Following up on his article about authentication cookies, Calvin Alkan does a deep dive on WordPress salts. The salts keys are found in the WP Config file and people often wonder what they are and if we need to do something in relation to them. All of that and more in this technical article.

As shared here earlier, Thomas J. Raef recently released an analysis of hacked WordPress sites and found a significant number are hacked because session cookies were stolen due to the user’s computer having malware. One outcome from that research is the importance of logging out of sites and not just closing the browser.

In this article Calvin Alkan provides a deep dive into how WordPress sessions work. He found that WP session management provides good protection against Cross-Site Scripting attacks and session Fixation, but does not protect against session hijacking from local devices. Calvin’s suggestion is to decrease the lifetime of WordPress sessions to help prevent session hijacking.

The WordPress 6.5 roadmap – Kind of an interesting random mix. There is mention of a Custom Fields API, but reading on that one it seems up in the air and seat of the pants.

WordPress 6.4.2 is rolling out. It includes 7 bug fixes and 1 security update. The explanation for the security item is:

“A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.”

This 6.4 retrospective survey had some interesting responses that gives insight into the release process and possible changes.

This article has a bit of a behind the scenes look at the creation of the Twenty Twenty-Four theme.

WordPress 6.4.1 RC 1 is available and a release is expected later today.

Proposed WordPress core release schedule for 2024. Interesting that they are considering one of the releases be reserved for fixes and polishing.

The Field Guide for WordPress 6.4 is now available. We’ve covered most of the features and changes that are coming, but here is a good summary if you haven’t been following it.