4 Jun 2021

Our First Check of the Security of ClassicPress Plugins Found a Minor Vulnerability

One way we help to improve the security of WordPress plugins, not just for customers of our service but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. We have now brought similar monitoring to the Plugin Directory for the WordPress fork ClassicPress. That directory includes both plugins developed for ClassicPress and some plugins taken directly from the WordPress Plugin Directory.

The structure of ClassicPress’ directory is different, so instead of checking over the changes as they are made, as we can do with WordPress, we check over all the plugins we can download at regular intervals. At this point we cannot process them all in an automated way because of a couple of issues with easily getting access to the download links (those might be in the process of being resolved), but we were able to check a significant number of them earlier this week and none of them had any code that was flagged. [Read more]

17 Dec 2018

Yes, We Support ClassicPress (And You Can Help It While Also Protecting Against Plugin Vulnerabilities)

A month and a half ago we were contacted by one of our customers to ask if we supported the fork of WordPress, ClassicPress. Since then we have been meaning to put out a post to let people know we do, but it turns out that waiting allowed us to pair it with another announcement.

When it comes to the security of WordPress plugins, unfortunately the folks on the WordPress side of things seem at best highly misguided in what they are doing. For example, they have this bizarre idea that you should never warn people about unfixed vulnerabilities in plugins. That seems like an odd idea when the vulnerabilities are already publicly disclosed somewhere hackers would already be looking (which is often the case), but you have to wonder if the team wants people to be hacked when they refuse to warn people even after vulnerabilities are being exploited (and refuse to even discuss the alternative of fixing them). That is something that not only happens, but the head of the team running the plugin directory explicitly stated that they think not warning people as they are being hacked is a good idea. Just to add to the mess, the guy at the top of WordPress, Matt Mullenweg, has claimed that unfixed vulnerabilities are only a “hypothetical issue not seen in practice”. [Read more]