
Patchstack enriches open vulnerability data with signals showing attack volume, method, and source

Back in August, Oliver Sild announced in Post Status Slack that Patchstack was opening up “additional data” to “enrich the vulnerability data” their service discloses, now “with [a] real-time IP feed of attackers who hit [Patchstack’s] virtual patches.” Virtual patches are Patchstack’s quick interventions for customers’ sites when an official patch doesn’t exist yet for…

Over, Under, Around, and Through

This week Alex Denning (Ellipsis) draws on Iain Poulson‘s historical, high-level plugin data at WP Trends to offer some thoughtful, somewhat contrary, but practical and grounded perspectives on the value of Active Install Data. At the WP Watercooler and elsewhere, a realization seems to be setting in that the data is not open source and not the property of the WordPress community. Like last week’s episode of Post Status Draft with Katie Keith of Barn2 Plugins, Till Krüss (Object Cache Pro, Relay) offers a lot of lessons this week about less travelled paths to success in the plugin business even as a very small company or company of one. Performance, testing, and support are key, interrelated parts of Till’s success and probably the most important ones to borrow in your own life and work if they resonate.

Active Install Data Story Update: Not a breach but abuse of an endpoint

John James Jacoby has been the main source of (unofficial) information about the removal of active install statistical tracking for plugins in the WordPress.org repository. On Friday, he provided more technical details on the WPwatercooler podcast.

Trust Issues

Cory Miller asks, “What can we do to better support our plugin developers and product owners?” Katie Keith offers some clues with the story of her WordPress/WooCommerce agency and product shop, Barn2 Plugins. Dan Knauss and Nyasha Green talk about microaggressions, the Active Install Growth Data story, and US federal legislation aimed at Open Source Security. In an increasingly “demon-haunted world,” how can we know who is doing what with the hardware and software tools we use? Ben Gabler, CEO and Founder of Rocket.net, is in our Member Spotlight.

Open Source Communities: You May Not Be Interested in CISA, But CISA is Very Interested in You

United States national security interests are poised to become more invested in and engaged with open source projects classified as public infrastructure. From Log4j to the Securing Open Source Software Act, how did it all come together in 2022, and what may lie ahead?

Active Install Charts Removed from Plugin Repo

In reaction to as-yet-unpublicized details about the abuse of active install data in the WordPress.org plugin repository, the charts displaying that data have been removed from plugin pages in a move expected to be temporary. Important (and some familiar) questions are emerging as this story unfolds: how to balance the values of openness, security, and privacy as well as cooperation and competition at WordPress.org — still the central hub for WordPress plugin businesses.


We don’t need no stinkin’ standards!

I wonder how much WordPress is an outlier in even the PHP universe for tolerating the idea that it’s “punishment” and “unfair” to be held to a standard with mandatory testing for code that’s admitted to the WordPress.org repo for use on potentially 40% of the web. That’s how a number of developers responded to…


Sites hacked with fake CloudFlare DDoS alerts infected with RATs

Remote Access Trojans (RATs) are new to me — apparently, you can get one on a Windows machine as a malware payload from fake CloudFlare DDoS alert pages on hacked WordPress sites. Ben Martin at Sucuri explains “a recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead…
