WordPress Versions 3.7-4.0 No Longer Get Security Updates

In September, WordPress’ Security Team announced it would be dropping support for versions 3.7 through 4.0 by December 1, 2022. Yesterday the final releases for these versions (3.7.41, 3.8.41, 3.9.40, and 4.0.38) were made available to the very small percentage of users who are running ancient versions of WordPress. As part of the final releases,…

Patchstack enriches open vulnerability data with signals showing attack volume, method, and source

Back in August, Oliver Sild announced in Post Status Slack that Patchstack was opening up “additional data” to “enrich the vulnerability data” their service discloses, now “with [a] real-time IP feed of attackers who hit [Patchstack’s] virtual patches.” Virtual patches are Patchstack’s quick interventions for customers’ sites when an official patch doesn’t exist yet for…

Security News Roundup

There’s a Slashdot discussion of ZDNet’s reporting on a critical security vulnerability in OpenSSL: OpenSSL Warns of Critical Security Vulnerability With Upcoming Patch. Australia is increasing fines for massive data breaches. Apple has admitted they will only commit to patching their latest OS versions. Ars Technica’s Andrew Cunningham: This confirms something that independent security researchers…

Over, Under, Around, and Through

WordPress Business News Roundup for the Week of October 3. This week Alex Denning (Ellipsis) draws on Iain Poulson’s historical, high-level plugin data at WP Trends to offer some thoughtful, somewhat contrary, but practical and grounded perspectives on the value of Active Install Data. At the WP Watercooler and elsewhere, a realization seems to be…

Active Install Data Story Update: Not a breach but abuse of an endpoint

At the WPwatercooler, JJJ clears up some of the mystery… There are two very simple and still live endpoints that have provided the obfuscated active install data at wordpress.org since 2017. They’re just PHP files, not endpoints that map to anything else. They access the database to give a JSON result to properly formed queries.…

Trust Issues

Our WordPress Business News Roundup for the Week of October 3. Cory Miller asks, “What can we do to better support our plugin developers and product owners?” Katie Keith offers some clues with the story of her WordPress/WooCommerce agency and product shop, Barn2 Plugins. Dan Knauss and Nyasha Green talk about microaggressions, the Active Install…

Open Source Communities: You May Not Be Interested in CISA, But CISA is Very Interested in You

United States national security interests are poised to become more invested in and engaged with open source projects classified as public infrastructure. From Log4j to the Securing Open Source Software Act, how did it all come together in 2022, and what may lie ahead? Back in 2016, the White House…

Active Install Charts Removed from Plugin Repo

In reaction to as yet unpublicized details about the abuse of active install data in the WordPress.org plugin repository, the charts displaying that data have been removed from plugin pages in a move expected to be temporary. Important (and some familiar) questions are emerging as this story unfolds: how to balance the values of openness,…

Patchstack Partners with Hostinger

In the run-up to WCUS, I missed out on mentioning Patchstack has partnered with Hostinger to offer their customers a proactive security monitoring and update tool. Hostinger CMO Daugirdas Jankas explains how that tool works, thanks to Patchstack’s vulnerability database. The database is constantly updated by a community of security researchers formerly called the Patchstack…