
How Our Customers Helped Make WordPress Plugins More Secure, Week of March 1

Our customers provide us with the ability to help make WordPress plugins more secure. Mostly with plugins they use, but to a lesser extent with other plugins. That work often goes unmentioned. So we are highlighting that to help to better…

NinjaFirewall is Providing Misleading Information on Vulnerable WordPress Plugins

In our testing of WordPress firewall plugins, the NinjaFirewall plugin has been the best free option. It turns out it does something else where it isn’t so good. That would be warning about vulnerable plugins. We recently noticed the developer…

Not Really a WordPress Plugin Vulnerability, Week of February 16

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic…

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 16

Our customers provide us with the ability to help make WordPress plugins more secure. Mostly with plugins they use, but to a lesser extent with other plugins. That work often goes unmentioned. So we are highlighting that to help to better…

WordPress Plugin Team Appears to Not Understand Proper Use of SQL Escaping Function esc_sql()

We recently had a strange interaction with the team running the WordPress Plugin Directory over their failure to make sure a likely exploited vulnerability was fixed. It was yet another example of their poor handling of security. That runs counter…

Cloudflare Still Providing DNS Service for WordPress Security Team Impersonation Scam

For a couple of months now, a phishing email campaign has been sending emails warning of a vulnerability on WordPress websites and telling people to download a plugin for that. That email has this format: Dear user…

How Our Customers Helped Make WordPress Plugins More Secure, Week of February 9

Our customers provide us with the ability to help make WordPress plugins more secure. Mostly with plugins they use, but to a lesser extent with other plugins. That work often goes unmentioned. So we are highlighting that to help to better…

Wordfence Claims It Is a Vulnerability For Users With the unfiltered_html Capability to Use Unfiltered HTML

As we warned our customers on Friday, the latest version of the WordPress plugin Easy Digital Downloads incompletely fixed a vulnerability. That is something we ran across while preparing to see if another security fix made in it fixed a…

WordPress Security Providers Falsely Claimed Cloudflare’s Plugin Contained Vulnerability

It would be rather notable if the 200,000+ install WordPress plugin from the security provider Cloudflare contained a vulnerability. And that was just the claim made recently by a couple of WordPress security providers. Here was one of them, Patchstack,…

Bug Introduced in WordPress 6.4.3 Highlights a Problem With Fixing Vulnerabilities That Are Not Really Vulnerabilities

The latest version of WordPress, 6.4.3, has created a lot of headaches for the WordPress community, as installing plugins by uploading most zipped copies of plugins that have been compressed on Macs is not working (and possibly zipped in some…

Elementor is Still Providing Access to Security Nonces to WordPress Users Who Shouldn’t Have Them

We are currently in the process of reviewing a partially disclosed possible vulnerability in a 200,000+ install WordPress plugin that extends the 5+ million install plugin Elementor. One issue we found with the possible vulnerability is that the developer is…

Cloudflare Only Added One Firewall Rule for a WordPress Plugin Vulnerability Last Year and It Was Eight Months Late

We recently ran across a WordPress support service that was making some extraordinary claims about their handling of security. They were not close to true, considering we were visiting their website to try to notify them that they had failed…

What to do If Someone is Claiming There is a Vulnerability in Your WordPress Plugin

In the work we do to keep track of vulnerabilities in WordPress plugins for our customers, we see a lot going wrong with the handling of vulnerabilities in them. While a lot of that involves plugin developers, it also involves…

Wordfence Claims Unfixed WordPress Plugin Vulnerability Has Been Fixed in Version That Doesn’t Even Exist

Having accurate data on vulnerabilities in WordPress plugins is important. Lots of people trust one provider of WordPress plugin vulnerability data, Wordfence. It seems like their data should be trusted considering the CEO of Wordfence, Mark Maunder, has claimed their…

Not Really a WordPress Plugin Vulnerability, Week of January 26

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic…

Contrary to Bleeping Computer Story, Hackers Don’t Seem to Have Targeted Security Issue in Better Search Replace

Yesterday, Bleeping Computer ran a story headlined “Hackers target WordPress database plugin active on 1 million sites,” written by Bill Toulas. The plugin being referenced was Better Search Replace, which had a security change in the latest version. There…

How to Use the sanitize_callback When Using the WordPress register_setting() Function

One of the many issues we now check for when doing security reviews of WordPress plugins is proper usage of the sanitize_callback when using register_setting() to register settings. That helps to make sure that settings of the plugin don’t contain…

Catching a Future Vulnerability in a WordPress Plugin With Our Plugin Security Checker

One of the tools we have to try to help make WordPress plugins more secure is our Plugin Security Checker, which flags possible security issues in WordPress plugins. From time to time, we spot check the results of plugins from…