20 Sep

Responsible Disclosure and Closing a WordPress Plugin With an Unfixed Vulnerability Didn’t Prevent Websites From Being Hacked

One of the things we do to keep track of vulnerabilities in WordPress plugins to warn customers of our service if they are using publicly known insecure plugins is monitoring WordPress support forum. Recently that hasn’t led to us finding out about any vulnerabilities we didn’t know about, but it does provide a regular reminder of the lack of concern of people in charge of WordPress about addressing the poor handling of security problems with plugins.

Yesterday a topic was started on the forum of Rich Reviews, “Plugin not supported; open to malware – uninstall now!“, which starts: [Read more]

02 Jan

What Happened With WordPress Plugin Vulnerabilities in December 2017

If you want the best information and therefore best protection against vulnerabilities in WordPress plugins we provide you that through our service.

Here is what we did to keep those are already using our service secure from WordPress plugin vulnerabilities during December (and what you have been missing out on if you haven’t signed up yet): [Read more]

19 Dec

The Results of Our WordPress Plugin Security Checker Lead to More Serious Issues in Plugin

We recently introduced a new tool to check WordPress plugins in the Plugin Directory for possible security issues. As we continue to look to how we can improve that, we are recording any issues identified by it, so that we can see what kinds of things it is identifying and where they might be room to refine the checks.

In looking over one of the plugins that it identified issues in, what we found was that one of the possible issues was not likely to be exploitable, but did point to the possibility that the pluginswas not all that securely written in general and led to us finding a more serious vulnerability in the plugin. That is obviously one data point, but it does indicate that it might be useful for plugins that are identified as having possible issue to have proper security review done. For those using our service they can then vote/suggest to have the plugin receive a review from us and for those that some reason are not interest in the service can always order a review separately. [Read more]