WordPress 4.2.2 addresses 2 critical security issues

WordPress 4.2.2 has just been announced. It addresses a number security issues in all previous releases, of which, these 2 security issues were deemed most serious by the WordPress team: The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. (Reported by Robert Abela of Netsparker.) WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. (Reported separately by Rice Adu and Tong Shi.) The WordPress 4.2.2 release also includes hardening for a potential cross-site scripting vulnerability when using the visual editor. Earlier version of WordPress were also updated: – WordPress 3.8.8 – WordPress 3.9.6 – WordPress 4.0.5 – WordPress 4.1.5 Recommended upgrade path is to upgrade to version 4.2.2 – but if you have a number of legacy plugins or theme, then you might want to be extra cautious in case the latest version is not compatible with your plugins and/or themes. For more details – visit the official WordPress Blog... read more

WordPress O-day XSS bug discovered.

A new critical “0 day” XSS (Cross Site Scripting) vulnerability was discovered by Jouko Pynnonen that would allow an attackeradf to insert malicious scripts into your websites via the WordPress commenting system. The potential security risk in this flaw is huge – hackers could infect your website visitors with malware, inject mass-mailers/spam and possibly  insert a backdoor if the malicious script runs when the WordPress administrator logs in. The following WordPress versions are confirmed vulnerable: 4.2, 4.1.2, 4.1.1 3.9.3. Please update your WordPress version as soon as possible. Another way to protect yourself is to temporarily disable the “Comments” (“discussion) in the WordPress backend until this vulnerability has been fully addressed. Below is the video by Klikki... read more

Critical XSS Vulnerability Affecting Many WordPress Plugins

This is vulnerability is one of the more serious ones and allows anonymous users to compromise your WordPress site if it’s not patched up. This XSS vulnerability takes advantage of the incorrect usage of the add_query_arg() and remove_query_arg() functions which are widely by many plugin developers to modify the query strings to URLs within WordPress. Some of the more popular plugins that were affected are: Jetpack WordPress SEO Google Analyticcs (by Yoast) All-In-One-SEO Gravity Forms UpdraftPlus WP-E-Commerce WPTouch Download Monitor My Calendar P3 Profiler Related Posts for WordPress Broken-Link-Checker Ninja Forms Multiple iThemes plugins & themes Mulitple Plugins from Easy Digital Downloads This XSS vulnerability is serious enough for WordPress team to update the WordPress core for the previous versions – TWICE. WordPress version 3.8.x was updated to 3.8.6 and then to 3.8.7 WordPress version 3.9.x was updated to 3.9.4 and then to 3.9.5 WordPress version 4.0.1 was updated to 4.0.2 and then to 4.0.3 And WordPress 4.1.x was updated to 4.1.2 and then to 4.1.3   For more detailed/technical info about this vulnerability, please check out: https://wordpress.org/news/2015/04/wordpress-4-1-2/ https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html https://yoast.com/coordinated-security-release/  ... read more

Password Security

On September 10th, 2014,  the Time.com news portal reported that about 5 million Google emails and passwords were leaked on an underground Russian website. This in itself is not directly related to WordPress security, but knowing that many folks use the same passwords for many of their sites, emails, etc – it would be wise to change/update your passwords immediately – especially if  you are using the same Gmail password on your WordPress site. Ref: http://time.com/3318853/google-user-logins-bitcoin/   Weak Passwords Many folks use the same and “easy to remember passwords” such as a combination of their birthdates, their spouse, their anniversary or something like that. Most of these words combination are found in the dictionary which would allow any attacker to launch a brute force attack on the “wp-login.php”  via automated script. In order to avoid these automated attacks, your password should contain non-alphanumeric characters such as !)*#$^&%@  in addition to numbers and letters. But the problem of using such cryptic passwords is that nobody can remember it. So what is the solution? There are 2 possible solutions: use a long, nonsensical phrase and mix it with some numbers and symbols use a password manager such as the RoboForm (or the built-in Password manager on the browser) For example, go to this site: https://howsecureismypassword.net/ WARNING:  Never enter your real password on that site or any sites that doesn’t belong to you – you’ll never know if the site is silently capturing everything that’s entered on the form. Ok, now with that warning out of the way, let’s do this test:Enter this password:   q34#@5o8X It’s quite cryptic and looks strong enough.... read more

Wordress 4.0 aka Benny

WordPress 4.0 aka “Benny” in honor of the famous jazz clarinetist Benny Goodman on September 4th, 2014 and has a few interesting new features to make your life as a content writer (or editor) much easier. In earlier versions of WordPress, one has to install special plugins to embed videos from Youtube or any other video sharing sites. But in WP 4.0, embedding videos is a breeze – you just need to copy and paste the video URL into the editor window and WordPress will do the rest. How cool is that? Besides Youtube videos, you can also talks from TED as well as embed tweets. Another enhancement is in the area of finding plugins for your WordPress site. With over 30,000+ plugins from WordPress.org repository, one can easily get lost in the sea of options, but with WP 4.0, the developers have improved the search algorithm and included new metrics to help you find the most relevant plugin quickly and easily.   The million dollar Question: Should you upgrade? Although there has been over 3 million downloads of WordPress Benny since its launch, I’d rather wait a couple more weeks before upgrading and wait for 4.x (e.g. 4.1, 4.2, etc) to be released. This will allow the good folks at WordPress to iron out any bugs or security flaws discovered by the open source community. Also, if you’re using custom themes or premium plugins, it would be a good idea to check with those developers first to see if there are any compatibility issues. This is to prevent your site from getting those confounded “Internal 500 Errors” when... read more

Critical Slider Vulnerability

A critical vulnerability was discovered in a popular WordPress slider plugin called “Slider Revolution” which allowed the hacker to download your ‘wp-config.php’ file and access your database. This type of attack is known as LFI (Local File Inclusion) – where the attacker is able to access and download important/sensitive files on your server. When an attacker has access to the WordPress’s wp-config.php file, he or she basically has control over the database and can either insert malicious records/payloads into the database OR if the attacker wants to cause harm, delete all your content with click of a button. This is serious folks, and should be addressed immediately. Is my WordPress site vulnerable? If you’ve installed the Slider Revolution plugin, then yes, you should contact the plugin vendor and get and updated version immediately. Don’t wait until your site is hit. If you’re using a premium theme, you might want to check with the theme developer and ask them if the this slider plugin is included in the theme. Some of the premium themes have this plugin as part of the package. What to do next? If you have access to your server logs, you might want to check/look for the following string pattern – “revslider_show” to see if anyone is scanning your site for this vulnerability.  If you have SSH access to your hosting account, you can issue the following command in the Apache log directory: egrep -ri ‘revslider_show’ * If you don’t have SSH access, then download the access log file via FTP and then run a search for that string “revslider_show”. You’d probably see lots of probes... read more