‘WordPress Security’ Category

Easily Find and Fix Vulnerable Instances of TimThumb

2 responses | September 7th, 2011 | in WordPress, WordPress Security

If you’re worried about the recent TimThumb security vulnerability but haven’t had a chance to check whether you’re affected, identifying and fixing vulnerable copies of TimThumb just got a whole lot easier thanks to a new plugin from Peter Butler. All you need to do is install and activate the plugin, run the scanner from the new Tools -> Timthumb Scanner section of your Dashboard, and click the Fix button to update any vulnerable copies it finds. A scanner only sees the copies it knows how to look for, so a theme that ships TimThumb under another file name still deserves a manual check.


TimThumb Security Vulnerability

5 responses

A zero-day vulnerability has been found in TimThumb, a popular image-resizing script bundled with many WordPress themes. The person who discovered the vulnerability has issued a fix and instructions for detecting any lingering hacks. As described on the VaultPress blog, “The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.” The folks at Sucuri have compiled a list of some of the affected WordPress themes, just to give you an idea of how many themes use TimThumb. If your theme uses TimThumb, contact your theme author for an update immediately, or download the latest version if one has already been released. If your theme author is not willing to offer an update, it’s probably time for a new theme, but you can also [...]

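The two TimThumb posts above describe the same check from two sides: the vulnerability lets an attacker drop PHP into TimThumb’s cache directory, and the scanner plugin finds the copies of TimThumb that need updating. The script below is an added example written for this page; it is not Peter Butler’s plugin and it does not fix anything. It walks a WordPress install and reports every copy of TimThumb with the version string it declares, plus every .php file sitting under a directory named “cache”. It assumes that TimThumb declares its version with a `define('VERSION', …)` near the top of the file (true of the copies I have seen, but verify against yours) and that the install root is given as the first argument; the file names `thumb.php` and `timthumb.php` are the usual ones, not an exhaustive list.

```php
<?php
// Added example for this page, not the scanner plugin from the post above.
// Reports (a) each copy of TimThumb and its declared VERSION, so it can be
// compared with the version shipped in the fixed release, and (b) any .php
// file living under a "cache" directory, which is where the vulnerability
// quoted above lets an attacker plant code.
// Assumption: TimThumb declares its version as define('VERSION', '...').
// Usage: php timthumb-audit.php /var/www/wp

function timthumb_audit($root)
{
    $findings = array('timthumb' => array(), 'cache_php' => array());
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $path = $file->getPathname();
        $name = strtolower($file->getFilename());
        // The header comment and the VERSION define sit near the top, so
        // 64 KB is enough to read per file.
        $head = file_get_contents($path, false, null, 0, 65536);

        // (a) TimThumb copies: the usual file names, plus renamed copies
        //     recognised by the TimThumb banner together with a VERSION define.
        $has_define = preg_match(
            '/define\s*\(\s*[\'"]VERSION[\'"]\s*,\s*[\'"]([^\'"]*)[\'"]/i',
            $head,
            $m
        );
        if ($name === 'timthumb.php' || $name === 'thumb.php'
            || ($has_define && stripos($head, 'timthumb') !== false)) {
            $findings['timthumb'][$path] = $has_define ? $m[1] : 'unknown';
        }

        // (b) PHP where only cached images should be.
        $dirs = explode('/', str_replace('\\', '/', dirname($path)));
        if (in_array('cache', array_map('strtolower', $dirs), true)) {
            $findings['cache_php'][] = $path;
        }
    }
    return $findings;
}

$result = timthumb_audit(isset($argv[1]) ? $argv[1] : '.');
foreach ($result['timthumb'] as $path => $version) {
    echo "TimThumb {$version}  {$path}\n";
}
foreach ($result['cache_php'] as $path) {
    echo "PHP file in a cache directory: {$path}\n";
}
```

Any PHP file reported under a cache directory is worth treating as a planted backdoor until proven otherwise: look at its contents and the web server access log for requests to it, rather than just deleting it, since the same attacker may have added an admin user or edited a theme file as well.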

Mark Jaquith on WordPress Theme and Plugin Security

4 responses | March 1st, 2011 | in WordPress, WordPress Security

If you hate to read about security, then this great presentation by WordPress Core Developer Mark Jaquith on WordPress Theme and Plugin Security from WordCamp Phoenix 2011 is just for you! The presentation is great to watch and quite educational for both WordPress users and developers.


WordPress 3.0.5 and 3.1-RC4 Released

9 responses | February 8th, 2011 | in WordPress, WordPress News, WordPress Security

WordPress 3.0.5 and 3.1-RC4 have been released. Both releases address three security issues and add additional security enhancements, and 3.1-RC4 fixes “about two dozen additional bugs.” Both updates are available immediately via your Dashboard, but users updating to 3.0.5 will need to update to the latest release of Akismet again. Core developer Andrew Nacin hopes to minimize “the Akismet update dance” in WordPress 3.1 and put an end to it in WordPress 3.2.


WordPress 3.0.4 Security Release

1 response | December 30th, 2010 | in WordPress, WordPress News, WordPress Security

WordPress 3.0.4 has been released to plug a critical security vulnerability. [It] fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.” I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well. If you’re currently testing WordPress 3.1, make sure that you upgrade to the latest nightly release to get the same security fixes.


WordPress 3.0.3 Security Release

18 responses | December 8th, 2010 | in WordPress, WordPress News, WordPress Security

Users are advised that WordPress 3.0.3 has just been released as a security update. It fixes issues in the XML-RPC remote publishing interface which, under certain circumstances, allowed Author- and Contributor-level users to improperly edit, publish, or delete posts. If you have remote publishing enabled on your site you are urged to upgrade; you can do so easily via the built-in automatic upgrade feature. If upgrading the old-fashioned way is your cup of tea, here is the list of revised files: wp-includes/version.php, xmlrpc.php, readme.html, wp-admin/includes/update-core.php


Comment Rating Plugin Fixes Security Vulnerability

No responses | December 8th, 2010 | in WordPress Security

If you use the Comment Rating plugin on your WordPress-powered site, you are strongly encouraged to upgrade to the latest version, as it fixes a security vulnerability: specifically, a Cross-Site Request Forgery (CSRF) hole. According to the report at OSVDB.org, the Open Source Vulnerability Database: “The flaw exists because the application does not require multiple steps or explicit confirmation for unspecified sensitive transactions for the admin function. By using a crafted URL (e.g., a crafted GET request inside an “img” tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. There is no known workaround for versions lower than 2.9.21.” Kudos goes to KrebsOnSecurity for reporting [...]

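The OSVDB text describes the general shape of a CSRF hole in a WordPress admin function: a state-changing action is triggered by a plain GET, and the only thing the site checks is the admin’s login cookie, which the browser sends automatically. The code below is an added example written for this page, not code from the Comment Rating plugin or any other real plugin. It shows a hypothetical “reset this comment’s rating” admin action first in the exploitable form, then rewritten with the standard WordPress defence (`wp_nonce_url()` on the link, `check_admin_referer()` in the handler, plus a capability check). The menu slug `cr-example`, the meta key and the function names are invented for the example; the WordPress API calls are real core functions.

```php
<?php
// Added example, not code from the Comment Rating plugin: a hypothetical
// admin action that resets a comment's rating, first written the way the
// OSVDB text describes, then with WordPress's nonce-based CSRF protection.
// Assumes the WordPress core API is loaded (this file would be a plugin).
// The slug "cr-example" and the meta key are made up for the example.

define('CR_EXAMPLE_META_KEY', 'cr_example_rating');

function cr_example_do_reset($comment_id)
{
    delete_comment_meta($comment_id, CR_EXAMPLE_META_KEY);
}

// VULNERABLE: nothing ties this request to the admin's intent. Because the
// browser attaches the login cookie to every request, a page containing
//   <img src="https://victim.example/wp-admin/admin.php?page=cr-example&reset_rating=42">
// resets comment 42 as soon as a logged-in admin views it; the "click"
// mentioned in the OSVDB text is not even required for an <img> GET.
function cr_example_reset_rating_vulnerable()
{
    if (isset($_GET['page'], $_GET['reset_rating']) && $_GET['page'] === 'cr-example') {
        cr_example_do_reset((int) $_GET['reset_rating']);
    }
}

// FIXED, step 1: every link that triggers the action carries a nonce bound
// to the action name and the comment id (wp_nonce_url appends _wpnonce).
// The nonce is derived from the logged-in user's session, so an attacker's
// page cannot know or guess it.
function cr_example_reset_link($comment_id)
{
    $comment_id = (int) $comment_id;
    $url = admin_url('admin.php?page=cr-example&reset_rating=' . $comment_id);
    return wp_nonce_url($url, 'cr_example_reset_' . $comment_id);
}

// FIXED, step 2: the handler refuses requests without a valid nonce, checks
// the capability as well (a nonce proves intent, not authorisation), and
// redirects afterwards so a browser reload does not replay the action.
function cr_example_reset_rating_fixed()
{
    if (!isset($_GET['page'], $_GET['reset_rating']) || $_GET['page'] !== 'cr-example') {
        return;
    }
    $comment_id = (int) $_GET['reset_rating'];
    if (!current_user_can('moderate_comments')) {
        wp_die('You are not allowed to reset ratings.');
    }
    // Reads _wpnonce from the request and dies with "Are you sure you want to
    // do this?" if it is missing, expired, or was issued for another comment.
    check_admin_referer('cr_example_reset_' . $comment_id);
    cr_example_do_reset($comment_id);
    wp_safe_redirect(admin_url('admin.php?page=cr-example&reset=done'));
    exit;
}

add_action('admin_init', 'cr_example_reset_rating_fixed');
```

The nonce is the part that actually stops the attack; the capability check and the redirect are there because a fix for this class of bug usually ships alongside them. WordPress nonces are valid for up to 24 hours rather than once, so they limit rather than eliminate replay within a session, which is why the handler still confirms the user may perform the action.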

WordPress 3.0.2 Released, Mandatory Upgrade

11 responses | November 30th, 2010 | in WordPress Security

Just moments ago, WordPress 3.0.2 was released to the public. This version is a mandatory security upgrade. According to the release notes: “This maintenance release fixes a moderate security issue that could allow a malicious Author-level user to gain further access to the site, addresses a handful of bugs, and provides some additional security enhancements.” It’s been a while since we’ve seen one of these releases; fortunately, thanks to the built-in automatic upgrade feature, upgrading is a pretty easy thing to do.


WordPress security monitoring and diagnosis

11 responses

The three components of information security are Confidentiality, Integrity and Availability (CIA). If you’ve followed the steps in my previous tutorial, you’ll have come a long way towards ensuring all three. But you’ll always need to keep an eye on things; remember, no site is hack-proof. Here are some tools to verify the integrity of your data. These plugins will not protect your site from attacks; they will only help you monitor your site and diagnose problems. I have not tested any of these with the latest WordPress 3.0 beta.

Monitoring

In my first article on WordPress security I mentioned Open Source Tripwire as an option for monitoring your WordPress install for unexpected changes. A reader pointed out that it wasn’t the best solution, since it’s no longer maintained, and suggested a couple of alternatives. Since then, I’ve discovered a much easier way of monitoring your WP install: WordPress [...]

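The integrity half of that “CIA” triad is what Tripwire-style monitoring delivers: a baseline of every file’s hash, compared against the live tree on a schedule. The script below is an added example written for this page, not one of the plugins the post goes on to recommend. It records a SHA-256 for every file in a WordPress tree and later reports files added, removed or modified since the baseline. The exclusions for `wp-content/uploads` and `wp-content/cache` are my assumption about which directories change legitimately, and the usage lines assume the manifest is kept outside the web root, ideally off the server altogether.

```php
<?php
// Added example for this page, not a plugin from the post: a minimal
// file-integrity check for a WordPress tree, the job Open Source Tripwire
// was doing in the earlier article.
// Assumptions: wp-content/uploads and wp-content/cache are excluded because
// they change legitimately; the manifest lives outside the web root (and
// ideally off-box), since an attacker who can write files could otherwise
// rewrite the manifest to match.
// Usage: php wp-integrity.php baseline /var/www/wp > /root/wp-manifest.json
//        php wp-integrity.php check    /var/www/wp < /root/wp-manifest.json

function wp_integrity_manifest($root, array $exclude = array('wp-content/uploads', 'wp-content/cache'))
{
    $real = realpath($root);
    if ($real === false) {
        throw new RuntimeException("no such directory: {$root}");
    }
    $real = rtrim($real, '/\\');
    $manifest = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($real, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        // Path relative to the install root, with forward slashes, so a
        // manifest taken on one host compares cleanly on another.
        $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($real) + 1));
        foreach ($exclude as $prefix) {
            if (strpos($rel, rtrim($prefix, '/') . '/') === 0) {
                continue 2;
            }
        }
        $manifest[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

function wp_integrity_diff(array $baseline, array $current)
{
    $diff = array('added' => array(), 'removed' => array(), 'modified' => array());
    foreach ($current as $rel => $hash) {
        if (!isset($baseline[$rel])) {
            $diff['added'][] = $rel;
        } elseif ($baseline[$rel] !== $hash) {
            $diff['modified'][] = $rel;
        }
    }
    foreach ($baseline as $rel => $hash) {
        if (!isset($current[$rel])) {
            $diff['removed'][] = $rel;
        }
    }
    return $diff;
}

$mode = isset($argv[1]) ? $argv[1] : 'baseline';
$root = isset($argv[2]) ? $argv[2] : '.';
if ($mode === 'baseline') {
    echo json_encode(wp_integrity_manifest($root)), "\n";
    exit(0);
}
$baseline = json_decode(stream_get_contents(STDIN), true);
if (!is_array($baseline)) {
    fwrite(STDERR, "no baseline manifest on stdin\n");
    exit(2);
}
$diff = wp_integrity_diff($baseline, wp_integrity_manifest($root));
$changes = 0;
foreach ($diff as $kind => $paths) {
    foreach ($paths as $rel) {
        echo strtoupper($kind), "\t", $rel, "\n";
        $changes++;
    }
}
// Non-zero exit on any change, so cron or a monitoring job can alert on it.
exit($changes > 0 ? 1 : 0);
```

Re-baseline immediately after every legitimate core, theme or plugin update, and review rather than accept any “modified” entry for a file you did not update yourself; a new .php file appearing in uploads, a cache directory or a theme folder is exactly the pattern the TimThumb compromise above leaves behind.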



Obviously Powered by WordPress. © 2003-2010 MidOut LLC
