As shared here earlier, Thomas J. Raef recently released an analysis of hacked WordPress sites and found a significant number are hacked because session cookies were stolen due to the user’s computer having malware. One outcome from that research is the importance of logging out of sites and not just closing the browser.

In this article Calvin Alkan provides a deep dive into how WordPress sessions work. He found that WP session management provides good protection against Cross-Site Scripting attacks and session Fixation, but does not protect against session hijacking from local devices. Calvin’s suggestion is to decrease the lifetime of WordPress sessions to help prevent session hijacking.

I was looking at Jerry Gamblin’s compiled stats about vulnerability reporting in 2023 across all software (the report is not WP specific). It was interesting to note that PatchStack was the top reporting agency. Congrats to Oliver Sild and his team.

This is an interesting 2023 retrospective by Thomas J. Raef looking at hacks by vector. One of the take-aways is to get in the habit of logging out of your sites and not just closing the browser window.

Here is a podcast interview with Calvin Alkan and Remkus de Vries on the current state of WordPress security.

WordPress 6.4.2 is rolling out. It includes 7 bug fixes and 1 security update. The explanation for the security item is:

“A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.”

Patchstack released a major update today with performance enhancements, better hardening, simplified rules module, and more.

WordFence launches a bug bounty program to reward researchers within the program’s parameters. This competes with Patchstack which already has a program. Unfortunately, the WordFence CEO takes a swipe at Patchstack … I prefer when WordPress companies seek to cooperate.

Patchstack has a new feature, Patchstack Priority. What I gather from the announcement is that it is another rating system in addition to the CVSS score. The Patchstack Priority is meant to indicate how likely the immediate threat is and how quickly you should respond.

I always update vulnerable plugins immediately, so I’m not sure how helpful this will be for me, though it is good to know if there are active exploits.

You have probably been prompted to setup passkeys and thought it would be a good idea to research it. This interesting article discussing passkeys is worth a read before you start using this new security feature.