WordPress 4.8.2 is available for download and users are encouraged to update as soon as possible. This release patches eight security vulnerabilities and has six maintenance related fixes. Hardening was also added to WordPress core to prevent plugins and themes from accidentally causing a vulnerability through $wpdb->prepare() which can create (more…)
Display Widgets, a plugin with more than 200,000 active installs, has been removed from WordPress.org due to its authors inserting malicious code. SEO consultant David Law was the first to bring this issue to the attention of the plugin team after discovering that Display Widgets was inserting content into sites (more…)
Equifax has launched a WordPress-powered website to connect with consumers affected by its recent security breach, which compromised 143 million customers’ personal data. The exposed data includes names, birth dates, social security numbers, addresses, credit card numbers, driver’s license numbers, and other sensitive financial information. The equifaxsecurity2017.com site was launched (more…)
SiteLock, a website security company, has acquired Patchman, a Dutch security startup that offers automated vulnerability patching and malware removal for hosting providers. Prior to the acquisition SiteLock protected 6 million sites, with 2.2 million of them running on WordPress. The addition of Patchman extends SiteLock’s customer base to 12 (more…)
The month of May is Mental Health Awareness month. On this episode, Ed Finkler, founder of Open Sourcing Mental Illness (OSMI), and Bridget Willard, Marketing Manager for WordImpress, join me to raise awareness of mental health. We start the show by discussing what mental health is and what it means (more…)
WordPress 4.7.5 was released today with fixes for six security issues. If you manage multiple sites, you may have seen automatic update notices landing in your inbox this evening. The security release is for all previous versions and WordPress is recommending an immediate update. Sites running versions older than 3.7 (more…)
WordPress now has its own official HackerOne account where security researchers can responsibly disclose vulnerabilities to the security team. The project’s page was previously listed under Automattic’s profile before HackerOne launched its free community edition for open source projects. WordPress has now transitioned to its own account, which also includes (more…)
Security researcher Dawid Golunski of Legal Hackers has published the details of an unauthorized password reset vulnerability in WordPress core. Golunski demonstrated how, under certain circumstances, an attacker could intercept the password reset email and gain access to a user’s account. His proof of concept takes advantage of WordPress using (more…)
Security researchers at Wordfence are reporting that thousands of hacked home routers are attacking WordPress sites. Wordfence firewall and malware scanner products are in use on more than 2 million WordPress sites and the company estimates that 6.7% of all attacks on these sites are coming from hacked home routers. (more…)
Last week, we highlighted the progress being made by the Theme Review Team in clearing out a 1K+ review backlog. In an effort to determine common problems with themes discovered by reviewers, Carolina Nymark, a member of the Theme Review Team, reviewed 100 tickets from 531 themes that were closed (more…)
In this episode, Marcus Couch and I are joined by Aaron D. Campbell, WordPress Security Team Lead. Campbell provides insight into who’s on the team and what they do behind the scenes to coordinate security releases. We discuss the complex nature of disclosures, when to publish them, and how much (more…)
There’s a lot of great WordPress content published in the community but not all of it is featured on the Tavern. This post is an assortment of items related to WordPress that caught my eye but didn’t make it into a full post. The REST API Democratizes Reading Mika Epstein (more…)