0. Status
WPscan identified 12 vulnerabilities
1. Core Updates
Updated core from 6.1.1 to 6.2.2
2. Removed plugins
- None
3 Plugin Udates (15 requested)
- Updated "Activity Log" from 2.8.6 to 2.8.6
- Updated "All In One WP Security" from 5.1.4 to 5.1.9
- Updated "Duplica pagina" from 4.5 to 4.5.2
- Updated "Easy WP SMTP" from 1.5.3 to 2.1.0
- Updated "Elementor" from 3.10.2 to 3.13.4
- Updated "Elementor Addon Elements" from 1.12 to 1.12.3
- Updated "Essential Addons for Elementor" from 5.5.3 to 5.7.4
- Updated "GDPR Cookie Compliance" from 4.10.0 to 4.12.2
- Updated "Gravity Forms Event Tracking" from 2.4.11 to 2.4.14
- Updated "Really Simple SSL" from 6.1.1 to 7.0.3
- Updated "Redirection" from 5.3.9 to 5.3.10
- Updated "Smart Slider 3" from 3.5.1.13 to 3.5.1.16
- Updated "W3 Total Cache" from 2.2.12 to 2.3.2
- Updated "Yoast SEO" from 20.1 to 20.8
N.B Gravity Form plugin can not be updated due to a licence lack
4. Themes updates (7 requested)
- Updated Twenty Twenty-Two to 1.1
- Updated "Betheme" from 26.7.2 to 27.0.7 (New licence acquired)
- Updated "Slider Revolution" from 6.56 to 6.6.9
- Updated "WPBakery Page Builder" from 6.7.0 to 6.9.0
5. Additional activities
5.1 General activities
- Changed the website administration email to s.cannillo@emeraldcommunication.com
5.2 Security activities
Onetime activities
- Using "All In One WP Security" moved the login path to a custom one (the default one now respond with 404 error)
- Using "All In One WP Security" applied a login lockout policy
- Using "All In One WP Security" set an email notification when a user is locked (notification to s.cannillo@emeraldcommunication.com)
- Using "All In One WP Security" disabled users enumeration
Recurring activities
- Renamed "xmlrpc.php" to "donotpass_xmlrpc.php" (should be done on EVERY core update)
- Removed "readme.txt" (should be done on EVERY core update)
N.B Gravity Form plugin can not be updated due tu a licence lack
5.3 Template activities
- Changed the website logo (header)
- Changed the website logo (footer)
- Changed webfonts
- Changed colors in style.css
- Changed colors and font-family
- Checked Elementor behaviors and overridden
5.4 Newsletter integration
- New Newsletter integration via js -> civicrm webform api
5.5 Performance activities using W3Total Cache:
- Enabled "Page cache - Disk: Enhanced"
- Enabled "Minify "
- Enabled "Opcode Cache"
- Enabled "Database Cache - Disk"
5.6 Matomo Updates
Matomo updated from 4.11.0 to 4.14.2
6. Notices
6.1 Too many editor are installed.
Currently on wikimedia.it wordpress website are intalled and used the following editors:
- Default "Gutenberg" default wordpress editor
- BE Editor
- Elementor
Those editors are not fully compatible and interoperable. That means that, choosing a wrong editor, there is a high risk to broke contents and to create not uniform contents.
6.2 Fragmented template elements and styles
Due to wordpress architecture and stratification of manutentive ad evolutive actions, currently styles are spread in:
- WMI wordpress theme
- Inline wordpress styles
- Editors configurations (Elementor, BE)
- Plugins configurations (Smart Slider)
This configuration makes hard to maintain end act on global styles, keeping a global aesthetic identity