WordPress sends out email sometimes, and it doesn’t encrypt any of them by default. Integration of WordPress and OpenPGP for a better security is a case study by Paweł Bulwan that examines the security implications of all of these emails. Are they leaking important information? Should WordPress site owners worry about them?
Only Limited Security Threats
Mr. Bulwan only found five potential security threats, which is pretty good news. None of them are show-stoppers. However, I believe he missed something important, which is that any information that is leaked about login credentials can cause issues. Leaked information can be used to limit an attacker’s problem space, reducing the complexity of an attack.
Mr. Bulwan’s idea of providing OpenPGP encryption for any emails that WordPress sends is a great one. In fact, if WordPress provided an OpenPGP API, it would spell the obsolescence of my OpenPGP Form Encryption for WordPress plugin.
That would be really cool.