Patchstack Weekly
68 episodes
5 days ago
This is a weekly series where you can get caught up on recent events relevant to open source security, with an initial focus on WordPress security. This series is brought to you by Patchstack and your host Robert. I look forward to helping keep you regularly up to date on open source security issues here at the Patchstack weekly Update.
Tech News
News
All content for Patchstack Weekly is the property of Patchstack Weekly and is served directly from their servers with no modification, redirects, or rehosting. The podcast is not affiliated with or endorsed by Podjoint in any way.
Episodes (20/68)
Patchstack Weekly - Ending On a High Note

This is the final episode of the Patchstack Weekly podcast. All things come to an end - so it's only fitting to dedicate the last episode to software end-of-life, and how developers and website owners should handle sunsetting their projects.

We also want to thank our host, Robert, for sharing lessons on WordPress security (and beyond) over these past 68 episodes!

2 years ago
7 minutes 20 seconds

Patchstack Weekly - Securing Open-Source Forks

Forking is a fundamental part of open-source software - it offers anyone the opportunity to lead an existing project in a new direction. But forking also means that the owners of the new fork are taking over the responsibility for the security of their new project.

2 years ago
5 minutes 44 seconds

Patchstack Weekly - Preventing Insecure Inclusion Bugs

This week's knowledge share is about a rare but serious security bug that can be found in any PHP application. Luckily it is easy to avoid, and WordPress has a built-in function that developers can utilize to help secure against it. In vulnerability news we'll cover three vulnerabilities, including one PHP Object Injection bug in the popular Advanced Custom Fields plugin.

2 years ago
5 minutes 57 seconds

Patchstack Weekly - The One Serious Vulnerability That Open-Source Will Never Have

Closed-source software has one vulnerability open-source software will never face - source code leaks. This episode is all about embracing people who review open-source software, and consequently make it safer.

We'll also cover the recent Elementor Pro vulnerability that is, unfortunately, being actively exploited by attackers.


2 years ago
5 minutes 40 seconds

Patchstack Weekly - Understanding WordPress Security Bug Severity

When you see a security fix available for your website, you should of course update the affected component. But should you drop everything and apply the update immediately? Or can you at least finish your coffee first? Or is it OK to deal with it when you get a break? That depends on the bug.

Also in this episode, we'll cover the recent critical WooCommerce security bug which was, luckily, fixed with a rare forced update by the WordPress team.

2 years ago
7 minutes 13 seconds

Patchstack Weekly - Un-updatable Plugins - What Do They Mean?

Abandoned plugins with security bugs in them are a silent risk for WordPress site owners - but there's an easy way to spot plugins that have been out of date for a while straight from your WordPress admin page. This episode is a quick tutorial on that!

2 years ago
5 minutes 8 seconds

Patchstack Weekly - State of WordPress Security 2022 Report

We've just released our annual State of WordPress Security report, chock full of security stats and trends from the WordPress ecosystem.

Last year we saw 328% more reported security bugs added to our vulnerability database compared to 2021. This is actually a positive sign of the ecosystem becoming more secure, as more bugs are being caught (and patched). On the downside, the trend of critical vulnerabilities being left unpatched persists.

Today's episode is sort of a tl;dr, as we dive into some of the bigger findings from the whitepaper and explain what they mean for the community.


2 years ago
8 minutes 13 seconds

Patchstack Weekly - Using WordPress As a Headless CMS

This week's knowledge share is an introduction to headless CMSs and WordPress. Robert will dive into what a headless CMS is, how WordPress can be used as one, and the security concerns that go along with it.

2 years ago
7 minutes 31 seconds

Patchstack Weekly - Should You Convert WordPress To a Static Website?

A static website is basically just some HTML files sitting on a server. It's very fast, cheap and secure - and it's rare to have all three.

This week's episode is all about the benefits of static sites, and when you should consider using them.

2 years ago
7 minutes 52 seconds

Patchstack Weekly - Do You Need Virtual Patching?

Regular software updates are essential for security - but they are not enough. Even if you make it a habit to regularly update your WordPress components or use auto-updates, sometimes developers won't release security updates. In fact in 2022, a quarter of critical vulnerabilities found in WordPress plugins did not receive a fix.

This is where "virtual patching" comes in - tune in to learn more about this handy extra security layer.

2 years ago
6 minutes 58 seconds

Patchstack Weekly - Do You Need a 'security.txt' File?

Security.txt is a new proposed standard to encourage website owners to adopt a more proactive approach to security.

The file is an easy way to quickly communicate your vulnerability disclosure program to security researchers. Big companies like Google, Slack, GitHub and Automattic are already using it - should you?

2 years ago
7 minutes 39 seconds

Patchstack Weekly - The Spurious Infinity of Security

The practice of security is boundless, with infinite context about what constitutes danger. Today's episode looks into how you can practice security to better your resume, services, business, and life.

This week's vulnerability roundup will share details on three security bugs that were patched last month in a popular Learning plugin for WordPress.

2 years ago
8 minutes 33 seconds

Patchstack Weekly - How Can Developers Prove Security?

This week's knowledge share is for developers and site owners alike. Robert will be discussing how open-source projects (or really any code project) can show, not just tell, their users that their project's code is secure and safe to use.

This week's vulnerability roundup will share details about three high-risk security bugs in WordPress components - of which two received patches and one went without.

2 years ago
7 minutes 46 seconds

Patchstack Weekly - What Makes a Secure Hosting Service?

The security of your web hosting provider is just as important as the security of your WordPress site. So in this episode Robert talks about how you can check for some important security features your hosting provider may or may not be offering.

This week's security news will cover two critical vulnerabilities - one that received a patch, and one that did not.

2 years ago
8 minutes 56 seconds

Patchstack Weekly - Are You Running Insecure Plugins?

Join Robert on his second episode of new year's security resolutions - this time, he'll be running you through the checklist for ensuring the plugins on your site are safe to use.

He'll also be talking about the recent Doctor Web report about a botnet targeting specific outdated WordPress plugins - which is a great reminder to always keep all your components up-to-date!

2 years ago
8 minutes 14 seconds

Patchstack Weekly - Rotate Your Passwords

In this episode we want to say two things: 1) Happy new year and 2) rotate your passwords!

Rotating your passwords regularly is a key security practice. We feel it's important to stress this in light of the latest news from the LastPass security breach - we now know that attackers did gain access to encrypted customer data, including password vaults.

Granted, this doesn't mean they got their hands on passwords and emails in plain text, but if you've used LastPass then it's high time to change all your passwords now.

2 years ago
7 minutes 51 seconds

Patchstack Weekly - Will AI Change Web Security?

Last week we confirmed that ChatGPT can write basic WordPress plugins - but should you let it? Does AI write safe code? Can it detect vulnerabilities?

Tune in to this year's last episode of Patchstack Weekly to find out what the recent advances in AI mean for the future of web development.

2 years ago
9 minutes 7 seconds

Patchstack Weekly - How One Vulnerability Affects Many

This week's knowledge share is about a recent influx of patched security bugs affecting a single vendor. Don't panic though - the bugs are low-risk. 

The noteworthy part is the number of products affected by the same bug. Stay tuned for this weekly knowledge share where Robert explains why one vendor has multiple products affected by the same bug, and what this has to do with the software supply chain.

2 years ago
8 minutes 20 seconds

Patchstack Weekly - When Hacks Come Back

Recently LastPass reported a secondary security incident that occurred months after an initial break-in. We applaud their honesty and transparency in handling the matter - this is a great example of how to handle any security incident!

LastPass team's investigation concluded that this recent issue - of unexpected access to a third party service - was likely made by someone with information leaked from an incident that happened months ago in August.

So in this week's knowledge share, Robert will discuss the topic of lingering threats from old hacks.

2 years ago
9 minutes 25 seconds

Patchstack Weekly - Hunting Open-Source Security Bugs With SAST

Knowing where to look is the key to finding what you're looking for. For security bugs, it is essential.

In this week's knowledge share, Robert will teach you the basic process of finding security bugs using static code analysis - also known as SAST.

2 years ago
8 minutes 13 seconds