This week: WP Rocket plugin, WordCamp Europe 2021, proprietary Gutenberg, serverless and WooCommerce blocks, and much more …
Leonardo Losoviz is an open source developer and technical writer, working at the intersection between GraphQL and WordPress. He is the creator of the GraphQL API for WordPress, one of the two available GraphQL servers for WordPress.
This week was an interesting one concerning security: the git.php.net server, which hosts the PHP source code, was compromised. The attacker(s) attempted to introduce backdoors that would execute arbitrary code when a request carried a special header.
Fortunately, the maintainers noticed the attack and thwarted it immediately. To beef up security from now on, they have made GitHub the new canonical repository (to which all changes are pushed), and started requiring accounts to enable two-factor authentication (2FA) in order to contribute to the repo.
Cyberattacks are proliferating, and we need to take security seriously. This involves not only tackling technical considerations in our architecture (WordPress, PHP, MySQL, Apache, Linux, and so on) but, equally important, the creation of a security culture within the team, making sure that everyone understands why security is important, and how to contribute to it continually.
Keeping our WordPress sites secure is not difficult. Simple measures, such as using strong passwords, keeping themes and plugins up to date, and enabling two-factor authentication, already eliminate most of the attack vectors.
Secure software requires maintainers who can devote their time and energy not only to fixing vulnerabilities but, more importantly, to preventing them in the first place. As open source increasingly powers our digital products and services, providing financial support to open source maintainers becomes critical, making it a win-win situation for everyone.
To understand the bigger picture of cybersecurity, I recommend reading the book This Is How They Tell Me the World Ends. It is terrifying. It shows how nation states create cyber weapons to infiltrate each other, and how these weapons may be stolen and used by cybercriminals. A cyber weapons market is currently thriving, with hackers freely selling their exploits to anyone willing to pay for them.