One of the reasons I’m always so happy to attend conferences and technical events (the real ones – not the flashy, sponsor-driven ones designed just to sell products or services) is that I get to meet amazing people and always come away having learned something new.

I’ve been using WordPress since 2006 and have been managing hundreds of installations from a sysadmin perspective. Over time, I’ve noticed a clear pattern: most hacks and compromises happen through plugins or outdated installations. And often, these installations (and plugins) become outdated because they’ve been patched together so messily that updating them becomes nearly impossible – especially when the PHP version changes.

In March 2025, I attended a fantastic conference: OSDay 2025. I gave a talk on why I believe it makes perfect sense to consider the BSDs in 2025, but many of the other talks were truly eye-opening.

To mark the launch of the BSD Cafe Journal, I’d like to share the link to a particularly interesting talk by Maciek Palmowski: “How we closed almost 1k plugins in a month — the biggest WordPress bug bounty hunt.”

What struck me right away was how much his analysis of WordPress security aligned with what I’ve seen over the years: WordPress, out of the box, is reasonably secure. It’s the plugins – often old, unmaintained, or poorly written – that make it vulnerable.

I highly recommend watching his talk. It’s definitely worth your time.