In January, we looked into a mess caused by the WordPress security provider Wordfence falsely claiming that the plugin WooCommerce had contained a vulnerability. That was caused in part by Wordfence failing to do basic vetting, which they claim to Continue reading Automattic’s WPScan Falsely Claimed that Automattic’s WooCommerce Contained Vulnerability
While reviewing a recent hacker attempt to try to exploit a vulnerability in a WordPress plugin, which was stopped by our own firewall plugin, we found that Automattic’s WPScan had falsely claimed that a WordPress plugin contained a serious vulnerability. Continue reading Automattic’s WPScan Falsely Claims That WordPress Plugin Contained Serious Vulnerability
HTTP/3 is the third major version of the Hypertext Transfer Protocol used to exchange information on the web. It is built on top of a new protocol called QUIC, which is set to fix some limitations of the previous protocol Continue reading Bringing You a Faster, More Secure Web: HTTP/3 Is Now Enabled for All Automattic Services
Google’s search results have a reputation for being bad these days and for good reason, they are bad. Take the results we got when doing a search for “best wordpress security plugins 2024”. We got this information directly on the Continue reading Google’s Search Results for The Best WordPress Security Plugins in 2024 is as Bad As You Would Expect
In October 2022, after a very questionable action taken by the team running the WordPress’ Plugin Directory that was alleged by some to have been done to the benefit of the for-profit company from head of WordPress, we noted that Continue reading WordPress Stops Disclosing if Plugin Directory Team Works for Automattic After at Least Two Employees Secretly Joined Team
Our team here at WordPress.com, comprised of hundreds of people spread across the entire globe, accomplished a lot in 2023. On the blog, we published over 90 posts, from product upgrades, to brand new features, and even new additions to Continue reading WordPress.com’s Year in Review
When it comes to protecting WordPress websites from being hacked through vulnerabilities in plugins, the solution is often simply keeping plugins up to date. But that doesn’t work when a hacker finds a vulnerability and starts exploiting it, otherwise known Continue reading How a WordPress Firewall Plugin Stops Exploitation of Zero-Day That Automattic’s Jetpack Didn’t
The internet is undefeated in coining new terms to describe our digital lives: hashtag, blog, clickbait, lurk. Somehow, though, the most universal phenomenon of them all doesn’t have a word yet. How many times have you lost track of an Continue reading One Inbox to Rule Them All
On Saturday we had what appeared to be a hacker probing for usage of the WordPress plugin WP Job Portal on our website. That plugin is available in the WordPress Plugin Directory and has 3,000+ active installations according to WordPress’ Continue reading Hacker Targeted WordPress Plugin Still in Plugin Directory Despite Publicly Disclosed Unfixed SQL Injection Vulnerability
When it comes to securing WordPress websites, it is very common to find people assuredly claiming that WordPress firewall plugins provide less protection than web application firewalls (WAFs) from web hosts or cloud security providers, without any evidence to back Continue reading Automattic’s Web Application Firewall (WAF) Failed to Provide Protection Against Zero-Day That WordPress Firewall Plugins Did
Recently Automattic’s WPScan claimed that there had been what is normally a fairly serious type of vulnerability in a WordPress plugin. That being, as they put it, an “unauthenticated stored XSS” vulnerability or, as we would put it, a persistent Continue reading Automattic’s WPScan, Wordfence, and Patchstack Don’t Appear to Have a Basic Grasp of What Vulnerabilities Are
In March, the details of a vulnerability that had been fixed in a WordPress plugin that extends the functionality of the plugin WooCommerce were disclosed. The exploitabilty of it should have been limited as it required having access to a Continue reading WooCommerce Security Issue Plays Critical Role in Exploiting Serious Vulnerabilities in Other Plugins
Automattic has acquired the ActivityPub plugin for WordPress from German developer Matthias Pfefferle, who will be joining the company to continue improving support for federated platforms. Pfefferle, who is also the author of the Webmention plugin, said his new role Continue reading Automattic Acquires ActivityPub Plugin for WordPress
Serendipitous connections, like discovering a shared interest with someone in line at the coffee shop, look slightly different in distributed organizations. This year, leveraging the values of open source, Automattic shared the planning and organization of a company-wide 24-hour online Continue reading An Open Source Approach to Creating Company Events
Automattic’s WPScan WordPress security service makes a lot of impressive sounding claims on their homepage, including being “Enterprise-strength” protection: Enterprise-strength WordPress protection for everyone [Read more] ShareTweetSharePostSharePin It!
Anyone who has spent much time trying to use WordPress’ support forum and the connected plugin review system knows that the moderators of that often get in the way and causing unnecessary problems (as well other troubling behavior, including deleting Continue reading Two Weeks Later WordPress Hasn’t Taken Action With WordPress Plugin That Loaded Malicious JavaScript
Trust is an important part of security, so it probably isn’t surprising that security is in such bad shape and that at the same time, security companies are so obviously dishonest so often. That is something we frequently run across Continue reading WPScan and Wordfence Intelligence Community Edition Providing Misleading Data on When Information Was Published
In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in plugins they use, we often find that there are reports for things that don’t appear to be vulnerabilities. For more problematic Continue reading Not Really a WordPress Plugin Vulnerability, Week of November 25
During the summer, one arm of the company closely associated with WordPress, Automattic, WPScan disclosed a vulnerability in plugin, Co-Authors Plus, maintained by another arm of Automattic. WPScan and others in Automattic appear to have failed to look all that Continue reading Automattic’s WPScan Failed to Catch That WordPress VIP’s Co-Authors Plus Plugin is Still Disclosing Email Addresses
A reoccurring issue we see with information on vulnerabilities in WordPress plugins is that inaccurate information is being provided to webmaster’s and then the sources of that inaccurate information are not the ones having to deal with the fallout of Continue reading iThemes Security Pro is Providing Customers Inaccurate Information on Vulnerabilities in WordPress Plugins