320 – Javier Casares on WP Vulnerability, the API / project for WordPress vulnerabilities

Interview with Javier Casares and Nathan Wrigley.

Today, it’s all about WordPress security and what you can do with the WP Vulnerability API / project.

WP Builds is brought to you by GoDaddy Pro.

In the podcast you’re going to meet the wonderful Javier, and I thought that I’d let him take over the show notes, as he wrote such wonderful notes prior to our chat. So… over to Javier…

Hello, I’m Javier, and I’ve been around the Internet since 1994. In 1997, I created my first website, and in 2005, I created my first WordPress site (with WordPress 1.5).

I’ve been around the Spanish community since then, but started in earnest in 2013, after some professional projects, going to WordPress Day and WordCamps, and co-creating the WordPress Barcelona Meetup in 2014 (now with more than 5,000 WordPressers).

I participate primarily in the WordPress Hosting Team, as a Team Rep, but also in the Community Team (for example, with the Meetup Recovery Project) and in the Documentation Team with the new / future Advanced Admin Handbook, the most technical documentation about WordPress.


At this moment, I have some personal projects about WordPress:

  • WPSysAdmin, with sysadmin documentation.
  • The WP-Config.PRO project, a wp-config.php file generator.
  • WPAutoTranslate, a plugin complementary to MultilingualPress that automatically translates the contents of a Multisite.
  • The WordPress Podcast (in Spanish), a weekly, 10-minute (max) podcast with all the Community news.
  • I co-host WordPress Radio, a weekly magazine with news and a weekly topic (usually technical, from my side).

But, today we are talking about WPVulnerability.com, a project focused on democratizing WordPress security information.

This project is a 100% open and free API, accessible to any WordPress user, with the sole purpose of improving the security of a site thanks to this information.

It currently has around 11,000 vulnerabilities from 5,000 plugins, and 1,000 vulnerabilities from 600 themes, plus all the WordPress Core ones.

Although it is an API, with some colleagues we created the WPVulnerability plugin, which checks your site for vulnerabilities and shows them in the Site Health section.

The API is free and open, no API key is required, and it returns JSON with all the information. Some examples:

It shows the list of vulnerabilities published for a plugin or theme and, where the information exists, the exploitability, the severity, and the sources.

This project has some sources:

Why am I creating a project like this? Multiple reasons:

  • There is no full database with all the vulnerabilities. I’m trying to create one. I think the current one holds around 90% of the information (it’s close to complete).
  • CVE and JVN cover the most critical vulnerabilities, or those in plugins that still exist, but not closed plugins or plugins without many installations.
  • The Patchstack database is great, but the free API is limited, and the plugin sends information to their servers, so there are some privacy concerns there.
  • WPScan is great, but since Automattic bought the project, access to the information is not available for most users unless you use the Jetpack service.

So, because of privacy concerns and information that is not free for users, WPVulnerability was created.

Also, there is a big difference from the other projects: all those databases are vulnerability-centric (one vulnerability may have many plugins / themes related to it), but WPVulnerability is product-centric: there is the plugin or theme, and around it, all of its vulnerabilities.

Furthermore, although it is not fully working yet, I’m trying to remove duplicated vulnerabilities, so that one plugin has one vulnerability with one or more sources. All the information is attributed to its sources, although I don’t use any of their own text.
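The product-centric model, the de-duplication of one flaw reported by several sources, and the "fixed / no fix" distinction discussed in this episode, as an added example that is not code from WPVulnerability or its plugin. It assumes a hypothetical JSON shape (field names `vulnerabilities`, `affected`, `fixed_in`, `sources`, `closed`) and a constructed sample response rather than the real API output, whose documented format you would read from wpvulnerability.com.

```python
"""Triage an installed WordPress plugin against product-centric vulnerability data.

Added example; the JSON field names below are hypothetical, not the documented
WPVulnerability API schema. The sample response is constructed.
"""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed sample for a made-up plugin slug: the plugin, and around it all of
# its vulnerabilities, each attributed to the source(s) that reported it. The
# first flaw appears twice (two sources), and the third has no fix published.
SAMPLE_API_RESPONSE = json.dumps({
    "plugin": "example-forms",
    "closed": False,
    "vulnerabilities": [
        {"name": "Stored XSS in form title", "affected": "<2.3.0",
         "fixed_in": "2.3.0", "severity": "medium", "sources": ["source-a"]},
        {"name": "Stored XSS in form title", "affected": "<2.3.0",
         "fixed_in": "2.3.0", "severity": "medium", "sources": ["source-b"]},
        {"name": "Unauthenticated settings change", "affected": "<=2.4.0",
         "fixed_in": None, "severity": "high", "sources": ["source-c"]},
    ],
})


def parse_version(text: str) -> Version:
    """'2.3.0' -> (2, 3). Trailing zeros are dropped so 2.3 == 2.3.0; a 'v'
    prefix or a '-beta1' suffix is ignored."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


_OPS = {
    "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, ">": lambda a, b: a > b,
    "==": lambda a, b: a == b,
}


def version_matches(installed: str, spec: str) -> bool:
    """True when `installed` satisfies every comma-separated constraint in spec,
    e.g. '>=1.0,<2.3.0'. A bare version means exact match; '*' matches all."""
    have = parse_version(installed)
    for clause in spec.split(","):
        clause = clause.strip()
        if not clause or clause == "*":
            continue
        m = re.match(r"(<=|>=|==|<|>)?\s*(.+)", clause)
        op = m.group(1) or "=="
        if not _OPS[op](have, parse_version(m.group(2))):
            return False
    return True


def deduplicate(vulns: List[dict]) -> List[dict]:
    """Merge entries that describe the same flaw so it appears once, keeping
    every source that reported it (the attribution the project preserves)."""
    merged: Dict[tuple, dict] = {}
    for v in vulns:
        key = (v["name"], v["affected"], v.get("fixed_in"))
        if key in merged:
            for src in v.get("sources", []):
                if src not in merged[key]["sources"]:
                    merged[key]["sources"].append(src)
        else:
            merged[key] = {**v, "sources": list(v.get("sources", []))}
    return list(merged.values())


def triage(installed_version: str, api_json: str) -> List[dict]:
    """One finding per vulnerability affecting installed_version, with the action
    a site owner can take: update when a fix exists, otherwise remove or replace.
    A closed (no longer updated) plugin yields an extra finding on its own."""
    data = json.loads(api_json)
    findings = []
    for v in deduplicate(data.get("vulnerabilities", [])):
        if not version_matches(installed_version, v["affected"]):
            continue
        fixed = v.get("fixed_in")
        action = f"update to {fixed}" if fixed else "no fix published: remove or replace the plugin"
        findings.append({"name": v["name"], "severity": v.get("severity", "unknown"),
                         "sources": v["sources"], "action": action})
    if data.get("closed"):
        findings.append({"name": "plugin closed / no longer updated", "severity": "unknown",
                         "sources": [], "action": "no further updates expected: plan a replacement"})
    return findings


if __name__ == "__main__":
    for f in triage("2.2.0", SAMPLE_API_RESPONSE):
        print(f"[{f['severity']}] {f['name']} (sources: {', '.join(f['sources'])}) -> {f['action']}")
```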

The WP Builds podcast is brought to you this week by…


Omnisend is the top-rated email and SMS marketing platform for WordPress. More than a hundred thousand merchants use Omnisend every day to grow their audience and sales. Ready to start building campaigns that really sell? Find out more at www.omnisend.com

GoDaddy Pro

The home of Managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases! Find out more at go.me/wpbuilds.


Transcript (if available)

These transcripts are created using software, so apologies if there are errors in them.


[00:00:00] Nathan Wrigley: Welcome to the WP Builds podcast, bringing you the latest news from the WordPress community. Now welcome your hosts, David Waumsley and Nathan Wrigley.

Hello there and welcome to the WP Builds podcast once again. You've reached episode number 320, entitled Javier Casares on WP Vulnerability, the API slash project for WordPress Vulnerabilities. It was published on Thursday, the 30th of March, 2020. My name's Nathan Wrigley. Just a couple of bits of housekeeping before we get stuck into the podcast.

The first thing is to mention, if you're into WP Builds, please head over to our subscribe page, make use of the links over there, join our email list, and so on. WPBuilds.com/subscribe. We'd very much welcome your participation. If you feel like sharing, do so over on Twitter, but also why not join our Mastodon install, WPBuilds.social.

Yep. That's a URL. WPBuilds.social. Join a community of specific WordPress Mastodons. If you are in the space for some WordPress deals, we've got a page for you. It's a bit like Black Friday, but every single day of the week: WPBuilds.com forward slash deals. Go there and search and filter all of your favorite WordPress plugins.

You never know, you might find a few dollars off with a coupon. And also, if you're feeling favorable about this podcast, why not give us a review over on your podcast player of choice? Typically, Apple Podcasts seems to have the best reach, and I'd love it if you felt like heading over there and giving us a review. That would be extremely nice.

The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro, the home of managed WordPress hosting that includes free domain, SSL and 24/7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients and get 30% off new purchases. Find out more by going to go.me/WPBuilds. Once more, that's go.me/WPBuilds. And sincere thanks for GoDaddy's continuing support of the WP Builds podcast.

Okay. What have we got for you today? As I said, we've got Javier Casares. He's here today to talk about WP Vulnerability. Now, Javier, I've gotta say, seems to be one of the most inspiring people.

He really is giving up more or less all of his life, as far as I can see, to the WordPress project. You're gonna find that out in the introduction: all of the different things that he's involved in. So many. Utterly wonderful. But then we move on to talk about the project at hand. It's a security, well, solution, I guess is the right way, really.

It's an open and free API with which you can pull and find out all about different vulnerabilities which may be on your WordPress website. I guess the key there is that it's open and free. It's growing. Javier seems to be giving up a great deal of... into this project, and he explains how it works, how he can make it open and free, where he is getting the database from, and really how you can access that data to secure your or your client's WordPress websites.

Fabulous episode and I hope that you enjoy it. I am joined on the podcast today by Javier Casares. Hello, Javier. Hello. Hello, I'm sorry if I've butchered your name. I tried a couple of times before we clicked record and that's probably as good as I'm going to get. We're on the podcast today.

We're gonna talk about security, which is a topic that we cover from time to time. Not too often. But before we get into that Javier, I wonder if you wouldn't mind spending a little bit of time just explaining your background, because I think security's one of those, one of those topics where you really do have to know your stuff.

You have to be capable, you have to be trustworthy, reliable, and probably have a little bit of history in the security space. And for that reason, if you wouldn't mind just telling us about your relationship with WordPress and

[00:04:26] Javier Casares: all. I started in '94 on the internet. And then in '97 I created my first website locally, because I didn't have internet in my house.

Yep. So I was with one floppy disk with Internet Explorer, in the other one the website. So I was showing the website to my friends on their computers. And then in '05, I created my first WordPress with, I think it was WordPress 1.5. Wow. Okay. It was just released because, I think I did the test with 1.4.

And then just when I was preparing the production site, there was the new release. I remember that version because of this thing. And then, as you said, I started in the Spanish community around that time, but I wasn't very involved with the people, the events or anything of that.

But in '13 I started to go to the events, to WordPress Day, to WordCamps, and then in February '14, I think, we started the meetup in Barcelona. Now it has 5,000 WordPressers. Wow. So I don't know if it is the biggest in Spain, but probably, with Madrid.

Madrid, I think, has more or less the same. So they are the two biggest ones in Spain. And then I'm one of the team reps in the WordPress Hosting Team right now. Okay. Since, I think, two, three years ago, I don't remember, because the pandemic, I think, resets the time.

Yeah, for everybody. But also I contribute in the Community Team. I'm working with some colleagues to start some maps things. I think in the next month we will see things coming out. Okay. So I think we will see, probably, in the State of the Word and in WordCamp Europe next year.

So I think we can see, if everything goes right. And then I'm also working in the Meetup Recovery Project, because the pandemic has stopped a lot of meetups and I'm helping, mainly with the Spanish community, because I know everybody here. And then we started also the South America one, and right now I'm working also in the Advanced Admin Handbook.

It's a new documentation section in WordPress. It's not a section right now; it will be the most technical one, because everything is minimally technical in the user hub, in the HelpHub, and also in the developer hub, where the plugins and everything is documentation.

Is there everything around systems, hosting, like the .htaccess and nginx, databases, WordPress multisite? The advanced things around WordPress will be in a new section. Yeah. And I'm working with the Documentation Team in creating the base of that. Some days ago there was the documentation contributor day, and I finished all my work, so I hope in...

the following next month we will see this new handbook. So yeah, this is the community part. And also I have a lot of projects outside the community, like WPSysAdmin, which is sysadmin documentation. It's in Spanish, but I have, like, an English part. But usually the technical people can see the code and can copy and paste, because, yeah, we work with that.

I also have the WP-Config.PRO project, which is a wp-config file creator. Also the WP Auto Translate plugin. It's a complement to MultilingualPress that translates automatically the WordPress multisites. And, I don't know, I have a couple of podcasts. The WordPress Podcast is like 10 minutes, because it is only news.

The community news. I'm also co-hosting the WordPress Radio in Spanish, and the main project we are talking about today is WP Vulnerability. It's a project focused on democratizing the WordPress security information. It's more or less this. Yeah. So I was gonna say, you're

[00:10:23] Nathan Wrigley: Not

[00:10:23] Javier Casares: very busy then.

Are you? Yeah, I'm 24/7. Yeah. It's amazing. I've always,

[00:10:29] Nathan Wrigley: I'm gonna put, because Javier has actually written some really excellent show notes to help me get through this episode, because security, whilst I've got a familiarity with it, there's a lot of technical weeds to go through, and so he's spent quite a lot of time putting some show notes together, and all of the different projects that he's mentioned and the things that he's in.

I will be sure to copy and paste into our show notes today so that everybody can have access to those. By the way, I went to both of the sites. I went to your WordPress systems administration page, and to the podcast on WordPress page, the WordPress Radio page, and Google Translate immediately did a fabulous job of turning them into something that at least I could comprehend.

So all is not lost if you don't speak Spanish and don't read Spanish. Google is your best friend in this case, and you can still access all that great content. Okay, so the topic of today's podcast is all about a project, a pretty big project, I would say, actually, that Javier's involved in. It's called WP Vulnerability.

They've managed to get the best domain name for that of all, it's wpvulnerability.com. As you'd imagine, the spelling is typically what you'd expect. So again, it'll be in the show notes, and you described it as a project which is focusing on democratizing WordPress security information. What does that mean?

What was undemocratic about it before, I suppose?

[00:11:54] Javier Casares: Yeah. So the WordPress security information is dispersed over the internet. And, like, 10 years ago you couldn't find easily the information about security, the core security. So for the WordPress software, the security is always published in the wordpress.org site.

So there is nothing there that we cannot expect. In this part, everything is secure, and WordPress is secure, and everything is published and everything is fine, so no problem there. But there is a lack of information in the themes and the plugin part, because the people working in the WordPress project don't have

any control of this part of the software. WordPress has the plugin directory, the theme directory, but the responsibility for those files is the developers', but not all the developers always focus on those projects. A lot of people started publishing the information in some forums and everywhere on the internet, and some projects started

to retrieve all the information, like Patchstack and WPScan. These are the new names, because they had other names before. I don't remember them. Used to be called Web.

[00:13:47] Nathan Wrigley: But

[00:13:48] Javier Casares: WPScan, like WPScan, I think it was like WPVulnDB or something like that. It's like the WP Vulnerability Database.

Yep. And then it was WPScan, and they launched the software, because WPScan really is a software that you can launch on any site, an external site. For example, if you want to see what the hackers can see on your site, you can use the WPScan software. It's in Linux, one in Python, I think it's coded in Python.

And you can do WPScan on the website, and you can see the versions, all the headers. It tries to check what plugins you are using, what themes you are using, the list of users and everything, so it's a great tool to use. It's open source. You can check the code and everything.

And also they just started the database with the vulnerabilities. And yeah, also there are like four big sources. Right now Patchstack and WPScan are the biggest ones. But there are, like, official ones, like the CVE, the Common Vulnerabilities and Exposures. It is like the biggest in the world.

And not only for WordPress, but for any kind of software.

[00:15:32] Nathan Wrigley: Yeah, it's everything, isn't it? Windows, everything.


[00:15:35] Javier Casares: And then the JVN. The CVE is like the United States database, right? And the JVN is the Japanese one. It is the same, but, for example, in WordPress, the JVN usually publishes the most Japanese, not only Japanese software, but used by Japanese.

So, because I saw some CVE and JVN, and they are the same, the information usually is the same. But JVN only publishes, like, the most affected plugins or themes in Japan. So yeah, it's not the biggest one. They have a hundred vulnerabilities, but it's very useful for Japanese people.

So it is one source, as important as the others.

[00:16:38] Nathan Wrigley: So there's all sorts of information out there on the internet that people have discovered. They've found a vulnerability somewhere. They've reported it, but it certainly, in your experience for the WordPress side of things, there seem to be four different places where that data could end up being displayed.

So there's the CVE, the Common Vulnerabilities and Exposures website, which is a place where you can go and find those things. But as you said, it covers everything, not just WordPress, really everything. Then there's the Japanese vulnerability notes, the JVN as you described, which tends to focus on the software that's being utilized by people in Japan.

Then WordPress-specific Patchstack, their vulnerability database, and also WPScan's vulnerability database. So is the intention of your project, wpvulnerability.com, let's just say that we drill it into people's heads so they'll end up going there, which would be good. Is the idea that you're sifting through those four different places and trying to

find unique examples and put them into your database, and try to get rid of things that overlap and things where there are duplicates, and essentially have one place where you can find everything just for WordPress?

[00:17:57] Javier Casares: Yes, because usually all these databases are focused on the vulnerability.

So there is one vulnerability, but one vulnerability can affect some plugins, some themes, the core. So my project has another point of view. Yeah, I think that is the best way to explain that. Yep. Because I'm not vulnerability-focused, but plugin- or theme-focused. So my focus is not to publish

the vulnerability per se, but to look up a plugin or theme or the core version and then check the vulnerabilities and then the sources. My focus is: I have this plugin. What versions are insecure, or what problems can I have using those versions, or everything. Because there is another problem in the problem.

Not a problem, not a real problem. But usually when a plugin disappears from the repository, or if you have a premium plugin, it stops working, and you have it installed in your WordPress. You don't know that. You don't know a plugin has stopped publishing new versions. So another thing to have in mind when we talk about security is having updated versions of everything. Maybe a plugin is working because, maybe it's five years old, but it works because everything in WordPress, yeah,

works. I don't know how, but back to version 3.7. Yeah. So yeah, it works. But it doesn't have new versions for the new WordPress version. So maybe that makes it insecure. And one of the things in the WP Vulnerability database is trying to mark that a plugin or a theme is not updated.

So it is not only the vulnerability ones, or having or not having patches from the developer, but also having plugins without updates. This is one of the, I think it's the most scary thing, because usually people enter the plugin list, see that there are some updated plugins,

they click on the update. Yep. And the oldest one doesn't have updates. And one of the things I tried to add in the API, in the WP Vulnerability database, is that information, the oldest one, because for me that is the scary one. Because if you have, I don't know, the 1.2 version and there is a vulnerability, but there is a 1.3 version, you update that and you fix the vulnerability, that's great.

But if you have a plugin with no... yeah, installed. Yeah, that's a problem. So that was one of the things I tried, I think. And that was one of the reasons to add it in the database, because I think that's the most scary one. Yeah. In the security world.

[00:22:09] Nathan Wrigley: Yeah. Okay. So anybody visiting wpvulnerability.com, what are they gonna find there?

Everybody, excuse me, everybody who's interested in this, at some point they'll go over there and click on the links and what have you. How do people interact with this? Obviously, it's a database. You can poll it for the data, but how would somebody like me

go about interacting with that and find out whether this site that I've got over here has got some known vulnerabilities or not? How do I actually get the WP Vulnerability site to give me information back?

[00:22:49] Javier Casares: Yeah. The website has the API information. This is a database, like that. I have my database on my site.

There is an API. So I can give some examples. For example, the one for the core, or, I don't know, the Akismet plugin or anything. You check that and you can see the information. But it's JSON. It is one kind of type, like a CSV or an Excel or a Word file.

Yeah. It is one kind of document and, yeah, probably nobody understands that, yeah, because this is a language for the machines. Yeah. When I started the database, I started to add some information. I talked with a friend, he's a developer, a plugin developer.

And I explained the project. I created part of the plugin, like the reader, because the API has the information, but it needs to be read. I created the PHP code to read the information and put it in the plugin. And then he started the plugin around it and developed how

it will be shown in your WordPress. Yeah, because this is the real information. The real information is in your WordPress, so you can see in the Site Health, like, three new checks, one for the core, one for the plugins, one for the themes, and you can see if everything is secure or nothing is secure, but you have that information.

And also we added it in the plugin section, essentially, because that's where the most vulnerabilities are, usually. The themes and the core, there are not a lot of vulnerabilities in the themes and the core. You need to have that always updated. So it's like a rule, so you don't have diabetes there. If you enter in the plugin list, below any plugin with any vulnerability, you will see that, because it's like a red flag, big part, right?

That's all the, yeah, that's exactly what you need to see. Yeah. In Spanish we have a word. It is like a scary old people or something like that. I don't know the translation, but it is something. We think you need to enter the plugin list and see clearly that you have a vulnerability.

So usually above that you have the update button. So you update that and the vulnerability disappears. But sometimes it says there is no fix for it. So you need to delete this plugin and replace it with a new one. So this is also the other scary part, because if there are no fixes, you have a problem.

A big problem. Yeah. The plugin is WP Vulnerability; you can find it in the official WordPress repository. And right now I think we check 11,000 vulnerabilities only for the plugins. Wow. Yeah. I think, because the core has the wrong way, but I think it's

11,000 vulnerabilities in the plugins and like 1,000 in the themes. Yeah. There are a lot of plugins involved. Like 5,000 plugins. Right now in the directory, I think there are like 60,000. 5,000 is a lot of plugins with vulnerabilities. Yeah, it is. Yeah. And most are fixed.

No problem, but I usually want to scare people, so, yes. Yes. I think it should. Bonk.

[00:27:48] Nathan Wrigley: It is a scary subject. So it's an API. If you go to the website, wpvulnerability.com, you are gonna be presented with technical details about how you would actually get information out and what the response will look like.

As you described, it's JSON, so it's readable, but it's also not particularly human-readable. If you're a machine, it's gonna read it a lot better. But the fact of the matter is, if you are a developer and that's the way you wish to approach this, that can be done. Alternatively, if you are a regular human being who just likes to read text, you can achieve the exact same result, but with the plugin.

And then the plugin's purpose is to alert you inside of the WordPress UI. And there are some nice screenshots, as you'd expect, of the plugin in use and how it looks. So it's polling plugins, it's polling themes, and it's sucking information out of the database. Now, I suppose that this is an important point to make, and you did make it just now, to be fair: we're not talking about a firewall or anything like that here.

This is not gonna fix your problems for you. There's no conception of that. Simply, this is a way of alerting you to the fact that something is out there. People know about it, you may not know about it. And so it's a helpful, handy way of just alerting you, but no fixes here.

And as you've said, if you find a fix, either get an update or disable it, delete it, and then maybe reinstall it once you hear about an update from the source itself. But that's right, isn't it? We're not fixing anything, triaging anything. This is simply information.


[00:29:30] Javier Casares: That's the way for me. I know I don't want to create, like, a business around this project, because it's not my goal. I have my own business with other things. This is only information, and that's the reason I created the database and not the plugin. The plugin is not like mine.

I participate in this basic plugin. But for me the idea is, I know there are people working with the API right now. One of the biggest security plugins is working on that. They will do that work, fixing things, and I don't know what they want to do.

So it's their business. And also, I know there are some hosting companies that are implementing it in their panel. Not the cPanel or Plesk or anything like that, but in their hosting panel. I think they are doing that. I don't know if this is very exact, but they can check all the installations in their hostings, right?

And then you can access from outside, so their panels, and I think they will send you an email or whatever, and outside your WordPress you can see the security information. I think it's a great approach, because if you have, for example, Plesk, you have this kind of information, but it's only in Plesk. If you are not using Plesk,

you don't have the system. So I think there are some hosting companies that are working on that. Maybe I will do part of the code and open source it to simplify that part. Yeah. To whoever wants to, like the reader from the API. Also, the API doesn't have any kind of user, password or whatever.

I don't have any kind of statistics or anything, because I don't want, I'm pro-privacy. So that's one of the reasons I don't like so much Patchstack, because their plugin sends the information to the Patchstack server, so they know what plugins and everything you have. The problem with WPScan, their plugin is limited,

because you need an API and you need to pay for the information. My idea was too, you don't need to pay anything. All the information will be always in your WordPress; nothing will go outside. That was also two of my main focuses when I started the project, because I,

[00:33:08] Nathan Wrigley: sorry, carry on.

You finished.

[00:33:09] Javier Casares: No, I love privacy. I love having projects for the WordPress community. So I think that was a trigger. Yeah, I was trying to find some vulnerabilities and I couldn't find how, so I started the project, because that's what I do. I need something. Yeah. I don't have it.

So I started. So

[00:33:39] Nathan Wrigley: you build it. Yeah. This is the way, isn't it? This is the WordPress way. So there are no API keys, there's no sort of subscription here. There's nothing like that, you know, you get the information out of the database should you wish to. No fees to be paid, nothing like that.

And everything is done inside of your WordPress install, so you know it's not phoning home and reporting to anywhere what's going on. It's just making comparisons: what have you got on your site? Here's a list of vulnerabilities that map onto that and match. Okay, so the next question, you've partially answered it. I'm not gonna ask why you are doing this.

You're doing this because you're a good person and you're deeply committed to the WordPress project, and so we all thank you for that. I've gotta ask, though, what sort of time burden has this turned into? You don't have to give away everything, but I'm just curious as to wonder how many hours in every month you seem to be giving over to this these days.

[00:34:39] Javier Casares: I think I started the project like in March, April 2022. So this year, at the start of the year, I think I didn't have some holidays or vacations or anything, because I work like 24/7. But because I am a sysadmin, so I need always to be up and everything, but I had a week more or less free.

I don't know how to call it, but I had a lot of hours for free, right, between one project and the other. And I did the databases and the readers and the panel and everything in, like, two weeks, like full weeks, because I think that this project was created in like a hundred hours.

Wow. Less. It's not a lot of time for a project like this. And then I usually work like half an hour a day when there are vulnerabilities, because there are not always vulnerabilities every day, usually. The CVE usually publishes everything once a week; Patchstack usually publishes

like five, 10 vulnerabilities a day. And I have a tool, like an internal tool, to check everything, to automate everything, because this is the thing I love the most. Could, yes. A

[00:36:25] Nathan Wrigley: long time. Everything is manually

[00:36:26] Javier Casares: doing all this. Yeah. So when I started the project, there was a lot of manual work and I started to learn how to treat the vulnerabilities.

And right now I enter in my personal panel, and the panel reads and tries to understand the vulnerability. So usually I need to check that everything is right and go to update. And so usually it's quick. But, for example, there are a lot of external plugins, so premium plugins,

or like the ThemeForest ones, and that kind of plugins outside the repository. So I need to, like, create the plugin in my platform. So I need the slug, the URL, yeah, to check the plugin. And then, I think this is where I lose most of the time, but maybe it's like a minute.

So it's usually quick to maintain the project, but I need to do it every day. Sometimes I enter the panel two times a day, and in the morning there is no information and in the afternoon there are five vulnerabilities. I enter, I approve it, and in more or less an hour, because of the cache time, they are published.

So also the plugin, I think, updates the information like twice a day. So usually when a vulnerability is out, in 12 hours you have the information in the API or in your WordPress site.

[00:38:30] Nathan Wrigley: That's incredible. Really incredible. The fact that you're giving time up for this every single day is just remarkable.

I remember a little while ago, it feels like it was about two years ago, maybe it wasn't quite as much as that, there was this problem in Linux with... maybe it wasn't, I can't remember. Log4j is what's coming to mind. And essentially it was a critical piece of the architecture of an awful lot of stuff on the internet.

Really gigantic things were gonna go wrong if this wasn't patched, and if memory serves, somebody reached out to whoever was maintaining that particular piece and they weren't around, and everybody was scratching their heads thinking, oh, this is curious. Now what do we do? And I do wonder a little bit about that with this, and I'm just wondering if you would appreciate some help, or do you want to keep this going all by yourself, or is this the kind of thing that you would like some assistance with?

Do you have any plans to get on board other people so that, let's say, at some point in the future you'll be able to take a break, even if it's just a day?

[00:39:42] Javier Casares: Yeah. Yes. I think in my projects I usually want to work alone. Not always, but as I love automatic things, I usually can do everything in less time, in one hour a day I can do all the projects I have around WordPress. But probably there are two things here. For example, if in the future I decide to close the project, not to close it but to end it, probably I will polish everything, the code and the database and everything,

so if anybody wants to continue the project, they... So this is one of the great things I have in mind for this project. And also I'm working with some people creating projects around this API, and they offer to send me more information, probably that I don't have, from one vulnerability, because they want... I know there are projects that want to fix the problem automatically,

because usually, in some cases, it's simple, because maybe in the API it says there is a vulnerability in the plugin and this vulnerability has a fix, so the new version, usually? Yeah. The only thing to do is to upgrade the plugin. So I know people are working on

doing some automatic things in your WordPress to apply the patches. Also, you don't have to automatically update everything in your WordPress, so you don't need to have the automatic thing, but the plugin will automatically fix these vulnerabilities. These kind of people are sending me... I need to end the other API, that will be a private API to receive information from outside.

Yeah. So I can add some information around and everything. The last thing I added in the API, in the database, was the severity of the vulnerability, because before I only had the vulnerability. That was information, but a simple vulnerability is not the same as a complex one. In the API, not in

all the vulnerabilities, because it is not so simple to calculate this, but there is information about the severity, from zero to 10. So if it's more than five, probably you need to patch this as soon as possible. Like the latest WordPress version, because it has 16 patches.

So you need to update WordPress right now. Yeah. I know people... in less than a week since the 6.0.3 launch, people were attacked and everything was vulnerable. So if you see a WordPress update, please update, because usually there is

a vulnerability behind those updates.

[00:44:10] Nathan Wrigley: Yeah, I guess the reason I brought up Log4j was because I seem to remember that it went even as high as the Congress in the United States, people scratching their heads thinking, if we've got all this infrastructure which is based on open source software, we can't basically pick up the emergency phone line and say there's a problem, all hands on deck, fix it, because it's open source.

You just can't do that. It depends on the person that's maintaining it and whether they're around or whatnot, and that led me to the thought about, let's say, several major hosting companies start to use this database and that becomes the backbone of a part of their security posture.

I guess on some level they want to know that it's gonna be updated all the time. As soon as something comes out, it's gonna be something that they can rely on, and that puts a certain burden on your shoulders, because then if you do take a week off, or, like you said, you decide to walk away from the project or do something else, then that causes a bit of a concern.

But there isn't really a fix for that unless other people sort of chime in and there's other boots on the ground, yeah.

[00:45:23] Javier Casares: There are a lot of projects maintained by one person. Yeah. For example, Log4j was more or less one of those projects.

That's right. But for example, yeah. But there is a big project around the world that is the time zone database. So the time in the world depends on one person.

[00:45:49] Nathan Wrigley: So yeah. Okay.

[00:45:50] Javier Casares: Not know that, that's brilliant. Yeah. Yeah. The time zone database, the Europe/Madrid, Europe/Paris and everything.

It depends. Yeah. And there is a lot of political pressure on this guy, but there is a really great history behind that project. You can check that in Wikipedia, you can check the time zone database and you will see the name of this guy and everything behind that project.

It's fascinating. Yeah. There are a lot of projects on the internet that depend on one guy, usually. So yeah. The WordPress community, I think it's the best community in the world. And I'm not biased,

[00:46:44] Nathan Wrigley: I'm not gonna, I'm not

[00:46:47] Javier Casares: gonna disagree with you either.

I love the people. I was some days ago in a WordCamp. I will be in one in like two weeks, or I don't know. I'm usually in all the WordCamps I can. We met in WordCamp Europe. Yes. This year I was in the contributor day for WordCamp US, and I... the hosting table from my house in Spain, for all the people that were in the US, in the WordCamp in the US. That's right.

Yes. Yes. I think that's the best about this project, because anybody in their house... I wanted to go to the US. I'm trying to go next year because I love the people there. I don't know a lot of people there, I didn't meet them. I know a lot of people because they also go to WordCamp Europe.

I recommend it. I think it's the best event I've been to in my life. Yeah, it was really good. Yeah, I don't know if it was the pandemic or something behind that, but I love to know a lot of people, because in the WordPress Hosting Team I started to work at the beginning of 2020.

I wanted to meet everybody in WordCamp Europe, the theo one in 2020, but I couldn't go there because it was suspended. And I've been working with people for two years and I didn't meet them. Amazing. And I was working every week with a lot of people. And I think there is something behind knowing somebody in person, like for two, three days, talking and everything.

And then when you are behind the Slack or the tool or whatever, you can see the other people on the other side. Yes. Or listen to their voice. Because for me it's so simple, because I have a podcast. I think it will be the same with you, but I know a lot of people that, years ago, before I had my podcast,

people that know me, they told me, when I read something in your blog, you are telling me that inside my... with your voice and everything. And I think there is something behind that for the community, because after you meet somebody in a WordCamp or whatever, the relation improves exponentially,

because, I don't know, everything is great from that moment. Yeah.

[00:50:14] Nathan Wrigley: The community that we've got is a really special part of the puzzle. It really is something very special. And you only have to attend a few of the WordCamp events, or something similar, your local meetup, to realize that.

And I'm sure that the community would love to give you a great big thanks for the work that you've started. Let's hope you find the energy and the resolve to keep it going over at WP Vulnerability. Having listened to this podcast, I'm sure there'll be some people that would like to either congratulate you or just get in touch with you in some way.

What is the best way for people to get in touch with you?

[00:50:55] Javier Casares: Usually Twitter and the Slack, the WordPress Slack. I'm Javier Casares there, also in my profile, my WordPress profile, you can see it there. And usually Twitter. I think that's the only social network I'm using.

I don't have WhatsApp. I don't have Facebook. I don't have Instagram. I don't have TikTok. I don't have anything but just Twitter. Yeah, Twitter. Yeah. So I also usually talk on Twitter about WordPress, the new WordPress person that is working. I usually publish everything there, so I think that's the best way.

Or if you want to talk, in the WordPress Slack you can open a private conversation with me and we can talk. Also I'm usually in the weekly hosting meeting, so if you want to talk about hosting or security or performance or anything, you can go there. So yeah, I'm usually available for everybody.

People usually, when they meet me, they say, I think I couldn't talk to you because you were so busy or something like that. And no, I'm here. I've been here to do a talk or whatever. So yeah, you can approach me and talk and we can talk about anything. Yeah. Yeah, it's easy.

I love to talk with people about WordPress or whatever. Life is there. Yeah, whatever the conversation is.

[00:52:42] Nathan Wrigley: Great. That's fabulous. Thank you, Javier, so much for all of the work that you've been doing. Thank you. I really appreciate it. And yeah, everybody go and check out WPVulnerability.com. Thanks so much. You're welcome.

I hope that you enjoyed that. What a fabulous episode. Really fun speaking to Javier. I'm sure that you got an impression of just how effervescent and committed he is to the WordPress project. It's utterly remarkable. If you've got any comments, please go to WPBuilds.com, search for episode number 320, and leave us something there.

Whilst you're there, why not subscribe? You can do that on the homepage, there's a little form right at the top. WPBuilds.com/subscribe as well.

The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro, the home of managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients and get 30% off new purchases. To find out more, go to go.me/wpbuilds. And we thank GoDaddy Pro for their ongoing support of this, the WP Builds podcast.

We will be back on Monday. We've got our live show, This Week in WordPress. Please join us at WPBuilds.com/live. That's 2:00 PM UK time. Go there and leave us a comment. It's been hotting up in the comments. We're obviously getting a little bit of a growing audience and it's really fun. We often get weather reports. Don't ask, just come and join and you'll find out all about that.

But that's on Monday at 2:00 PM, and then we'll release that as an episode the following day. But we'll also be back next week for a chat with David Waumsley and I. Until then, we've got some cheesy music, though I don't really think this one's all that cheesy, to be honest. Anyway, we've got some music fading in and you have a good week.

Stay safe. Bye-bye.
