Last month I discovered a critical SQL injection vulnerability in the no-longer-developed yet still actively used Cart66 Pro plugin for WordPress. Here are the details …
One of the first things on any security auditor’s list is checking to see if a site is vulnerable to cross-site scripting (XSS).
There have been a handful of discussions lately surrounding WordPress and usernames – particularly whether or not exposing usernames is a security risk.
The consensus appears to be “no.” I beg to differ.
Even if your site is browsed over HTTPS, it is not actually secure if any of its assets (images, scripts, styles) are loaded over plain HTTP: an attacker on the network can tamper with those assets, and a script fetched this way runs with the full privileges of the HTTPS page. Browsers flag this as a “mixed content” warning, which many people brush off as unimportant. For some sites the warning points to a serious problem, and I want to explain why.
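As an added example (not code from the original post or from any WordPress project), here is a small offline scanner that finds the HTTP sub-resource references a mixed-content warning is about. The sample page and URLs are constructed for the demonstration; the split into “active” content (scripts, stylesheets, frames, which browsers block because they execute in the page’s origin) and “passive” content (images and media, which browsers usually only warn about) is my classification, not something the post defines.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed classification (not from the post): which tag/attribute pairs fetch
# sub-resources. "active" content is executed or applied inside the HTTPS
# page's origin (scripts, frames, plugins, stylesheets); "passive" content is
# only displayed (images, media). Browsers block active mixed content and
# usually just warn about passive, but even a warning means an on-path
# attacker can replace what the user sees.
ACTIVE = {
    ("script", "src"),
    ("iframe", "src"),
    ("object", "data"),
    ("embed", "src"),
}
PASSIVE = {
    ("img", "src"),
    ("video", "src"),
    ("audio", "src"),
    ("source", "src"),
    ("track", "src"),
}


class MixedContentScanner(HTMLParser):
    """Collect sub-resource references that would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "link":
            # Only stylesheets are fetched as page resources; rel="canonical"
            # and similar metadata links are not mixed content.
            rel = (attrs.get("rel") or "").lower().split()
            if "stylesheet" in rel and attrs.get("href"):
                self._record("active", tag, attrs["href"])
            return
        for t, a in ACTIVE:
            if t == tag and attrs.get(a):
                self._record("active", tag, attrs[a])
        for t, a in PASSIVE:
            if t == tag and attrs.get(a):
                self._record("passive", tag, attrs[a])

    def _record(self, kind, tag, ref):
        # Resolve relative ("/path") and protocol-relative ("//host/path")
        # references against the page URL; those inherit https and are fine.
        absolute = urljoin(self.page_url, ref.strip())
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(html, page_url):
    """Return [(kind, tag, url)] for every sub-resource fetched over HTTP."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: an HTTPS checkout page with a mix of safe and unsafe
# asset references (hostnames are placeholders, not real sites).
SAMPLE_PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://shop.example/wp-content/themes/t/style.css">
<link rel="canonical" href="http://shop.example/checkout">
<script src="//cdn.example.net/jquery.js"></script>
<script src="http://cdn.example.net/analytics.js"></script>
</head><body>
<img src="/wp-content/uploads/logo.png">
<img src="http://static.example/banner.jpg">
</body></html>
"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(f"{kind:7} <{tag}> {url}")
```

Run against the sample, the scanner reports the HTTP stylesheet and the HTTP analytics script as active mixed content and the HTTP banner image as passive; the protocol-relative jQuery reference, the relative logo path and the canonical link are correctly ignored. The two active findings are the ones that matter most: an attacker who can modify traffic on the path to those hosts gets script execution inside the HTTPS checkout page.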