At the end of last week, a plugin called WP GDPR Compliance sent out a security update for a privilege escalation vulnerability that was reported to the WordPress Plugin Directory team on November 6. The plugin was temporarily removed and then reinstated after the issues were patched within 24 hours (more…)
In this episode, John James Jacoby and I spend the first half of the show discussing WP Engine’s acquisition of StudioPress. We share reactions from social media, debate on whether it’s a good or bad thing for the WordPress ecosystem, and webhosts being at the top of the food chain. (more…)
In this episode, John James Jacoby and I are joined by Jack Lenox, Software Engineer at Automattic, to discuss his new project, SustyWP. Lenox explains how he built the site so that it only has 7KB of data transfer, what sustainability on the web means to him, and the relationship (more…)
WordPress 4.9.5 is available for download and is a maintenance and security release. WordPress 4.9.4 and earlier versions are affected by three security issues. The following security hardening changes are in 4.9.5. Localhost is no longer treated as the same host by default. Safe redirects are used when redirecting the (more…)
In July of last year, Let's Encrypt announced that it would begin issuing Wildcard certificates for free in January of 2018. Although a little late, the organization has announced that Wildcard certificate support is now live. In addition to these certificates, the organization has updated its ACME protocol to version (more…)
In 2016, WordFence published their findings of a vulnerability that could have compromised the servers that are used to send out WordPress updates. It turned out to be a complex, obscure vulnerability that ignited a conversation surrounding the security of api.wordpress.org and what could happen if the servers were compromised. (more…)
WordPress 4.9.2 has been released and patches a cross-site scripting vulnerability in the Flash fallback files in the MediaElement library. According to Ian Dunn, the Flash files are rarely needed and have been removed from WordPress. If you need access to the Flash fallback files, they can be obtained using (more…)
Jetpack has released version 5.6.1 which hardens the Contact Form module by improving permissions checking when updating a form's settings. In addition to security fixes, the character count for when Publicize publishes content to Twitter has been increased to 280. This release also fixes a bug that disabled the ability (more…)
WordPress 4.9.1 is available for download and is a maintenance and security release. This release addresses four security issues in WordPress 4.9 and below that could potentially be used as part of a multi-vector attack. According to the release notes, the following changes have been made to WordPress to protect (more…)
Last month GitHub launched its Dependency Graph feature that tracks a repository’s dependencies and sub-dependencies under the Insights tab. This week the company rolled out an expansion of the feature and will now identify known vulnerabilities and send notifications with suggested fixes from the GitHub community. Dependency graphs and security (more…)
In this episode, John James Jacoby and I discuss the news of the week including, a behind the scenes look at how WordPress 4.8.3 was released, WordPress 4.9 RC1, and Patreon launching an app directory along with a free WordPress plugin. We also talk about the difficulties of surveys, from (more…)
WordPress 4.8.3 is available and is a security release for 4.8.2 and all previous versions. This release addresses an issue with $wpdb->prepare() that could lead to a potential SQL injection. While WordPress core is not vulnerable, hardening has been added to prevent plugins and themes from inadvertently causing a vulnerability. (more…)