20% Off My Easy-Peasy Proposal with the Coupon Code 20OFF (Now - April 30th)

Security Weekly

WordPress Security Compliance & Regulations

Cleanshot 2023 11 30 At 14.14.30

Published:

Cleanshot 2023 11 30 At 14.14.30

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 12

Security compliance and regulations are topics that are not often discussed in the context of WordPress, but this is going to change significantly in the coming years. GDPR was one of the first regulations to make some compliance practices mainstream in the WordPress ecosystem.

At the end of this month (31st March 2024), PCI DSS v3 will retire and be replaced by PCI DSS v4, which will introduce significant changes to compliance for everyone who accepts credit card payments on their website (regardless of whether the processing is done via a third-party provider).

Then there’s also the upcoming European Cyber Resilience Act, which brings significant regulatory security requirements to the open-source software ecosystem. This is so significant that WordPress, Drupal, Joomla!, and TYPO3 joined forces to send a letter of concerns to the European Union.

Whether we want it or not, new regulations are coming.

The New PCI DSS Version 4

The first one to take effect is PCI DSS version 4 (31st March 2024), which introduces more than 50 new requirements for vendors (such as WooCommerce sites) who process payment data.

One of the most significant changes is that merchants can no longer bypass PCI requirements just because they use a third party to process payments for them. The new PCI DSS v4 specifically states that merchants need to protect the payment pages.

As mentioned, there are 50 new requirements that come with the new PCI compliance, but I would like to highlight two of them, which will probably create a significant shift in the market.

Requirement 6.3: Security vulnerabilities are identified and addressed.

Vulnerability management is no longer an option. Every website that has payment pages where a customer can enter credit card information must have an ongoing overview of security vulnerabilities present in the application, and the application needs to be protected.

Multi-Factor Authentication (MFA) Requirement

Websites that handle payment information, store it, and show it back to the user must enforce multi-factor authentication. The new PCI DSS v4 is quite clear about the fact that 2FA/MFA should essentially be deployed for everyone.

There’s a lot to unpack when it comes to PCI, but I recommend everyone who accepts credit card payments on their website or shop to look into this.

EU Cyber Resilience Act

The European Cyber Resilience Act is essentially regulating how security should be managed for software products. The CRA puts its obligations on software manufacturers, those who publish code that is available in the EU.

This actually covers anyone who publishes software on the Internet, open source or not, regardless of whether you’re in the EU or not – as you would likely have EU users.

This will directly affect all WordPress plugin developers, for example, who will be required to perform regular security audits and code reviews on what they produce, and they will need to enforce a coordinated vulnerability disclosure policy (no more hidden security fixes).

Last Tuesday, the European Parliament already approved the new cyber resilience act standards, so it’s expected to become enforced already somewhere in 2024. Every plugin/theme developer in the WordPress ecosystem should already start looking into the requirements today. As with most recent European technology regulation, non-compliance could result in significant fines: up to the higher of €15 million or 2.5% of global turnover.

Just like with PCI, there’s also a lot to unpack with the CRA. I’ll add resources for that as well.


Resources:

Join the Conversation!

There's a dedicated thread on this post inside of The Admin Bar community. Join in on the conversation, ask questions, and learn more!

Group Thread
Cleanshot 2023 11 30 At 14.14.30

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Brought to you by:
Logo

Patchstack auto-mitigates security vulnerabilities found on WordPress core, plugins and themes. Patchstack is the leading vulnerability intelligence provider in the entire WordPress ecosystem and has the largest collection of vulnerability specific vPatch rules that provide precision protection without any performance hit nor false positives. Patchstack is the go-to security provider for many of the leading agencies such as 10up, Valet, SiteCare and others.

Never Miss an Issue!

Subscribe and have Security Weekly delivered to your inbox every week!

Come Join Us!

Join the #1 WordPress Community and dive into conversations covering every aspect of running an agency!

Kyle Van Deusen

Community Manager

More from Security Weekly

Week 16

Supply Chain Security Risks in WordPress Plugins

In March 2024, WordPress 6.5 introduced a feature called plugin dependencies. As you may know, there …

Week 15

Most Dangerous Vulnerabilities in WordPress Plugins

As we recently published the annual Patchstack report about WordPress security (and also covered it in …

Week 14

State of WordPress Security – 2024 Report

This week is a little different. In the beginning of each year, we take a look …