Netanel Rubin, a vulnerability researcher for Check Point Software and credited for properly disclosing a security vulnerability to WordPress, published the first in a trilogy of posts that explains how he discovered it.
The vulnerability was discovered during a full audit of WordPress’ code base, and in his post Rubin praised the efforts of the WordPress development team.
In contrast to these frequent findings in 3rd party plug-ins’ code, barebones WordPress issues are rare, as WordPress core developers are well-trained to hold high security awareness for all released code.
We can confirm that during our audit of the source code, we witnessed the developers ‘leaving nothing to chance’, and implementing multiple layers of security protecting most attack vectors we could think of.
WordPress developers deserve praise for their efforts to maintain such complex software at this level of security, specifically considering the presence of the notoriously trigger-happy foot-gun called PHP.
I recommend reading the post as it’s a brief look into the mind of a white hat security researcher.
Although WordPress has seen its fair share of security related releases this year, it’s reassuring to hear a third-party whose job it is to penetrate software security praise WordPress’ codebase.
The feeling is mutual – Check Point have been a great team to work with, and their talent at finding extremely obscure bugs shows in this report.
Because it’s worth repeating, we always appreciate security reports at security@wordpress.org – even if you’re not sure, we’re happy to check it out.