If you use the All in One Security plugin then update to the latest version and have all users create new passwords. They were writing all passwords in clear text in the plugin’s audit logs.

Security issue – MalCare, BlogVault, and WPRemote apparently store some credentials unencrypted in the database which isn’t a best practice. Reported to them about 3 months ago by Calvin Alkan. Apparently WP Umbrella had a similar issue that was fixed in a day or two.

Kathy Zant published an article that covers a number of topics, but mainly marketing and security. In it she shares how she learning successful marketing techniques by observing a hacker. The article is a good use of story telling and in it she shares a number of gems.

Calvin Akn, a security researcher, published an article looking at WordPress malware scanners. The summary of the article is that malware scanning can be helpful for detecting common malware, but more sophisticated attacks can bypass it and give you a false sense of security. Therefore, you should not rely totally on malware scanning but should have good measures in place for prevention. There are some interesting and clever step by step illustrations of the concepts described in the article.

The research in the article was done in conjunction with GridPane and Thomas J. Raef. Patchstack verified the proof of concepts discussed, as noted in the article.

There have been a number of plugins that have repeated had security issues, even among the bigger players. In this editorial I suggest that it is time for the big players to start having their plugins audited for security. When we evaluate plugins we check for a money back guarantee, that they tell about themselves on the website, that they have positive reviews, are actively providing support, and so on. Lets start politely asking about independent security audits.

A SQL injection vulnerability was reported in Tutor LMS requiring a user with student level access to execute. What is newsworthy is that the issue was reported 3 months ago and still not patched.

The JetPack API could be used by authors on a site to manipulate any files in the WordPress installation.

This article from PatchStack explains what WordPress salts are and how they are used.

There is a very bad vulnerability in the free version of Essential Addons for Elementor The plugin is the most popular Elementor addon and has more than 1 million active installs. Versions 5.4.0 to 5.7.1 are vulnerable and users are urged to upgrade to the latest version which has been patched.