Eric Mann notes that “WordPress nonces…

ByDan Knauss Posted onOctober 16, 2019

Eric Mann notes that “WordPress nonces are, admittedly, not numbers and not used once.” Since they’re not “true nonces,” WordPress nonces “fall down horribly” and constitute a “fatal flaw” when developers use them to secure the admin. 🔓

Eric says we urgently need “true cryptographic operations,” and there’s a possible path to that destination, but it is “incredibly steep.” It will require “a major paradigm shift in WordPress development” — and developer education.

I want to also note some comments here from Andrew Nacin on Twitter: “…we shouldn’t have called them nonces. But, time-based, stateless HMAC tokens are just as valid (and commonly used) for CSRF protection. The primary point of these tokens isn’t to prevent a replay attack. Its only point is to guard against CSRF, and it does that well.”

Security

I stumbled on the “Tozny API”…

ByDan Knauss March 3, 2017

I stumbled on the “Tozny API” recently which instead of passwords presents a functionality similar to “email me an access code” from Slack. The purpose of which is to help either verify email addresses or promote password-free authentication for your users. It’s an interesting concept although i’m not sure if it’s going to be accepted…

Eric Mann recently announced a side…

ByDan Knauss September 7, 2018

Eric Mann recently announced a side project — an “Advanced Passwords” premium plugin. As Eric explains, this project aims to better protect WordPress sites by securing passwords used for authentication and protected content.

Development

Redis object cache for WordPress

ByBrian Krogsgard March 31, 2014October 13, 2022

WordPress has long had a Memcached backend available for object caching. Over the past several weeks, Eric Mann and Erick Hitter have built out a Redis-based alternative for object caching. Updated Source: https://ethitter.com/2014/04/redis-object-cache-plugin-available-for-download/

Over, Under, Around, and Through

ByDan Knauss October 14, 2022October 14, 2022

This week Alex Denning (Ellipsis) draws on Iain Poulson‘s historical, high-level plugin data at WP Trends to offer some thoughtful, somewhat contrary, but practical and grounded perspectives on the value of Active Install Data. At the WP Watercooler and elsewhere, a realization seems to be setting in that the data is not open source and not the property of the WordPress community. Like last week’s episode of Post Status Draft with Katie Keith of Barn2 Plugins, Till Krüss (Object Cache Pro, Relay) offers a lot of lessons this week about less travelled paths to success in the plugin business even as a very small company or company of one. Performance, testing, and support are key, interrelated parts of Till’s success and probably the most important ones to borrow in your own life and work if they resonate.

Draft | Planet | Post Status Podcasts

Till Krüss on Object Cache Pro, WordPress, Plugins, Testing, and Performance — Post Status Draft 126

ByDan Knauss October 14, 2022October 21, 2022

Till Krüss explains how he found his way into WordPress and a successful business that’s solving the hard problems of caching and performance optimization. His work and business model suggest several areas of opportunity for developers and founders working in the WordPress plugin market today.

Eric Mann announced the release of…

ByBrian Krogsgard March 26, 2018

Eric Mann announced the release of DGXPCO: Digital Guarantees for eXplicitly Permitted Core Operations plugin. This plugin (available on the WordPress plugin repo) integrates directly with the WordPress core updater and ensures that any core package being installed has a valid signature. At the moment DGXPCO only secures WordPress core updates. Eric says a future…

Similar Posts

Post Status is proudly supported by great partners