Run an effective website security audit. The 18 can’t-miss steps for a secure site. Tools for serious cybersecurity pros. Are you covered? Full checklist.More

Do you know all of these website security threats? How to mitigate risks & detect vulnerabilities before cybercriminals. Proven tools & security methods. More

Did you miss something? Check tasks off your list and off your mind with this 29-point WordPress security checklist designed just for professionals. More

UPDATE (2023-07-03): A new version, 2.6.7, was released this weekend, and fixes the issue. If you use Ultimate Member, update to this version as soon as possible. You can find Ultimate Member’s incident postmortem here. Recently, Automattic’s WP.cloud and Pressable.com platforms identified a trend in compromised sites, where rogue new administrator accounts kept appearing in…More

During a recent internal review of the Formidable Forms plugin, a serious security issue was detected which could potentially enable users with low privileges such as subscribers to install arbitrary plugins on vulnerable sites. The exploitation of this vulnerability could grant malicious users the power to install any plugin available on downloads.wordpress.org, which can lead…More

WordPress VIP hosts many of the largest sites on the web, and as such these sites are likely targets of cyber attacks. Sites hosted by WordPress VIP can’t afford to have a vulnerability live for a single minute. That’s a tough ask for site managers given that there are more than 38,000 known WordPress vulnerabilities,…More

During an internal audit, the WPScan team found a vulnerability in the WP Meta SEO plugin. This vulnerability allows attackers with at least Author privileges to upload and deserialize a PHAR file, leading to arbitrary PHP object deserialization. We were able to escalate this vulnerability to remote code execution, without the need for additional code…More

CASE STUDYHow WP Engine automates security for over 1.5 million customer sites with WPScan. The Hero: WP Engine The Problem “We know that there are other options out there, but given the sense of completeness and alerts for ALL relevant plugins, we never had a need to go crosscheck WPScan against anyone else.” — Brent…More

A brute force attack is a type of cyberattack where the attacker uses an automated system to try different combinations of username and password until they find the correct combination. This can be done by using a dictionary of common words or by using a list of common passwords. The attacker will keep trying different…More

During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, The WPScan research team uncovered two SQL Injection vulnerabilities that could allow low-privileged users like subscribers to leak sensitive information from a site’s database. If exploited, the vulnerability might grant attackers access to privileged information from impacted sites’ databases, such as usernames…More