The Patchstack team challenges the notion that your web host provides sufficient site security. They setup sites with known vulnerabilities on a number of hosting platforms to see how well their security profile is. It is an interesting and useful test, and they name plugins that had vulnerabilities, but the report would have been twice as useful if they listed the names of the hosting companies. They establish a general presumption that a hosting company’s security is not sufficient, but no one knows if their hosting company was one of the ones tested, and hence “maybe” their host is better or not.

Recent data on Fail2ban and Imunify360 call into question their effectiveness in fighting modern bot attacks. These 2 tools have been widely popular for a long time, and quite effective in the past. Unfortunately, the changing nature of bot attacks and increases in number of IPs they have available (some of the bot networks now have millions of IPs). These tools just aren’t designed to handle these changing conditions.

We are continuously fighting to keep hackers out of the WordPress admin. Brute force attacks on the wp-login page, remote code execution due to zero-day plugin vulnerabilities, or hacker toolkits that try to access plugin files by cycling through lists of known vulnerabilities – these types of attempts must be blocked. In this article and accompanying video I present a lockdown option for power users that works nicely for certain types of sites and would stop common hacker activity.

Interested in a deep dive into WordPress security? Group member Tai Hoang has created a WordPress Security Handbook that he would like to share. He has packed in a lot of information.

A reminder that the files in the uploads folder are publicly accessible if you know the URL … which may have been how the UK budget leaked early.

The latest version of FluentCart and noticed that they had a full security audit done by PatchStack. Way to go Fluent team! I wish more plugin developers would have a 3rd party audit.

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the legacy chunked upload mechanism in all versions up to, and including, 2.9.21.1. This is due to the extension blacklist not including .phar files, which can be uploaded through the chunked upload mechanism. This makes it possible for unauthenticated attackers to upload executable .phar files and achieve remote code execution on the server, granted they can discover or enumerate the upload path. In order for an attacker to achieve RCE, the web server needs to be set up to process .phar file as PHP via file handler mapping or similar.

Many hosting platforms use Imunify360 AV. There is a critical vulnerability.

WordPress 6.8.3 is rolling out now. It is a security release and the core team is recommending that people update their sites now.