LifterLMS

EDTECH
Velocity 5.0

WordPress LMS plugin for creating and selling online courses with memberships, quizzes, and certificates.

After a feature-heavy 10.0, LifterLMS settled into a steady security-hardening cadence.

Tags: lms, wordpress, security-hardening, course-builder, rest-api, performance
Current state
Following the feature-rich 10.0.0 (in-builder lesson editing, focus mode, an Events tab, 'Any' engagement triggers), LifterLMS has shipped near-weekly point releases that are almost entirely security hardening—'additional checks' across quizzes, checkout, imports, REST API auth, and the Course Builder, many crediting external researchers.
Where it's heading
The product is in a post-major-release remediation phase: locking down the surfaces 10.0.0 expanded, with incremental access and validation checks rather than new capability. A lone performance win (deferring session cookies to preserve full-page caching) and AI-agent onboarding files (AGENTS.md/CLAUDE.md) are the only non-security notes.
Prediction
Expect the security-patch cadence to continue until the disclosure backlog clears, after which builder and engagement features from the 10.0 line should resume. No directional shift is visible in these entries.

Recent moves

  1. 3d ago

    Security hardening: quiz, add-ons, and REST API auth checks

    A maintenance patch: one block-editor scrolling fix for WordPress 7.0, plus hardening checks on quiz start, the add-ons screen, and REST API authentication. Continues the post-10.0 security cadence.

  2. 8d ago

    Security hardening: checkout, imports, and form-data checks

    Security-only release adding validation checks to checkout order creation, user creation during course and membership imports, and account/registration form submissions—all credited to an external researcher. Pure hardening.

  3. 10d ago

    Defer session cookies to keep anonymous views cacheable

    The one substantive change in this stretch: anonymous visitors no longer receive a session cookie until session data is actually written, keeping their page views eligible for full-page caching. A real performance win, bundled with the usual security checks.

  4. 14d ago

    Quiz-question security check and added E2E tests

    A near-empty point release: added E2E tests and a single quiz-question update check. Maintenance only.

  5. 25d ago

    Deprecate legacy quiz-question query method

    Deprecates a legacy quiz-question query method now that the Course Builder handles question search via its own AJAX flow. Internal cleanup.

  6. 29d ago

    Add AGENTS.md/CLAUDE.md; REST API permission checks

    Adds AGENTS.md and CLAUDE.md to orient AI coding agents working in the repo, plus REST API permission and Course Builder save checks. The AI-onboarding files are a small forward-looking note; the rest is hardening.
