Our Improved Proactive Monitoring Caught Another Authenticated Option Update Vulnerability in a WordPress Plugin
When WordPress websites are hacked because of the software running on them, the cause is usually a security issue in a WordPress plugin. You would assume that companies selling WordPress security would therefore focus on plugin vulnerabilities, but what we have found is that this isn't true. Others in the industry often warn about vulnerabilities weeks after we do (and often only after widespread exploitation attempts are already under way), and they spend a troubling amount of time making up threats that don't really exist (perhaps because it is easy to protect against non-existent threats). In the wake of an option update vulnerability in the plugin WP GDPR Compliance being widely exploited, the response of one high-profile company that had failed to protect its paying customers was to lie about that.
While we warned our customers before that vulnerability was exploited, we treat every instance of large-scale exploitation as an opportunity to improve what we do. One idea that came out of that situation is still waiting to be implemented, but others were put in place right away. One of those was to detect more vulnerabilities of the kind that was exploited: a plugin's AJAX handler or settings code letting any authenticated user, including a subscriber-level account, update arbitrary WordPress options. That led to us spotting the same kind of vulnerability in one of the 1,000 most popular plugins less than a week later, and that one went on to be exploited as well. Others in the security industry are only now becoming aware of it, even though it has been almost a month since we warned about it. In the meantime, we have been catching more vulnerabilities of that type.
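To make concrete what "authenticated option update vulnerability" means, the following is an added illustration written for this page, not code from WP GDPR Compliance or from any of the plugins referred to above. The hook and option names (`myplugin_save_setting`, `myplugin_color`, `myplugin_footer_text`, `myplugin_settings`) are assumed placeholders; the WordPress functions used are real core APIs. The first handler shows the vulnerable pattern, the second shows the checks that close it.

```php
<?php
/*
 * Added example (not from the original post or any named plugin).
 * Both handlers are registered on a wp_ajax_* hook, which WordPress
 * exposes to every logged-in user through wp-admin/admin-ajax.php,
 * including accounts with only the Subscriber role.
 */

/* --- Vulnerable pattern ---------------------------------------------- */

// Hypothetical hook name for illustration.
add_action( 'wp_ajax_myplugin_save_setting', 'myplugin_save_setting_vulnerable' );

function myplugin_save_setting_vulnerable() {
    // No nonce check, no capability check, and the option NAME comes
    // from the request. sanitize_text_field() only strips tags and
    // whitespace; it does nothing to limit which option is written.
    $name  = sanitize_text_field( wp_unslash( $_POST['option'] ) );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ) );

    update_option( $name, $value );   // any option, e.g. default_role
    wp_send_json_success();
}

/*
 * Why this matters: a subscriber can POST
 *   action=myplugin_save_setting&option=users_can_register&value=1
 *   action=myplugin_save_setting&option=default_role&value=administrator
 * and then register a new account that is created as an administrator.
 * That is the same class of issue the post refers to, generalised.
 */

/* --- Hardened version ------------------------------------------------ */

// Hypothetical hook name for illustration.
add_action( 'wp_ajax_myplugin_save_setting_fixed', 'myplugin_save_setting_fixed' );

function myplugin_save_setting_fixed() {
    // 1. CSRF protection: the request must carry a nonce issued for
    //    this action (wp_create_nonce( 'myplugin_settings' ) on the
    //    settings page). Dies with a 403 response on failure.
    check_ajax_referer( 'myplugin_settings', 'nonce' );

    // 2. Authorisation: being logged in is not enough; require the
    //    capability that administrators have and subscribers do not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Never let the client choose the option name. Map the request
    //    onto a fixed allowlist of the plugin's own options.
    $allowed = array( 'myplugin_color', 'myplugin_footer_text' );
    $name    = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';

    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
```

When reviewing a plugin for this class of bug, the pattern to look for is any `update_option()` (or `update_site_option()`) call whose first argument is derived from `$_POST`, `$_GET` or `$_REQUEST` and is reachable from a `wp_ajax_*`, `wp_ajax_nopriv_*`, `admin_init` or REST callback without a `current_user_can()` check in front of it. A nonce check on its own is not sufficient: it proves the request came from the plugin's own page, not that the user is allowed to change the option.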