This week in WordPress

Excess XSS

It's been a hectic week for the team at Wordfence. "We're scrambling a bit this evening to mitigate a highly active attack on #wordpress. Details on the Wordfence blog tomorrow morning. Interesting situation," Mark Maunder, CEO of Defiant, the company behind Wordfence, tweeted yesterday.

Friday morning: Nearly a Million WP Sites Targeted in Large-Scale Attacks. Or as ZDNet put it: A hacker group tried to hijack 900,000 WordPress sites over the last week.

According to QA engineer Ram Gall, Wordfence started tracking a sudden increase in attacks targeting Cross-Site Scripting(XSS) vulnerabilities against several plugins, including Easy2Map, BlogDesign, and WP GDPR Compliance, on 28 April. The attacks peaked on 3 May when the hacker group launched over 20 million exploitation attempts against half a million domains — about 30x the normal volume Wordfence typically sees in its attack data.

In other security news — again from Wordfence — Combined Attack on Elementor Pro and Ultimate Addons for Elementor Puts 1 Million Sites at Risk. Threat analyst Chloe Chamberland says Elementor Pro (not the free plugin available from WordPress.org) was the subject of a zero day vulnerability. The Elementor team has been quick to release a patch, Wordfence today tweeting: "An update: @elemntor has released Pro version 2.9.4, and our threat intelligence team has verified it fixes the authenticated file upload vulnerability. Please ensure you update your Elementor Pro plugins to 2.9.4. Kudos to Elementor for the fast fix."

Time to change your passwords

"Oh dear - GoDaddy users might want to read this," tweets computer scientist and cyber security researcher Alan Woodward. He links to Forbes' article GoDaddy Confirms Data Breach: What Customers Need To Know. The web host has admitted a hacker tampered with an SSH file on its servers, leading to the theft of 28,000 users' SSH credentials.

"Now might be a good time to change your passwords, folks," writes journalist Gareth Corfield in GoDaddy hack: Miscreant goes AWOL with 28,000 users' SSH login creds after vandalizing server-side file for The Register. He says GoDaddy immediately reset the affected usernames and passwords, which were used only by customers for accessing remotely hosted servers, rather than their main customer accounts. GoDaddy has committed to providing a complimentary years' worth of security and malware removal services for customers affected by the breach.

Between a block and a hard place

Don't like reading about the block editor at WP Tavern? You're out of luck, according to Justin Tadlock, who "felt the need to address a recent request that we stop covering the block editor" and wrote The Future of WordPress: The Block Editor Is Here to Stay.

"It is inevitable that when we publish a story on the Tavern that is remotely related to the block editor or the Gutenberg project, we receive negative comments," he writes. "Despite sprinting along in its second year as part of core WordPress, there are still those who liken posts on the editor to Soviet-style mind manipulation and propaganda for certain unnamed companies."

Surprise — many of the 65 comments below the article (at the time of writing this) are negative. But there's also a lot of love for the block editor. "When Gutenberg came out, it seemed very strange to me… Now I and my editors love to write with the block editor… Last week we switched to the classic to try and we found it strange we saw the classic editor with nostalgia but at the same time as something outdated," comments developer Lenin Zapata.

But some readers, like developer Denis Žoljom, say they're not happy with the block editor because "… the decision making is in Automattic hands completely. All we outsiders can do is make suggestions, and do a QA for the editor in the hope it will be improved."

WordPress 💪🏼❤️

"My music career begins ... https://wpstrong.org," tweets LifterLMS CEO Chris Badgett, who lends his voice to WordPress Strong, a fun musical project led by Zack Katz of Gravity View.

Nineteen WordPress folks sing and play along to the song, which was composed by "Song-a-day man" Jonathan Mann, with Tracy Apps, the owner of tracy apps design, on drums.

In Need to Smile Today? Stay WordPress Strong, Katz tells Justin Tadlock at WP Tavern that in the midst of the uncertainty of the pandemic, he feels lucky to be part of the WordPress community, "doing what we do, working on an open and thriving platform, with a culture of people who are kind to each other and support each other."

"This is now an ear worm. 🤪 Such a catchy tune! Nice work #WordPress people. ✊" tweets GoDaddy global field marketing senior manager Adam Warner. "The #WordPressStrong video is cool, but it's no WordPress Rap by @jason_coleman," tweets Penske Media director of editorial technology Aaron Jorbin, linking to WordPress Rap.

Meanwhile, if you need another reason to smile… GoWP tweets: "See you tomorrow at our favorite event of the week! 🤗 The #GoWPVirtualHappinessHour exists to connect with agency owners, friends and experts - like you! Join the group and see you tomorrow at 3 PM!"

In other news...

– Props to all the contributors named in WordPress executive director Josepha Haden's Quarterly Updates summary of projects underway at WordPress.org during the first quarter of 2020.
– WPMU DEV has upped the ante with its hosting, adding email hosting to its "all-in-one" WordPress platform. Nathanael Fakes and James Farmer share the lowdown in You've Got Mail: WPMU DEV Hosting, now with Free Email! Also: WPMU DEV has released a cool collection of superhero colouring pages, which are usually shared at the company's WordCamp booths.
– The call for speakers for WordCamp US has been extended to 31 May. Thinking about applying? "Be a part of this year's amazing event... get some training, answers & tips THEN apply to speak at WordCamp US!" tweets WordCamp US, highlighting an interactive office hours session happening on Slack on 9 May.
– The BuddyPress 6.0 release candidate is out. The full release is set for release on 14 May.
– WP Engine Launches Genesis Pro Add-On for Customers, More Features in the Works, writes Justin Tadlock for WP Tavern. "‘Beyond just being "compatible," Genesis will play a big role in being Gutenberg-First'… Thank you @asmartbear! Great move by @wpengine," tweets WordPress co-founder Matt Mullenweg.
– The third annual JavaScript for WordPress Conference is on from 8-10 July. Organizer Zac Gordon is working to put together a diverse speaker lineup for the free event. Interested? Justin Tadlock has more in Apply to Speak at the JavaScript for WordPress Conference.

Not subscribed? Join the most conversational weekly email
in the WordPress community!

SUBSCRIBE →

SHARE THIS ISSUE IN A TWEET →

Unsubscribe | Manage subscription

A weekly newsletter for the WordPress community by Words by Birds and MailPoet.
Thanks also to the friendly folks at Kinsta, our awesome web hosting sponsor.