39. Security Alert


Various attacks on WordPress user accounts have led to several plugins being compromised, allowing access to thousands of sites.

Remember that you can listen to this program from Pocket Casts, Spotify, and Apple Podcasts or subscribe to the feed directly.

Program transcript

Hello, I’m Javier Casares, and you’re listening to WordPress Podcast, bringing the weekly news from the WordPress Community.

In this program, you’ll find the information from June 24 to 30, 2024.

Is WordPress secure? The answer is clear and simple: yes. However, the users or individuals behind the entire Community are often the weakest link when it comes to IT security.

Earlier this week, some users experienced an attack on their accounts using usernames and passwords previously published in data breaches. At least five plugin developer accounts were compromised due to using the same password as on other hacked sites.

It’s important to note that in April 2021, the Release Confirmation system was launched. This system sends an email each time a change is attempted in the plugin’s repository data, which must be visited and confirmed for the new version to be released.

Additionally, for over six months and following an extended testing period, the option to activate two-factor authentication has been available to users. This means that even if passwords are leaked, a temporary second factor will always be required.

As an additional security measure, an email has been sent to all developers prompting them to “reset their password” when attempting to access WordPress, as passwords have been reset for security reasons.

Regardless of whether you are a developer or not, given the current situation, the best option is to visit login.wordpress.org, click on recover password, follow the process, and change it to a new one you have not used before. If you haven’t already, visit the edit your profile section where you can activate 2FA.

And speaking of security, WordPress 6.5.5 is the headliner for minor versions ranging from WordPress 4.1 to 6.5, addressing up to three vulnerabilities.

It’s important to remember that minor version updates do not change or break the functionalities of that WordPress version, so updating is crucial for the well-being of your site.

Speaking of new versions, the first release candidate for WordPress 6.6 is now available. This version should include all the final features of this release, so it is highly recommended to start testing to validate the compatibility of your site, plugins, and themes with a version scheduled to be released on July 16. This release also freezes text strings for translation and opens the WordPress 6.7 working branch.

With the arrival of this release candidate, the WordPress 6.6 Field Guide has also been released, a document that includes all the technical changes in the version. This version includes many changes in the editor and themes, unlike the previous version which was more focused on performance.

The Core team presents a proposal to introduce block variation aliases. This initiative aims to improve flexibility and consistency in creating and managing block variations within the editor.

Variation aliases would allow the reuse of settings and styles from existing variations, thus simplifying the development and customization process for blocks for both developers and users.

The Design team has presented several proposals they are working on, such as integrating background image editing tools in the editor.

Another important element, still in conceptual mode, could be the possibility of adding new columns to the Data View, with information coming from custom fields. For example, in the user list, being able to include the phone number in the listing, a piece of data that WordPress does not have by default.

The Polyglots team has issued a reminder that the translation of pending strings for WordPress 6.6 is now available.

WordPress 6.6 includes about 300 new strings, many of them coming from the Gutenberg plugin, which should be incorporated into the language pack before the release date, in addition to those from the Twenty Twenty-Four, Twenty Twenty-Three, and Twenty Twenty-Two themes.

The Training team is about to begin testing and reviewing GatherPress, a tool designed to facilitate the organization and management of community events in WordPress. They will explore GatherPress functionalities, including the ability to manage event calendars, register attendees, and facilitate communication between organizers and participants.

Regarding the Thread Content project, phase 1 of the content maintenance process update has begun, focused on improving the structure and organization of educational content within WordPress, with the goal of making it more accessible and easier to maintain, ensuring its relevance and accuracy.

The Community team is reopening the project to reactivate inactive Meetups. As was done a couple of years ago, the goal is to identify Meetup groups that have not held events in recent months and contact the organizers and members to try to revive activity.

Additionally, after several previous attempts, and the news that Slack will delete all messages older than 1 year irretrievably, there is a proposal that all local communities with Slack join the global Community Slack Enterprise, allowing access to all the benefits available in this version, providing a centralized communication place for each community.

BuddyPress will allow the recovery of a lost functionality in the new version 14.0: being able to rename elements as you wish. Thanks to the functionality introduced in WordPress 6.5, it will now be possible to change the name of Groups, for example, to Teams. This can even lead to renaming all blocks natively, without installing any external plugins.

In conclusion, a working channel has been opened to address the need to improve collaboration between teams and manage overlapping initiatives within the community, highlighting the importance of aligning efforts to avoid duplication and maximize available resources.

Due to the growth of the community and the diversity of projects, there has been an increase in initiatives that often overlap, which can lead to fragmentation and inefficient use of resources.

One improvement is the need for clearer and more transparent communication between teams, ensuring that everyone is aware of ongoing projects and can collaborate effectively. Additionally, a more organized structure is being promoted to manage and prioritize initiatives, using tools and practices that facilitate coordination and minimize planning conflicts.

In any case, the focus should remain on WordPress’s long-term strategic goals, ensuring that all initiatives contribute significantly to the overall vision of the project, with the need for clear and effective governance to guide team coordination and ensure that each initiative aligns with the community’s values and goals.

And finally, this podcast is distributed under a Creative Commons license as a derivative version of the WordPress Podcast in Spanish; you can find all the links for more information at WordPress Podcast .org.

You can follow the content in Catalan, German, Esperanto, Spanish, and French.

Thanks for listening, and until the next episode!
