17 Jan 2025

Two-Factor Authentication (2FA) Won’t Stop an Attacker From Using Their Own WordPress Account to Engage in Malicious Activity

Two-factor authentication (2FA) can be useful for securing WordPress websites in certain circumstances, but it is often touted as being useful for things it isn’t needed for or isn’t capable of helping with. We often see it claimed that people should use it to protect against brute-force attacks against WordPress admin passwords. That is despite those attacks continuing to not happen. Using 2FA when you don’t need to can even create vulnerabilities that would allow an attacker access to your website, so understanding what it can and can’t do is important.

Another place where 2FA isn’t the solution is when an attacker is using their own WordPress account. That was part of the advice with a recent claim of a malware campaign against WordPress websites. The source for that was claiming that the hacker would cause a new WordPress account with the Administrator role to be created. They did that by causing someone already logged in as an Administrator to make that happen without that person taking any action. The source was then suggesting implementing 2FA to stop the attacker. [Read more]

16 Jan 2025

1+ Million Install WordPress Plugin Has Been Using an Outdated Known Insecure Version of a Library For Nearly 3 Years

Last year we created the Plugin Security Scorecard tool to help the WordPress community have a better understanding of the security of plugins and hopefully to get better practices more widely implemented. As part of our work on that, we have been continuing to expand its capability to identify when plugins are using outdated and known insecure/vulnerable third-party libraries. That capability either doesn’t exist elsewhere in the community or isn’t being used. That is highlighted by a plugin that was checked through the tool today.

The plugin checked was the 1+ million install plugin SVG Support, which had several issues identified: [Read more]

16 Jan 2025

How Not to Defend Yourself Against the Latest WordPress Malware Attack

Yesterday, as part of an odd series of stories about a malware campaign claimed to be connected to WordPress, the news outlet Make Use Of, which is included in Google News, ran a story titled “How to Defend Yourself Against the Latest WordPress Malware Attack.” It was an odd title since the original source of the claims about this has admitted they don’t know how the malware is getting on the websites. The story started this way:

As one of the most popular website builders in the world, WordPress has yet again become a target for malware. Though security researchers are still trying to work out how certain sites became infected, there are ways to check if your WordPress site is one of the victims, and to defend against any imminent attacks. [Read more]

16 Jan 2025

Developer of 1+ Million Install WordPress Plugin Hasn’t Addressed All Known Vulnerabilities Despite Making That Claim

We release advisories warning about WordPress plugin developers who have a repeated track record of failing to handle security well. A reasonable question to ask is whether such a backward-looking determination is helpful, or whether past is not prologue in this case. We ran across an example where the problem with a developer has continued. It also suggests that a developer who isn’t making sure to mark their plugins compatible might have additional issues. And finally, the situation is a reminder that you can’t rely on plugin developers to give you accurate information on the security of their plugin.

A post from earlier this month on the support forum of the 1+ million install plugin WP File Manager asked about compatibility with WordPress 6.7. The plugin had not been marked as compatible with that version despite it having been released in November. Someone from the developer responded that “Although the documentation currently lists compatibility up to WordPress 6.6.2, rest assured that the plugin has been tested and is fully functional with newer releases, including WordPress 6.7.1.” WordPress sends out an email ahead of new releases asking developers to test and then mark their plugins compatible. So the failure to do that is somewhat concerning. [Read more]

15 Jan 2025

WordPress Security Header Plugins Still Claiming to Provide Protection With Headers That Web Browsers Long Ago Stopped Supporting

In looking into complaints about the search functionality of the WordPress Plugin Directory recently, a common complaint we saw is that new plugins don’t get promoted. As part of an alternative search functionality we have been putting together, we decided to try to address that in part by including a new plugin after the first ten results for queries. When doing a search on “security,” that currently highlights a security headers plugin:

[Read more]

15 Jan 2025

Audrey Capital Employee Samuel “Otto” Woods Closed Discussion About WordPress Not Promoting Automattic’s Jetpack Plugin

Last week Automattic, the company of the head of WordPress, Matt Mullenweg, announced they were going to contribute less to WordPress. In doing that, they complained that “we’ve observed an imbalance in how contributions to WordPress are distributed across the ecosystem, and it’s time to address this.” The credited author of the post is the Executive Director of WordPress.org. What was left unsaid was how Automattic benefits from WordPress over other companies because of its level of control over the project. We just ran into an instance, predating the current situation with WordPress, where an attempt to address that wasn’t allowed.

Last week, we wrote about an Automattic employee who had access to non-public data on the top search terms for the WordPress Plugin Directory and who admitted to changing the search algorithm to promote Automattic’s Jetpack plugin. That isn’t the only way that Jetpack is promoted in the WordPress Plugin Directory. From the admin interface of WordPress, going to the page to add a new plugin brings up a set of Featured plugins: [Read more]

14 Jan 2025

Journalists Once Again Focus on WordPress While Ignoring That Sucuri Failed to Protect and Secure Their Customers’ Websites

While WordPress has very real security problems, news coverage related to hacked WordPress websites often focuses on WordPress while ignoring the more pertinent problem: security companies are scamming their customers. Yesterday, a story ran in one security “news outlet” titled “WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables.” Again, that was yesterday. For those familiar with hacked WordPress websites, or hacked websites using other software, this is a bizarre headline. Malware stored in a database isn’t a new phenomenon, nor is what they are describing something that should evade detection. Several other “news outlets” included in Google News ran similar stories. The sole source for all those stories was a blog post by Sucuri.

It was fairly standard for Sucuri, with them once again admitting that one of their customers got hacked. That is despite claiming that their service protects websites from being hacked: [Read more]

14 Jan 2025

Matt Mullenweg Will Again Be “Community Member” Ultimately Responsible for WordPress Release With Version 6.8

Recently the head of WordPress, Matt Mullenweg, was complaining about the time and energy he was having to expend on the project. If this wasn’t performative, you would reasonably expect that he would hand off work to others. One place that could happen is with the Release Lead role for the next release of WordPress. That role is supposed to be the “community member ultimately responsible for” a release of WordPress. But in reality, going back through the last 15 releases, he had that role 12 times. Two employees of his company, Automattic, handled the other two. On Friday afternoon, though, it was announced that he again would be taking on that role.

From a security perspective, having a new release lead would be an opportunity for someone who might allow known security issues with WordPress to be addressed and fairly easy-to-implement security improvements to finally be made. That unfortunately hasn’t been of interest to Matt Mullenweg and those other Automattic employees. Hopefully, that is not because of Automattic’s business interest in selling security solutions. [Read more]

13 Jan 2025

New Executive Director of WordPress.org Now Credited as Author of Automattic’s Post Announcing Company’s Reduction in WordPress Contributions

Last week, Automattic announced that they would be reducing how many hours they claim to contribute to the WordPress project under the Five for the Future program. (The accuracy of the Five for the Future pledges in general seems highly suspect.) At the time, the post didn’t have an author shown, but ended “– The Automattic Team.” Since then, the design of Automattic’s website has been updated, causing the credited author of the post to be displayed. You can now see it is listed as Mary Hubbard:

[Read more]

10 Jan 2025

The New Executive Director of WordPress.org is Now Claiming to Only Spend 5 Hours a Week on WordPress

When it comes to the security problems with WordPress plugins, as well as many other problems with WordPress, the project’s lack of proper governance is a key problem. In addition to Matt Mullenweg, the only person that appears to have an oversight role for the project has been the Executive Director of WordPress. That hasn’t produced good results.

While not disclosed by Matt Mullenweg when he announced the position, the first holder of the position was the head of the open source division of Automattic, Matt Mullenweg’s company. The obvious conflict of interest might explain why that person never released the conflict of interest policy they promised for over a year. That person held the position from 2019 until September, when Matt Mullenweg offered a buyout to Automattic employees after his extortion campaign against WP Engine went public. They unsurprisingly operated largely in line with what you would expect from someone who is an employee of Automattic and happens to hold that title. [Read more]