WordPress 6.4.3 Security Update
Ram Gall @ wordfence.com • 8 months ago
Today’s WordPress 6.4.3 update contained security patches for two minor issues in core.
Matt Barry @ wordfence.com • 8 months ago
Wordfence is adding features to its command line interface. In addition to malware scanning, it is starting to add automatic remediation.
Liam Gladdy @ advancedcustomfields.com • 8 months ago
Advanced Custom Fields version 6.2.5 is now available. This release is a security fix release containing an important change you need to be aware of before you update. From ACF 6.2.5, use of the ACF Shortcode to output an ACF field will be escaped by the WordPress HTML escaping function wp_kses.
Good news from Patchstack for individuals and small agencies. Based on community feedback, they have updated their Community Plan options and pricing. The Community Plan used to include vulnerability detection for only up to 10 sites, with no real-time protection; real-time protection used to cost an additional $9 per month per site.
Now real-time protection costs an additional $5 per month per site, so adding real-time protection for a single site is only $60 a year.
Also, if you need more than 10 sites in the Community Plan, you can pay $49 a month to extend it to 50 sites (still with an additional $5 per site per month for real-time protection).
These changes fill the gap between the Community Plan and the Developer Plan, which includes a higher number of sites and real-time protection.
By the way, this makes Patchstack's vPatching real-time protection less expensive than Wordfence's.
Calvin Alkan @ snicco.io • 8 months ago
Following up on his article about authentication cookies, Calvin Alkan does a deep dive on WordPress salts. The salt keys are found in the WordPress config file (wp-config.php), and people often wonder what they are and whether they need to do anything with them. All of that and more in this technical article.
Calvin Alkan @ snicco.io • 8 months ago
As shared here earlier, Thomas J. Raef recently released an analysis of hacked WordPress sites and found that a significant number were hacked because session cookies were stolen from a user's malware-infected computer. One outcome of that research is the importance of logging out of sites rather than just closing the browser.
In this article Calvin Alkan provides a deep dive into how WordPress sessions work. He found that WordPress session management provides good protection against cross-site scripting attacks and session fixation, but does not protect against session hijacking from a compromised local device. Calvin's suggestion is to decrease the lifetime of WordPress sessions to help limit the window for session hijacking.
Jerry Gamblin @ jerrygamblin.com • 9 months ago
I was looking at Jerry Gamblin's compiled stats about vulnerability reporting in 2023 across all software (the report is not WordPress specific). It was interesting to note that Patchstack was the top reporting agency. Congrats to Oliver Sild and his team.
Thomas Raef @ wewatchyourwebsite.com • 9 months ago
This is an interesting 2023 retrospective by Thomas J. Raef looking at hacks by attack vector. One of the takeaways is to get in the habit of logging out of your sites rather than just closing the browser window.
Remkus de Vries @ remkusdevries.com • 9 months ago
Here is a podcast interview with Calvin Alkan and Remkus de Vries on the current state of WordPress security.