The biggest threat to the growth of WordPress: perceived security

Whenever I talk to web developers outside the inner circle of the WordPress community, it is bound to come up: WordPress security. It is the most important reason why a certain group of people does not want a WordPress site. They think, they’ve read, they’ve heard that WordPress sites are not secure and that they… Continue reading The biggest threat to the growth of WordPress: perceived security

#110 – Thomas J. Raef on the Shift in How Hackers Attack, and How to Protect Your Site

Transcript [00:00:00] Nathan Wrigley: Welcome to the jukebox podcast from WP Tavern. My name is Nathan Wrigley. Jukebox is a podcast which is dedicated to all things WordPress. The people, the events, the plugins, the blocks, the themes, and in this case how your session cookies are being used to attack WordPress websites. If you’d… Continue reading #110 – Thomas J. Raef on the Shift in How Hackers Attack, and How to Protect Your Site

Wordfence CLI 2.0.1 Update Adds Free Vulnerability Scanning

Wordfence CLI 2.0.1 introduced free vulnerability scanning this week. The new CLI product was launched at WordCamp US two months ago with malware detection capabilities, but the latest update brings in the most highly requested feature – vulnerability scanning at scale. Wordfence is most well-known for its Web Application Firewall, malware scanner, and login security… Continue reading Wordfence CLI 2.0.1 Update Adds Free Vulnerability Scanning

Patchstack Reports 404 Vulnerabilities Affecting 1.6M+ Websites to WordPress.org Plugins Team

After an accumulation of undisclosed and unpatched vulnerabilities in plugins hosted on WordPress.org, Patchstack has reported 404 plugins to WordPress’ Plugin Review Team. “This situation creates a significant risk for the WordPress community, and we decided to take action,” Patchstack researcher Darius Sveikauskas said. “Since these developers have been unreachable, we sent the full list… Continue reading Patchstack Reports 404 Vulnerabilities Affecting 1.6M+ Websites to WordPress.org Plugins Team

Business Roundup Week Ending August 18

Zoom AI Privacy Controversy Zoom’s Terms grant them access to your video, audio, and chat transcripts to train their AI tools, but their latest update promises not to use them without your permission. Zoom’s previous privacy issues raise the concerns of some watchdog groups about the trustworthiness of the new policy. Read the facts: https://gizmodo.com/zoom-ai-privacy-policy-train-on-your-data-1850712655 … Continue reading Business Roundup Week Ending August 18

Business Roundup Week Ending August 11

AI: The Next Chapter Online Event September 14 This second installment of Human Made’s AI Event series will highlight the latest in WordPress AI and explore the broader changes created in the rapid advancement of AI. Speaker applications and attendee registration are now open for this free event. How can you better leverage AI in… Continue reading Business Roundup Week Ending August 11

Ninja Forms Version 3.6.26 Patches Multiple High Severity Security Vulnerabilities

If you use the Ninja Forms plugin and your sites aren’t set to get automatic plugin updates, add a round of updates to your weekend plans. Patchstack is reporting multiple high severity security vulnerabilities in the plugin, including the following: a POST-based reflected XSS (7.6 CVSS 3.1 score) a broken access control on form submissions… Continue reading Ninja Forms Version 3.6.26 Patches Multiple High Severity Security Vulnerabilities

All-In-One Security Plugin Patches Sensitive Data Exposure Vulnerability in Version 5.2.0

All-In-One Security (AIOS), a plugin active on more than a million WordPress sites, was found to be logging plaintext passwords from login attempts in the database and has patched the security issue in version 5.2.0. In a post titled “Cleartext passwords written to aiowps_audit_log” published to the plugin’s support forum two weeks and five days… Continue reading All-In-One Security Plugin Patches Sensitive Data Exposure Vulnerability in Version 5.2.0

MalCare, Blogvault, and WPRemote Plugins Patch Vulnerabilities Allowing Site Takeover Through Stolen API Credentials

 Snicco, a WordPress security services provider, has published an advisory on a vulnerability in the MalCare plugin, which is active on more than 300,000 sites. “MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites,” WordPress security researcher Calvin Alkan said. “Requests are authentication by comparing a shared secret stored… Continue reading MalCare, Blogvault, and WPRemote Plugins Patch Vulnerabilities Allowing Site Takeover Through Stolen API Credentials

Ultimate Member 2.6.7 Patches Privilege Escalation Vulnerability

Authors of the Ultimate Member plugin have released version 2.6.7 with a patch for a privilege escalation vulnerability. Last week WPScan reported that Ultimate Member had still not fully patched the vulnerability after multiple inadequate attempts. There was evidence that it was being actively exploited in the wild. Working through the complexities of this security… Continue reading Ultimate Member 2.6.7 Patches Privilege Escalation Vulnerability