snicco

Taking the pain out of enterprise WordPress development

Calvin Alkan

  • Final Milestones on the Path to v1.0.0: Fortress CLI, Unlimited Config Environments & More

    Fortress’s v1.0.0 is purely symbolic at this point. Plenty of sites are running it in production without a hitch, and frankly, I’d bet a decent amount of money that Fortress is already among the most reliable and heavily tested software in the WordPress ecosystem. That said, we’ve released two of the remaining big milestones that,…

  • Fortress Code Freeze – Reap the Security Benefits of “Immutable WordPress” without the Complexity

    Recent research from WeWatchYourWebsite based on data from millions of WordPress sites has shown that 67% of all WordPress compromises are caused by either session cookie hijacking or stolen credentials. Additionally, plugin vulnerabilities related to privilege-escalation are consistently among the most mass-exploited: Regardless of how an admin account is compromised, for the vast majority of…

  • How WordPress Uses Salts and Why You Should Not Rotate Them: A Technical Deep-Dive

    It’s difficult to find a topic in WordPress Security with more published misinformation than WordPress Salts. Nobody seems to have an idea how WordPress Core actually uses them & unfortunately, even the Core documentation is partially misleading.

  • How WordPress uses Authentication Cookies & Sessions: A technical Deep-Dive

    Authentication Cookies / Sessions is easily one of the most misunderstood and badly documented topics in WordPress security. At the end of this, you’ll exactly know how the WordPress Authentication & Session Management system works and what its weaknesses are.

  • New in Fortress: Redefining Reliability with Unbreakable Config Validation

    This past month we’ve been busy. Not with flashy features but with rigorous under-the-hood improvements. Reliability isn’t just a phrase we sprinkle on marketing pages; it’s the essence of how we design software at Snicco. Before we wrote a single line of code for Fortress, we dedicated four months to building a robust, containerized testing…

  • FREE: Secure Your EDD Stripe Keys – Fortress Vaults & Pillars in Practice

    Introduction In this guide, we’ll walk you through the process of securing your Easy Digital Downloads Stripe keys using Fortress Vaults & Pillars. By the end of this tutorial, your sensitive Stripe keys will be securely encrypted, and the risk of malicious access will be significantly reduced. We will be using the following Software versions:…

  • FREE: Secure Your Gravity Forms Stripe Keys – Fortress Vaults & Pillars in Practice

    Introduction In this guide, we’ll walk you through the process of securing your Gravity Forms Stripe keys using Fortress Vaults & Pillars. By the end of this tutorial, your sensitive Stripe keys will be securely encrypted, and the risk of malicious access will be significantly reduced. We will be using the following Software versions: The…

  • Solving WordPress’s Pathological Plaintext Problem: Introducing Fortress Vaults&Pillars

    We solved WordPress’s Plaintext Problems. And you can get FREE access.

  • Malware Madness 1/2: Why everything you know about your WordPress Malware Scanner is wrong

    Introduction Malware scanning and removal have traditionally been focal points in the WordPress security ecosystem. Users have placed their trust in Malware Scanning plugins to keep sites secure. Yet, this post challenges a crucial assumption: The conventional method of plugin-based malware scanning in WordPress is flawed and conceptually impossible. Our research doesn’t aim to critique…

  • The state of WordPress security plugins in 2022

    On May 30, 2022, we disclosed two, in our opinion, pretty serious security vulnerabilities in two popular WordPress 2FA plugins through the WPScan platform. Our initial disclosure was very detailed, and WPScan promptly assigned it a provisional CVE. Fast forward three months, there were still no fixes on the horizon, and ultimately WPScan decided to…