WordPress Plugin Development (2) WordPress Security (3)

  • The state of WordPress security plugins in 2022

    On May 30, 2022, we disclosed two, in our opinion, pretty serious security vulnerabilities in two popular WordPress 2FA plugins through the WPScan platform. Our initial disclosure was very detailed, and WPScan promptly assigned it a provisional CVE. Fast forward three months, there were still no fixes on the horizon, and ultimately WPScan decided to […]

  • Stop the prefixing

    The WordPress codex still lists the following advice to avoid naming collision on your plugin: A naming collision happens when your plugin is using the same name for a variable, function or a class as another plugin. Luckily, you can avoid naming collisions by using the methods below. WordPress Codex This might have been helpful […]

  • How to safely get the IP address of the current user in a WordPress plugin

    This article is based on outstanding research done in The perils of the “real” client IP. If you are creating a WordPress plugin that relies in any way or shape on getting the real IP of the current user visiting the site you need to be extremely careful. If you are getting this wrong (and […]