Webmaster level: advanced
An easy solution for web users is to use an optimizing proxy, like Chrome's. When users opt into this service their HTTP traffic goes via Google's proxy, which optimizes their page loads and cuts bandwidth usage by 50%. While this is great for these users, it's limited to people using Chrome who turn the feature on and it can't optimize HTTPS traffic.
With Optimize for Bandwidth, the PageSpeed team is bringing this same technology to webmasters so that everyone can benefit: users of other browsers, secure sites, desktop users, and site owners who want to bring down their outbound traffic bills. Just install the PageSpeed module on your Apache or Nginx server, turn on Optimize for Bandwidth in your configuration, and PageSpeed will do the rest.
Posted by Jeff Kaufman, Make the Web Fast
If you're using a different web server, consider running PageSpeed on an Apache or Nginx proxy. And it's all open source, with porting efforts underway for IIS, ATS, and others.
A local file inclusion vulnerability in the WordPress Slider Revolution Plugin has been released:
Apparently this vulnerability has been discussed on some underground forums for a couple of months, but it wasn't until these more mainstream websites published data that we saw attackers start scanning for vulnerable sites. Our web honeypots picked up increased scanning activity today. Here is an example full audit log dump of the HTTP request from our ModSecurity WAF:
In this attack example, the attacker is trying to access the WordPress config file in the hopes of obtaining sensitive data such as database credentials.

Recommendations

Update your WordPress Slider Revolution Plugin
Sucuri Security is seeing similar activity and is also reporting that the developer of this Plugin chose to silently patch this vulnerability. This did a disservice to the Plugin's user base, who needed to be aware of the problem and to be prompted to update. A couple of notes:
- Updating this plugin may need to be done manually if your WP manager does not provide an interface for it.
- Beware that "disabling" the Plugin may end up being superseded by the Theme, and the Plugin may be re-enabled. You may need to remove it altogether if you cannot update it.
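
One way to check your own access logs for the kind of request described above, as an added example (not code from the original post and not Trustwave's signature). The log lines, the endpoint path and the parameter names are constructed placeholders, and the Apache combined log format is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (Apache combined format); endpoint and parameter
# names are placeholders, not the plugin's real ones.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:01:02 +0000] "GET /wp-admin/plugin-endpoint.php?file=../wp-config.php HTTP/1.1" 200 3120 "-" "scanner"
203.0.113.5 - - [01/Jan/2024:10:01:03 +0000] "GET /wp-admin/plugin-endpoint.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "scanner"
203.0.113.8 - - [01/Jan/2024:10:01:09 +0000] "GET /wp-admin/plugin-endpoint.php?file=/var/www/html/wp-config.php HTTP/1.1" 200 3120 "-" "scanner"
198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?img=slides/banner.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:03:00 +0000] "GET /blog/?s=how+to+edit+wp-config.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return a reason if a parameter value looks like a file-read attempt."""
    value = fully_decode(value)
    if TRAVERSAL_RE.search(value):
        return "traversal"
    # A value whose final path component is the config file itself.
    if re.split(r'[/\\]', value)[-1].lower() == "wp-config.php":
        return "config-file"
    return None

def scan(log_text):
    """Return (client_ip, status, parameter, reason) for suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, _method, target, status = m.groups()
            # parse_qsl already decodes once; classify() handles extra layers.
            for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
                reason = classify(value)
                if reason:
                    hits.append((ip, int(status), name, reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A flagged request that was answered with status 200 deserves the closest look, since the target of these requests is the config file holding the database credentials.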
WAFs can be used to help prevent exploitation until you can get your systems updated. Trustwave's WebDefend WAF would block this attack either through a generic "Directory Traversal Attack" signature or through an anomaly of the learned resource profile. For ModSecurity WAF, we have added a new signature to our commercial rules feed: