WordPress Version Control Files

What are version control files?

When developers write code they often use version control software, such as SVN or Git, to help manage their work.

When version control software is used, it often uses a hidden folder to store data about the source code being written. As this folder is hidden, it often can’t be viewed and therefore inadvertently ends up on your website.


WordPress SSL/TLS HTTPS Encryption

What is SSL/TLS HTTPS Encryption?

Not so long ago the web’s communications were mostly un-encrypted, allowing anyone who could eavesdrop on the traffic to read them. In recent years, the web has seen a dramatic change from mostly being un-encrypted to encrypted.

When your website has HTTPS enabled all communication traffic from your user’s computers to your website are encrypted. This prevents any attackers, whether they be in a coffee shop trying to steal payment details, or nation state governments, from reading your user’s communications.

Not only does HTTPS offer your users more security, search engines like Google also rank websites that use HTTPS higher than those that don’t, resulting in more traffic from Google and others.


WordPress Secret Keys

What are WordPress Secret Keys?

WordPress secret keys are random long bits of text that are stored in the wp-config.php file. They help with encrypting and hashing important data within WordPress. They are used to help secure your authentication cookies and to create secure numbers to protect against attacks.

WordPress have their own WordPress Secret Key Generator that will output random secret keys for you, like the ones below:


WordPress Debug Log Files

What are debug log files?

When WordPress developers are working on coding a theme or plugin, it is often useful for them to log important data to a file, such as error messages, so that they can view and fix any problems. In WordPress, the debug log file is created with a known file name, debug.log, and usually stored in the publicly accessible /wp-content/ directory.

To enable debug logging in WordPress, the developer has to set the following constants in the wp-config.php file:


Vulnerability in Zebra_Form PHP Library Affects Multiple WordPress Plugins

The WPScan security research team identified an Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability within the Zebra_Form PHP library, which is used by multiple WordPress plugins.

While investigating a dubious advisory related to a Cross-Site Scripting (XSS) vulnerability in the wp-ticket plugin, the Zebra_Form library was found to be responsible for the issue. At the time of writing, despite contacting the vendor multiple times, the latest version of Zebra_Form, version 2.9.8, is still affected.

Fortunately, the affected WordPress plugins were no longer maintained, or had a small number of active installations. Nevertheless, we wanted to make the public aware of the vulnerability affecting Zebra_Form in case it is used elsewhere.


Is WordPress XMLRPC a security problem?

What is WordPress XMLRPC?

WordPress XMLRPC allows other websites and software to interact with your WordPress website. Also known as an API. Some examples include creating new posts, adding comments, deleting pages and probably most commonly used in WordPress, pingbacks.

As the name suggests, XMLRPC works by sending and receiving XML data. In WordPress, the file responsible for XMLRPC is called xmlrpc.php. This is the file that will receive XML data, process it and return the response, also in XML.


Important changes to WPScan API subscription plans

API Subscription Plan Changes

We are making important changes to our subscription plans that we think you should know about.

From February 1st we will be making the following changes to the WPScan WordPress Vulnerability Database subscription plans:

  • Free plan: Lowering the API calls from 50 to 25.
  • Starter plan: Increasing the API calls from 50 to 75.
  • Professional plan: Increasing the API calls from 250 to 300.

We will not be changing any of our subscription plan pricing, we are only making changes to the number of API calls each plan can make.


WPScan authorized as a CVE Numbering Authority by the CVE Program

Bayonne, France, January 12th 2021, WordPress security company, WPScan, has announced that it has been named a Common Vulnerability and Exposures Numbering Authority authorized by the CVE Program to assign CVE IDs to vulnerabilities in Wordpress.

With 75 million users, WordPress is the most popular content management platform in the world and powers 39.6% of all websites, including the New York Times, Forbes, The White House and CNN. WordPress online retail platform, WooCommerce, is used by 27% of the ecommerce market.

Because it is the most popular CMS platform, WordPress also attracts the attention of cyber criminals. To help keep a third of the world’s websites protected against hackers, botnet operators and malware merchants, an international army of enthusiasts and cyber security experts constantly check for vulnerabilities that could be exploited. New vulnerabilities are assigned an identification number and added to the Common Vulnerability and Exposures (CVE) List, which is overseen by CVE Numbering Authorities (CNAs).


WordPress Security Roundup November 2020

It’s that time of year again where we donate 2% of our profits to a charity that positively impacts climate change, and this year we chose Sea Shepherd France again. We do this every year as part of our Hack the Planet pledge.

We launched several new versions of our WPScan WordPress security plugin, which now contains additional security checks, rather than just the API checks. This included the following checks:


November 2020 Monthly Vulnerability Roundup

WordPress Plugin Vulnerabilities