We have a duo of Twitter articles. First is the news about needing to sign in:
Twitter now forces you to sign in to view tweets
It’s what it says. Notably:
Apparently when Twitter locked things down, it caused some users to get stuck in a repeated login loop. The article recounts some other recent changes at Twitter.
On to WordPress! Every semester we feature at least one WordPress security issue.
200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in ‘Ultimate Member’ Plugin
It’s WordPress again. Well, it’s the first time this semester I’ve brought WordPress up. Much maligned, WordPress core is secure, just make sure to stay on the latest version. They do patch previous versions but they only guarantee patches on the latest version.
The WordPress problem gets a lot of fanfare. Everyone loves to hate WordPress, but something like 35% of websites (that report what they run on) run on WordPress. It’s all over, and if you’re building a personal site, chances are you’re using WordPress.
Like I said, WordPress itself is pretty secure, and the plugins listed in their official directory are usually not the ones that show up in security alerts. A normal WordPress scare, at least the last two I’ve covered here, have been plugins “in the wild.” That means they are not listed on the WordPress directory. That also means they don’t provide support through the official WordPress support mechanism.
In this case, however, it’s a membership management plugin with 200,000 known installations that’s at risk. This one is really bad, though it doesn’t seem to affect many people:
“… has allowed attackers to register user accounts with the administrator role, and at least two site owners have observed and reported the suspicious activity.”
While I generally defend WordPress against its bad security reputation, and this time I will point out that the issue is not with WordPress core, people using this plugin simply have to disable it while the developers work on a fix. There have been a couple of patches, but the problem is not yet fixed.
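Since the reported symptom is unexpected administrator accounts, the thing a site owner can actually check is the user table. Here is an added example (mine, not from the article or the plugin's authors) that flags administrator-role users who are either not on a known-admin list or were registered recently; the rows are constructed sample data shaped like wp_users joined with the wp_capabilities row of wp_usermeta, which stores roles as a PHP-serialized array.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows. In a real check the rows come from wp_users joined
# with wp_usermeta where meta_key = 'wp_capabilities' (default "wp_" prefix).
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-03-02 10:15:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"ID": 57, "user_login": "jdoe", "user_registered": "2023-06-20 08:00:00",
     "wp_capabilities": 'a:1:{s:10:"subscriber";b:1;}'},
    {"ID": 58, "user_login": "support_admin1", "user_registered": "2023-06-28 03:41:12",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

# Matches each role => true entry inside the PHP-serialized capabilities array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized):
    """Return the set of role names granted in a wp_capabilities meta value."""
    return set(ROLE_RE.findall(serialized))


def suspicious_admins(users, known_admins, now, window_days=30):
    """Flag administrator accounts that are unknown or registered inside the window.

    known_admins: logins the site owner recognises as legitimate administrators.
    now: reference time (a fixed value here so the sample data is reproducible).
    """
    cutoff = now - timedelta(days=window_days)
    flagged = []
    for user in users:
        if "administrator" not in roles_from_capabilities(user["wp_capabilities"]):
            continue
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if user["user_login"] not in known_admins or registered >= cutoff:
            flagged.append(user["user_login"])
    return flagged


if __name__ == "__main__":
    hits = suspicious_admins(SAMPLE_USERS, {"siteowner"}, datetime(2023, 7, 1))
    print("Administrator accounts to review:", hits)
```

Anything this flags should be reviewed and, if unrecognised, removed, with passwords rotated for the remaining admins.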
Meanwhile, if you do use WordPress, the lesson here is to only use plugins that are from reputable sources on the WordPress directory.