Monday, June 29, 2026

WordPress security just upgraded


The enormous popularity of WordPress and the open source nature of its ecosystem make it an attractive target for attackers. Security has been a long-standing problem for WordPress. That may be changing: the commercial arm of WordPress recently acquired a security company, which may help bring security in-house and reduce hacking incidents.

Vulnerabilities for third-party plugins and theme developers

Common vulnerabilities such as cross-site scripting (XSS) and WordPress API flaws arise from sloppy coding practices by third-party developers in the WordPress ecosystem.

The two most common points of failure are developers neglecting to sanitize user input or to validate content uploaded to the WordPress installation. For example, if a contact form expects plain text, it must not accept scripts or images, and there must be a mechanism that rejects anything other than the expected content.

Another coding failure is not adequately checking the permission level of the person interacting with the WordPress site. This leads to the so-called privilege escalation vulnerability, in which an attacker with the lowest access level can obtain the highest permission level.
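The two failures just described, missing input validation and missing permission checks, are easiest to see in plugin code. The handler below is an added example written for this article, not code from WPScan, Jetpack or any plugin the article mentions. It processes a hypothetical contact form: the action tag `example_contact`, the option name `example_contact_messages` and the nonce names are assumptions. Every WordPress function it calls (`check_ajax_referer`, `sanitize_text_field`, `wp_check_filetype_and_ext`, `wp_handle_upload`, `current_user_can`) is a real core function.

```php
<?php
/**
 * Contact-form handler for a WordPress plugin (added example; not from WPScan
 * or the article). It shows the two checks the text describes:
 *  1. sanitize and validate everything the visitor sends, including uploads;
 *  2. check the caller's capability before any privileged action.
 * Hook tag 'example_contact', option 'example_contact_messages' and the nonce
 * action names are hypothetical.
 */

// Anonymous visitors (wp_ajax_nopriv_) and logged-in users (wp_ajax_) both
// land in the same function, so both go through the same validation.
add_action( 'wp_ajax_example_contact',        'example_handle_contact' );
add_action( 'wp_ajax_nopriv_example_contact', 'example_handle_contact' );

function example_handle_contact() {
    // CSRF: the request must carry a nonce issued for this specific action.
    check_ajax_referer( 'example_contact_nonce', 'nonce' );

    // Input sanitization: strip tags, normalise whitespace, reject bad e-mail.
    $name    = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );

    if ( '' === $name || ! is_email( $email ) || '' === $message ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }
    if ( strlen( $message ) > 2000 ) {
        wp_send_json_error( array( 'message' => 'Message too long.' ), 400 );
    }

    // Optional attachment: allow a fixed set of types only, and let WordPress
    // inspect the file content rather than trusting the client-supplied name.
    if ( ! empty( $_FILES['attachment']['tmp_name'] ) ) {
        $allowed = array( 'pdf' => 'application/pdf', 'png' => 'image/png' );
        $check   = wp_check_filetype_and_ext(
            $_FILES['attachment']['tmp_name'],
            $_FILES['attachment']['name'],
            $allowed
        );
        if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
            wp_send_json_error( array( 'message' => 'File type not allowed.' ), 400 );
        }
        // wp_handle_upload() moves the file into the uploads directory and
        // re-applies the MIME restriction through the 'mimes' override.
        // (admin-ajax.php already loads wp-admin/includes/file.php.)
        $upload = wp_handle_upload(
            $_FILES['attachment'],
            array( 'test_form' => false, 'mimes' => $allowed )
        );
        if ( isset( $upload['error'] ) ) {
            wp_send_json_error( array( 'message' => 'Upload failed.' ), 400 );
        }
    }

    // Store the sanitized message. Escape again on output (esc_html etc.)
    // when it is rendered in the admin screen; sanitizing input is not enough.
    $messages   = get_option( 'example_contact_messages', array() );
    $messages[] = compact( 'name', 'email', 'message' );
    update_option( 'example_contact_messages', $messages );

    wp_send_json_success();
}

// Privileged action: deleting all stored messages. The capability check is
// what stops a subscriber-level account from doing an administrator's job;
// the nonce alone does not establish who the caller is allowed to be.
add_action( 'wp_ajax_example_contact_delete', 'example_delete_messages' );

function example_delete_messages() {
    check_ajax_referer( 'example_contact_delete_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    delete_option( 'example_contact_messages' );
    wp_send_json_success();
}
```

The delete handler is the part most often got wrong in real plugins: registering it only under `wp_ajax_` (not `wp_ajax_nopriv_`) proves the caller is logged in, but without `current_user_can()` any logged-in role, including a subscriber created through open registration, can call it.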


Each vulnerability discovered is entered into a manually curated database called the WPScan Vulnerability Database. The database serves as a resource for the WordPress security community and as an alert system for newly discovered vulnerabilities.

The database now belongs to the commercial division of WordPress.

WordPress acquires WordPress security company

Jetpack, a division of Automattic (the commercial arm of WordPress), announced that it is acquiring WPScan, the popular WordPress security company. The resources WPScan provides allow WordPress and the WordPress security ecosystem to respond quickly to security issues. Jetpack is a suite of WordPress tools that includes a security component.

Security is an important area for WordPress because competitors point to it as a weakness. At that level, it makes sense for Jetpack to acquire a company dedicated to WordPress security.

Jetpack promised to keep the product free for non-commercial use and noted that some WPScan features will be absorbed into the security products in the Jetpack tool suite.


Why WPScan is important

WPScan is a vulnerability database.

WPScan also provides:

  • An API for accessing the database
  • The WPScan security scanner, a command line interface (CLI) tool
  • A WordPress security plugin

WPScan database

WPScan is, first of all, a publicly available database that records WordPress vulnerabilities and exposes that information through an API.

Information about WordPress vulnerabilities is manually compiled by WPScan and contributors.

WPScan is also an official CVE Numbering Authority (CNA), which means it can assign the CVE identifiers the security community uses to reference vulnerabilities.

The database can be accessed by individuals, businesses, and security researchers.

Pricing is based on the number of API calls made to the database: information can be obtained for free through the API up to a certain volume, higher tiers offer more database access at relatively moderate prices, and custom pricing is available for enterprise-level needs.

WPScan WordPress Security Scanner

WPScan also provides the WPScan WordPress Security Scanner, a command line scanner that is free for non-commercial use. It scans websites for the vulnerabilities recorded in the WPScan database.

Examples of what the free WPScan WordPress Security Scanner checks:

  • “The installed version of WordPress and any related vulnerabilities
  • What plugins are installed and any related vulnerabilities
  • What themes are installed and any related vulnerabilities
  • Username enumeration
  • Password brute force cracking of users who use weak passwords
  • Backup and publicly accessible wp-config.php file
  • Publicly accessible database dump
  • If the plugin exposes the error log”

WPScan WordPress plugin

Finally, WPScan provides a free plugin that scans the website to determine whether there are vulnerabilities in the WordPress installation itself and/or the installed themes and plugins. The plugin uses the WPScan database API to check for vulnerabilities. Daily scans are said to fall within the API's free tier.

The plugin also scans for common weaknesses that may make the site vulnerable:

  • “Check the debug.log file
  • Check the wp-config.php backup file
  • Check if XML-RPC is enabled
  • Check code repository file
  • Check if the default key is used
  • Check the exported database file
  • Weak password
  • HTTPS is enabled”
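Most of the items in that list are properties of the site's own files and configuration, so an owner can audit them from inside the installation without any external scanner. The following WP-CLI command is an added example written for this article; it is not the WPScan plugin's code and does not reproduce its logic. It reads local constants and files only and makes no HTTP requests. The command name `example-audit` and the function name are hypothetical; the constants (`WP_CONTENT_DIR`, `ABSPATH`, `WP_DEBUG_LOG`, the eight `*_KEY`/`*_SALT` constants), the `xmlrpc_enabled` filter and the placeholder string `put your unique phrase here` are real WordPress values. The weak-password item is omitted because it cannot be judged from configuration alone.

```php
<?php
/**
 * Local hardening self-audit as a WP-CLI command (added example; not the
 * WPScan plugin). Run with: wp example-audit
 * Only inspects the site's own filesystem and constants; a file existing on
 * disk is reported as a finding whether or not the web server exposes it,
 * because the safe state is for it not to exist at all.
 */
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    return;
}

function example_security_audit() {
    $findings = array();

    // debug.log: with WP_DEBUG_LOG on, PHP notices (often containing file
    // paths) are written to wp-content/debug.log, which is web-reachable.
    $debug_log = WP_CONTENT_DIR . '/debug.log';
    if ( ( defined( 'WP_DEBUG_LOG' ) && WP_DEBUG_LOG ) || file_exists( $debug_log ) ) {
        $findings[] = 'debug.log is enabled or present under wp-content';
    }

    // wp-config.php backups: editor and deploy leftovers are not executed as
    // PHP, so their contents (database credentials) are served as plain text.
    foreach ( array( '.bak', '.old', '.orig', '.save', '.txt', '~' ) as $suffix ) {
        if ( file_exists( ABSPATH . 'wp-config.php' . $suffix ) ) {
            $findings[] = 'backup copy of wp-config.php found: wp-config.php' . $suffix;
        }
    }

    // XML-RPC: core consults this filter before serving xmlrpc.php, so a
    // value of true here means the endpoint is live.
    if ( apply_filters( 'xmlrpc_enabled', true ) ) {
        $findings[] = "XML-RPC is enabled; add_filter( 'xmlrpc_enabled', '__return_false' ) disables it";
    }

    // Code repository metadata under the web root exposes source and history.
    foreach ( array( '.git', '.svn', '.hg' ) as $vcs ) {
        if ( file_exists( ABSPATH . $vcs ) ) {
            $findings[] = "version-control directory $vcs present under the web root";
        }
    }

    // Default keys: the sample wp-config.php ships with this placeholder; with
    // it in place, authentication cookies and nonces are signed with a known key.
    $keys = array(
        'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
        'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
    );
    foreach ( $keys as $key ) {
        if ( ! defined( $key ) || 'put your unique phrase here' === constant( $key ) ) {
            $findings[] = "$key is missing or still the default placeholder";
        }
    }

    // Exported database dumps left in the web root (.sql, .sql.gz, .sql.zip).
    foreach ( glob( ABSPATH . '*.sql*' ) ?: array() as $dump ) {
        $findings[] = 'database dump in web root: ' . basename( $dump );
    }

    // HTTPS: the configured site URL should use https.
    if ( 0 !== strpos( get_option( 'siteurl' ), 'https://' ) ) {
        $findings[] = 'siteurl does not use https';
    }

    return $findings;
}

WP_CLI::add_command( 'example-audit', function () {
    $findings = example_security_audit();
    if ( empty( $findings ) ) {
        WP_CLI::success( 'No findings.' );
        return;
    }
    foreach ( $findings as $finding ) {
        WP_CLI::warning( $finding );
    }
} );
```

Each finding maps directly to one item in the list above. The check reports the existence of a backup or dump file rather than probing whether it is reachable over HTTP, because the remediation is the same either way: remove the file from the web root.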


The main function of the WPScan plugin is to alert site owners quickly when a plugin, theme, or WordPress itself contains a vulnerability and when a patch for it is released.

Why did Jetpack acquire WPScan?

Jetpack stated that it acquired WPScan in order to open up its data further and keep it going as a resource for the entire WordPress ecosystem.

Jetpack announced:

“…Our goal with this acquisition is to make the malware data and APIs more open source. We want to ensure that WPScan continues to be a high-quality and secure resource for the entire WordPress community. To this end, we will explore ways to make the API completely free for non-commercial sites.

… WPScan will continue to operate independently in the near future, and may be integrated into Jetpack Scan in the future.

Current WPScan customers will not be affected by this acquisition in the short term, and will receive the same high-quality WordPress security services they expect.”


WordPress security will be improved

As part of the acquisition, the founders of WPScan will join Automattic.

The email sent to the WPScan community briefly describes how the WordPress community will benefit:

“Joining a company like Automattic will allow us to improve our services faster, implement new features and products, and find new ways to make our WordPress vulnerability data more open and accessible to the community.

We will also work closely with Automattic’s Jetpack Scan security team to use their expertise to make the WordPress ecosystem more secure for users.”

This acquisition puts WPScan on a path of new features and improvements that will benefit the entire WordPress community.

Citations

Read the Jetpack announcement of the WPScan acquisition:

Jetpack Acquires WordPress Vulnerability Database WPScan

Visit the official WPScan plugin page:

WPScan - WordPress Security Scanner plugin
