Plugin Updates Being Delayed
Matt Mullenweg @ wordpress.org • 2 weeks ago
WP Org plugin updates being delayed up to 24 hours for AI security scanning.

Mandate Team @ wpmandate.com • 4 weeks ago
When you create an Application Password, the app that uses that password gets all of the capabilities of the user, even if that app only needs some limited access. Perhaps the correct approach is to create a user for each Application Password / app combination who only has the capabilities needed, instead of using your own account? That is not something I thought of before, but it makes sense. In any event, this new plugin, Mandate, adds a policy / capabilities layer onto Application Password use. It also provides expiration dates.

LaravelMoat Team @ github.com • 4 weeks ago
LaravelMoat is not Laravel-specific. It scans your GitHub organization and repositories to see if security best practices are in place.

Bill Toulas @ bleepingcomputer.com • 2 months ago
Be careful clicking on Google Ads, as they are frequently used in malicious campaigns. In this case, it’s ManageWP, but other companies have been targeted. In these types of ads, a brand’s reputation can be leveraged.

Years ago the shared wisdom was that GoDaddy was OK for domain registration, but don’t use their hosting. Now it seems that the organization has gotten too large and disorganized. This is not the first time I’ve heard of this type of issue with GoDaddy.

InstaWP @ wp-apps.org • 2 months ago
This is an attempt to limit the reach that traditional WordPress plugins have, and maybe it is a response to EmDash. It is a framework for WordPress apps that run alongside sites instead of as plugins.

Patchstack Team @ patchstack.com • 2 months ago
This is a very scary analysis of a sophisticated supply chain attack in the WowShipping Pro plugin. We still don’t have the full story, and possibly other WPXPO plugins could have been compromised, but if you are using WowShipping Pro then you need to take action.

Austin Ginder @ anchor.host • 2 months ago
Bad actors purchased popular plugins hosted on WordPress.org and added malware that was downloaded to users’ sites.

Mike Demopoulos @ forbes.com • 3 months ago
I imagine most of us are using Let’s Encrypt SSL certificates and so this might not apply, but to those managing SSL certs for clients this might be something to plan for.