
Increased Volume of Threats During Holidays
We are just a few days away from Christmas holidays and many people have already gone to their well deserved vacations. When companies are under staffed and resources are allocated only to …

What Will WordPress Security Look Like in 2025?
I was thinking whether to leave this as the last security weekly, but I reckon that by releasing this in the middle of the holidays will most likely not get the attention …

Why Use Virtual Patching for WordPress Security?
Virtual patching is a security strategy that involves applying protective measures to the WordPress application without modifying any of the source code (core/plugins/themes). Virtual patches aim to provide a real-time response and …

What Role Does AI Play in WordPress Security?
We can’t ignore the power of LLMs and AI when it comes to security. At Patchstack, we work closely together with Google and earlier in 2024 we were selected into a Google …

Where to get your WordPress plugins and themes?
As of writing this article, it’s a hot topic. Some plugins which have been available on WordPress.org plugins repository have been moved over to custom distribution systems or to GitHub. Meanwhile, the …

What is a CVE?
In previous weeks, we have talked a lot about different security vulnerabilities and linked to their CVE IDs. I realized however, that I have not properly covered what a CVE is and …

What is a CVSS score and how to prioritise WordPress vulnerabilities?
You’ve most likely noticed a CVSS score whenever a security vulnerability has been reported to you. CVSS (Common Vulnerability Scoring System) scores are calculated to give a quick understanding of the severity …

What is a CSV Injection Vulnerability?
CSV Injection is a rare and somewhat controversial vulnerability which has been found in less than 100 WordPress plugins over the recent years. In the Patchstack bug bounty program, where security researchers …

What is an Arbitrary File Upload Vulnerability?
Arbitrary File Upload vulnerabilities are among the most dangerous security flaws in the WordPress ecosystem. These vulnerabilities allow malicious users to upload files that can execute harmful code on …

What is Privilege Escalation Vulnerability?
Privilege Escalation occurs when a lower-privileged or unauthenticated user can perform an action that escalates their current privilege to a higher level. These vulnerabilities allow attackers to gain elevated access to a …

What is a Sensitive Data Exposure Vulnerability?
Imagine that you receive an email from your favorite service provider saying that there was an attempt to access your account. Or a phishing email in your inbox on behalf of your …

What is a Remote Code Execution vulnerability?
The legendary Remote Code Execution is an uncommon but critical security vulnerability that allows an attacker to run arbitrary code or command line commands on a server or application remotely. In the …

What is Local File Inclusion Vulnerability?
Local File Inclusion (LFI) is a type of vulnerability in web applications that occurs when an attacker manipulates the application into including files from the server’s filesystem. What Causes a Local File …

What is Cross-Site Request Forgery?
Let’s talk about Cross-Site Request Forgery. It’s a common security vulnerability that might have affected your website as well. In fact, according to the 2022 State of WordPress Security Report, Cross-Site Request …

What is a Broken Access Control Vulnerability?
This week, let’s dive into broken access control vulnerabilities. It’s probably one of the most self-explanatory vulnerability types, as it arises from—you guessed it—broken access control. More specifically, these vulnerabilities occur when …

What is a Cross-Site Scripting (XSS) Vulnerability?
Cross-Site Scripting is one of the most common security vulnerabilities found in WordPress plugins over the years. In 2023, XSS ranked #1 as the most common vulnerability in the WordPress ecosystem, with …

What is an SQL Injection Security Vulnerability?
In our 15th TAB Security Weekly, we explored some of the most dangerous vulnerabilities commonly exploited in WordPress plugins. However, there are many different types of vulnerabilities we haven’t covered yet. With …

WordPress Security Through Obscurity?
Occasionally, we still encounter people who passionately recommend security measures that offer questionable value. Many of these recommendations fall into the category of security through obscurity. This week, let’s discuss some of …

Is Headless WordPress more secure?
Terms like headless architecture, Jamstack, or Composable often pop up during discussions about the future of the web. While those terms differ a bit from each other, they all circle around decoupling …

Getting Started with WordPress Incident Response (Pt. 3)
In the previous posts (part 1 & part 2), we explored the critical steps of preparing for a potential hack on your WordPress site, including the initial triage phase and the comprehensive …

Getting Started with WordPress Incident Response (Pt. 2)
In the previous post, we explored the importance of being prepared for a potential hack on your WordPress site, discussed the Incident Response (IR) plan phases, and dived deeper into the triage …

Getting Started with WordPress Incident Response
In previous episodes, we have extensively covered one of the key aspects of security: the proactive approach (or safeguards). This includes all the measures related to good security hygiene and posture to …

How to Use PassKeys for WordPress Authentication
In the previous two episodes, I covered the importance of password managers and why 2-factor authentication is equally important. What about if a password is not needed at all or when you …

Getting Started with Multi-Factor Authentication (2FA/MFA)
In the last weekly, we covered the importance of password managers. While making sure to not re-use passwords is improving your security posture significantly – it’s still possible for hackers to figure …

Getting Started with Access Management (Password Managers)
One of the most basic security-related questions I’m constantly being asked is “What password manager should I use?”. This mostly comes from people who have not yet done much for their …

How to Deal with Incoming Security Reports
Sometimes developers and security researchers find bugs accidentally or when intentionally testing software security. If they are ethical, they would then report these security issues to the software vendor so they could …

Are Your WordPress Sites Really Isolated From Each Other?
We’ve touched on the topic of site isolation in February in an episode covering server level security. A few days ago, Vladimir Smitka, a well known Czech security researcher in the WordPress ecosystem, …

How to Make the WordPress Development Process Safer
In the recent weeks, we’ve talked a lot about what to avoid when building websites. This week, let’s cover the basics of a professional WordPress website development and how correct workflows can …

Why You Should Avoid Nulled WordPress Plugins
Every once in a while, I see a new GPLClub-like marketplace that is selling nulled premium WordPress plugins for a fraction of the original price. While these marketplaces are not illegal, they …

Why You Should Avoid Abandoned WordPress Plugins
Something that has been coming up a lot lately is the issue of abandoned WordPress plugins and themes. Since around 30% of security vulnerabilities reported in plugins won’t get patched, people have …

How to Automate WordPress Security for Care Plans
In the previous two issues of Security Weekly we’ve talked about the importance of WordPress maintenance plans and why the essential maintenance and security plan has to come with every professionally built …

How to Set Up a WordPress Maintenance Service
When it comes to security, maintenance is essential. Whenever a company or a person reaches out to an agency or a freelancer to get a website designed and built for them …

How to Help Customers Understand Security
We talked about security responsibilities in the 11th issue of Security Weekly. This week, let’s take a closer look into how the security responsibility should be communicated to the website owners, so …

Supply Chain Security Risks in WordPress Plugins
In March 2024, WordPress 6.5 introduced a feature called plugin dependencies. As you may know, there are many plugins which are essentially add-ons for other plugins. The plugin dependencies feature of WordPress …

Most Dangerous Vulnerabilities in WordPress Plugins
As we recently published the annual Patchstack report about WordPress security (and also covered it in the last TAB security weekly), we shared some insight into what are the most commonly found …

State of WordPress Security – 2024 Report
This week is a little different. In the beginning of each year, we take a look at how the ecosystem has evolved and what the data shows about the current state of …

WordPress Plugins Security Vulnerability Disclosures
There have been a lot of discussions about how plugin developers should communicate security fixes to the users. In the past, it has been their decision to choose whether they want to …

WordPress Security Compliance & Regulations
Security compliance and regulations are topics that are not often discussed in the context of WordPress, but this is going to change significantly in the coming years. GDPR was one of the …

Who should take the responsibility of WordPress security?
Whenever most people discuss WordPress security, the conversation typically revolves around which security solutions to use, where to host the website, and how to keep it secure. Something that often seems missing …

Most Common WordPress Security Misconceptions
As we’ve covered the basics of WordPress security, it’s time to address some common myths and misconceptions. The internet is brimming with SEO content offering various security tips. While some advice is …

WordPress Security on Application Layer
Once you have your server ready, you’ll need to set up the application that you wish to host there. This application in our case is WordPress and all of the different …

WordPress Security on Server Layer
Last week we talked about WordPress security on the network layer (with Cloudflare as an example). This week, we’ll look into what will happen once the traffic gets passed to the server. …

WordPress Security on the Network Layer
In the last post, we covered different layers of the WordPress attack surface. Security should always be applied on multiple layers. Today, we will be covering what you can (and should) do …

How to map the WordPress attack surface?
Before you can start setting up any security measures, you should have a clear understanding of where security is even needed. To do that, you’ll first need to start mapping your attack surface. …

Consider yourself hacked
We now know why the hackers are after websites and how they are targeting them (if you missed this, check out the previous episodes). You’ve probably also noticed that I’ve intentionally avoided …

How do WordPress sites get hacked? (Part 3)
In the past 2 issues, we’ve talked about the different ways websites are taken over by compromising privileged accounts and by exploiting security vulnerabilities in the WordPress core, plugins and themes. Sometimes …

How WordPress sites get hacked? (Part 2)
Last week, we covered the different methods hackers use to compromise WordPress websites by taking over administrator accounts. This week, we’ll cover the second most common attack vector (which in some months …

How do WordPress sites get hacked? (Part 1)
Last week we talked about what motivates cyber criminals to automate attacks against websites to gain unauthorised access. Now, as we know what their motivations are, let’s look into how they do …