From across Automattic.

Updates from all of Automattic’s business units.

  • Interview with a WordPress Hacker: m0ze

    Over the past 10 years that WPScan have been cataloging WordPress vulnerabilities, we have had many hundreds of independent security researchers contribute to our WordPress vulnerability database. Today, we talk to m0ze, a long time WPScan vulnerability database contributor, who shares his thoughts on the state of WordPress security today. Please introduce yourself. My name is…

  • .blog Featured Site: foodandmood.blog

    Foodies everywhere will be inspired by this week’s featured dotblogger, foodandmood.blog. You may have heard that “a picture paints a thousand words”. This blogger does a breathtaking job in communicating her love of recipes and food through words and photography.

  • WordPress 5.7.1 Security and Maintenance Release

    Today, April 15th, 2021, WordPress released version 5.7.1, a security and maintenance release that reportedly patches two security vulnerabilities.

    The WordPress release announcement (https://wordpress.org/news/2021/04/wordpress-5-7-1-security-and-maintenance-release/) lists the following two security vulnerabilities as being patched in version 5.7.1:

    “Thank you SonarSource (https://www.sonarsource.com/) for reporting an XXE vulnerability within the media library affecting PHP 8. Thanks Mikael Korpela (https://mikaelkorpela.fi/) for reporting a data exposure vulnerability within the REST API.”

    Let’s take a closer look at these vulnerabilities and see what other information we can find out about them.

  • Zerodium Offers $300,000 for WordPress Exploits

    Zerodium (https://zerodium.com/), a company that buys security exploits to then resell to government entities, tripled its price for WordPress Remote Command Execution (RCE) exploits.

    In a tweet sent out on Friday, April 9th, Zerodium announced that they had temporarily tripled the price they pay out to security researchers for WordPress RCE exploits, increasing the payout from $100,000 to $300,000.

  • Covid Test Centres Leak Personal Information via WordPress API

    Over 14,000 covid test patients were affected by a data leak (https://www.golem.de/news/coronapandemie-neues-datenleck-bei-corona-testzentren-2104-155604.html) in Germany this week. This was due to the testing centre software using incremental identifiers in their custom WordPress REST API endpoint.

    (Image: https://wpscan-production.mystagingwebsite.com/assets/posts/covid-leak/covid-wordpress.jpg)

  • WooCommerce Customers Manager WordPress Plugin – Multiple Security Vulnerabilities

    A member of the WPScan research team discovered two security vulnerabilities within the premium WooCommerce Customers Manager (https://codecanyon.net/item/woocommerce-customers-manager/10965432) WordPress plugin, versions less than 26.6.

    The following two vulnerabilities were identified and added to our WordPress vulnerability database (https://wpscan.com/):

      • Authenticated Reflected Cross-Site Scripting (https://wpscan.com/vulnerability/ad9dd88c-7ae8-41ac-a0d7-469e146f7817) – CVSS: 7.1 (High) (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
      • Arbitrary User Account Creation/Update via CSRF (https://wpscan.com/vulnerability/10e2cb9d-7285-4d85-923b-bc1ba97bd51a) – CVSS: 8.8 (High) (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

  • WordPress Configuration File Backups

    What are Configuration File Backups?

    WordPress has a special file named wp-config.php (https://wordpress.org/support/article/editing-wp-config-php/) that stores sensitive configuration information for your website.

    By default, the wp-config.php file stores the following information:

      • MySQL settings
      • Secret keys
      • Database table prefix
      • ABSPATH

    Developers can also store other sensitive information in the file.

  • WordPress Version Control Files

    What are version control files?

    When developers write code they often use version control software, such as SVN (https://subversion.apache.org/) or Git (https://git-scm.com/), to help manage their work.

    When version control software is used, it often uses a hidden folder to store data about the source code being written. As this folder is hidden, it is easily overlooked and therefore inadvertently ends up on your website.

  • WordPress SSL/TLS HTTPS Encryption

    What is SSL/TLS HTTPS Encryption?

    Not so long ago the web’s communications were mostly unencrypted, allowing anyone who could eavesdrop on the traffic to read them. In recent years, the web has seen a dramatic change from mostly being unencrypted to encrypted.

    When your website has HTTPS enabled, all communication traffic from your users’ computers to your website is encrypted. This prevents any attackers, whether they be in a coffee shop trying to steal payment details, or nation state governments, from reading your users’ communications.

    Not only does HTTPS offer your users more security, search engines like Google also rank websites (https://developers.google.com/search/blog/2014/08/https-as-ranking-signal) that use HTTPS higher than those that don’t, resulting in more traffic from Google and others.

  • WordPress Secret Keys

    What are WordPress Secret Keys?

    WordPress secret keys are random long bits of text that are stored in the wp-config.php file. They help with encrypting and hashing important data within WordPress. They are used to help secure your authentication cookies and to create secure numbers to protect against attacks.

    WordPress have their own WordPress Secret Key Generator (https://api.wordpress.org/secret-key/1.1/salt/) that will output random secret keys for you, like the ones below:

  • WordPress Debug Log Files

    What are debug log files?

    When WordPress developers are working on coding a theme or plugin, it is often useful for them to log important data to a file, such as error messages, so that they can view and fix any problems. In WordPress, the debug log file is created with a known file name, debug.log, and usually stored in the publicly accessible /wp-content/ directory.

    To enable debug logging in WordPress, the developer has to set the following constants in the wp-config.php file:

  • Vulnerability in Zebra_Form PHP Library Affects Multiple WordPress Plugins

    The WPScan security research team identified an Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability within the Zebra_Form (https://github.com/stefangabos/Zebra_Form/) PHP library, which is used by multiple WordPress plugins.

    While investigating a dubious advisory (https://cxsecurity.com/issue/WLB-2021010104) related to a Cross-Site Scripting (XSS) vulnerability in the wp-ticket plugin, the Zebra_Form library was found to be responsible for the issue. At the time of writing, despite contacting the vendor multiple times, the latest version of Zebra_Form, version 2.9.8, is still affected.

    Fortunately, the affected WordPress plugins were no longer maintained, or had a small number of active installations. Nevertheless, we wanted to make the public aware of the vulnerability affecting Zebra_Form in case it is used elsewhere.

  • Is WordPress XMLRPC a security problem?

    What is WordPress XMLRPC?

    WordPress XMLRPC is an API that allows other websites and software to interact with your WordPress website. Some examples include creating new posts, adding comments, deleting pages and, probably the most commonly used in WordPress, pingbacks.

    As the name suggests, XMLRPC works by sending and receiving XML data. In WordPress, the file responsible for XMLRPC is called xmlrpc.php. This is the file that will receive XML data, process it and return the response, also in XML.

  • WPScan authorized as a CVE Numbering Authority by the CVE Program

    Bayonne, France, January 12th 2021. WordPress security company WPScan has announced that it has been named a Common Vulnerability and Exposures Numbering Authority (https://cve.mitre.org/cve/cna.html), authorized by the CVE Program to assign CVE IDs to vulnerabilities in WordPress.

    With 75 million users, WordPress is the most popular content management platform in the world and powers 39.6% of all websites, including the New York Times, Forbes, The White House and CNN. WordPress online retail platform, WooCommerce, is used by 27% of the ecommerce market.

    Because it is the most popular CMS platform, WordPress also attracts the attention of cyber criminals. To help keep a third of the world’s websites protected against hackers, botnet operators and malware merchants, an international army of enthusiasts and cyber security experts constantly check for vulnerabilities that could be exploited. New vulnerabilities are assigned an identification number and added to the Common Vulnerability and Exposures (CVE) List, which is overseen by CVE Numbering Authorities (CNAs).

  • WordPress Security Roundup November 2020

    It’s that time of year again where we donate 2% of our profits to a charity that positively impacts climate change, and this year we chose Sea Shepherd France (https://www.seashepherd.fr/) again. We do this every year as part of our Hack the Planet pledge.

    We launched several new versions of our WPScan WordPress security plugin (https://wordpress.org/plugins/wpscan/), which now contains additional security checks, rather than just the API checks. This included the following checks:

  • November 2020 Monthly Vulnerability Roundup

    WordPress Plugin Vulnerabilities

      • BuddyPress < 6.4.0 – Lack of Capability Check on Profile Page (https://wpscan.com/vulnerability/10485)
      • WP Google Map Plugin <= 4.1.3 – Authenticated SQL Injection (https://wpscan.com/vulnerability/10484)
      • WPJobBoard < 5.7.0 – Unauthenticated SQL Injection (https://wpscan.com/vulnerability/10482)
      • WPJobBoard < 5.7.0 – Unauthenticated Reflected XSS & XFS (https://wpscan.com/vulnerability/10481)
      • Media Library Assistant < 2.90 – Authenticated Blind SQL Injection (https://wpscan.com/vulnerability/10480)
      • Secure File Manager – Authenticated Remote Command Execution (https://wpscan.com/vulnerability/10478)
      • WooCommerce Anti-Fraud <= 3.2 – Unauthenticated Order Status Manipulation (https://wpscan.com/vulnerability/10479)
      • Anti-Spam by CleanTalk < 5.149 – Multiple Authenticated SQL Injections (https://wpscan.com/vulnerability/10477)
      • Weforms <= 1.4.7 – CSV Injection (https://wpscan.com/vulnerability/10476)
      • Easy Registration Forms <= 2.0.6 – CSV Injection (https://wpscan.com/vulnerability/10475)
      • Import and export users and customers < 1.16.3.6 – CSV Injection (https://wpscan.com/vulnerability/10474)
      • Contextual Related Posts < 2.9.4 – CSRF Nonce Validation Bypass (https://wpscan.com/vulnerability/10473)
      • Fancy Product Designer < 4.5.1 – Unauthenticated Stored Cross-Site Scripting (https://wpscan.com/vulnerability/10472)
      • [0day] AIT CSV Import / Export <= 3.0.3 – Unauthenticated Arbitrary File Upload (https://wpscan.com/vulnerability/10471)
      • BA Book Everything < 1.3.25 – Unauthenticated Reflected XSS & XFS (https://wpscan.com/vulnerability/10470)
      • Good LMS < 2.1.5 – Unauthenticated SQL Injection (https://wpscan.com/vulnerability/10467)
      • Ultimate Reviews < 2.1.33 – Unauthenticated PHP Object Injection (https://wpscan.com/vulnerability/10466)
      • Ultimate Member < 2.1.12 – Unauthenticated Privilege Escalation via User Meta (https://wpscan.com/vulnerability/10465)
      • Ultimate Member < 2.1.12 – Authenticated Privilege Escalation via Profile Update (https://wpscan.com/vulnerability/10464)
      • Ultimate Member < 2.1.12 – Unauthenticated Privilege Escalation via User Roles (https://wpscan.com/vulnerability/10463)
      • Abandoned Cart Lite for WooCommerce < 5.8.3 – Unauthenticated SQL Injection (https://wpscan.com/vulnerability/10461)
      • WooCommerce Blocks < 3.7.1 – Guest Account Creation (https://wpscan.com/vulnerability/10460)
      • WooCommerce < 4.6.2 – Guest Account Creation (https://wpscan.com/vulnerability/10459)
      • Welcart e-Commerce < 1.9.36 – Authenticated PHP Object Injection (https://wpscan.com/vulnerability/10458)
      • Augmented Reality <= 1.2.0 – Unauthenticated PHP File Upload leading to RCE (https://wpscan.com/vulnerability/10457)
      • GDPR CCPA Compliance Support < 2.4 – Unauthenticated PHP Object Injection (https://wpscan.com/vulnerability/10456)
      • WP Activity Log < 4.1.5 – SQL Injection in External Database Module (https://wpscan.com/vulnerability/10462)
      • AccessPress Social Icons < 1.8.1 – Authenticated SQL Injection (https://wpscan.com/vulnerability/10455)

  • WordPress Security Roundup for October 2020

    Here at WPScan we launched our brand new website (https://wpscan-production.mystagingwebsite.com/we-have-a-new-website), which we’re super happy with, and feedback so far has been overwhelmingly positive!

    We released three new versions of our WPScan WordPress security scanner (https://github.com/wpscanteam/wpscan), adding the login-uri option to specify the wp-login.php file location.

    We also released two new versions of our WordPress security plugin (https://wordpress.org/plugins/wpscan/), implementing new features such as the ability to configure the scan time.

  • WordPress 5.5.2 Security Release

    WordPress 5.5.2 was released on October 30th 2020, reportedly fixing 10 security vulnerabilities. Below are the vulnerabilities that were mentioned in the release notes and that have been added to the WPScan WordPress Vulnerability Database so far, including one from our very own security researcher, Erwan.

  • We have a new website!

    After several months’ work we have launched our brand new website for the WPScan WordPress Vulnerability Database (https://wpscan.com/):

    (Image: https://wpscan-production.mystagingwebsite.com/assets/posts/new-website/wpscan-vulnerability-database.png)

  • September 2020 Monthly Vulnerability Roundup

    WordPress Plugin Vulnerabilities

      • Slider by 10Web < 1.2.36 – Multiple Authenticated SQL Injection (https://wpscan.com/vulnerability/10416)
      • WP Courses < 2.0.29 – Broken Access Controls leading to Courses Content Disclosure (https://wpscan.com/vulnerability/10415)
      • Simple:Press < 6.6.1 – Broken Access Control leading to RCE (https://wpscan.com/vulnerability/10414)
      • XCloner Backup and Restore < 4.2.153 – Cross-Site Request Forgery (https://wpscan.com/vulnerability/10413)
      • XCloner Backup and Restore 4.2.1 – 4.2.12 – Unprotected AJAX Action (https://wpscan.com/vulnerability/10412)
      • Drag and Drop Multiple File Upload – Contact Form 7 < 1.3.5.5 – Unauthenticated Remote Code Execution (https://wpscan.com/vulnerability/10411)
      • Discount Rules for WooCommerce < 2.2.1 – Multiple Authorization Bypass (https://wpscan.com/vulnerability/10409)
      • MetaSlider < 3.17.2 – Authenticated Stored Cross-Site Scripting (XSS) (https://wpscan.com/vulnerability/10408)
      • Multiple Plugins/Themes – Cross-Site Request Forgery (CSRF) (https://wpscan.com/vulnerability/10407)
      • Affiliate Manager < 2.7.8 – Unauthenticated Stored Cross-Site Scripting (XSS) (https://wpscan.com/vulnerability/10405)
      • 10Web Social Post Feed < 1.1.27 – Authenticated SQL Injection (https://wpscan.com/vulnerability/10404)
      • Email Subscribers & Newsletters < 4.5.6 – Unauthenticated email forgery/spoofing (https://wpscan.com/vulnerability/10403)
      • Sticky Menu, Sticky Header (or anything!) on Scroll < 2.21 – CSRF & XSS (https://wpscan.com/vulnerability/10402)
      • LearnPress < 3.2.7.3 – CSRF & XSS (https://wpscan.com/vulnerability/10401)
      • Elementor Addon Elements < 1.6.4 – CSRF & XSS (https://wpscan.com/vulnerability/10400)
      • Cookiebot < 3.6.1 – CSRF & XSS (https://wpscan.com/vulnerability/10399)
      • Asset CleanUp: Page Speed Booster < 1.3.6.7 – CSRF & XSS (https://wpscan.com/vulnerability/10398)
      • All In One WP Security & Firewall < 4.4.4 – CSRF & XSS (https://wpscan.com/vulnerability/10397)
      • Absolutely Glamorous Custom Admin < 6.5.5 – CSRF & XSS (https://wpscan.com/vulnerability/10396)
      • Advanced Database Cleaner < 3.0.2 – Authenticated SQL injection (https://wpscan.com/vulnerability/10394)
      • ActiveCampaign < 8.0.2 – Cross-Site Request Forgery in Settings (https://wpscan.com/vulnerability/10393)
      • Constant Contact Forms < 1.8.8 – Multiple Authenticated Stored XSS (https://wpscan.com/vulnerability/10392)
      • NextScripts: Social Networks Auto-Poster < 4.3.18 – Insufficient Privilege Validation (https://wpscan.com/vulnerability/10390)
      • File Manager < 6.9 – Arbitrary File Upload leading to RCE (https://wpscan.com/vulnerability/10389)

  • On December 1st 2020 we will be closing WPScan.io (the SaaS)

    (We are not closing any of our other products or services, just the online WPScan.io SaaS!)

    WPScan.io started life in 2015 when we contracted a Rails development company to create a SaaS web front end on top of our WPScan CLI tool (https://wpscan.com/). Unfortunately, at that time, we only had the budget to complete around 50% of the work, as we were still a community project making hardly any money.

    The project sat in this half finished state for three years, until 2018, when we had a little bit more money to hire a freelance Rails developer.

  • Theme patterns for the Site Editor

    Learn how to use Template Part and Query Loop patterns to provide users with more design options.

  • Meet Mike Stott: Jetpack CRM’s Eager Entrepreneur

    Mike Stott’s a true entrepreneur who literally couldn’t wait to get started. His company joined Jetpack with one unique condition — read the surprising story.

  • Blogging vs Content Marketing: What's the Difference?

    The best way to think about the relationship between content marketing and blogging is that blogging can be part of a content marketing strategy, but content marketing is a much broader category that includes creating and distributing different types of content to a target audience.

  • A great piece from Vicki, an Automattic engineer on rotation at Tumblr, about the ritual of…

    The ritual of the deploy · Vicki Boykis

    A great piece from Vicki, an Automattic engineer on rotation at Tumblr, about the ritual of deploying code to production! 🚢

  • Universal themes: Some ideas

    With the Full Site Editing project well underway, theme developers need to be thinking about what the future holds for themes.

    Why block themes?

    To take advantage of the Site Editor, themes need to be built out of blocks – this is why we need block themes. Block themes are an entirely new way of…

  • The Digital Services Act: Defending the Digital Single Market and the Open Internet

    A coalition of technology companies consisting of Automattic, Jodel, Seznam, Twitter and Vimeo have published a joint letter titled “The Digital Services Act: Defending the Digital Single Market and the Open Internet”. The letter highlights their concerns over the potential fragmentation of the EU’s single market for the Internet as a result of national initiatives…

  • P2 Puts Easy, Flexible Project Tracking Tools In Your Hands

    Improve your team's workflow and productivity with these project tracking blocks.

  • The Complete Guide to the WordPress.com Media Library

    Get the most out of your images, videos, and more with this comprehensive guide to the Media Library.

  • Jetpack from Anywhere: The Mobile App is Here

    What's better than world-class security & analytics tools in a single plugin? The ability to access them on the go. See the future — Jetpack's new mobile app.

  • Built-in Duotone Image Filter, Editor Navigation via Persistent List View, and Other Block Editor Improvements

    The next batch of exciting updates to the block editor is live on WordPress.com. Powerful duotone image editing, a persistent list view to edit your page or post, and an update for picking table colors are all ready for you to build and improve the look of your site. Let’s take a closer look. Built-in…

  • WordPress.com Welcomes the Award-Winning Atavist Magazine to the Platform

    The Atavist Magazine, known for its in-depth journalism and creative, elegant design, joins sister site Longreads, making WordPress.com a home for the web’s best longform storytelling.

  • The Best Blogging Courses to Help Grow Your Blog

    Blogging is a great way to express yourself, share your passion, or grow your business. As a blogger, you’re always looking for ways to improve your blog. If you want to learn how to set up your blog, make changes, and strategize, consider taking a blogging course.

  • How to Create a Social Media Website

    Discover how to connect with your users and help them connect with each other, by creating your own social media website.

  • Let’s Celebrate Pride by Supporting Nonprofits

    For Pride this year, we’re highlighting queer nonprofits and charities. It’s more important than ever to support the queer community and raise awareness for those who do so all year round, long after the rainbow flags come down.

  • Day One, the Journaling App, Joins Automattic

    We’re excited to welcome Day One to the Automattic team. Day One is a private journaling app that makes writing for yourself a simple pleasure. A beautifully designed user experience has earned the app prestigious awards including App Store Editor’s Choice, App of the Year, and the Apple Design Award, along with high praise from…

  • Redesigning The Atavist Magazine

    The Atavist Magazine, one of Automattic’s flagship longform publications, recently relaunched on WordPress.com. In this conversation, editor in chief Seyward Darby and art director Ed Johnson talk about the history, (re)design, and future of the magazine.

  • How to Migrate a WordPress Site to a New Host (Easy Way)

    Is it time to move hosts? See five reasons you should and how to do it without stress or mistakes. Get the definitive guide from the people behind WordPress.com.

  • Distributed by Default: Matt Mullenweg on The Knowledge Project

    Matt Mullenweg joins Shane Parrish on The Knowledge Project podcast to talk about companies that are distributed from the beginning, and some of the benefits that means for its people. "Part of our model of distributed work also provides a fair amount of autonomy in how people get their work done," Matt said. "I like that it creates a lot more objectivity and focus around what the actual work is."

  • Vulnerabilities Found in Motor WordPress Theme < 3.1

    During an audit of the Motor theme (full name "Motor – Cars, Parts, Service, Equipments and Accessories WooCommerce Store" by Stockware) for WordPress, we found a number of rather severe vulnerabilities. These vulnerabilities would allow an unauthenticated attacker complete read access to files on the file system of the site host, and would also allow them to run any PHP scripts found in the file system. We did not identify any upload vulnerabilities in the Motor theme, but paired with other vulnerable plugins this could allow for a complete takeover of the vulnerable site. We disclosed these vulnerabilities to the theme store who then contacted the theme vendor with our findings. A fixed version of the theme was released as version 3.1 on June 3, 2021. We encourage everybody using this theme to upgrade to the latest version immediately!

  • Vulnerable Kaswara Modern WPBakery Page Builder Addons Plugin Being Exploited in the Wild

    Back on April 20th, 2021, our friends at WPScan reported a severe vulnerability on Kaswara Modern VC Addons, also known as Kaswara Modern WPBakery Page Builder Addons. It is not available anymore at Codecanyon/Envato, meaning that if you have this running, you must choose an alternative. This vulnerability allows unauthenticated users to upload arbitrary files to the plugin's icon directory (./wp-content/uploads/kaswara/icons). This is the first Indicator Of Compromise (IOC) our friends at WPScan shared with us in their report. The ability to upload arbitrary files to a website gives the bad actor full control over the site, which makes it hard to define the final payload of this infection; thus, we’ll show you everything we found so far (we got a little carried away on the research, so feel free to jump to the IOC section if you don't want to read through).

  • WordPress.com is the Fastest WordPress Host in Review Signal's 2021 Test

    WordPress.com delivered the fastest WordPress speed test of any company in any price tier in 2021.

  • .blog Featured Site: appetiteforwine.blog

    Louis Pasteur once said, "A bottle of wine contains more philosophy than all the books in the world." And that's a quote that gives you a sneak peek into our latest featured dotblogger, appetiteforwine.blog. It's a blog that focuses on the story behind the wine.

  • Using Blockbase for a theme experiment

    A glitchy theme, built with Blockbase.

  • How to Publish a Website on WordPress.com

    Learn how to publish a website using WordPress.com’s website builder in three steps and drive traffic to it in a sustainable way.

  • Jetpack 9.8: Engage your audience with WordPress Stories

    At Jetpack, we are continuously working to develop a better product for you and your website. This month, we bring the popular Story Block to the web editor, a feature previously exclusive to mobile. We are also shipping several under the hood improvements for an enhanced Jetpack experience.
