We have been involved in the WordPress community and helping with security for five or six years, but many people still haven’t heard our name. So, let’s help catch you up to speed on who we are, what we do, and who we’ve helped.
We have published a list of some of the companies we’ve helped in the WordPress community, because we want you, the reader, to understand our goal. Unfortunately, a lot of the companies wanted to credit the individual who reported the bug rather than our company.
What is our goal in the WordPress security space and with all code?
Our goal is to create a more secure world of code. We want websites to be more secure, we want cars to be more secure, we want drones to be more secure. Yes, we’ve done research and communicated with teams on all those topics. Our end goal is to help people be more secure.
The problem we have with making people more secure is that a lot of developers ignore help, even when you offer it to them for free. That is what happened with the WordPress plugin Redirect editor, which was pulled from the repo about 9 months ago and still has not received an update, so we offer a free version of Redirect editor you can download with a ton of security fixes.
The history of the security community is long and tedious, but in short, companies caused chaos for researchers, so the companies with a lot of money coined a term called responsible disclosure. What does responsible disclosure mean? To most companies it means: tell us about our issues, we won’t fix them, and don’t you dare tell anyone else. There are some great companies to the contrary of that, but our experience over the last six years has been extremely negative. Companies can yell at us, but our goal is, and always will be, to help users not be hacked by criminals.
Why is that our goal?
Without a safer web, we won’t ever be able to move forward and do more innovative things. We will continue to run into sites or servers covered in pictures of dead bodies, which is something we’ve dealt with. Without safer code, all of this will continue to happen.
When it comes to the open source community, the reason code isn’t more secure from the get-go is, as in other industries, a lack of knowledge on the subject, but most importantly there is no budget for security. The majority of WordPress plugin developers make products that leave your site at risk of being hacked, and for all those hacked WordPress site owners wondering how this happened, it’s because you took something for free that generally has limited security added to it.
There are some projects that are quite the exception to this rule, but they almost always have a profit model, as Genesis does, which is one reason we like it.
Why did we create a more secure shop of code?
This is simple: our goal is to take the products that were made and make them more secure to use on websites. We cannot do major overhauls on products for free very often, because our time is valuable, and we know that you also value your time and want to stay as secure as you can.
This is why we have the more secure shop, with plugins that you can indeed get for free elsewhere, but in our professional opinion the free versions are not as secure as ours, nor is it likely that they will get continued security updates from a company dedicated to security.
We helped out Cookies For Comments in version 0.5.5 sanitize their cookie key before utilizing it. We strongly appreciate the dedication Donncha shows to security of his products.
We helped W3 Total Cache fix a potential log injection and CSRF issue. The W3 Total Cache team is always working on making their product better, which is something we appreciate.
We helped make the most downloaded plugin on WordPress more secure, which is WordFence as is noted in version 5.2.5.
We helped Vladimir from ManageWP fix an XSS issue in his plugin Friendly SEO images in version 3.0.5.
We’ve reported a lot of plugins to WordPress Security.
We helped the great team at WPML with their security over multiple security audits in multiple plugins, in which we were hired to help improve their product security. It was indeed a treat to work with a GPL team who cared so much about security and we may write blog posts about their awesome products in the future. This is a team that is indeed an exception to the rule and truly cares about security. WPML is a lot like Genesis, in the sense that they both have a profit model, so their products are far more secure, unlike the majority of companies who do not have a profit model or do have a profit model and don’t want to address security.
We helped make WP book more secure.
We helped make WP-Post Ratings more secure.
We helped make the great team at MailPoet more secure and were thanked in their changelog.
We helped make Shortcodes Ultimate more secure, and these are just a few of the plugins that we’ve helped.