Security Weekly

WordPress Security Compliance & Regulations


Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 12

Security compliance and regulations are topics that are not often discussed in the context of WordPress, but this is going to change significantly in the coming years. GDPR was one of the first regulations to make some compliance practices mainstream in the WordPress ecosystem.

At the end of this month (31st March 2024), PCI DSS v3 will retire and be replaced by PCI DSS v4, which will introduce significant changes to compliance for everyone who accepts credit card payments on their website (regardless of whether the processing is done via a third-party provider).

Then there’s also the upcoming European Cyber Resilience Act, which brings significant regulatory security requirements to the open-source software ecosystem. This is so significant that WordPress, Drupal, Joomla!, and TYPO3 joined forces to send a letter of concerns to the European Union.

Whether we want it or not, new regulations are coming.

The New PCI DSS Version 4

The first one to take effect is PCI DSS version 4 (31st March 2024), which introduces more than 50 new requirements for vendors (such as WooCommerce sites) who process payment data.

One of the most significant changes is that merchants can no longer bypass PCI requirements just because they use a third party to process payments for them. The new PCI DSS v4 specifically states that merchants need to protect the payment pages.

As mentioned, there are 50 new requirements that come with the new PCI compliance, but I would like to highlight two of them, which will probably create a significant shift in the market.

Requirement 6.3: Security vulnerabilities are identified and addressed.

Vulnerability management is no longer an option. Every website that has payment pages where a customer can enter credit card information must have an ongoing overview of security vulnerabilities present in the application, and the application needs to be protected.
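One concrete way to keep the "ongoing overview" that Requirement 6.3 asks for is to match the plugin inventory of a site against an advisory feed on a schedule. The script below is an added example, not code from the original post or from Patchstack: it reads the JSON that WP-CLI prints for `wp plugin list --format=json` (the `name`, `status`, `update` and `version` fields) and flags every installed plugin whose version is below the advisory's `fixed_in` version, or for which no fix exists. Both the plugin inventory and the advisory feed here are constructed sample data; a real deployment would feed it the live `wp plugin list` output and a real vulnerability database.

```python
"""
Added example: minimal plugin-inventory check of the kind PCI DSS v4 Requirement 6.3
expects. Matches the output of `wp plugin list --format=json` against an advisory feed.
The inventory and the advisory feed below are constructed sample data, not real records.
"""
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample of `wp plugin list --format=json` output (fields as WP-CLI emits them).
SAMPLE_INVENTORY = json.dumps([
    {"name": "example-forms", "status": "active", "update": "available", "version": "2.4.1"},
    {"name": "example-seo", "status": "inactive", "update": "available", "version": "4.7.2"},
    {"name": "example-gallery", "status": "active", "update": "none", "version": "1.9.3"},
    {"name": "example-cache", "status": "active", "update": "none", "version": "3.1.0"},
])

# Constructed advisory feed: affected plugin slug and the version that fixes the issue.
# Any installed version older than `fixed_in` is affected; `None` means no fix exists yet.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "slug": "example-forms", "fixed_in": "2.4.2", "title": "Stored XSS"},
    {"id": "ADV-EXAMPLE-002", "slug": "example-seo", "fixed_in": "4.8.0", "title": "Privilege escalation"},
    {"id": "ADV-EXAMPLE-003", "slug": "example-gallery", "fixed_in": None, "title": "SQL injection, unpatched"},
    {"id": "ADV-EXAMPLE-004", "slug": "example-cache", "fixed_in": "3.0.5", "title": "Path traversal"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.1' or '2.4.1-beta' into a tuple of ints; non-numeric tails are dropped."""
    parts = []
    for chunk in version.split("."):
        digits = ""
        for ch in chunk:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(installed: str, fixed_in: Optional[str]) -> bool:
    """Installed version is affected when no fix exists or it is older than the fix."""
    if fixed_in is None:
        return True
    a, b = parse_version(installed), parse_version(fixed_in)
    # Pad the shorter tuple so that '2.4' compares equal to '2.4.0'.
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a < b


def find_vulnerable_plugins(inventory_json: str, advisories: List[Dict]) -> List[Dict]:
    """Return one finding per (plugin, advisory) pair where the installed version is affected."""
    installed = {plugin["name"]: plugin for plugin in json.loads(inventory_json)}
    findings = []
    for adv in advisories:
        plugin = installed.get(adv["slug"])
        if plugin is None:
            continue  # advisory is for a plugin this site does not have
        if is_affected(plugin["version"], adv["fixed_in"]):
            findings.append({
                "plugin": plugin["name"],
                "installed": plugin["version"],
                "fixed_in": adv["fixed_in"],
                "status": plugin["status"],  # inactive plugins are reported too
                "advisory": adv["id"],
                "title": adv["title"],
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_plugins(SAMPLE_INVENTORY, SAMPLE_ADVISORIES):
        remedy = f"update to {f['fixed_in']}" if f["fixed_in"] else "no fix released; remove or mitigate"
        print(f"{f['plugin']} {f['installed']} ({f['status']}): {f['advisory']} {f['title']} -> {remedy}")
```

Inactive plugins are deliberately included in the findings, since their files stay on the server until they are removed, and an advisory with no `fixed_in` version is always reported so that an unpatched issue cannot silently drop out of the overview. Running this from cron against a saved `wp plugin list --format=json` snapshot gives the continuous record an assessor will ask to see.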

Multi-Factor Authentication (MFA) Requirement

Websites that handle payment information, store it, and show it back to the user must enforce multi-factor authentication. The new PCI DSS v4 is quite clear about the fact that 2FA/MFA should essentially be deployed for everyone.

There’s a lot to unpack when it comes to PCI, but I recommend everyone who accepts credit card payments on their website or shop to look into this.

EU Cyber Resilience Act

The European Cyber Resilience Act is essentially regulating how security should be managed for software products. The CRA puts its obligations on software manufacturers, those who publish code that is available in the EU.

This actually covers anyone who publishes software on the Internet, open source or not, regardless of whether you’re in the EU or not – as you would likely have EU users.

This will directly affect all WordPress plugin developers, for example, who will be required to perform regular security audits and code reviews on what they produce, and they will need to enforce a coordinated vulnerability disclosure policy (no more hidden security fixes).

Last Tuesday, the European Parliament approved the new Cyber Resilience Act, so it is expected to come into force sometime in 2024. Every plugin/theme developer in the WordPress ecosystem should start looking into the requirements today. As with most recent European technology regulation, non-compliance could result in significant fines: up to the higher of €15 million or 2.5% of global turnover.

Just like with PCI, there’s also a lot to unpack with the CRA. I’ll add resources for that as well.


Resources:


Brought to you by:

Patchstack auto-mitigates security vulnerabilities found in WordPress core, plugins and themes. Patchstack is the leading vulnerability intelligence provider in the entire WordPress ecosystem and has the largest collection of vulnerability-specific vPatch rules, which provide precision protection without any performance hit or false positives. Patchstack is the go-to security provider for many leading agencies, such as 10up, Valet, SiteCare and others.
