
WordFence Security Fails to Provide the Protection Keeping WordPress Plugins Updated Would

One of the impediments to better security for WordPress websites (and security in general) is that people are not taking basic security measures and are instead relying on security solutions that fail to provide the protection that those basic security measures …

iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins

A reoccurring issue we see with information on vulnerabilities in WordPress plugins is that inaccurate information is being provided to webmasters and then the sources of that inaccurate information are not the ones having to deal with the fallout of …

Persistent Cross-Site Scripting (XSS) Vulnerability in Advanced Contact Form 7 DB (Advanced CF7 DB)

This post provides the details of a vulnerability in the WordPress plugin Advanced CF7 DB not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the …

Sectigo’s CodeGuard is Sharing the Files From Their Customers’ WordPress Websites With Third-Parties

Making backups of WordPress websites is an important security measure, but it can also create security risks of its own. That too often comes in the form of security vulnerabilities that are in backup plugins, where even plugins with millions …

Cross-Site Request Forgery (CSRF) Vulnerability in ImageMagick Engine

This post provides the details of a vulnerability in the WordPress plugin ImageMagick Engine not discovered by us, where the discoverer hadn’t provided the details needed for us to confirm the vulnerability while we were adding it to the data …

Amid Hacker Probing for WordPress Plugin BulletProof Security, New Vulnerability Discovered in It

Last week we saw what appears to be a hacker probing for usage of the WordPress plugin BulletProof Security. That is, as you might guess based on the name, a security plugin. It has 40,000+ active installations according to wordpress.org …

Not Really a WordPress Plugin Vulnerability, Week of October 14

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

The “Mark Zahra” Problem That the WordPress Community Deals With

The poor treatment of WordPress plugin developers by those in control of WordPress has recently gotten attention because of an odd, largely unexplained, situation involving removing a chart showing the install growth of plugins on their WordPress Plugin Directory pages.

Wordfence is Claiming That WordPress Plugin Has Vulnerability Despite Having No Idea if That is True

In our monitoring of the WordPress Support Forum for discussions possibly discussing WordPress plugin vulnerabilities, we have recently been seeing a lot of topics involving vague claims coming from the WordPress security provider Wordfence, through their Wordfence Security plugin, that …

Two Weeks On, Automattic’s WPScan and Patchstack Haven’t Warned About Vulnerability Impacting 600,000+ WordPress Websites

How WordPress security companies market themselves and what they actually deliver are often far apart. Unfortunately, WordPress and security journalists are failing to provide critical coverage that would warn people about what is going on. As an example of what …

Automattic’s Idea of Coopetition Involves Copying Data From Competitors Without Credit

Companies operating in the WordPress space have to deal with a problematic situation. While WordPress is promoted as an open source community, the head of WordPress, Matt Mullenweg, uses his various entities to exert control and influence over the community …

Automattic Employees Don’t Appear to Understand What Security Is

The WordPress community is in the midst of a controversy involving a strange, largely unexplained, situation. A chart that used to be shown on the Advanced View page for plugins in WordPress’ plugin directory was removed. This is an …

Not Really a WordPress Plugin Vulnerability, Week of October 7

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic …

All In One WP Security & Firewall Only WordPress Firewall Plugin to Increase Protection in Our Testing This Month

One of the ways we measure how much protection WordPress security plugins provide against the real threat of vulnerabilities in other WordPress plugins is to run software we have designed to make sure that our own firewall plugin’s protection …

Security Journalist Blames WordPress for Poor Security Handling Unrelated to WordPress

A week ago, we highlighted a key detail of a recent hacking of the news outlet Fast Company, which other news outlets covering it were failing to discuss. That being that the hacker of Fast Company’s WordPress website claimed they …

Automattic Employee Introduced Serious Exploitable Vulnerability Into WordPress’ Own Plugin

As detailed in a more technical post, proactive monitoring we do caught a serious vulnerability of a type highly likely to be exploited being introduced into a WordPress plugin this week. By the install count of the plugin, this …

WordPress is Obfuscating the Connection Between the WordPress Plugin Directory and Automattic

An odd controversy has recently taken up the spotlight in the WordPress plugin developer community: the removal of the Active Install Growth chart from the Advanced View page for plugins in the WordPress Plugin Directory. That chart showed the growth …