Author: wpscanteam
-
WordPress VIP Integrates WPScan to Flag Potential Vulnerabilities with Major Sites Before They Go to Production
WordPress VIP hosts many of the largest sites on the web, and as such these sites are likely targets of cyber attacks. Sites hosted by WordPress VIP can’t afford to have a vulnerability live for a single minute. That’s a tough ask for site managers given that there are more than 38,000 known WordPress vulnerabilities,
-
What is a brute force attack?
A brute force attack is a type of cyberattack where the attacker uses an automated system to try different combinations of username and password until they find the correct combination. This can be done by using a dictionary of common words or by using a list of common passwords. The attacker will keep trying different
-
WordPress Black Box Testing Basics
If you’re a security researcher looking for a thorough testing method, black box testing should be at the top of your list. Involving an outside perspective to test an application’s or system’s core functionality and security, black box testing is becoming increasingly popular among organizations that need to ensure their infrastructure can withstand any breach attempt.
-
WordPress VIP Adds WPScan to Codebase Manager
WordPress VIP, Automattic’s managed WordPress hosting platform for enterprise and large‑scale websites, is excited to announce they have incorporated WPScan into the WordPress VIP Codebase Manager. WPScan’s market‑leading security technology brings enhanced, proactive protection and threat detection for WordPress VIP enterprise customers, including continuous monitoring of existing plugins and alerts for potential vulnerabilities. Improved security empowers customers
-
Protecting your WordPress website against SQL injection attacks
If you own a WordPress website, then chances are you’ve heard of SQL injections in WordPress. These malicious attacks can wreak havoc on your website and leave it vulnerable to hackers. Fortunately, there are steps you can take to protect your website from the threat of a WordPress SQL injection attack. Let’s explore what is
-
What to do about a blind SSRF vulnerability affecting WordPress Core
We have been hearing questions from WPScan clients about a long‑standing vulnerability that has been present in the WordPress software for some time, but we only recently added it to our threat database, so that’s why it has just appeared in results. However, the vulnerability is not new. There is not currently a fix or
-
The Complete Checklist for WordPress Security Leaders
Automattic, the parent company to WPScan, hosts many of the biggest websites on the web, and security is one of our highest priorities. What follows is our checklist for security leaders: Best Practices for Your WordPress Website; Essential Tips for WordPress Plugin Security; General Password Hygiene; Web Security Guidelines; Computer Security Recommendations; Guidelines for Phones and Tablets. Phew. That’s it. Did
-
A Note On 2FA Plugin Vulnerabilities
We’ve been alerted that certain vendors are using suboptimal secret management techniques to handle (H/T)OTP encryption keys, which leads to them not bringing any additional security value. Examples we’ve received include storing the encryption key in the database alongside the shared secret it encrypted, or using the same key for all sites using the plugin. We
-
Writing Good Submissions
We receive a non‑negligible number of submissions every day. We model the risk they represent for site owners, figure out what kind of privilege is required to successfully exploit the issue, and forward the information to plugin and theme authors to get it fixed. This can get pretty time-consuming, especially when we need to scavenge
-
WPScan Acquired by Automattic
We are very excited to let you know that WPScan will be joining Automattic! WPScan has been working on improving the WordPress security ecosystem for over 10 years. During that time we released our wildly popular WordPress security scanner. We then developed and released the WordPress vulnerability database, where we triage and record hundreds of WordPress