Tag: security

  • WP GDPR Compliance Plugin Patches Privilege Escalation Vulnerability

    At the end of last week, a plugin called WP GDPR Compliance sent out a security update for a privilege escalation vulnerability that was reported to the WordPress Plugin Directory team on November 6. The plugin was temporarily removed and then reinstated after the issues were patched within 24 hours by its creators, Van Ons,…

  • WPWeekly Episode 322 – WP Engine Acquires StudioPress

    In this episode, John James Jacoby and I spend the first half of the show discussing WP Engine’s acquisition of StudioPress. We share reactions from social media, debate whether it’s a good or bad thing for the WordPress ecosystem, and discuss web hosts being at the top of the food chain. We also talk about a…

  • WPWeekly Episode 320 – Building a Sustainable Web

    In this episode, John James Jacoby and I are joined by Jack Lenox, Software Engineer at Automattic, to discuss his new project, SustyWP. Lenox explains how he built the site so that it only has 7KB of data transfer, what sustainability on the web means to him, and the relationship between sustainability and optimization to…

  • WordPress 4.9.5 Squashes 25 Bugs

    WordPress 4.9.5 is available for download and is a maintenance and security release. WordPress 4.9.4 and earlier versions are affected by three security issues. The following security hardening changes are in 4.9.5. Localhost is no longer treated as the same host by default. Safe redirects are used when redirecting the login page if SSL is…

  • Let’s Encrypt Wildcard Certificates Are Now Available

    In July of last year, Let's Encrypt announced that it would begin issuing Wildcard certificates for free in January of 2018. Although a little late, the organization has announced that Wildcard certificate support is now live. In addition to these certificates, the organization has updated its ACME protocol to version 2.0. ACMEv2 is required for…

  • WordPress 4.9.2 Patches XSS Vulnerability

    WordPress 4.9.2 has been released and patches a cross-site scripting vulnerability in the Flash fallback files in the MediaElement library. According to Ian Dunn, the Flash files are rarely needed and have been removed from WordPress. If you need access to the Flash fallback files, they can be obtained using the MediaElement Flash Fallback plugin.…

  • Jetpack 5.6.1 Increases Security of the Contact Form Module

    Jetpack has released version 5.6.1 which hardens the Contact Form module by improving permissions checking when updating a form's settings. In addition to security fixes, the character count for when Publicize publishes content to Twitter has been increased to 280. This release also fixes a bug that disabled the ability to save widgets after removing…

  • WordPress 4.9.1 Released, Fixes Page Template Bug

    WordPress 4.9.1 is available for download and is a maintenance and security release. This release addresses four security issues in WordPress 4.9 and below that could potentially be used as part of a multi-vector attack. According to the release notes, the following changes have been made to WordPress to protect against these vulnerabilities. Use a…

  • GitHub Launches Security Alerts for JavaScript and Ruby Projects, Python Support Coming in 2018

    Last month GitHub launched its Dependency Graph feature that tracks a repository’s dependencies and sub-dependencies under the Insights tab. This week the company rolled out an expansion of the feature and will now identify known vulnerabilities and send notifications with suggested fixes from the GitHub community. Dependency graphs and security alerts are automatically enabled for…

  • WPWeekly Episode 293 – WordPress 4.8.3, RIP Firebug, and Patreon

    In this episode, John James Jacoby and I discuss the news of the week, including a behind-the-scenes look at how WordPress 4.8.3 was released, WordPress 4.9 RC1, and Patreon launching an app directory along with a free WordPress plugin. We also talk about the difficulties of surveys, from asking the right questions, to…

  • WordPress 4.8.3, A Security Release Six Weeks in the Making

    WordPress 4.8.3 is available and is a security release for 4.8.2 and all previous versions. This release addresses an issue with $wpdb->prepare() that could lead to a potential SQL injection. While WordPress core is not vulnerable, hardening has been added to prevent plugins and themes from inadvertently causing a vulnerability. If you’re experiencing a bit…

  • Postman SMTP Plugin Forked after Removal from WordPress.org for Security Issues

    In early October the popular Postman SMTP plugin was removed from WordPress.org due to security issues. The plugin had not been updated in two years and also contained a reflected cross-site scripting (XSS) vulnerability that was made public in June and left unfixed. The security researcher’s attempts to contact the plugin’s author, Jason Hendriks, were…

  • GitHub Launches New Dependency Graph Feature with Security Alerts Coming Soon

    GitHub announced a new Dependency Graph feature at the GitHub Universe conference yesterday. It lists all the dependencies for a repository and will soon identify known vulnerabilities. The graph can be accessed under the Insights tab and currently supports Ruby and JavaScript dependencies, with Python coming soon. Public repositories display the graph by default and…

  • Disqus Data Breach Affects 17.5 Million Accounts

    Disqus, a comment management and hosting service, has announced it suffered a data breach that affects 17.5 million users. A snapshot of its database from 2012, with information dating back to 2007, was exposed; it contained email addresses, usernames, sign-up dates, and last login dates in plain text. Passwords hashed with the SHA1 algorithm and a salt…