It’s difficult to find a topic in WordPress Security with more published misinformation than WordPress Salts. Nobody seems to have an idea how WordPress Core actually uses them & unfortunately, even the Core documentation is partially misleading.

Authentication Cookies / Sessions is easily one of the most misunderstood and badly documented topics in WordPress security. At the end of this, you’ll exactly know how the WordPress Authentication & Session Management system works and what its weaknesses are.

Introduction Malware scanning and removal have traditionally been focal points in the WordPress security ecosystem. Users have placed their trust in Malware Scanning plugins to keep sites secure. Yet, this post challenges a crucial assumption: The conventional method of plugin-based malware scanning in WordPress is flawed and conceptually impossible. Our research doesn’t aim to critique…

On May 30, 2022, we disclosed two, in our opinion, pretty serious security vulnerabilities in two popular WordPress 2FA plugins through the WPScan platform. Our initial disclosure was very detailed, and WPScan promptly assigned it a provisional CVE. Fast forward three months, there were still no fixes on the horizon, and ultimately WPScan decided to…