WordPress 6.5 Enhances SEO With ‘Lastmod’ Support via @sejournal, @MattGSouthern

WordPress has rolled out an update with version 6.5, introducing native support for the lastmod element in sitemaps.

This move streamlines search engine crawl efficiency, potentially enhancing website visibility.

The announcement comes from Gary Illyes, a member of Google’s Search Relations team, who took to LinkedIn to commend the WordPress developer community for their efforts.

The Lastmod Element: A Key Signal for Crawlers

The lastmod metadata tag indicates the last significant modification date of a webpage, enabling search engine crawlers to prioritize and schedule crawls.

In Illyes’ words:

“The lastmod element in sitemaps is a signal that can help crawlers figure out how often to crawl your pages.”

By natively populating the lastmod field, WordPress 6.5 lets websites improve SEO efforts without additional manual configuration.

Illyes emphasizes that a “significant” change refers to updates that might matter to users and, consequently, to the website’s performance.

WordPress Community Collaboration

Lastmod support in WordPress 6.5 is possible due to the collaborative efforts of the developer community, spearheaded by Pascal Birchler.

Illyes acknowledged and praised their contributions, stating,

“If you’re on WordPress, since version 6.5, you have this field natively populated for you thanks to Pascal Birchler and the WordPress developer community.”

While applauding the new feature, Illyes urges website owners to upgrade their WordPress installations to take advantage of the lastmod support.

He adds:

“If you’re holding back on upgrading your WordPress installation, please bite the bullet and just do it (maybe once there are no plugin conflicts).”

As WordPress evolves, this update displays the platform’s commitment to complying with SEO best practices and providing users with needed tools.


What is the significance of the lastmod element in sitemaps?

The lastmod metadata tag signifies the most recent modification date of a webpage. This information allows search engine crawlers to prioritize and schedule page crawls efficiently.

By indicating the latest updates, the lastmod tag helps search engines focus on the most current content, potentially improving a site’s visibility in search results.

How does WordPress 6.5 support the lastmod element?

With the release of WordPress 6.5, native support for the lastmod element in sitemaps is now available. This means that WordPress automatically includes this metadata in sitemaps without requiring additional manual configuration by the user.

This enhancement helps website owners improve their SEO efforts seamlessly by ensuring search engines receive accurate and updated information about their webpages.

Why should website owners upgrade to WordPress 6.5?

Website owners are encouraged to upgrade to WordPress 6.5 to use native lastmod support.

Upgrading ensures compatibility with the latest SEO practices and tools, providing users with a more effective and user-friendly platform. However, it is recommended to ensure no plugin conflicts before upgrading.


Top 15 Ways To Secure A WordPress Site via @sejournal, @inmotionhosting

Thankfully, there are plenty of steps you can take to protect your WordPress website.

Easy WordPress Security Basics

When setting up your WordPress site security, there are some basic things you can do to beef up your protection.

Below, we will take a look at some of the first things you should do to help protect your website.

1. Implement SSL Certificates

Secure Sockets Layer (SSL) certificates are a standard technology that establishes an encrypted connection between a web server (host) and a web browser (client). This connection ensures all data passed between the two remains private and integral.

SSL certificates are an industry standard used by millions of websites to protect their online transactions with their customers, and obtaining one should be one of the first steps you take to secure your website.

2. Require & Use Strong Passwords

Along with obtaining an SSL certificate, one of the very first things you can do to protect your site is use strong passwords for all your logins.

It might be tempting to create or reuse a familiar or easy-to-remember password, but doing so puts both you and your website at risk. Improving your password strength and security decreases your chances of being hacked. The stronger your password, the less likely you are to be a victim of a cyberattack.

When creating a password, there are some general password best practices you should follow.

If you aren’t sure whether you are using a strong enough password, you can check its strength with a free tool like this helpful Password Strength Checker.

3. Install A Security Plugin

WordPress plugins are a great way to quickly add useful features to your website, and there are several great security plugins available.

Installing a security plugin can add some extra layers of protection to your website without requiring much effort.

To get you started, check out this list of recommended WordPress security plugins.

4. Keep WordPress Core Files Updated

As of 2024, there are an estimated 1.09 billion total websites on the web with more than 810 million of those sites using WordPress.

Because of its popularity, WordPress websites are oftentimes a target for hackers, malware attacks, and data thieves.

Keeping your WordPress installation up to date at all times is critical to maintain the security and stability of your site.

Every time a WordPress security vulnerability is reported, the core team starts working to release an update that fixes the issue.

If you aren’t updating your WordPress website, then you are likely using a version of WordPress that has known vulnerabilities.

There is especially no excuse for using an outdated version of WordPress since the introduction of automatic updates.

Don’t leave yourself open to attack by using an old version of WordPress. Turn on auto updates and forget about it.

If you would like an even easier way to handle updates, consider a Managed WordPress solution that has auto updates built in.

5. Pay Attention To Themes & Plugins

Keeping WordPress updated ensures your core files are in check, but there are other areas where WordPress is vulnerable that core updates might not protect, such as your themes and plugins.

For starters, only ever install plugins and themes from trusted developers. If a plugin or theme wasn’t developed by a credible source, you are probably safer not using it.

On top of that, make sure to update WordPress plugins and themes. Just like an outdated version of WordPress, using outdated plugins and themes makes your website more vulnerable to attack.

6. Run Frequent Website Backups

One way to protect your WordPress website is to always have a current backup of your site and important files.

The last thing you want is for something to happen to your site and you do not have a backup.

Back up your site, and do so often. That way, if something does happen to your website, you can restore a previous version of it and quickly get back up and running.

Intermediate WordPress Security Measures That Add More Protection

If you’ve completed all the basics but you still want to do more to protect your website, there are some more advanced steps you can take to bolster your security.

Let’s take a look at what you should do next.

7. Never Use The “Admin” Username

Never use the “admin” username. Doing so makes you susceptible to brute force attacks and social engineering scams.

Because “admin” is such a common username, it is easily guessed and makes it much easier for scammers to trick people into giving away their login credentials.

Much like having a strong password, using a unique username for your logins is a good idea because it makes it much harder for hackers to crack your login info.

If you are currently using the “admin” username, change your WordPress admin username.

8. Hide Your WP Admin Login Page

On top of using a unique username, another thing you can do to protect your login credentials is hide your WordPress admin login page with a plugin like WPS Hide Login.

By default, a majority of WordPress login pages can be accessed by adding “/wp-admin” or “/wp-login.php” to the end of a URL. Once a hacker or scammer has identified your login page, they can then attempt to guess your username and password in order to access your Admin Dashboard.

Hiding your WordPress login page is a good way to make you a less easy target.

9. Disable XML-RPC

WordPress uses an implementation of the XML-RPC protocol to extend functionality to software clients.

Most users don’t need WordPress XML-RPC functionality, and it’s one of the most common vulnerabilities that opens users up for exploits.

That’s why it’s a good idea to disable it. Thanks to the Wordfence Security plugin, it is really easy to do just that.

10. Harden wp-config.php File

The process of adding extra security features to your WordPress site is sometimes known as “hardening” because you are essentially giving your site some extra armor against hackers.

You can “harden” your website by protecting your wp-config.php file via your .htaccess file. Your WordPress wp-config.php file contains very sensitive information about your WordPress installation including your WordPress security keys and the WordPress database connection details, which is exactly why you don’t want it to be easy to access.
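A check for the rule this step describes, as an added example that is not part of the original article: the Python below reads the text of an .htaccess file and reports whether a Files or FilesMatch block denies all access to wp-config.php, accepting both the Apache 2.4 form (Require all denied) and the older 2.2 form (Deny from all). The sample file contents and the function names are constructed for illustration.

```python
import fnmatch
import re

# Constructed sample .htaccess contents, for illustration only.
WEAK = """\
# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
"""

# Apache 2.4 syntax.
HARDENED_24 = WEAK + """
<Files "wp-config.php">
    Require all denied
</Files>
"""

# Apache 2.2 syntax, still common in older tutorials.
LEGACY_22 = WEAK + """
<files wp-config.php>
order allow,deny
deny from all
</files>
"""

# Edge case: the block exists but the deny line is commented out.
COMMENTED_OUT = WEAK + """
<Files wp-config.php>
    # Require all denied
</Files>
"""

OPEN_RE = re.compile(r"<(files|filesmatch)\s+(.+?)\s*>$", re.IGNORECASE)
CLOSE_RE = re.compile(r"</(files|filesmatch)\s*>$", re.IGNORECASE)
DENY_RE = re.compile(r"(require\s+all\s+denied|deny\s+from\s+all)$", re.IGNORECASE)


def file_sections(htaccess):
    """Yield (directive, argument, body_lines) for each <Files>/<FilesMatch> block."""
    current = None
    for raw in htaccess.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache ignores blank lines and comment lines
        opened = OPEN_RE.match(line)
        if opened:
            current = (opened.group(1).lower(), opened.group(2), [])
        elif CLOSE_RE.match(line):
            if current:
                yield current
            current = None
        elif current:
            current[2].append(line)


def covers(directive, argument, filename):
    """True if the section's file pattern applies to `filename`."""
    is_regex = directive == "filesmatch"
    if argument.startswith("~"):  # <Files ~ "regex"> is the regex form of <Files>
        is_regex, argument = True, argument[1:].strip()
    pattern = argument.strip("\"'")
    if is_regex:
        try:
            # Python's re stands in for Apache's PCRE; fine for simple patterns.
            return re.search(pattern, filename) is not None
        except re.error:
            return False
    return fnmatch.fnmatchcase(filename, pattern)


def is_protected(htaccess, filename="wp-config.php"):
    """True if some section covering `filename` contains a deny-all directive."""
    for directive, argument, body in file_sections(htaccess):
        if covers(directive, argument, filename) and any(DENY_RE.match(l) for l in body):
            return True
    return False


if __name__ == "__main__":
    for name in ("WEAK", "HARDENED_24", "LEGACY_22", "COMMENTED_OUT"):
        print(f"{name:14} protected={is_protected(globals()[name])}")
```

The check only inspects the file's text; the rule takes effect only on Apache hosts configured to honor .htaccess overrides, so confirm the result by requesting the file and expecting a 403 response.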

11. Run A Security Scanning Tool

Sometimes your WordPress website might have a vulnerability that you had no idea existed. That’s why it’s wise to use some tools that can find vulnerabilities and even fix them for you.

The WPScan plugin scans for known vulnerabilities in WordPress core files, plugins and themes. The plugin also notifies you by email when new security vulnerabilities are found.

Strengthen Your Server-Side Security

So you have taken all the above measures to protect your website but you still want to know if there is more you can do to make it as secure as possible.

The remaining actions you can take to beef up your security will need to be done on the server side of your website.

12. Look For A Hosting Company That Does This

One of the best things you can do to protect your site from the very get-go is to choose the right hosting company to host your WordPress website.

When looking for a hosting company, you want to find one that is fast, reliable, and secure, and will support you with great customer service.

That means they should have good, powerful resources, maintain an uptime of at least 99.5%, and use server-level security tactics.

If a host can’t check those basic boxes, they are not worth your time or money.

13. Use The Latest PHP Version

Like old versions of WordPress, outdated versions of PHP are no longer safe to use.

If you aren’t on the latest version of PHP, upgrade your PHP version to protect yourself from attack.

14. Host On A Fully-Isolated Server

Fully-isolated virtual private servers have a lot of advantages and one of those advantages is increased security.

The physical isolation offered from a cloud-based VPS is inherently secure, protecting your website against cross-infection from other customers. Combined with robust firewalls and DDoS protection, your data remains secure against potential threats and vulnerabilities.

Looking for the perfect cloud environment for your WordPress website? Look no further.

With InMotion Hosting’s Platform i, you receive unparalleled security features including managed server updates, real-time security patching, web application firewalls, and DDoS prevention, along with purpose-built high-availability servers optimized for fast and reliable WordPress sites.

15. Use A Web Application Firewall

One of the final things you can do to add extra security measures to your WordPress website is use a web application firewall (WAF).

A WAF is usually a cloud-based security system that offers another layer of protection around your site. Think of it as a gateway for your site. It blocks all hacking attempts and filters out other malicious types of traffic like distributed denial-of-service (DDoS) attacks or spammers.

WAFs usually require monthly subscription fees, but adding one is worth the cost if you place a premium on your WordPress website security.

Make Sure Your Website & Business Is Safe & Secure

If your website is not secure, you could be leaving yourself open to a cyber attack.

Thankfully, securing a WordPress site doesn’t require too much technical knowledge as long as you have the right tools and hosting plan to fit your needs.

Instead of waiting to respond to threats once they happen, you should proactively secure your website to prevent security issues.

That way if someone does target your website, you are prepared to mitigate the risk and go about your business as usual instead of scrambling to locate a recent backup.

Get Managed WordPress Hosting featuring robust security measures on high-performance servers, complete with free SSL, dedicated IP address, automatic server updates, DDoS protection, and included WAF.

Learn more about how Managed WordPress Hosting can help protect your website and valuable data from exposure to hackers and scammers.

What To Know About Medium-Level WordPress Vulnerabilities via @sejournal, @martinibuster

The majority of WordPress vulnerabilities, about 67% of them discovered in 2023, are rated as medium level. Because they’re the most common, it makes sense to understand what they are and when they represent an actual security threat. These are the facts you should know about those kinds of vulnerabilities.

What Is A Medium Level Vulnerability?

A spokesperson from WPScan, a WordPress Security Scanning company owned by Automattic, explained that they use the Common Vulnerability Scoring System (CVSS Scores) to rate the severity of a threat. The scores are based on a numbering system from 1 – 10 and ratings from low, medium, high, and critical.

The WPScan spokesperson explained:

“We don’t flag levels as the chance of happening, but the severity of the vulnerability based on FIRST’s CVSS framework. Speaking broadly, a medium-level severity score means either the vulnerability is hard to exploit (e.g., SQL Injection that requires a highly privileged account) or the attacker doesn’t gain much from a successful attack (e.g., an unauthenticated user can get the content of private blog posts).

We generally don’t see them being used as much in large-scale attacks because they are less useful than higher severity vulnerabilities and harder to automate. However, they could be useful in more targeted attacks, for example, when a privileged user account has already been compromised, or an attacker knows that some private content contains sensitive information that is useful to them.

We would always recommend upgrading vulnerable extensions as soon as possible. Still, if the severity is medium, then there is less urgency to do so, as the site is less likely to be the victim of a large-scale automated attack.

An untrained user may find the report a bit hard to digest. We did our best to make it as suitable as possible for all audiences, but I understand it’d be impossible to cover everyone without making it too boring or long. And the same can happen to the reported vulnerability. The user consuming the feed would need some basic knowledge of their website setup to consider which vulnerability needs immediate attention and which one can be handled by the WAF, for example.

If the user knows, for example, that their site doesn’t allow users to subscribe to it. All reports of subscriber+ vulnerabilities, independent of the severity level, can be reconsidered. Assuming that the user maintains a constant review of the site’s user base.

The same goes for contributor+ reports or even administrator levels. If the person maintains a small network of WordPress sites, the admin+ vulnerabilities are interesting for them since a compromised administrator of one of the sites can be used to attack the super admin.”

Contributor-Level Vulnerabilities

Many medium severity vulnerabilities require contributor-level access. A contributor is an access role that gives a registered user the ability to write and submit content, although in general they don’t have the ability to publish it.

Most websites don’t have to worry about security threats that require contributor level authentication because most sites don’t offer that level of access.

Chloe Chamberland, Threat Intelligence Lead at Wordfence, explained that most site owners shouldn’t worry about medium level severity vulnerabilities that require contributor-level access in order to exploit them because most WordPress sites don’t offer that permission level. She also noted that these kinds of vulnerabilities are hard to scale because exploiting them is difficult to automate.

Chloe explained:

“For most site owners, vulnerabilities that require contributor-level access and above to exploit are something they do not need to worry about. This is because most sites do not allow contributor-level registration and most sites do not have contributors on their site.

In addition, most WordPress attacks are automated and are looking for easy to exploit high value returns so vulnerabilities like this are unlikely to be targeted by most WordPress threat actors.”

Website Publishers That Should Worry

Chloe also said that publishers who do offer contributor-level permissions may have several reasons to be concerned about these kinds of exploits:

“The concern with exploits that require contributor-level access to exploit arises when site owners allow contributor-level registration, have contributors with weak passwords, or the site has another plugin/theme installed with a vulnerability that allows contributor-level access in some way and the attacker really wants in on your website.

If an attacker can get their hands on one of these accounts, and a contributor-level vulnerability exists, then they may be provided with the opportunity to escalate their privileges and do real damage to the victim. Let’s take a contributor-level Cross-Site Scripting vulnerability for example.

Due to the nature of contributor-level access, an administrator would be highly likely to preview the post for review at which point any injected JavaScript would execute – this means the attacker would have a relatively high chance of success due to the admin previewing the post for publication.

As with any Cross-Site Scripting vulnerability, this can be leveraged to add a new administrative user account, inject backdoors, and essentially do anything a site administrator could do. If a serious attacker has access to a contributor-level account and no other trivial way to elevate their privileges, then they’d likely leverage that contributor-level Cross-Site Scripting to gain further access. As previously mentioned, you likely won’t see that level of sophistication targeting the vast majority of WordPress sites, so it’s really high value sites that need to be concerned with these issues.

In conclusion, while I don’t think a vast majority of site owners need to worry about contributor-level vulnerabilities, it’s still important to take them seriously if you allow user registration at that level on your site, you don’t enforce unique strong user passwords, and/or you have a high value WordPress website.”
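The triage both spokespeople describe can be written down as a small filter over a vulnerability feed. The Python below is an added example, not WPScan's or Wordfence's code; the site profiles, report references and bucket names are constructed for illustration, and the role list is the standard WordPress one.

```python
from dataclasses import dataclass, field

# Standard WordPress roles, lowest privilege first.
ROLES = ["unauthenticated", "subscriber", "contributor", "author", "editor", "administrator"]
RANK = {role: i for i, role in enumerate(ROLES)}
SEVERITY = {"critical": 0, "high": 1, "medium": 2, "low": 3}
BUCKETS = ["urgent", "review", "deprioritize"]  # every bucket still gets patched


@dataclass
class Site:
    open_registration: bool
    default_role: str = "subscriber"  # role handed to self-registered users
    roles_in_use: set = field(default_factory=lambda: {"administrator"})
    multisite: bool = False


@dataclass
class Report:
    ref: str            # constructed placeholder, not a real advisory id
    severity: str       # CVSS rating: low / medium / high / critical
    required_role: str  # lowest role that can trigger the bug ("contributor" = contributor+)


def bucket(site, report):
    need = RANK[report.required_role]
    # Highest level any outsider reaches without stealing an existing account.
    self_service = RANK[site.default_role] if site.open_registration else 0
    if need <= self_service:
        return "urgent"
    if report.required_role == "administrator":
        # admin+ bugs matter on a network: one site's admin can reach the super admin.
        return "review" if site.multisite else "deprioritize"
    # Non-admin accounts at or above the required level (weak passwords, phishing).
    holders = {r for r in site.roles_in_use if need <= RANK[r] < RANK["administrator"]}
    return "review" if holders else "deprioritize"


def triage(site, reports):
    """Return (ref, bucket) pairs ordered by bucket, then by CVSS rating."""
    ranked = sorted(reports, key=lambda r: (BUCKETS.index(bucket(site, r)), SEVERITY[r.severity]))
    return [(r.ref, bucket(site, r)) for r in ranked]


# Constructed feed covering the cases discussed in the quotes above.
FEED = [
    Report("EXAMPLE-001", "medium", "unauthenticated"),  # private post disclosure
    Report("EXAMPLE-002", "high", "subscriber"),
    Report("EXAMPLE-003", "medium", "contributor"),      # stored XSS seen on admin preview
    Report("EXAMPLE-004", "medium", "administrator"),    # SQL injection needing admin
    Report("EXAMPLE-005", "critical", "unauthenticated"),
]

# A brochure site: no registration, a single administrator.
BROCHURE = Site(open_registration=False)
# A multi-author network: open subscriber sign-up, contributors on staff.
MAGAZINE = Site(open_registration=True, multisite=True,
                roles_in_use={"subscriber", "contributor", "administrator"})

if __name__ == "__main__":
    for name, site in (("brochure", BROCHURE), ("magazine", MAGAZINE)):
        print(name, triage(site, FEED))
```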

Be Aware Of Vulnerabilities

While many of the medium level vulnerabilities may not be something to worry about, it’s still a good idea to stay informed of them. Security scanners like the free version of WPScan can give a warning when a plugin or theme becomes vulnerable. It’s a good way to have a warning system in place to keep on top of vulnerabilities.

WordPress security plugins like Wordfence offer a proactive security stance that actively blocks automated hacking attacks and can be further tuned by advanced users to block specific bots and user agents. The free version of Wordfence offers significant protection in the form of a firewall and a malware scanner. The paid version offers protection for all vulnerabilities as soon as they’re discovered and before the vulnerability is patched. I use Wordfence on all of my websites and can’t imagine setting up a website without it.

Security is generally not regarded as an SEO issue, but it should be considered as one because failure to secure a site can undo all the hard work done to make a site rank well.


WordPress on Your Desktop: Studio By WordPress & Other Free Tools via @sejournal, @martinibuster

WordPress announced the rollout of Studio by WordPress, a new local development tool that makes it easy for publishers to develop and update websites locally on their desktop or laptop and is also useful for learning how to use WordPress. Learn about Studio and other platforms that make it easy to develop websites with WordPress right on your desktop.

Local Development Environments

Local Environments are like web hosting spaces on the desktop that can be used to set up a WordPress site. They’re a fantastic way to try out new WordPress themes and plugins to learn how they work without messing up a live website or publishing something to the web that might get accidentally indexed by Google. They are also useful for testing if an updated plugin causes a conflict with other plugins on a website, which is useful for testing updated plugins offline before committing to updating the plugins on a live website.

Studio joins a list of popular local development environments that are specific to WordPress, as well as more advanced platforms that can be used for WordPress on the desktop and offer greater flexibility and options but may be harder for non-developers to use.

Desktop WordPress Development Environments

There are currently a few local environments that are specific to WordPress. The advantage of using a dedicated WordPress environment is that it makes it easy to start creating with WordPress for those who only need to work with WordPress sites and nothing more complicated than that.

Studio By WordPress.com

Studio is an open source project that allows developers and publishers to set up a WordPress site on their desktop in order to design, test or learn how to use WordPress.

According to the WordPress announcement:

“Say goodbye to manual tool configuration, slow site setup, and clunky local development workflows, and say hello to Studio by WordPress.com, our new, free, open source local WordPress development environment.

Once you have a local site running, you can access WP Admin, the Site Editor, global styles, and patterns, all with just one click—and without needing to remember and enter a username or password.”

The goal of Studio is to be a simple and fast way to create WordPress sites on the desktop. It’s currently available for use on a Mac and a Windows version is coming soon.

Download the Mac version here.

Other Popular WordPress Local Development Environments


DevKinsta, developed by Kinsta managed web host, is another development environment that’s specifically dedicated for quickly designing and testing WordPress sites on the desktop. It’s a popular choice that many developers endorse.

That makes it a great tool for publishers, SEOs and developers who just want a tool to do one thing, create WordPress sites. This makes DevKinsta a solid consideration for anyone who is serious about developing WordPress sites or just wants to learn how to use WordPress, especially the latest Gutenberg Blocks environment.

Download DevKinsta for free here.

Local WP

Local WP is a popular desktop development environment specifically made for WordPress users by WP Engine, a managed WordPress hosting provider.

Useful Features of Local WP

Local WP has multiple features that make it useful beyond simply developing and testing WordPress websites.

  • Image Optimizer
    It features a free image optimizer add-on that optimizes images on your desktop which should be popular for those who are unable to optimize images on their own.
  • Upload Backups
    Another handy feature is the ability to upload backups to Dropbox and Google Drive.
  • Link Checker
    The tool has a built-in link checker that scans your local version of the website to identify broken links. This is a great way to check a site offline without using server resources and potentially slowing down your live site.
  • Import & Export Sites
    This has the super-handy ability to import WordPress website files and export them so that you can work on your current WordPress site on your desktop, test out new plugins or themes and if you’re ready you can upload the files to your website.

Advanced Local Development Environments

There are other local development environments that are not specific for WordPress but are nonetheless useful for designing and testing WordPress sites on the desktop. These tools are more advanced and are popular with developers who appreciate the freedom and options available in these platforms.

DDEV with Docker

An open source app that makes it easy to use the Docker software containerization to quickly install a content management system and start working, without having to deal with the Docker learning curve.

Download DDEV With Docker here.


Laragon is a free local development environment that was recommended to me by someone who is an advanced coder because they said that it’s easy to use and fairly intuitive. They were right. I’ve used it and have had good experiences with it. It’s not a WordPress-specific tool so that must be kept in mind.

Laragon describes itself as an easy to use alternative to XAMPP and WAMP.

Download DDEV here.


MAMP is a local development platform that’s popular with advanced coders and is available for Mac and Windows.

David McCan, a WordPress trainer who writes about advanced WordPress topics on WebTNG, shared his experience with MAMP.

“MAMP is pretty easy to set up and it provides a full range of features. I currently have 51 local sites which are development versions of my production sites, that I use for testing plugins, and periodically use for new beta versions of WordPress core. It is easy to clone sites also. I haven’t noticed any system slowdown or lag.”


WAMP is a Windows only development environment that’s popular with developers and WordPress theme and plugin publishers.

XAMPP is a PHP development platform that can be used on Linux, Mac, and Windows desktops.

Download Wamp here.

Download XAMPP here.

So Many Local Development Platforms

Studio by WordPress.com is an exciting new local development platform and I’m looking forward to trying it out. But it’s not the only one so it may be useful to try out different solutions to see which one works best for you.

Read more about Studio by WordPress:

Meet Studio by WordPress.com—a fast, free way to develop locally with WordPress


2024 WordPress Vulnerability Report Shows Errors Sites Keep Making via @sejournal, @martinibuster

WordPress security scanner WPScan’s 2024 WordPress vulnerability report calls attention to WordPress vulnerability trends and suggests the kinds of things website publishers (and SEOs) should be looking out for.

Some of the key findings from the report were that just over 20% of vulnerabilities were rated as high or critical level threats, with medium severity threats, at 67% of reported vulnerabilities, making up the majority. Many regard medium level vulnerabilities as if they are low-level threats but they’re not and should be regarded as deserving attention.

The WPScan report advised:

“While severity doesn’t translate directly to the risk of exploitation, it’s an important guideline for website owners to make an educated decision about when to disable or update the extension.”

WordPress Vulnerability Severity Distribution

Critical level vulnerabilities, the highest level of threat, represented only 2.38% of vulnerabilities, which is essentially good news for WordPress publishers. Yet as mentioned earlier, when combined with the percentage of high level threats (17.68%), the number of concerning vulnerabilities rises to almost 20%.

Here are the percentages by severity ratings:

  • Critical 2.38%
  • Low 12.83%
  • High 17.68%
  • Medium 67.12%

Authenticated Versus Unauthenticated

Authenticated vulnerabilities are those that require an attacker to first attain user credentials and their accompanying permission levels in order to exploit a particular vulnerability. Exploits that require subscriber-level authentication are the most exploitable of the authenticated exploits and those that require administrator level access present the least risk (although not always a low risk for a variety of reasons).

Unauthenticated attacks are generally the easiest to exploit because anyone can launch an attack without having to first acquire a user credential.

The WPScan vulnerability report found that about 22% of reported vulnerabilities required subscriber level or no authentication at all, representing the most exploitable vulnerabilities. On the other end of the scale of the exploitability are vulnerabilities requiring admin permission levels representing a total of 30.71% of reported vulnerabilities.

Permission Levels Required For Exploits

Vulnerabilities requiring administrator level credentials represented the highest percentage of exploits, followed by Cross Site Request Forgery (CSRF) with 24.74% of vulnerabilities. This is interesting because CSRF is an attack that uses social engineering to get a victim to click a link from which the user’s permission levels are acquired. If they can trick an admin level user to follow a link then they will be able to assume that level of privileges to the WordPress website.

The following are the percentages of exploits ordered by the roles necessary to launch an attack.

Ascending Order Of User Roles For Vulnerabilities

  • Author 2.19%
  • Subscriber 10.4%
  • Unauthenticated 12.35%
  • Contributor 19.62%
  • CSRF 24.74%
  • Admin 30.71%

Most Common Vulnerability Types Requiring Minimal Authentication

Broken Access Control in the context of WordPress refers to a security failure that can allow an attacker without necessary permission credentials to gain access to higher credential permissions.

In the section of the report that looks at the occurrences and vulnerabilities underlying unauthenticated or subscriber level vulnerabilities reported (Occurrence vs Vulnerability on Unauthenticated or Subscriber+ reports), WPScan breaks down the percentages for each vulnerability type that is most common for exploits that are the easiest to launch (because they require minimal to no user credential authentication).

The WPScan threat report noted that Broken Access Control represents a whopping 84.99% followed by SQL injection (20.64%).

The Open Worldwide Application Security Project (OWASP) defines Broken Access Control as:

“Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication, and govern what ‘authorized’ users are allowed to do.

Access control sounds like a simple problem but is insidiously difficult to implement correctly. A web application’s access control model is closely tied to the content and functions that the site provides. In addition, the users may fall into a number of groups or roles with different abilities or privileges.”

SQL injection, at 20.64%, represents the second most prevalent type of vulnerability, which WPScan referred to as both “high severity and risk” in the context of vulnerabilities requiring minimal authentication levels because attackers can access and/or tamper with the database, which is the heart of every WordPress website.

These are the percentages:

  • Broken Access Control 84.99%
  • SQL Injection 20.64%
  • Cross-Site Scripting 9.4%
  • Unauthenticated Arbitrary File Upload 5.28%
  • Sensitive Data Disclosure 4.59%
  • Insecure Direct Object Reference (IDOR) 3.67%
  • Remote Code Execution 2.52%
  • Other 14.45%

Vulnerabilities In The WordPress Core Itself

The overwhelming majority of vulnerability issues were reported in third-party plugins and themes. However, in 2023 there were a total of 13 vulnerabilities reported in the WordPress core itself. Out of the thirteen vulnerabilities, only one was rated as a high severity threat, which is the second highest level, with Critical being the highest, under the Common Vulnerability Scoring System (CVSS).

The WordPress core platform itself is held to the highest standards and benefits from a worldwide community that is vigilant in discovering and patching vulnerabilities.

Website Security Should Be Considered As Technical SEO

Site audits don’t normally cover website security but in my opinion every responsible audit should at least talk about security headers. As I’ve been saying for years, website security quickly becomes an SEO issue once a website’s rankings start disappearing from the search engine results pages (SERPs) due to being compromised by a vulnerability. That’s why it’s critical to be proactive about website security.

According to the WPScan report, the main points of entry for hacked websites were leaked credentials and weak passwords. Ensuring strong password standards plus two-factor authentication is an important part of every website’s security stance.

Using security headers is another way to help protect against Cross-Site Scripting and other kinds of vulnerabilities.

Lastly, a WordPress firewall and website hardening are also useful proactive approaches to website security. I once added a forum to a brand new website I created and it was immediately under attack within minutes. Believe it or not, virtually every website worldwide is under attack 24 hours a day by bots scanning for vulnerabilities.

Read the WPScan Report:

WPScan 2024 Website Threat Report


WordPress Releases A Performance Plugin For “Near-Instant Load Times” via @sejournal, @martinibuster

WordPress released an official plugin that adds support for a cutting edge technology called speculative loading that can help boost site performance and improve the user experience for site visitors.

Speculative Loading

Speculative loading is a technique that fetches pages or resources before a user clicks a link to navigate to another webpage.

The official WordPress page about this new functionality describes it:

“The Speculation Rules API is a new web API… It allows defining rules to dynamically prefetch and/or prerender URLs of certain structure based on user interaction, in JSON syntax—or in other words, speculatively preload those URLs before the navigation.

This API can be used, for example, to prerender any links on a page whenever the user hovers over them. Also, with the Speculation Rules API, “prerender” actually means to prerender the entire page, including running JavaScript. This can lead to near-instant load times once the user clicks on the link as the page would have most likely already been loaded in its entirety. However that is only one of the possible configurations.”

The new WordPress plugin adds support for the Speculation Rules API. The Mozilla developer pages, a great resource for HTML technical understanding, describe it like this:

“The Speculation Rules API is designed to improve performance for future navigations. It targets document URLs rather than specific resource files, and so makes sense for multi-page applications (MPAs) rather than single-page applications (SPAs).

The Speculation Rules API provides an alternative to the widely-available feature and is designed to supersede the Chrome-only deprecated feature. It provides many improvements over these technologies, along with a more expressive, configurable syntax for specifying which documents should be prefetched or prerendered.”

Performance Lab Plugin

The new plugin was developed by the official WordPress performance team which occasionally rolls out new plugins for users to test ahead of possible inclusion into the actual WordPress core. So it’s a good opportunity to be first to try out new performance technologies.

The new WordPress plugin is by default set to prerender “WordPress frontend URLs” which are pages, posts, and archive pages. How it works can be fine-tuned under the settings:

Settings > Reading > Speculative Loading

Browser Compatibility

The Speculation Rules API is supported by Chrome 108; however, the specific rules used by the new plugin require Chrome 121 or higher. Chrome 121 was released in early 2024.

Browsers that do not support the API will simply ignore the plugin, with no effect on the user experience.

Check out the new Speculative Loading WordPress plugin developed by the official core WordPress performance team.

Speculative Loading By WordPress Performance Team

WordPress Discovers XSS Vulnerability – Recommends Updating To 6.5.2 via @sejournal, @martinibuster

WordPress announced the 6.5.2 Maintenance and Security Release update that patches a stored cross site scripting vulnerability and fixes over a dozen bugs in the core and the block editor.

The same vulnerability affects both the WordPress core and the Gutenberg plugin.

Cross Site Scripting (XSS)

An XSS vulnerability was discovered in WordPress that could allow an attacker to inject scripts into a website that then attack visitors to those pages.

There are three kinds of XSS vulnerabilities but the most commonly discovered in WordPress plugins, themes and WordPress itself are reflected XSS and stored XSS.

Reflected XSS requires a victim to click a link, an extra step that makes this kind of attack harder to launch.

A stored XSS is the more worrisome variant because it exploits a flaw that allows the attacker to upload a script into the vulnerable site that can then launch attacks against site visitors. The vulnerability discovered in WordPress is a stored XSS.

The threat itself is mitigated to a certain degree because this is an authenticated stored XSS, which means that the attacker needs to first acquire at least contributor-level permissions in order to exploit the website flaw that makes the vulnerability possible.

This vulnerability is rated as a medium level threat, receiving a Common Vulnerability Scoring System (CVSS) score of 6.4 on a scale of 1 – 10.

Wordfence describes the vulnerability:

“WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

WordPress.org Recommends Updating Immediately

The official WordPress announcement recommended that users update their installations, writing:

“Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 6.1 and later.”

Read the Wordfence advisories:

WordPress Core < 6.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Gutenberg 12.9.0 – 18.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Read the official WordPress.org announcement:

WordPress 6.5.2 Maintenance and Security Release


XSS Vulnerability Affects Beaver Builder WordPress Page Builder via @sejournal, @martinibuster

The popular Beaver Builder WordPress Page Builder was found to contain an XSS vulnerability that can allow an attacker to inject scripts into the website that will run when a user visits a webpage.

Beaver Builder

Beaver Builder is a popular plugin that allows anyone to create a professional looking website using an easy to use drag and drop interface. Users can start with a predesigned template or create a website from scratch.

Stored Cross Site Scripting (XSS) Vulnerability

Security researchers at Wordfence published an advisory about an XSS vulnerability affecting the page builder plugin. An XSS vulnerability is typically found in a part of a theme or plugin that allows user input. The flaw arises when there is insufficient filtering of what can be input (a process called input sanitization). Another flaw that leads to an XSS is insufficient output escaping, which is a security measure on the output of a plugin that prevents harmful scripts from passing to a site visitor’s browser.

This specific vulnerability is called a Stored XSS. Stored means that an attacker is able to inject a script directly onto the web server. This is different from a reflected XSS, which requires a victim to click a link to the attacked website in order to execute a malicious script. A stored XSS (as affects the Beaver Builder) is generally considered to be more dangerous than a reflected XSS.

The security flaws that gave rise to an XSS vulnerability in the Beaver Builder were due to insufficient input sanitization and output escaping.

Wordfence described the vulnerability:

“The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Button Widget in all versions up to, and including, due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The vulnerability is rated 6.4, a medium level threat. Attackers must gain at least contributor-level permissions in order to be able to launch an attack, which makes this vulnerability a little harder to exploit.
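The two defences named above, input sanitization and output escaping, applied to a button whose text, link and title are user supplied. This is an added illustration in Python, not Beaver Builder's code; the function names, the scheme allow-list and the stored values are constructed for the example, and WordPress's own helpers for the same jobs are esc_html(), esc_attr() and esc_url().

```python
import html
from urllib.parse import urlsplit

# Assumption: the only schemes a button link is allowed to carry.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_url(value):
    """Return value if it is an allow-listed absolute URL or a site-relative
    path, otherwise the inert placeholder '#'."""
    candidate = value.strip()
    # Browsers drop tabs and newlines inside a scheme and treat '\' like '/',
    # so refuse control characters and backslashes instead of parsing them.
    if any(ord(ch) < 0x20 or ch in "\x7f\\" for ch in candidate):
        return "#"
    try:
        scheme = urlsplit(candidate).scheme.lower()
    except ValueError:  # for example a malformed IPv6 host
        return "#"
    if scheme:
        return candidate if scheme in ALLOWED_SCHEMES else "#"
    relative = candidate.startswith(("/", "#")) and not candidate.startswith("//")
    return candidate if relative else "#"


def render_button_unsafe(text, link, title):
    # The flaw in miniature: stored, user-supplied attributes are written
    # into the markup without escaping.
    return f'<a class="button" href="{link}" title="{title}">{text}</a>'


def render_button(text, link, title):
    # Escape for the context each value lands in: attribute values need
    # their quotes escaped, and a URL needs its scheme checked first.
    href = html.escape(safe_url(link), quote=True)
    label = html.escape(text, quote=False)
    tip = html.escape(title, quote=True)
    return f'<a class="button" href="{href}" title="{tip}">{label}</a>'


# Constructed values standing in for what a contributor could save.
STORED = {
    "text": "<script>alert(1)</script>",
    "link": "javascript:alert(1)",
    "title": 'Sale" onmouseover="alert(1)',
}

if __name__ == "__main__":
    print("unescaped:", render_button_unsafe(**STORED))
    print("escaped:  ", render_button(**STORED))
```

The scheme check matters because HTML-escaping alone leaves a javascript: link intact; it contains no character that escaping would change.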

The official Beaver Builder changelog, which documents what’s contained in an update, notes that a patch was issued in version

The changelog notes:

“Fix XSS issue in Button & Button Group Modules when using lightbox”

Recommended action: It’s generally a good practice to update and patch a vulnerability before an attacker is able to exploit it. It’s a best practice to stage the site first before pushing an update live, in case the updated plugin conflicts with another plugin or theme.

Read the Wordfence advisory:

Beaver Builder – WordPress Page Builder <= – Authenticated (Contributor+) Stored Cross-Site Scripting via Button


Data Confirms A Surge In WordPress Vulnerabilities via @sejournal, @martinibuster

WordPress security researchers at Patchstack published their annual State of WordPress Security whitepaper that showed an increase of high and critical severity vulnerabilities, highlighting the importance of security for all websites on the WordPress platform.

XSS Is Top WordPress Vulnerability Of 2023

There are many kinds of vulnerabilities but the most common by far was cross site scripting (XSS) vulnerabilities, accounting for 53.3% of all new WordPress security vulnerabilities.

XSS vulnerabilities generally occur due to insufficient “sanitization” of user inputs, which includes blocking any inputs that do not conform to what is expected. Patchstack shared that the Freemius framework, a third-party managed eCommerce platform, accounted for over 1,200 of all XSS vulnerabilities, representing 21% of all new XSS vulnerabilities discovered in 2023.

The Freemius Software Development Kit (SDK) is used as a component of over 1,200 plugins, which in turn are installed on over 7 million WordPress sites. This highlights the problem of supply chain vulnerabilities, where a component is used as a part of a WordPress plugin, which subsequently increases the scope of a vulnerability beyond just one plugin.

Patchstack’s report explained:

“This year we saw once again how a single cross-site scripting vulnerability in the Freemius framework resulted in 1,248 plugins inheriting the security vulnerability, exposing their users to risk.

21% of all new vulnerabilities discovered in 2023 can be traced back to this one flaw. It’s vital for developers to choose their stack carefully and promptly apply security updates when these become available.”

More Vulnerabilities Rated High Or Critical

Vulnerabilities are assigned a severity score that corresponds to how disruptive a discovered flaw is. The ratings are low, medium, high and critical.

In 2022, 13% of new vulnerabilities were classified as high or critical. That percentage skyrocketed in 2023 to 42.9%, meaning that there were more destructive vulnerabilities in 2023 than in the previous year.

Authenticated Versus Unauthenticated Vulnerabilities

Another metric that pops out in the report is the percentage of vulnerabilities that require no authentication (unauthenticated), meaning the attacker does not need any user permission level in order to launch an attack.

Flaws that require an attacker to have subscriber-level to admin-level permissions set a higher bar for attackers to overcome. Unauthenticated vulnerabilities do not require that the attacker first obtain a permission level, which makes those kinds of vulnerabilities more concerning because they can be exploited through automated attacks, such as bots that probe a site for the vulnerability and then automatically launch attacks.

Patchstack found that 58.9% of all new vulnerabilities required no authentication at all.

Abandoned Plugins Spike As a Risk Factor

Another significant cause of vulnerabilities is the large number of abandoned plugins. In 2022 Patchstack reported 147 abandoned plugins and themes to WordPress.org; out of those, 87 were removed and the remainder were patched.

In 2023 the number of abandoned plugins exploded from 147 in 2022 to 827 plugins and themes in 2023. Whereas 87 vulnerable abandoned plugins were removed in 2022, 481 were removed in 2023.

Patchstack noted:

“We reported 404 of those plugins in a single day to draw attention to the “zombie plugin pandemic” in WordPress. Such “zombie” plugins are components that seem safe and up-to-date at first glance, but may contain unpatched security issues. Furthermore, such plugins remain active on user sites even if they are removed from the WordPress plugins repository.”

Most Popular Plugins With Vulnerabilities

As mentioned earlier, severity ratings are low, medium, high and critical. Patchstack compiled a list of the most popular plugins with vulnerabilities.

In 2022 there were 11 popular plugins with over a million active installations that contained vulnerabilities. In 2023 Patchstack lowered the bar on installations from a million to over 100,000 installations. Yet despite making it easier to get on the list, there were only 9 popular plugins that were found to have a vulnerability, far fewer than in 2022.

In 2022 only five out of 11 of the most popular plugins with vulnerabilities contained a high severity vulnerability, none contained a critical level vulnerability and the rest were medium level severity.

Those numbers became significantly worse in 2023. Despite lowering the threshold of what’s considered a popular plugin, all nine plugins on the list contained critical level vulnerabilities, all of them. The overwhelming majority of the plugins on that list, six out of nine, contained unauthenticated vulnerabilities, meaning that exploiting them is easy to scale with automation. The remaining three that required authentication only required subscriber-level access, which is the easiest permission level to acquire: just sign up, verify the email and they’re in. That too can be scaled with automation.

List Of Most Popular Plugins With Vulnerabilities

  1. Essential Addons for Elementor 1M+ installations (severity rating 9.8)
  2. WP Fastest Cache 1M+ installations (severity rating 9.3)
  3. Gravity Forms 940k installations (severity rating 8.3)
  4. Fusion Builder 900k installations (severity rating 8.5)
  5. Flatsome (Theme) 618k installations (severity rating 8.3)
  6. WP Statistics 600k installations (severity rating 9.9)
  7. Forminator 400k installations (severity rating 9.8)
  8. WPvivid Backup and Migration 300k installations (severity rating 8.8)
  9. JetElements For Elementor 300k installations (severity rating 8.2)

State Of WordPress Security Is Worse

If you feel like there are more vulnerabilities lately than ever before, now you know the reason: the statistics speak for themselves. There are more vulnerabilities in 2023, and a greater percentage are at high and critical levels, which can be exploited with automation at scale.

This means that all publishers need to improve their security and make sure that someone is taking responsibility for auditing their plugins and themes on a regular basis to make sure they are all updated and actively maintained.

SEOs should take notice because security quickly becomes a ranking problem when Google drops a hacked site from the search results. Many SEOs who perform site audits don’t do even the most basic security checks like verifying if the security headers are in place, which is something that I do as a part of every audit I perform. Always make sure to have a discussion with clients about their security to make sure they are aware of the risks.
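The security-header check mentioned here, and in the closing section of the WPScan article above, can be scripted. The following is an added example, not part of the original article: the choice of headers, the 180-day HSTS minimum and the sample response are assumptions made for illustration.

```python
import re

# Constructed sample: response headers in the form `curl -sI` prints them.
SAMPLE_RESPONSE = """\
HTTP/2 200
content-type: text/html; charset=UTF-8
strict-transport-security: max-age=300
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-frame-options: SAMEORIGIN
"""

MIN_HSTS_SECONDS = 15552000  # assumption: this audit wants at least 180 days


def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def csp_directives(policy):
    """Split a Content-Security-Policy into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.lower().split()
        if tokens:
            # Browsers ignore a repeated directive, so keep the first.
            directives.setdefault(tokens[0], tokens[1:])
    return directives


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    csp = csp_directives(headers.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))
    if not csp:
        findings.append("content-security-policy: missing")
    elif scripts is None:
        findings.append("content-security-policy: scripts are unrestricted")
    elif "'unsafe-inline'" in scripts and not any(
            s.startswith(("'nonce-", "'sha")) for s in scripts):
        # Without a nonce or hash, injected inline script still runs.
        findings.append("content-security-policy: script sources allow 'unsafe-inline'")

    hsts = headers.get("strict-transport-security")
    age = re.search(r'max-age="?(\d+)', hsts or "", re.IGNORECASE)
    if hsts is None:
        findings.append("strict-transport-security: missing")
    elif age is None or int(age.group(1)) < MIN_HSTS_SECONDS:
        findings.append(f"strict-transport-security: max-age below {MIN_HSTS_SECONDS}")

    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options: missing or not 'nosniff'")

    xfo = headers.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append("framing: no frame-ancestors and no valid x-frame-options")

    if "referrer-policy" not in headers:
        findings.append("referrer-policy: missing")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(parse_headers(SAMPLE_RESPONSE)):
        print(finding)
```

A Content-Security-Policy that still allows inline script is flagged even though the header is present, since that is the setting that decides whether the header helps against XSS.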

Patchstack is an example of a service that automatically protects WordPress sites against vulnerabilities even before the plugin issues a patch to fix the vulnerability. Those kinds of services are important in order to create a defense against getting hacked and losing search visibility and earnings.

Read the Patchstack report:

State of WordPress Security In 2023


15 Vulnerabilities In 11 Elementor Addons Hit +3M WordPress Sites via @sejournal, @martinibuster

Researchers have issued advisories for eleven separate Elementor add-on plugins with 15 vulnerabilities that can make it possible for hackers to upload malicious files. One of them is rated as a high threat vulnerability because it can allow hackers to bypass access controls, execute scripts and obtain sensitive data.

Two Different Kinds Of Vulnerabilities

The majority of the vulnerabilities are Stored Cross Site Scripting (XSS). Three of them are Local File Inclusion.

XSS vulnerabilities are among the most common forms of vulnerability found in WordPress plugins and themes. They generally arise from flaws in how input data is secured (input sanitization) and also how output data is locked down (output escaping).

A Local File Inclusion vulnerability is one that exploits an unsecured user input area that allows an attacker to “include” a file into the input. Include is a coding term. In plain English a file inclusion is a scripting thing (a statement) that tells the website to add specific code from a file, like a PHP file. I have used includes in PHP to bring in data from one file (like the title of a webpage) and stick it into the meta description; that’s an example of an include.

This kind of vulnerability can be a serious threat because it allows an attacker to “include” a wide range of code which in turn can lead to the ability to bypass any restrictions on actions that can be carried out on the website and/or allow access to sensitive data that is normally restricted.

The Open Web Application Security Project (OWASP) defines a Local File Inclusion vulnerability:

“The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a “dynamic file inclusion” mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

This can lead to something as outputting the contents of the file, but depending on the severity, it can also lead to:

  • Code execution on the web server
  • Code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS)
  • Denial of Service (DoS)
  • Sensitive Information Disclosure”

List Of Vulnerable Elementor Add-On Plugins

There are eleven total Elementor add-on plugins that have vulnerability advisories, two of which were issued today (March 29th), two of which were issued on March 28th. The remaining seven were issued within the past few days.

Some of the plugins have more than one vulnerability so that there are a total of 15 vulnerabilities in eleven of the plugins.

Out of the eleven plugins one is rated as a High Severity vulnerability and the rest are Medium Severity.

Here is the list of plugins listed in descending order of the most recent to the earliest. The numbers next to the vulnerabilities denote if they have more than one vulnerability.

List of Vulnerable Elementor Add-Ons

  1. ElementsKit Elementor addons (x2)
  2. Unlimited Elements For Elementor
  3. 140+ Widgets | Best Addons For Elementor
  4. Better Elementor Addons
  5. Elementor Addon Elements (x2)
  6. Master Addons for Elementor
  7. The Plus Addons for Elementor (x2)
  8. Essential Addons for Elementor (x2)
  9. Element Pack Elementor Addons
  10. Prime Slider – Addons For Elementor
  11. Move Addons for Elementor

High Severity Vulnerability

The High Severity vulnerability found in the ElementsKit Elementor Addons plugin for WordPress is especially concerning because it can put over a million websites in danger. This vulnerability is rated 8.8 on a scale of 1 – 10.

What accounts for its popularity is the all-in-one nature of the plugin that allows users to easily modify virtually any on-page design feature in the headers, footers, and menus. It also includes a vast template library and 85 widgets that add extra functionality to webpages created with the Elementor website building platform.

The Wordfence security researchers described the vulnerability threat:

“The ElementsKit Elementor addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.0.6 via the render_raw function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.”
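The file inclusion mechanism explained earlier, and the path handling that prevents it, shown as an added example in Python rather than the plugin's PHP (where the included file would also be executed). It is not ElementsKit's code; the widget setting, file names and directory layout are constructed.

```python
from pathlib import Path

# Assumption: the template styles this hypothetical widget ships with.
ALLOWED_STYLES = {"team-grid", "team-list"}


def build_demo_site(root):
    """Create a constructed layout: a templates directory next to a file
    that must never be served. Returns the templates directory."""
    templates = Path(root) / "templates"
    templates.mkdir()
    (templates / "team-grid.php").write_text("team grid markup")
    (templates / "team-list.php").write_text("team list markup")
    (Path(root) / "private-settings.php").write_text("constructed-secret")
    return templates


def load_template_unsafe(template_dir, style):
    # Flaw: a saved widget setting is joined into the path unchecked, so
    # '../' segments or an absolute path decide which file is loaded.
    return (Path(template_dir) / f"{style}.php").read_text()


def resolve_inside(base_dir, name):
    """Resolve name under base_dir and refuse anything that lands outside.
    resolve() also follows symlinks, so a link pointing out is refused."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):
        raise ValueError(f"path escapes {base.name}/: {name!r}")
    return target


def load_template(template_dir, style):
    # First choice: map the setting onto a fixed set of known templates.
    if style not in ALLOWED_STYLES:
        raise ValueError(f"unknown template style: {style!r}")
    # Second layer: containment, in case the set is ever loosened.
    return resolve_inside(template_dir, f"{style}.php").read_text()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        templates = build_demo_site(root)
        print("unsafe:", load_template_unsafe(templates, "../private-settings"))
        try:
            load_template(templates, "../private-settings")
        except ValueError as err:
            print("rejected:", err)
```

The allow-list also covers the uploaded-file case in the advisory, because a file that is not one of the known templates is never a valid choice, whatever its extension.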

Millions of WordPress Sites Affected

The vulnerabilities may affect over 3 million websites. Just two of the plugins have a total of three million active installations. Websites tend to use just one of these plugins because there is a certain amount of overlap between the features. The all-in-one nature of some of these plugins means that only one plugin is needed in order to access important widgets for adding sliders, menus and other on-page elements.

List of Vulnerable Plugins By Number Of Installations

  1. Essential Addons for Elementor – 2 Million
  2. ElementsKit Elementor addons – 1 Million
  3. Unlimited Elements For Elementor – 200k
  4. Elementor Addon Elements – 100k
  5. The Plus Addons for Elementor – 100k
  6. Element Pack Elementor Addons – 100k
  7. Prime Slider – Addons For Elementor – 100k
  8. Master Addons for Elementor – 40k
  9. 140+ Widgets | Best Addons For Elementor – 10k
  10. Move Addons for Elementor – 3k
  11. Better Elementor Addons – Unknown – Closed By WordPress

Recommended Action

Although many of the medium level severity vulnerabilities require hackers to obtain contributor level authentication in order to launch an attack, it’s best not to underestimate the risk posed by other plugins or installed themes that might grant the attacker the ability to launch these specific attacks.

It’s generally prudent to test updated themes before pushing updates to a live site.

Read the official Wordfence advisories (with CVE numbers):

A. 03/29 ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-1238

B. 03/29 ElementsKit Elementor addons <= 3.0.6 – Authenticated (Contributor+) Local File Inclusion in render_raw CVE-2024-2047 8.8 HIGH THREAT

03/29 Unlimited Elements For Elementor <= 1.5.96 – Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Link CVE-2024-0367

03/28 140+ Widgets | Best Addons For Elementor – FREE <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2250

03/28 Better Elementor Addons <= 1.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via widget links CVE-2024-2280

A. Elementor Addon Elements <= 1.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2091

B. Elementor Addon Elements <= 1.13.2 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via ‘Text Separator’ and ‘Image Compare’ Widget CVE-2024-2792

Master Addons for Elementor <= – Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget CVE-2024-2139

A. The Plus Addons for Elementor <= 5.4.1 – Authenticated (Contributor+) Local File Inclusion via Team Member Listing CVE-2024-2210

B. The Plus Addons for Elementor <= 5.4.1 – Authenticated (Contributor+) Local File Inclusion via Clients Widget CVE-2024-2203

A. Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting (via the countdown widget’s message parameter) CVE-2024-2623

B. Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting (via the alignment parameter in the Woo Product Carousel widget) CVE-2024-2650

Element Pack Elementor Addons <= 5.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via link CVE-2024-30185

Prime Slider – Addons For Elementor <= 3.13.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via title CVE-2024-30186

Move Addons for Elementor <= 1.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-2131
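A way to compare a site's plugin inventory against the version ranges in the advisories listed above. This is an added example, not Wordfence or WordPress tooling; the installed versions are constructed, and the Master Addons entry has no upper bound because its version does not appear on this page.

```python
import re

# (plugin, highest affected version, CVE) as listed in the advisories above.
# None marks the entry whose version is not given on this page.
ADVISORIES = [
    ("ElementsKit Elementor addons", "3.0.6", "CVE-2024-1238"),
    ("ElementsKit Elementor addons", "3.0.6", "CVE-2024-2047"),
    ("Unlimited Elements For Elementor", "1.5.96", "CVE-2024-0367"),
    ("140+ Widgets | Best Addons For Elementor", "1.4.2", "CVE-2024-2250"),
    ("Better Elementor Addons", "1.4.1", "CVE-2024-2280"),
    ("Elementor Addon Elements", "1.13.1", "CVE-2024-2091"),
    ("Elementor Addon Elements", "1.13.2", "CVE-2024-2792"),
    ("Master Addons for Elementor", None, "CVE-2024-2139"),
    ("The Plus Addons for Elementor", "5.4.1", "CVE-2024-2210"),
    ("The Plus Addons for Elementor", "5.4.1", "CVE-2024-2203"),
    ("Essential Addons for Elementor", "5.9.11", "CVE-2024-2623"),
    ("Essential Addons for Elementor", "5.9.11", "CVE-2024-2650"),
    ("Element Pack Elementor Addons", "5.5.3", "CVE-2024-30185"),
    ("Prime Slider – Addons For Elementor", "3.13.1", "CVE-2024-30186"),
    ("Move Addons for Elementor", "1.2.9", "CVE-2024-2131"),
]

# Constructed inventory: plugin name -> installed version.
INSTALLED = {
    "ElementsKit Elementor addons": "3.0.6",
    "Elementor Addon Elements": "1.13.2",
    "Essential Addons for Elementor": "5.9.12",
    "Master Addons for Elementor": "2.0.0",
    "Prime Slider – Addons For Elementor": "3.13.1",
}


def parse_version(text):
    """'5.9.11' -> (5, 9, 11); stops at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def is_affected(installed, max_affected):
    """True or False for a '<=' range, None when the bound is unknown.
    An unparseable installed version compares as 0 and is reported."""
    if max_affected is None:
        return None
    have, bound = parse_version(installed), parse_version(max_affected)
    width = max(len(have), len(bound))
    have += (0,) * (width - len(have))    # so 1.13 compares as 1.13.0
    bound += (0,) * (width - len(bound))
    return have <= bound


def audit(installed):
    """List (plugin, installed version, CVE, verdict) for every advisory
    that applies or cannot be ruled out."""
    findings = []
    for plugin, max_affected, cve in ADVISORIES:
        if plugin not in installed:
            continue
        verdict = is_affected(installed[plugin], max_affected)
        if verdict is None:
            findings.append((plugin, installed[plugin], cve, "unknown range"))
        elif verdict:
            findings.append((plugin, installed[plugin], cve, "affected"))
    return findings


if __name__ == "__main__":
    for row in audit(INSTALLED):
        print(" | ".join(row))
```

A version above the listed bound only means it falls outside the range the advisory states.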
