As soon as WordPress launches a new version, it publishes a changelog on its website listing what has changed, including all security vulnerabilities that have been patched. Disabling the WordPress auto-update feature can expose your website to attackers who first read the changelog and then look for sites that have not yet been updated.
The eighth vulnerability on the list is Cross-Site Request Forgery (CSRF), a vulnerability that allows an attacker to make requests on behalf of a user. CSRF can cause a wide range of state-changing requests, such as changing credentials, transferring funds, and modifying settings, to be executed on the user’s behalf.
Missing SPF records are a common and long-standing security issue that puts sensitive information at risk. To get a better idea of just how widespread the problem is, the Detectify team decided to scan the 500 top-ranked Alexa sites for it. We found that less than half of those domains have configured email authentication correctly to prevent spoofed emails from being sent from their domains, which means that users are at risk of receiving forged emails that appear to come from domains they trust. To prevent spoofed emails, all systems must be manually configured to the highest standard of authentication. Unfortunately, the process is complicated, and servers are often misconfigured. The Detectify team has put together an extensive guide to help you check whether your domain is at risk of forged spoofed emails, and it also gives you the tools to configure the authentication correctly.
The fifth vulnerability category on the list is called Security Misconfiguration. If a component is susceptible to attack because of an insecure configuration, it is classified as a security misconfiguration. It counts as the same vulnerability category regardless of whether the misconfiguration is in the web server, the database or, for that matter, custom code.