Digimuuri has been in development for about a year now, and the starting point has always been the same: when it comes to WordPress website security, it is not enough to detect and block attacks while they are already underway. A better solution is to prevent the most common attacks before they happen — so that the browser does not even have the technical ability to execute malicious code.
This philosophy has guided the entire development process. Because WordPress is such a widely used platform, it is constantly being researched and tested. JavaScript-based attacks in particular, such as XSS, have been a persistent problem for the WordPress ecosystem. They are relatively easy to carry out and target the user’s browser directly.
This is precisely the problem that Digimuuri addresses in a significant way.
After a year of development, we have reached an extremely strong outcome: at its strictest, Digimuuri blocks nearly all JavaScript-based attacks automatically, without separate rules or signatures. When the methods by which untrusted code gets executed can be disabled, the browser simply refuses to run anything extraneous. In practice, this means that XSS attempts and similar attacks never even get started.
This does not, of course, happen as a single uniform setting across the entire site. WordPress has many different components, themes, and plugins, and some require more flexibility than others. That is why Digimuuri automatically evaluates which parts of the site can use the strictest rules and where compatibility needs to be handled separately. The end result is that the public-facing side of the site receives very strong protection, while the admin panel remains fully functional.
The goal is not to make WordPress complicated or restrictive. On the contrary: Digimuuri aims to ensure that site administrators do not need to put in any extra effort. Protection works in the background, and the vast majority of attacks typically aimed at WordPress sites are blocked at the browser level.
Looking at the progress made over the past year, it is fair to say that we have come very close to the goal: a WordPress site whose JavaScript-based attack vectors are effectively closed off. This does not make the site invulnerable, but it eliminates one of the most common and easily exploited weaknesses in WordPress.