Last Thursday, March 27, 2025, we held another WordPress Valencia MeetUp, which I had the opportunity to co-organize. These meetings are part of the events hosted by the WordPress Community—a global network of people who contribute to the WordPress project, an open-source CMS used by 42% of the web. In the first part, we had a talk, and in the second, we enjoyed some networking. This time, many old friends and community members joined us once again to listen to a discussion on cybersecurity.






The modern world depends almost entirely on technology, and cybercriminals are aware of that. Cybersecurity is a topic that becomes increasingly important as more aspects of our lives are digitized. In one of our past MeetUps, we had Sara Martínez as a guest, and in her talk “Cybersecurity in WordPress: Risks and Protections,” she explained the importance of writing secure code and testing it to deliver a safe product to clients.
Considering all these principles is necessary, but we do not always control the code we work with, and that is the case with WordPress.org. One of its great advantages is that by adding plugins, you can transform a blog into an e-commerce site or an online course platform; however, you are using third-party code that might contain vulnerabilities. Last year, five infected plugins affected more than one million websites. Moreover, being a widely used CMS makes it an attractive and cost-effective target for attackers. Although there is growing concern about making it more secure, the question remains: How can we protect ourselves from these vulnerabilities?
In this second talk about cybersecurity, the main subject was vulnerabilities, presented by our guest Néstor Angulo in his talk “From the Plantà to the Cremà: the Life Cycle of WordPress Vulnerabilities.”






Néstor is a community member who has given around thirty talks at WordCamps on this topic. He is a technology enthusiast, a computer engineer graduated from the University of Las Palmas de Gran Canaria, and a certified information systems security professional (CISSP), a highly prestigious international certification. He worked for many years at GoDaddy and Sucuri (the latter later acquired by the former). He is currently the Head of Security and Engineering at Patchstack, a cybersecurity company linked to WordPress.
He began with a key idea: “An attacker only needs to get it right once. A defender has to get it right every time.” From there, he explained the two ways of understanding security, a preventive approach and a reactive one, illustrating both with examples and definitions. The first is proactive action; the second consists of solving the problem once it has happened and continually mitigating the risk, and he advises doing everything possible not to reach that second phase (POST). As a website owner, you are responsible for the data you store and for complying with the laws that set protocols and fines in case of a cyberattack.


It was quite interesting that he compared the vulnerability life cycle with the life cycle of the Valencian “fallas,” noting that, being from the Canary Islands, he does not fully know all the stages. The comparison is as follows:


From the defender’s point of view (PRE):
- Plantà: Discovers the vulnerability.
- Ofrenda: Shares the information with his peers, qualified individuals.
- Nit del Foc: The effect is mitigated and virtually patched.
- Cremà: The vulnerability is patched and completely eliminated.
From the attacker’s point of view (POST):
- Plantà: Discovers the vulnerability and injects malicious code.
- Ofrenda: Shares the information with peers on dark net underground networks.
- Nit del Foc: The effects become evident.
- Cremà: Total destruction of the business. Sometimes you face fines or suffer a ransomware attack.

In the following sequence, you can see some slides with a more detailed explanation of the life cycle of vulnerabilities in WordPress. This part was explained later in the talk.






Subsequently, he stated that the core of WordPress is secure, but everything else (plugins, developers, administration, hosting, etc.) is delegated. This is a principle known as “security by default”: “In other words, if you take it out of the box and don’t modify it, it’s secure; if you customize it, then you must assume the risks.” He recommends this page to learn more about WordPress security measures: https://es.wordpress.org/about/security/
He also addressed one of the most common concerns among WordPress developers, designers, and implementers: what are the steps by which a site gets infected?
- First, a vulnerability is needed; it is the entry door into the system.
- Then an exploit that takes advantage of it, and later
- The injection of the final code: a backdoor, spam/defacement, a BotNode, or other code.
To understand the infection process, it is essential to define some concepts. He explains that a vulnerability is not always negative in itself: it is an error in the code, or a possibility for misuse, that can be exploited to perform unauthorized actions within a computer system. Sometimes a feature is built for a specific function and then used for another, such as carrying out unauthorized actions on a website.
We must also understand the concept of an exploit: it is the piece of code that takes advantage of a vulnerability to get into the system.


Subsequently, he lists some of the most common vulnerabilities:
- SQL Injection (SQLi): Attackers can inject their own SQL into the queries the site runs against its database.
- Cross-Site Scripting (XSS): This is the most common vulnerability in WordPress plugins. It can be used to hijack sessions or redirect users to malicious sites.
- Cross-Site Request Forgery (CSRF): Tricks users into executing unwanted actions on a website where they are authenticated. For example, a user logged into their bank clicks to view their statements, but in reality, they are instructing the bank to transfer money. The bank accepts it as authentic because the action comes from the user’s session, but the user is unaware of the deception.
- File Inclusion: Allows reading confidential files on the server (LFI) or including files from a remote server (RFI), and thereby executing malicious scripts.
- Brute Force Attacks: A trial-and-error method used to find access credentials, encryption keys, or hidden pages. If your site does not enforce a secure password policy or limit login attempts, it can be very vulnerable.
- Denial of Service (DoS): Excessive traffic is sent to a website to render it inoperable.
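As an added example for the brute-force item above (it is not code from the talk or from the post), here is a minimal login throttle for WordPress that counts failed attempts per client address in a transient and refuses authentication once a threshold is reached. The `mvd_` function names, the thresholds and the log format are invented for illustration; the hooks (`wp_login_failed`, `authenticate`, `wp_login`) and the transient functions are WordPress core APIs.

```php
<?php
/**
 * Added example (not from the talk or the post): throttle failed logins
 * per client IP with WordPress transients. Names and limits are invented.
 */

define( 'MVD_MAX_ATTEMPTS', 5 );                        // failures allowed per window
define( 'MVD_WINDOW_SECONDS', 15 * MINUTE_IN_SECONDS ); // window length

// One transient key per client address. REMOTE_ADDR is the address the
// server saw directly; behind a proxy or CDN you would use the header that
// proxy sets, and only after verifying the request really came from it.
function mvd_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'mvd_login_fail_' . md5( $ip );
}

// Count each failed login in the current window and leave a trace for
// monitoring (log review, SIEM).
function mvd_record_failed_login( $username ) {
    $key   = mvd_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, MVD_WINDOW_SECONDS );
    error_log( sprintf( 'mvd: failed login #%d for user "%s"', $count, sanitize_user( $username ) ) );
}
add_action( 'wp_login_failed', 'mvd_record_failed_login' );

// Once the threshold is reached, return a WP_Error from the authenticate
// filter. Priority 30 runs after core's username/password checks, so the
// error overrides their result and even a correct password is refused while
// the client is throttled.
function mvd_block_if_throttled( $user, $username, $password ) {
    if ( (int) get_transient( mvd_client_key() ) >= MVD_MAX_ATTEMPTS ) {
        return new WP_Error( 'mvd_throttled', __( 'Too many failed attempts. Try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'mvd_block_if_throttled', 30, 3 );

// A successful login clears the counter for that client.
function mvd_clear_on_success( $user_login, $user ) {
    delete_transient( mvd_client_key() );
}
add_action( 'wp_login', 'mvd_clear_on_success', 10, 2 );
```

Transients are per site, so a distributed attack across many addresses is not stopped by this alone; that is the kind of traffic a WAF, which the speaker recommends later in the talk, is better placed to filter.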





Another important area to consider is supply chain vulnerability. This refers to the security risks that arise along the different links in the production, distribution, and operation chain of software, hardware, and digital services. It is a critical issue because a vulnerability in any supplier or partner can compromise an entire organization’s infrastructure.
Néstor calls it “the perfect storm” because WordPress relies on many external services, and if one stops working, it compromises the entire system —“and it is nowadays the easiest thing to break,” he tells us in technical language.
To illustrate, he referred to an example from January 2022. Marak Squires, an open-source developer, sabotaged two of his own Node.js packages, colors.js and faker.js, in protest of not receiving financial compensation for his work. These packages were widely used in the development community, with millions of monthly downloads and dependencies in numerous projects [1]. These actions affected countless projects, interrupting their operations and highlighting the inherent vulnerability in the open-source software supply chain.
He also highlighted the example of Freemius, which in 2012 was affected by an XSS vulnerability. As a result, more than 1,200 plugins inherited the vulnerability, not because their own code was vulnerable, but because they used a library that was.
These incidents underline the importance of proper dependency management in software projects and raise questions about the sustainability and financial support of open-source projects.
From his position as “guardian of information,” as he defined himself at the beginning of the talk, he insists on applying protective measures such as:
- “Sanitize”: Clean, filter, and validate the inputs and outputs of your code.
- Zero Trust: A concept based on the principle “Never trust, always verify.” No user, device, or application should be trusted by default, whether inside or outside the corporate network.
- Security by Design and Security by Default
- Least Privilege Principle
- Monitoring
- Backups
- HTTPS
- Strong Passwords
- 2FA
- …among others.
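To tie the vulnerability list (SQLi, XSS, CSRF) to the measures just listed (sanitize, Zero Trust, least privilege), here is an added example that is not code from the talk or from the post: a hypothetical WordPress admin-ajax handler that stores a note for a post, first written with the defects and then hardened. The `mvd_` function names, the `mvd_save_note` nonce action and the `mvd_notes` table are all invented for illustration; the WordPress functions called (`check_ajax_referer`, `current_user_can`, `sanitize_text_field`, `$wpdb->prepare`, `esc_html`, `wp_create_nonce`) are core APIs.

```php
<?php
/**
 * Added example (not from the talk or the post). Function names, the
 * 'mvd_' prefix, the nonce action and the custom table are invented.
 */

/* --- Vulnerable version, kept only for comparison; never register it. --- */
function mvd_insecure_save_note() {
    global $wpdb;
    $post_id = $_POST['post_id'];   // no validation
    $note    = $_POST['note'];      // no sanitization
    // SQLi: user input interpolated straight into the query.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}mvd_notes (post_id, note) VALUES ($post_id, '$note')" );
    // XSS: user input echoed back without escaping.
    echo '<p>Saved: ' . $note . '</p>';
    wp_die();
}
// Also missing above: a nonce check (CSRF) and a capability check (least privilege).

/* --- Hardened version of the same feature. --- */
function mvd_secure_save_note() {
    global $wpdb;

    // CSRF: the request must carry the nonce issued for this action; on
    // failure check_ajax_referer() stops execution with a 403.
    check_ajax_referer( 'mvd_save_note', 'nonce' );

    // Zero Trust / least privilege: being logged in is not enough, the user
    // must be allowed to edit this specific post.
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // Sanitize: remove the slashes WordPress adds to request data, then strip
    // tags and control characters; reject an empty result.
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    if ( '' === $note ) {
        wp_send_json_error( array( 'message' => 'Empty note' ), 400 );
    }

    // SQLi: typed placeholders through $wpdb->prepare(), never interpolation.
    $wpdb->query(
        $wpdb->prepare(
            "INSERT INTO {$wpdb->prefix}mvd_notes (post_id, note) VALUES (%d, %s)",
            $post_id,
            $note
        )
    );

    // XSS: escape on output, for the context in which the value is printed.
    wp_send_json_success( array( 'html' => '<p>Saved: ' . esc_html( $note ) . '</p>' ) );
}
add_action( 'wp_ajax_mvd_save_note', 'mvd_secure_save_note' );

/* Where the UI is rendered, issue the nonce the handler expects. */
function mvd_render_save_button( $post_id ) {
    printf(
        '<button class="mvd-save" data-post="%d" data-nonce="%s">Save note</button>',
        absint( $post_id ),
        esc_attr( wp_create_nonce( 'mvd_save_note' ) )
    );
}
```

The order in the hardened handler is deliberate: authenticate the request (nonce), authorize the user (capability), validate and sanitize the input, query with placeholders, and escape at the moment of output rather than at the moment of storage.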
Regarding updates, he is always asked, “Do I have to update?” His answer: “Yes! Always—don’t even hesitate.” He recommends checking if there are security patches in the new version’s Changelog, updating the staging environment and the production site, and, of course, having a backup. This topic warrants another talk.
He also emphasizes the importance of using a WAF, because it filters all traffic, protects against XSS and DDoS, patches known software vulnerabilities, and—if it includes a CDN—improves site speed and performance. It also serves as a forensic analysis tool and allows for manual access blocking. He explains that the WAF acts like a watchdog, reminding him of a dog’s bark—a very interesting mnemonic to remember its importance.




To conclude, he told us about the new Cyber Resilience Act (CRA). Issued by the European Union, it mandates a minimum set of cybersecurity standards to protect citizens. It is expected to come into effect in June 2026. Some of its requirements include:
- Separate updates: security and features
- A separate Changelog for security, reflecting the vulnerabilities
- Software Bill of Materials (SBOM)
- No vulnerabilities in production
- Vulnerability Disclosure Program (VDP)
Conclusion
This is a summary of a very comprehensive talk filled with a wealth of information. Now, we face the challenge of putting all this knowledge into practice and applying it to our projects. The audience was very satisfied with all the explanations. I invite you to watch the session; below you can find the link to the video. The speaker received Raiola’s delicious cookie. This was a very special moment because guests are always surprised and delighted with the detail and the message “Pato La Vida.” Thank you, Raiola, for this gesture. The audience even commented that “they were amazing.” Since we ran out of time, we moved the Q&A session to the “beerworking” moment. We were joined by some “celebrities” from the WordPress Valencia community. I call them that respectfully, because they have been collaborating with the community for many years.







Amidst conversation after conversation, Néstor Angulo and Borja López mentioned that they are members of the ISC2 Spain Chapter, founded in 2023 and based in Madrid. This is a local community of professionals dedicated to promoting and advancing the field of information security and cybersecurity in Spain. As an official chapter of ISC2—an international non-profit association for cybersecurity professionals—its objectives include driving security initiatives at the national level, educating the community on how to protect themselves against cyber threats, and collaborating with companies and governments to develop certifications that meet market needs.
Over some beers, a little wine, snacks, olives, and peanuts, we continued discussing security, new projects, and WordPress. Later, we went out for dinner.
Many thanks to Wayco for allowing us to use their installations for the WordPress Valencia MeetUp and to Raiola for sponsoring the beers at the end. See you at the next one!
You can watch the talk here:
Reference:
[1] Julien Maury. Open Source Sabotage Incident Hits Software Supply Chain. January 13, 2022. eSecurity Planet. https://www.esecurityplanet.com/applications/open-source-sabotage-incident-hits-software-supply-chain/?