WordPress Security Plugin WordPress HTTPS Contains Authenticated Persistent XSS Vulnerability
Yesterday we ran across a vague claim that the WordPress security plugin WordPress HTTPS, which has 50,000+ installs, might have a security vulnerability that is involved in hacks of websites. The source isn’t a reliable one (despite being the developer of a popular security plugin) and they didn’t provide any information to back that up. In checking over the plugin, we quickly found a reasonably serious vulnerability, though one that seems unlikely to be connected with the hacking claim being made.
We tested and confirmed that our firewall plugin for WordPress protected against the vulnerability even before we discovered it, as part of its protection against zero-day vulnerabilities.