WordPress security news and issues.
Back in August, Oliver Sild announced in Post Status Slack that Patchstack was opening up “additional data” to “enrich the vulnerability data” their service discloses, now “with [a] real-time IP feed of attackers who hit [Patchstack’s] virtual patches.” Virtual patches are Patchstack’s quick interventions for customers’ sites when an official patch doesn’t exist yet for…
This is an important topic that came out of a Post Status Slack #security discussion involving Robert Rowley and John James Jacoby: WordPress Terminology Meta. It continued over at the WPwatercooler.
Critical OpenSSL vulnerability β’ Australia raises fines for data breaches β’ Apple only commits to patching the latest OS β’ EU may require secure code and timely patches.β’Β NSA/CISA guidance for software developers and suppliers
This week Alex Denning (Ellipsis) draws on Iain Poulson‘s historical, high-level plugin data at WP Trends to offer some thoughtful, somewhat contrary, but practical and grounded perspectives on the value of Active Install Data. At the WP Watercooler and elsewhere, a realization seems to be setting in that the data is not open source and not the property of the WordPress community. Like last week’s episode of Post Status Draft with Katie Keith of Barn2 Plugins, Till KrΓΌss (Object Cache Pro, Relay) offers a lot of lessons this week about less travelled paths to success in the plugin business even as a very small company or company of one. Performance, testing, and support are key, interrelated parts of Till’s success and probably the most important ones to borrow in your own life and work if they resonate.
John James Jacoby has been the main source of (unofficial) information about the removal of active install statistical tracking for plugins in the WordPress.org repository. On Friday, he provided more technical details on the WPwatercooler podcast.
Cory Miller asks, “What can we do to better support our plugin developers and product owners?” Katie Keith offers some clues with the story of her WordPress/WooCommerce agency and product shop, Barn2 Plugins. Dan Knauss and Nyasha Green talk about microaggressions, the Active Install Growth Data story, and US federal legislation aimed at Open Source Security. In an increasingly “demon-haunted world,” how can we know who is doing what with the hardware and software tools we use? Ben Gabler, CEO and Founder of Rocket.net, is in our Member Spotlight.
United States national security interests are poised to become more invested in and engaged with open source projects classified as public infrastructure. From Log4j to the Securing Open Source Software Act, how did it all come together in 2022, and what may lie ahead?
In reaction to as-yet-unpublicized details about the abuse of active install data in the WordPress.org plugin repository, the charts displaying that data have been removed from plugin pages in a move expected to be temporary. Important (and some familiar) questions are emerging as this story unfolds: how to balance the values of openness, security, and privacy as well as cooperation and competition at WordPress.org β still the central hub for WordPress plugin businesses.
Patchstack brings fast virtual patches and safe updates to any plugin or theme vulnerabilities potentially affecting Hostinger’s customers.
Ram Dall over at Wordfence has a good breakdown of three vulnerabilities patched in the WordPress 6.0.2 Security and Maintenance Release.
On August 8, wordpress.org was down for a few hours after a Chicago data center outage. During the outage, a user of a password security plugin reported it replaced salt keys with an outage notice, leading to a WSOD on a customer’s site.
Once you know these states, you can assign probabilities of transitioning from one state to another (someone hacks your account and locks you out, you forgot your own password, etc.) and then build optimal security and reliability to deal with it. Itβs a truly elegant way of conceptualizing the problem.
I wonder how much WordPress is an outlier in even the PHP universe for tolerating the idea that it’s “punishment” and “unfair” to be held to a standard with mandatory testing for code that’s admitted to the WordPress.org repo for use on potentially 40% of the web. That’s how a number of developers responded to…
Chinmayi Sharma argues our digital infrastructure is built on open source, and it cannot provide adequate security so governments should help out.
Remote Access Trojans (RATs) are new to me β apparently, you can get one on a Windows machine as a malware payload from fake CloudFlare DDoS alert pages on hacked WordPress sites. Ben Martin at Sucuri explains “a recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead…
Robert Rowley at Patchstack explains what I believe is the first-ever reported vulnerability in Gutenberg (the plugin, not in WordPress core) to make the National Vulnerability Database. Robert has opened an issue for discussion in the Gutenberg GitHub repo that has a good quick summary of the vulnerability. It appears to be only a theoretical…
End of content
End of content
