through things like TLS certificates and cryptographic standards. Our team also recommends best practices that can improve your WordPress site’s Integrity and Availability of data, such as performing regularly maintained backups and not using software with known vulnerabilities. Both Wordfence Care and Wordfence Response include monitoring of your WordPress site by our team of security professionals to ensure that your site’s Confidentiality, Integrity, and Availability are not compromised, and both services include security incident response and remediation. Wordfence Response offers the same service as Wordfence Care, but with 24/7/365 Availability and a 1-hour response time.

Conclusion

Employing the CIA Triad will help any website owner or maintainer to manage the security of the data on the site, even if they are not specifically in a cybersecurity role. No matter who the website is for, the data on it needs to be confidential, accurate, and available. The concepts covered by the CIA Triad are here to guide decisions that will ensure this need is met. Employing these concepts will help you breathe easier knowing that you have minimized the chances of your data being compromised in an attack or accident.

Source :
https://www.wordfence.com/blog/2022/06/the-cybersecurity-cia-triad-what-you-need-to-know-as-a-wordpress-site-owner/

Yoast SEO 19.0: Optimize crawling and Bing discoverability

One of the most important aspects of SEO is optimizing the crawlability of your site. Search engines have near-endless resources, so they have the power to crawl everything they find — and they will. But, that is not the way it should be. Almost every CMS outputs URLs that don’t make sense and that crawlers could safely skip. With Yoast SEO Premium 18.6, we’re starting a series of additions to clean up those unnecessary URLs, feeds, and assets so that the more critical stuff stands a better chance of being crawled.

Making your site easier to crawl

Google and other search engines crawl almost everything they can find — as Yoast founder Joost de Valk proves in a post on his site. But it can be hard to get them to crawl what you want them to crawl. Moreover, crawlers can come by many times each day and still not pick up the important stuff. There’s a lot to gain for every party involved — from the crawlers, site owners, and environment — to make this process more sensible. Yoast SEO Premium will help search engines crawl your site more efficiently.

In Yoast SEO Premium 18.6, we’re introducing the first addition to our crawl settings, allowing you to manage better what search engines can skip on your site. In this release, we’re starting with those RSS feeds of post comments in WordPress, but we have a long list of stuff that we want to help you manage.

Head over to our new Crawl settings section in the General settings of Yoast SEO Premium and activate the first option, which prevents search engines from crawling the post comment feeds.

From Yoast SEO Premium 18.6 on, the Crawl settings will host additional controls that impact crawling

This feature is available to all Yoast SEO Premium subscribers in beta form, and we’ve selected not to activate this for every site. In some cases, there still might be sites that use this in a way we can’t anticipate. We’re rolling out more crawling options — big and small — in the coming releases.

Let’s all start cleaning up the crawling on our sites — it’s better for you, your visitors, search engines, and the environment. All with a little help from Yoast SEO Premium. Let’s go!

Keeping Bing updated on your site

Yoast SEO 19.0 and Premium 18.6 also help Bing find your XML sitemaps. Last week, Bing changed the way it previously handled XML sitemaps. Before, we could submit sitemap URLs anonymously using an HTTP request, but Bing found that spammers were misusing it thanks to this anonymity. You now have two options to submit your sitemaps to Bing: a link in the robots.txt file or Bing Webmaster Tools.

To make your sitemaps available to Bing, we’ve updated Yoast SEO to add a link to your XML sitemap to your robots.txt file — if you want. This ensures that Bing can easily find your sitemap and keep updated on whatever you publish or change on your site. If you haven’t made a robots.txt file yourself, we’ll now add one with a link to your sitemap.xml file. You can add the link yourself via the file editor in Yoast SEO if you already have one.

Also, this might be an excellent opportunity to check out Bing Webmaster Tools — there are some great insights to be gained into your site’s performance on Bing.

An example from Bing’s homepage showing the XML sitemap properly linked in robots.txt

Other enhancements and fixes

Of course, we did another round of bug fixes and enhancements. There are two that we’d like to highlight here. We’ve enhanced the compatibility with Elementor, ensuring that our SEO analysis functions appropriately.

In addition, we enhanced our consecutive sentence assessment in the readability analysis. This threw warnings when you had multiple sentences starting with the same word in a list. We handle content in lists differently now, and having various instances with the same word should not throw a warning anymore.

Update now to Yoast SEO 19.0 & Premium 18.6

In this release, we’re introducing more ways to control crawling on your site. For Yoast SEO Premium, we’re starting with a small addition to manage post comment feeds, but we’re expanding that in the coming releases. The feature is in beta, so we welcome your feedback!

In addition, we’ve also made sure that Bing can still find your XML sitemap, and we’ve fixed a couple of bugs with Elementor and our readability analyses.

Source :
https://yoast.com/yoast-seo-may-31-2022/

How IT executives are advancing sustainability with the cloud

Sustainability action is a necessity for organizations looking to satisfy stakeholders, prepare their business for the effects of climate change, and reduce their environmental impact. While more organizations are implementing environmental sustainability practices—such as using sustainable materials, becoming more energy efficient, and embedding sustainability into employee training—these efforts alone are not enough to eliminate waste and reach net zero. 

In a recent survey of executives, Deloitte found that more than a third of organizations are only implementing one out of five “needle-moving” sustainability actions. To begin moving the needle quickly, IT executives can help their organizations accelerate sustainability by reducing the environmental impact of IT, facilitating a more circular economy, working with sustainable partners, and leading efforts that support environmental, social, and governance (ESG) measurement and reporting.

Sustainability pressures are becoming policies 

The pressure for more transparent sustainability action is continuing to rise: For the first time, the US Securities and Exchange Commission has proposed a rule to make environmental reporting mandatory. The recently proposed rule would require public companies to disclose climate-related risk management as well as direct and indirect greenhouse gas emissions (scope 1 and 2), eventually phasing in reporting for material emissions from value chains (scope 3).

The EU has long been ahead of the US when it comes to requiring organizations to report on emissions. Last year, the European Commission adopted a proposal for a Corporate Sustainability Reporting Directive (CSRD), which extends the scope of the Non-Financial Reporting Directive (NFRD) adopted in 2014. The CSRD proposal expands the number of companies required to report, introduces an audit and more detailed reporting, and would require organizations to report according to EU sustainability reporting standards.

88% of consumers want companies to help them be more sustainable (OnePulse)

Though policies and reporting requirements intensify the pressure for more corporate sustainability action, there is also pressure coming from consumers and employees. According to a PwC survey, 86% of employees prefer to work for organizations that share their values, and 76% of consumers would “discontinue [their] relationship with companies that treat the environment, employees, or the community in which they operate poorly.” This sentiment is matched by the results of a survey from OnePulse, which found that 88% of consumers want companies to help them be more sustainable. 

There’s a growing need for IT sustainability guidance

To address sustainability reporting requirements and demands from customers, employees, and boards, IT executives are stepping up. But amidst ever-changing guidelines and new climate data, knowing where and how to start implementing more sustainable IT practices remains challenging. Research from Capgemini found that only 18% of organizations have a defined sustainability strategy for IT.  

Nonprofits like SustainableIT.org are starting to fill the growing need for guidance by providing benchmarks for ESG measurements. Launched by CIOs and other tech leaders, the nonprofit plans to define sustainable digital transformation programs and provide best practices, education, and training for technology leaders that help support sustainable actions across their operations. 

IT executives can also look to research and consulting firms like Gartner, who recently released a report that provides a framework to help organizations plan for infrastructure and operations sustainability goals.

In addition to peer groups and research firms, IT executives can also use widely accepted measures provided by organizations such as: 

Cloud solutions help reduce the environmental impact of IT 

On-premises infrastructure often requires large amounts of power and additional physical materials to scale. According to estimates from Cloudscene, there are over 8,000 data centers worldwide and these data centers are estimated to account for nearly 1% of global energy consumption.

1 billion metric tons of CO2 can be prevented from entering the atmosphere between 2021-2024 with cloud computing (IDC)

IT leaders can reduce the carbon footprint of their computing infrastructure simply by moving to cloud systems. The cloud can help reduce greenhouse gas emissions, as cloud computing is more efficient than what organizations can achieve with on-premises infrastructure. Cloud data centers have higher utilization rates, use advanced cooling technologies that are more energy efficient, and are often powered by renewable energy. As more businesses migrate to the cloud, these efficiencies are estimated to potentially prevent more than 1 billion metric tons of CO2 from entering the atmosphere over the next few years.  

One customer case study found a 93% reduction in greenhouse gas emissions associated with migrating from a customer hosted Oracle ERP solution to Oracle ERP on Oracle Cloud Infrastructure. This included a 71% reduction in scope 1 emissions, 100% reduction in scope 2 emissions, and 84% reduction in scope 3 emissions (Figure 2). 

The cloud can also promote a more circular economy 

A key tenet of the circular economy is to decouple physical assets from the services they provide. This is exactly what the cloud provides. The cloud can contribute to a more eco-optimized supply chain by eliminating the need to procure and physically own your computing hardware.

Cloud computing can support a more circular economy

As organizations make the transition to cloud, they should also account for the impact that retired hardware has on the environment. To address this, IT executives can look to cloud providers that offer services like Oracle’s take back programs to help dispose of and recycle excess products in an environmentally responsible manner.

IT executives can accelerate sustainability with analytics

More transparency and better emissions data isn’t just about meeting reporting requirements—it’s also an essential component of reaching net zero. IT executives can help accelerate progress towards net zero by leading efforts to measure ESG performance. 

Deloitte found that “difficulty measuring environmental impact” was identified by executives as one of the five biggest obstacles to their sustainability efforts. By investing in cloud solutions and services such as integrated analytics platforms and IoT, AI and ML capabilities, IT executives can embed environmental-related data collection and reporting into the mainstream of business operations and associated IT infrastructure. 

30% of executives identify measuring environmental impact as a barrier to facilitating sustainability (Source: Deloitte)

At Oracle, we’ve been transforming our business operations to be more environmentally friendly by leveraging Oracle’s own innovative technology. Sustainability is now inherent in the way we think about and approach nearly every aspect of our business, from operational efficiency to product development to employee engagement. We use our own technology because Oracle Cloud is the only end-to-end cloud platform that enables the cross-functional process flows required to increase sustainability.

Partners and providers should meet your sustainability requirements

Providers and partners play a pivotal role in reducing your environmental impact, either helping or hindering your ability to achieve sustainability goals. Ensuring that business partners and suppliers meet your sustainability requirements is one of the five key actions that businesses need to take to realize the benefits of sustainability, according to Deloitte’s 2022 CxO Sustainability Report.

Beyond ensuring that your providers align with specific sustainability criteria, it’s also important to consider how they can contribute to changing business needs. As demands for greener products grow, IT executives should be primed to understand not only their risks, but also their ability to act on new opportunities. By partnering with cloud providers that offer advanced cloud technologies and a wide range of services and solutions, you can position your business to capture new value when it arises and do so quickly.

Take a step towards sustainability with Oracle Cloud Infrastructure

Oracle Cloud Infrastructure is a high-performance green cloud solution that provides customers with the opportunity to drive business value and reduce their environmental impact. Oracle data centers are 75% more energy efficient than a typical corporate data center. Because we design, build, deploy, and recycle our hardware, we are contributing to a more circular economy that minimizes waste, maximizes circularity, and helps achieve net-zero carbon. 

By consolidating and optimizing our IT infrastructure while delivering advanced technologies, such as AI and blockchain, we help organizations reduce their environmental impact, measure progress, and achieve their sustainability goals.


Get started today for free. Learn more about Oracle Cloud sustainability and take a step towards sustainability with Oracle Cloud Free Tier.



1. OnePulse, 88% Of Consumers Want You To Help Them Make A Difference

2. IDC, Cloud Computing Could Eliminate a Billion Metric Tons of CO2 Emission Over the Next Four Years, and Possibly More, According to a New IDC Forecast

3. Deloitte, Deloitte 2022 CxO Sustainability Report

Source :
https://blogs.oracle.com/sustainability/post/how-it-executives-are-advancing-sustainability-with-the-cloud

How to Fix WordPress 404 Page Not Found Error – A Detailed Guide

It is common that you come across the WordPress 404 or “WordPress site permalinks not working” error on your website if it is not maintained properly. But there are times when your website is under maintenance and your visitors will be automatically directed to a 404 error page.

Are you facing a WordPress 404 error or a “WordPress page not found” error? Don’t freak out! We have a solution for you.

What is a WordPress 404 Error?

The 404 error is an HTTP response code that occurs when a user clicks on a link to a missing page or a broken link. The web hosting server will automatically send the user an error message that says, for example, “404 Not Found”.

The error has some common causes:

  • You’ve newly migrated your site to a new host
  • You have changed your post/page slug but haven’t redirected the old URL
  • File permissions are incorrect
  • You have opened an incorrect URL
  • Poorly coded plugin/theme

Many WordPress themes offer creative layout & content options to display the 404 error page. Cloudways’s 404 error has custom design and layout too:

404 error Cloudways landing page

How to Fix WordPress 404 Error in 8 Simple Steps

In this tutorial, I am going to show you how to easily fix the WordPress “404 not found” error on your website. So let’s get started!

1. Clear Browser History & Cookies

The very first troubleshooting method that I perform is clearing the browser cache and cookies. Or you can try to visit your site incognito.

If, apart from your homepage, your other WordPress website pages give you a 404 page not found error, you can follow these steps to resolve the issue.

  • Log in to your WordPress Dashboard
  • Go to Settings → Permalinks
  • Select the Default settings
  • Click Save Changes button
  • Change the settings back to the previous configuration (the one you selected before Default). Put the custom structure back if you had one.
  • Click Save Settings

Note: If you are using a custom structure, then copy/paste it in the Custom Base section.

custom structure setting

This solution could fix the WordPress 404 not found or “WordPress permalinks not working” error. If it doesn’t work, you’ll need to edit the .htaccess file in the main directory of your WordPress installation (where the main index.php file resides). 404 errors are also commonly caused by a misconfigured .htaccess file or by file-permission issues.

3. Restore Your .htaccess File

.htaccess is a hidden file, so you must enable showing hidden files in your FTP client.

Note: It’s always recommended to back up your site before editing any files or pages.

First, log in to your server using FTP. Download the .htaccess file, which is located in the same directory as the /wp-content/, /wp-admin/ and /wp-includes/ folders.

Next, open this file in the text editor of your choice.

Visit the following link and copy/paste the version of the code that is most suitable for your website. Save the .htaccess file and upload it to the live server.

public folder

For example, if you have Basic WP, use the code below.

  # BEGIN WordPress
  RewriteEngine On
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
  # END WordPress

4. Setup a 301 Redirect

If you have changed the URL of any specific page and haven’t redirected it yet, it’s time to redirect the old URL to your new URL. There are two easy ways to redirect your old post/page: via plugin and htaccess file.

If you are comfortable working with htaccess, add the following code to your htaccess file. Don’t forget to replace the URLs with your own website.

  Redirect 301 /oldpage.html https://www.mywebsite.com/newpage.html

For an easier way, install the Redirection Plugin and go to WordPress Dashboard > Tools > Redirection. Complete the setup and Add new redirection.

Redirection

5. Disabling Plugins/Theme

It’s possible that an outdated or poorly coded plugin is causing the 404 error on your WordPress site. To check this, you need to deactivate all your plugins.

Access your WordPress files using an FTP client like FileZilla. Go to public_html > wp-content and change the plugins folder name to something like myplugins.

Disabling Plugins

Now go back to your browser to check if the website starts working or not. If the error has been resolved then one of the plugins is the culprit.

Note: If it’s not resolved then simply change the myplugins folder name to plugins and move to the next troubleshoot method.

If it’s resolved, change the myplugins folder name to plugins and open your WordPress dashboard to find the culprit. Go to Plugins > Installed Plugins. Activate each plugin one by one and check if your website is working. This way you can find the problematic plugin and resolve your WordPress 404 error.

plugins

6. Change and Update WordPress URL in Database

Maybe you’re seeing this error on your WordPress website.

“The requested URL was not found on this server. If you entered the URL manually, please check your spelling and try again.”

Update WordPress URL

Go to phpMyAdmin, navigate to your database name, and select the wp_options table. For example, blog > wp_options.

PHPMyAdmin

Now change the stored site URL (the siteurl and home options). For example, from https://www.abc.com/blog/ to http://localhost/blog.

change the URL

7. Fix WordPress 404 Error on Local Servers

Many designers and developers install WordPress on their desktops and laptops using a local server for staging purposes. A common problem with local server installations of WordPress is the inability to get permalink rewrite rules to work. You might try to change the permalinks for posts and pages, but eventually the website shows the WordPress “404 Not Found” error.

In this situation, turn on the rewrite module in your WAMP, XAMPP, or MAMP installation. For the purpose of this tutorial, I am using WAMP. Navigate to the taskbar and find the WAMP icon. After that navigate to Apache → Apache modules.

Fixing Errors

This opens a long list of modules that you can toggle on and off. Find the one called “rewrite_module” and click it so that it is checked.

apache

Then check out whether your permalinks are working or not again.

8. Alternative Method

Navigate to your local server installation. Find the Apache folder, then go to the “conf” folder and open the httpd.conf file. Search for a line which looks like:

#LoadModule rewrite_module modules/mod_rewrite.so

Just remove the “#” sign so it looks like this:

LoadModule rewrite_module modules/mod_rewrite.so

Conclusion

I hope you find this guide helpful and that you were able to solve your “WordPress 404 page error” or “WordPress permalinks not working” problem. Have you figured out any other way to get rid of this problem? Please share your solutions with us in the provided comment section below.

Frequently Asked Questions

Q. Why am I getting a 404 error?

WordPress 404 errors usually occur when you have removed certain pages from your website and haven’t redirected them to other pages that are live. Sometimes, WordPress 404 page errors can also occur when you have changed a URL of a specific page.

Q. How do I test a 404 error?

There are multiple tools you can use to test WordPress 404 errors, like Deadlinkchecker.

Q. How to redirect WordPress 404 pages?

On your WordPress dashboard, navigate to Tools > Redirection. There you can apply redirection by pasting the broken URL in the source box and the new URL in the Target box.

Q. How to edit a WordPress 404 page?

On your WordPress dashboard, navigate to Appearance > Theme Editor. Find the file named 404.php and edit it yourself or with the help of a WordPress developer.

Source :
https://www.cloudways.com/blog/wordpress-404-error/

Trend Micro’s One Vision, One Platform

The world moves fast sometimes. Just two years ago, organizations were talking vaguely about the need to transform digitally, and ransomware began to make headlines outside the IT media circle. Fast forward to 2022, and threat actors have held oil pipelines and critical food supply chains hostage, while many organizations have passed a digital tipping point that will leave them forever changed. Against this backdrop, CISOs are increasingly aware of the cost, operational, and risk implications of running disjointed point products.

That’s why Trend Micro is transforming from a product- to a platform-centric company. From the endpoint to the cloud, we’re focused on helping our customers prepare for, withstand, and rapidly recover from threats—freeing them to go further and do more. Analysts seem to agree.

Unprecedented change

The digital transformation that organizations underwent during the pandemic was, in some cases, unprecedented. It helped them adapt to a new reality of remote and now hybrid working, supply chain disruption, and rising customer expectations. The challenge is that these investments in cloud infrastructure and services are broadening the corporate attack surface. In many cases, in-house teams are drowning in new attack techniques and cloud provider features. This can lead to misconfigurations which open the door to hackers.

Yet even without human error, there’s plenty for the bad guys to target in modern IT environments—from unpatched vulnerabilities to accounts protected with easy-to-guess or previously breached passwords. That means threat prevention isn’t always possible. Instead, organizations are increasingly looking to augment these capabilities with detection and response tooling like XDR to ensure incidents don’t turn into large-scale breaches. It’s important that these tools are able to prioritize alerts. Trend Micro found that as many as 70% of security operations (SecOps) teams are emotionally overwhelmed with the sheer volume of alerts they’re forced to deal with.

SecOps staff and their colleagues across the IT function are stretched to the limit by these trends, which are compounded by industry skills shortages. The last thing they need is to have to swivel-chair between multiple products to find the right information.

What Gartner says

Analyst firm Gartner is observing the same broad industry trends. In a recent report, it claimed that:

  • Vendors are increasingly divided into “platform” and “portfolio” providers—the latter providing products with little underlying integration
  • By 2025, 70% of organizations will reduce to a maximum of three the number of vendors they use to secure cloud-native applications
  • By 2027, half of the mid-market security buyers will use XDR to help consolidate security technologies such as endpoint, cloud, and identity
  • Vendors are increasingly integrating diverse security capabilities into a single platform. Those which minimize the number of consoles and configuration planes, and reuse components and information, will generate the biggest benefits

The power of one

This is music to our ears. That is why Trend Micro is introducing a unified cybersecurity platform, delivering protection across the endpoint, network, email, IoT, and cloud, all tied together with threat detection and response from our Vision One platform. These capabilities will help customers optimize protection, detection, and response, leveraging automation across the key layers of their IT environment in a way that leaves no coverage gaps for the bad guys to hide in.

There are fewer overheads and hands-on decisions for stretched security teams with fewer vendors to manage, a high degree of automation, and better alert prioritization. Trend Micro’s unified cybersecurity platform vision also includes Trend Micro Service One for 24/7/365 managed detection, response, and support—to augment in-house skills and let teams focus on higher-value tasks.

According to Gartner, the growth in market demand for platform-based offerings has led some vendors to bundle products as a portfolio despite no underlying synergy. This can be a “worst of all worlds,” as products are neither best-of-breed nor do they reduce complexity and overheads, it claims.

We agree. That’s why Trend Micro offers a fundamentally more coherent platform approach. We help organizations continuously discover an ever-changing attack surface, assess risks and then take streamlined steps to mitigate that risk—applying the right security at the right time. That’s one vision, one platform, and total protection.

To find out more about Trend Micro One, please visit: https://www.trendmicro.com/platform-one

Source :
https://www.trendmicro.com/en_us/research/22/e/platform-centric-enterprise-cybersecurity-protection.html

WordPress 6.0: A major release with major improvements

It’s only been 4 months since the previous major release, but we’re already excited to welcome WordPress 6.0. Of course, as with every other major release, you can expect loads of improvements and exciting new features. This new version is no different. WordPress 6.0 continues to refine and iterate on the tools and features introduced in earlier releases. Let’s dive deeper into what WordPress 6.0 brings to your table!

For starters, this release will include all the great new features, enhancements and gains from Gutenberg 12.0 and 13.0. At the same time, developers and contributors continue to work on bug fixes and improvements that significantly impact the overall user experience on WordPress. This translates to over 400 updates, 500 bug fixes, and 91 new features in just one release, which is huge!

We’re getting an improved list view experience, style theme variations, additional templates, new blocks, new enhancements to the block editors and many more. Since there are many new things coming in this release, we’d like to bring your attention to some of the features and improvements that will likely have an impact on the way you use WordPress.

Full site editing enhancements and new features

Full site editing was the talk of the town when this major feature was introduced in previous releases. WordPress 6.0 continues to build upon the groundwork laid in 5.9 and further improves on what you can do with full site editing. You will need to use a block-based theme such as WordPress’s Twenty Twenty-Two to take advantage of full site editing.

Style variations and global style switcher

Many people in the WordPress community are excited about this feature in the Site editor. You’ll be able to use theme variations derived from one single theme using various color and font combinations. It’s kind of like having several child themes but integrated into one single theme. And it’s incredibly easy to apply a new style variation across your entire site. From now on, you’ll be able to change the look and feel of your website with just a click.

Easily change the look and feel of your site using style variations

Theme export capability

Another huge improvement to full site editing specifically and the WordPress platform as a whole is the ability to export block themes. Any templates, layouts and style changes you made can be saved and exported to a .zip file. This feature is huge because it’s paving the way for visual theme building. You can create a WordPress theme just by purely using Gutenberg blocks. And of course, no coding knowledge is required!

To export your theme, go to your Site editor and click on the 3 dots icon in the top right corner. A menu will appear with the option to download your theme.

New templates

Being able to use and customize templates to build your website content is great because it helps you to save time. We had templates to work with in previous WordPress versions, but the options were limited. WordPress 6.0 expands on this and introduces several new templates for specific functions. These include templates for displaying posts from a specific author, category, date, tag, or taxonomy.

New template options in the site editor

List view enhancements

When you access the list view in WordPress 6.0, you will see that your blocks are grouped together and collapsed instead of showing everything like in previous versions. This will make navigating the list view much easier. Next to this, when you’re working on a page with the list view open and you click anywhere on the page, it will highlight precisely where you are in the list view. Anyone who regularly works on complex pages should appreciate this enhancement.

The improved list view experience in WordPress 6.0

Block editor enhancements

New core blocks

WordPress 6.0 will ship with several new blocks, including post author biography, avatar, no results in query loop and read more. We want to point you to the new comment query loop block because it further ‘blockifies’ the comment section of your post. With this new block, you’ll get plenty of customization options to design the comment section the way you want to.

The comment query loop block lets you customize your comment section

More features and enhancements

There are so many improvements and enhancements to the block editor that we can’t cover everything in this post. Instead, we will mention a few that we think will be the most beneficial for you.

The first new enhancement in the block editor we want to introduce is block locking. Moving forward, you’ll be able to lock a block so it can’t be moved and/or edited. A locked block will display a padlock when you click on it. And when you open the list view, you’ll also see the padlock indicating a locked block. This feature is especially useful if you work a lot with reusable blocks and don’t want anyone messing around with those blocks. It’s also beneficial for preserving design layouts when you’re creating templates or working with clients.

The new block locking UI

Next to that, in WordPress 6.0, when you customize a button and then add a new button using the plus button, it will have the same style as the one you’ve just customized. Before, you would need to redo all the customization if you wanted to add several buttons with the same style.

Another cool feature in this new version is style retention. It’s now possible to keep a block’s style when transforming certain blocks from one type to another and vice versa. It works with quite a few blocks, including quote, list, code, heading, pullquote and verse.

Lastly, the cover block can now dynamically grab your featured image and set it as the background for the cover block. All you have to do is select the ‘use featured image’ setting and WordPress will do the rest.

The cover block can now dynamically grab your post’s featured image and use it as a background

Writing improvements

You can expect several notable writing improvements in this new version of WordPress. They are not major changes by any means, but you’ll definitely notice and appreciate the refinement in your overall writing experience.

Have you ever tried selecting text from 2 separate blocks and got annoyed because it automatically selected all the text from both blocks? Well, you won’t be bothered by that anymore. From WordPress 6.0 onwards, you can easily select text across blocks and edit it to your liking. This is definitely a quality of life improvement.

You can conveniently select text across blocks in WordPress 6.0

Also coming your way is a new link completer shortcut. You can access this shortcut anytime by typing “[[” and it will show you a list of links on your site. This feature can be handy when you’re doing internal linking, for instance.

Lastly, WordPress will remind you to add tags and categories as the last step before you can publish a post. When you publish a lot of posts, it can be easy to forget this step so this is quite a neat feature for forgetful folks.

Design and layout tools

We won’t be diving too much into the improvements in design and layout tools, but we do think the following two features deserve a mention.

The first one is transparency control for backgrounds, which is very useful when you want to use a background with columns. You’ll surely elevate your post design if you can make use of this feature. The next fun addition to WordPress 6.0 is gap support for the gallery block. This just means you have more control over the spacing of your images, giving you a bit more freedom in how you want to display your image gallery. Anyone can take advantage of these 2 new features, but people who run photography and fashion websites can probably appreciate them the most.

Source:
https://yoast.com/wordpress-6-0/

QNAP Urges Users to Update NAS Devices to Prevent Deadbolt Ransomware Attacks

Taiwanese network-attached storage (NAS) devices maker QNAP on Thursday warned its customers of a fresh wave of DeadBolt ransomware attacks.

The intrusions are said to have targeted TS-x51 series and TS-x53 series appliances running on QTS 4.3.6 and QTS 4.4.1, according to its product security incident response team.

“QNAP urges all NAS users to check and update QTS to the latest version as soon as possible, and avoid exposing their NAS to the internet,” QNAP said in an advisory.

This development marks the third time QNAP devices have come under assault from DeadBolt ransomware since the start of the year.

Deadbolt Ransomware Attacks

In late January, as many as 4,988 DeadBolt-infected QNAP devices were identified, prompting the company to release a forced firmware update. A second uptick in new infections was observed in mid-March.

DeadBolt attacks are also notable for the fact that they allegedly leverage zero-day flaws in the software to gain remote access and encrypt the systems.

Ransomware Attacks

According to a new report published by Group-IB, exploitation of security vulnerabilities in public-facing applications emerged as the third most used vector to gain initial access, accounting for 21% of all ransomware attacks investigated by the firm in 2021.

Source:
https://thehackernews.com/2022/05/qnap-urges-users-to-update-nas-devices.html