Security

WordPress security news and issues.

Naming is hard—but important

Dan Knauss
This is an important topic that came out of a Post Status Slack #security discussion involving Robert Rowley and John James Jacoby: WordPress Terminology Meta. It continued over at the WPwatercooler.

Security News Roundup

Dan Knauss
Critical OpenSSL vulnerability • Australia raises fines for data breaches • Apple only commits to patching the latest OS • EU may require secure code and timely patches • NSA/CISA guidance for software developers and suppliers

Over, Under, Around, and Through

Dan Knauss
This week Alex Denning (Ellipsis) draws on Iain Poulson's historical, high-level plugin data at WP Trends to offer some thoughtful, somewhat contrary, but practical and grounded perspectives on the value of Active Install Data. At the WP Watercooler and elsewhere, a realization seems to be setting in that the data is not open source and not the property of the WordPress community. Like last week's episode of Post Status Draft with Katie Keith of Barn2 Plugins, Till Krüss (Object Cache Pro, Relay) offers a lot of lessons this week about less travelled paths to success in the plugin business even as a very small company or company of one. Performance, testing, and support are key, interrelated parts of Till's success and probably the most important ones to borrow in your own life and work if they resonate.

Trust Issues

Dan Knauss
Cory Miller asks, "What can we do to better support our plugin developers and product owners?" Katie Keith offers some clues with the story of her WordPress/WooCommerce agency and product shop, Barn2 Plugins. Dan Knauss and Nyasha Green talk about microaggressions, the Active Install Growth Data story, and US federal legislation aimed at Open Source Security. In an increasingly "demon-haunted world," how can we know who is doing what with the hardware and software tools we use? Ben Gabler, CEO and Founder of Rocket.net, is in our Member Spotlight.

Active Install Charts Removed from Plugin Repo

Dan Knauss
In reaction to as-yet-unpublicized details about the abuse of active install data in the WordPress.org plugin repository, the charts displaying that data have been removed from plugin pages in a move expected to be temporary. Important (and some familiar) questions are emerging as this story unfolds: how to balance the values of openness, security, and privacy as well as cooperation and competition at WordPress.org — still the central hub for WordPress plugin businesses.

A Taxonomy of Access Control

Dan Knauss
Once you know these states, you can assign probabilities of transitioning from one state to another (someone hacks your account and locks you out, you forgot your own password, etc.) and then build optimal security and reliability to deal with it. It’s a truly elegant way of conceptualizing the problem.

We don’t need no stinkin’ standards!

Dan Knauss
I wonder how much WordPress is an outlier in even the PHP universe for tolerating the idea that it's "punishment" and "unfair" to be held to a standard with mandatory testing for code that's admitted to the WordPress.org repo for…

When the Free Rider is Government

Dan Knauss
Chinmayi Sharma argues that our digital infrastructure is built on open source, which cannot provide adequate security on its own, so governments should help out.

Pentesting as Contributing

Dan Knauss
Robert Rowley at Patchstack explains what I believe is the first-ever reported vulnerability in Gutenberg (the plugin, not in WordPress core) to make the National Vulnerability Database. Robert has opened an issue for discussion in the Gutenberg GitHub repo that…