WordPress 5.0.1 Patches Code Execution Vulnerability Nearly A Year After Public Guide On How To Exploit WP Vuln

Posted on January 13, 2019 | January 14, 2019 | Categories: wordpress exploit

One year ago, Ripstech reported a way that anyone with the ability to edit and delete media files could exploit WordPress. By default, Authors and higher roles have this ability; some plugins also grant it to other users.

This was reported in January of 2018 and blogged about in June of 2018, since there had been no fix. The blog post was a complete guide for anyone who would want to hack WordPress. We found this exploit in all old versions of WordPress we reviewed. On December 12th, 2018 WordPress 5.0.1 was released fixing this issue. Was this a hard, painful fix with tons of code? No. It was adding essentially one word to one line of code, yet WordPress waited nearly a year to fix this issue.


Airtight Security Patches Issue with Yoast Impacting Podcasters

Posted on January 12, 2019 | January 14, 2019 | Categories: yoast seo

Power companies join forces to help WordPress users.

Update: our patch for podcasters and anyone else dependent on RSS, despite being tested repeatedly, wasn’t perfect. We are honest about our code, so we will have a patch that works for everyone soon! Until then we removed our patch for the feeds.

We just released another free patch in Airtight Security, fixing yet another issue in Yoast impacting who can see and hear your podcast. The same issue that we reported on sitemaps was also affecting podcasts. We have gone over our code to ensure that it fixes this issue for your podcast while you are using Yoast, and it does! Comment your favorite podcast down below.

PowerPress Joins Battle Against Yoast Hurting Customers Online Visibility

Posted on January 12, 2019 | January 14, 2019 | Categories: technology, yoast seo

PowerPress, a large podcasting company for WordPress, has announced on Yoast’s GitHub that they’re making a fix for the Yoast issue hurting their customers’ visibility online. Our software Airtight Security fixes that for sitemaps and will be fixing it for podcasts in approximately 24 hours. PowerPress is solely focusing on the podcast side of this battle with Yoast, showing that it is hurting podcasters, as they have the dataset showing the visibility issue to podcast users. They don’t have the dataset that we do focusing on regular website visibility for the average user, so we understand their statement. We also understand that no one, including us, takes on a big company without a large dataset to back up what they are saying. So PowerPress choosing only to defend podcast users makes sense, given their dataset. And now let’s see their statement.

I have a pre-release version of PowerPress that fixes this issue. Please contact me cio [at] rawvoice dot com for the link if you would like to test/use.
For those who want to wait, this feature will be released in PowerPress 7.4.1 in 1-4 weeks, depending on how fast testers get back to us on how the fix worked out for them.
For a regular website I get it, the feeds should not be indexed. For a podcast though this prevents your podcast from getting onto Google Podcasts, which is a big deal especially since podcasts may soon be treated as 1st class citizens in search, similar to YouTube videos.

We knew our podcast had visibility issues, but did not have the data to support the hypothesis until recently. Our podcast wasn’t visible, so we moved on to other venues of communication. We didn’t mention podcasts in our original post about sitemap visibility, since we don’t collect that data.

You can use our software Airtight Security to fix this issue for podcasts and your sitemap or try and join PowerPress if you use their software.

Many SEO Software Companies Are Making You Not Rank As Well Costing you money

Posted on January 8, 2019 | July 3, 2019 | Categories: cyber security, information security, yoast seo

Based on our research, top SEO plugins cause sites to drop in Google rankings due to telling Google not to index their sitemaps. We support this with graphs and facts with our software fix.

We wrote this article in January, and it pointed directly to Yoast SEO as causing issues with sites not being seen by Google. We later learned that Google was suggesting the code Yoast was using to all the major SEO software companies we’ve discovered.

Update: Yoast requested to have this post deleted and our plugin removed that fixes this issue.

Yoast SEO is one of the most popular WordPress Plugins with over 5 million sites using their software. While Yoast provides a template to fill in the meta description field, it also generates a sitemap as do many other SEO software products.

Sitemaps are extremely important for Google to be able to see your site and be able to decide what it should index and what it shouldn’t index.

Yoast, All in one SEO, and many other seo products are essentially telling Google to not look at your sitemap by putting no-index in their header. This makes it much harder for Google to find links on your site.

While the list of SEO software that we’ve found containing the code Google suggests, we are happy Yoast will be fixing this in 11.7.

The SEO software companies currently include Yoast, All In One SEO and an independent plugin called Google XML Sitemap Generator for WordPress, which was not made by Google.

This started around July 5th, 2018 and cost one of our clients tourslosangeles.com over 100,000 dollars and another client an undisclosed amount of money from all in one seo. We made a free fix with our plugin Airtight Security so you can continue to use these programs and Google can see your sitemap. This means Google can find your site a lot easier. All you have to do to get our plugin is go to your WordPress site and log in. Then go to your plugins and click add new. After clicking add new search for airtight security and download our plugin and activate it. It will automatically fix the issue without any intervention by you.

The rest of this article is kept intact for historical purposes with minor updates, as this article was written in January.

Does A sitemap guarantee Google Will Index My Links?

No, it does not and Moz pointed this out in an extremely honest and detailed piece on xml sitemaps they wrote. What a sitemap does is let Google see you have content, rank the content using their algorithm and decide if the content should be included on Google and how valuable it is. The reason this is so important is that serious companies will be writing content that is of value every single day and expect their sitemap to help Google find it quickly instead of having to manually go to Google Webmasters and enter each link manually.

What Happens When Google Sees my Sitemap When using one of these SEO companies?

Here are screenshots of what Google sees when we tested this using Yoast.

[Screenshots: Yoast SEO XML sitemap has a no-index HTTP header on it]

Is that not enough proof for you that Yoast among others are blocking your sitemap from being indexed? This is what happens when you try to index a Yoast sitemap without going to the live test view, which is what we displayed above.

Prove SEO Software Is Causing this!

While our team initially thought the site was infected with malware, we found no malware. We finally found the code in the SEO products that makes it impossible to index the sitemap. All that is required is to remove a few lines of code to stop the problem.

When we turn on our program Airtight Security, the no-index header created by Yoast’s sitemaps is removed.

[Screenshot: Google allows sitemap indexing after Airtight Security fixes Yoast SEO]

When we turn off Airtight Security and use a Chrome extension that lets you see HTTP headers, you can visually see the no-index header on the sitemap.

You see where it says x-robots-tag noindex, follow? That is how your sitemaps aren’t being indexed.
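The same header check can be scripted instead of read from a browser extension. This is an added example, not code from Airtight Security or Yoast: the URLs, sample responses and function names are constructed for illustration, and it goes beyond the single header shown above by also handling the crawler-scoped form of X-Robots-Tag.

```python
import re

# Directives that carry a value after ":" (so the prefix is not a crawler name).
VALUE_DIRECTIVES = {"unavailable_after", "max-snippet",
                    "max-image-preview", "max-video-preview"}

# Constructed response heads, keyed by hypothetical URLs (not captured traffic).
SAMPLES = {
    "https://example.com/sitemap.xml": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/xml; charset=UTF-8\r\n"
        "X-Robots-Tag: noindex, follow\r\n"
        "x-robots-tag: otherbot: nofollow\r\n\r\n"),
    "https://example.com/feed/": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: application/rss+xml\r\n"
        "X-Robots-Tag: googlebot: none\r\n\r\n"),
    "https://example.com/": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n\r\n"),
}

def robots_directives(raw_head, user_agent="googlebot"):
    """Return the X-Robots-Tag directives in raw_head that apply to user_agent."""
    applied = set()
    for line in raw_head.split("\r\n")[1:]:           # skip the status line
        if not line:                                   # blank line ends the head
            break
        name, _, value = line.partition(":")
        if name.strip().lower() != "x-robots-tag":     # header names are case-insensitive
            continue
        prefix, sep, rest = value.partition(":")
        scope = prefix.strip().lower()
        if sep and "," not in prefix and scope not in VALUE_DIRECTIVES:
            if scope != user_agent.lower():            # scoped to another crawler
                continue
            value = rest
        for token in value.split(","):
            directive = token.split(":")[0].strip().lower()
            if re.fullmatch(r"[a-z_-]+", directive):
                applied.add(directive)
    return applied

def blocks_indexing(raw_head, user_agent="googlebot"):
    """True if the response tells user_agent not to index ("none" implies noindex)."""
    return bool({"noindex", "none"} & robots_directives(raw_head, user_agent))

def audit(samples, user_agent="googlebot"):
    """Return the URLs whose response head carries a noindex for user_agent."""
    return sorted(u for u, head in samples.items() if blocks_indexing(head, user_agent))
```

To run it against a live site, feed it the response head saved from a HEAD request to your own sitemap or feed URL.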

Do Premium Versions Fix This?

Since we were not aware that Google was telling SEO companies to do this when this was first published, we noticed that Yoast, which is where this investigation began, was pushing their premium version what seemed to be more than usual. At the time we thought Yoast had possibly patched the issue for users who upgraded from the free version to the paid version, so we bought the product for analysis, only to learn that isn’t the case.

Yoast did not want to remove these lines, as they believe this is helpful and makes sitemaps not rank higher in the search engines. While it is true it makes sitemaps not rank higher, since you’re not indexing them at all, our data also shows all these companies, not just Yoast, are making companies less visible online. So far we’ve identified All In One SEO, Yoast and Google Sitemap Generator, which is a WordPress plugin.

Leafly used Yoast

Leafly is a website that suffered a massive depletion of users, yet magically jumped back up and is doing great. So how is this possible if they use Yoast? Because they abandoned WordPress when customers started dropping off, as the chart shows, in September and October. We know they used Yoast thanks to this site that tracks users of Yoast. When they stopped using Yoast, the no-index code was removed and they became more visible.

[Chart: Icepop progressively loses users as they use Yoast version with no-index]


Icepop.com has progressively lost users in the same time period our customer experienced a drop in customers, which was towards the end of summer, though it is worth noting they no longer publicly display they are using yoast in their view-source. They still both have something in common, they both used Yoast. But is that it, just two sites that have had a decrease in traffic? Nope, not at all, so let’s keep looking.

[Chart: Cheatsheet has lost a massive amount of visitors due to Yoast]

Cheatsheet.com has had a major decrease at the same time as all the other sites, though it is worth noting they currently use Yoast SEO Premium. It is of no surprise to us that cheatsheet.com has had a massive decrease of visitors to their site since Yoast put a no-index on the sitemap. While we could compare millions of sites, this helps give you a visual of the issue that Yoast caused. It is also important to note that around the time this issue started, someone filed a GitHub complaint that they noticed the RSS feeds were not being indexed.

Does Yoast Know About the No-index issue?

Yoast initially considered this a feature in January, not a bug or an issue as that is what Google told them, but in July announced they are releasing a fix.

Their employee jono-alderson addressed the feature. Jono said on August 26th, 2018, when this started, about the RSS feed issue:

“From an SEO perspective, it’s generally worthwhile preventing Google from indexing RSS feeds via the x-robots HTTP header. Note for reference, that when this has a value of noindex, that doesn’t prevent Google from accessing or consuming the information – just from indexing it.
That aside, we should definitely add the ability to filter this value, so that we can be podcast-friendly. Easy fix!”

Let’s break that down into easily consumable pieces. First they claim no-index does not stop Google from “accessing or consuming the information”.

Google and any other search engine goes to a link, checks the headers and, if the header says no-index, goes away, since that is what no-index means. So, according to the statement by the Yoast employee, since they can access the site and be told to leave, that is fine. What we haven’t mentioned is that Yoast uses noindex, follow, which is very misleading, and we clear up how this messes up your site in the words of John Mueller, the Webmaster Trends Analyst at Google, from Google’s Webmaster Round Table.

Let’s be very clear: they do not consume the information on your sitemap, meaning they cannot use it; they ignore it per Yoast’s instructions. Google explains why they ignore it in the next paragraph. Also, one person pointed out they are violating Google’s rules on RSS feeds for podcasts.

Google who is an industry leader in SEO says the exact opposite about Yoast’s noindex, follow technique in their Google SEO round table. John Mueller who is the Webmaster Trends Analyst at Google essentially said that if you put noindex, follow they won’t index that page or follow any of the links.

John Mueller explained how Google handles the exact type of code that Yoast and other SEO companies are using in a 2017 Google webmaster round table.
“It’s tricky with noindex, which I think is something of a misconception in general within the SEO community. With a noindex and follow it’s still the case that we see the noindex. In the first step we say ‘okay you don’t want this page shown in the search results’. We’ll still keep it in our index, we just won’t show it and then we can follow those links.”

That part seems to support Yoast’s claim, but the next paragraph debunks Yoast’s claim.

“If we see the noindex there for longer than we think this page really doesn’t want to be used in search so we will remove it completely. And then we won’t follow the links anyway. So noindex and follow is essentially the same as a noindex, nofollow. There’s no really big difference there in the long run.”

So, what John Mueller is saying is that if you put noindex, follow on a page for a few days, they would still follow the links and add the content into Google, like Yoast claims. However, if the noindex, follow stays on the same page for, say, a few weeks, they will ignore that page and all the links on it. So, in short, Google is addressing the exact code Yoast is using months before Yoast released it. Since the sitemap made by Yoast never removes the no-index header, Google now ignores the sitemap and all of its links. However, since we’ve found this issue, John Mueller is trying to say that Google processes XML differently, but the search engine results are not reflecting that statement.

This disproves everything that Yoast claims and is why your site is having so much trouble. When it comes to how search engine optimization works, I listen to data.

In July, Joost De Valk announced this will be fixed in 11.7 and has tested it to make sure it works properly.

Joost De Valk from Yoast commented in January:

“I’m sorry but this just isn’t true AT ALL. XML sitemaps aren’t indexed like normal webpages. Or at least: they shouldn’t be. Google reads them differently and doesn’t obey the indexing directives when it ingests them like that. Sometimes they get linked to on the web as well. At that point, Google *does* index them normally, and follows indexing directives. So we set the noindex header on the XML sitemaps so as to make it impossible for XML sitemaps to start showing up in search results. They do *not* prevent Google from using them for what they’re important for: getting URLs into the index.

We talk regularly to Google and are in fact looking at making XML sitemaps better for everyone together with them, so I’m 100% certain of this.”

None of what he said is supported by information from Google, charts showing damage as we showed above or even from Yoast’s customers.