Posts Tagged ‘security’

WordPress Plugin Security Showdown

No responses, September 17th, 2011, in WordPress Plugins

It’s the weekend, time to work on your next WordPress plugin, but are you following the right security practices? At this year’s WordCamp San Francisco, core developers Mark Jaquith and Jon Cave, along with developer and author Brad Williams, covered some of the best security practices for plugin development and offered some real-life examples of just how easy it is to turn a world-class plugin into a crippling vulnerability. “One of the greatest things about WordPress plugins is they can do anything, and one of the most frightening things about WordPress plugins is they can do anything.” ~ Mark Jaquith


Easily Find and Fix Vulnerable Instances of TimThumb

2 responses, September 7th, 2011, in WordPress, WordPress Security

If you’re worried about the recent TimThumb security vulnerability, but haven’t had a chance to see if you’re affected, identifying and fixing vulnerable instances of TimThumb just got a whole lot easier thanks to a new plugin from Peter Butler. Now, all you need to do is install and activate this plugin, run the scanner from the new Tools -> Timthumb Scanner section in your Dashboard, and click the Fix button to repair any vulnerabilities that are found.


TimThumb Security Vulnerability

5 responses

A zero-day vulnerability has been found in TimThumb, a popular image resizing script used by several WordPress themes. The person who discovered the vulnerability has issued a fix and instructions to detect any lingering hacks. As described on the VaultPress blog, “The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.” The folks at Sucuri have compiled a great list of just a few affected WordPress themes, to give you an idea of how many themes use TimThumb. If your theme uses TimThumb, contact your theme author for an update immediately, or download the latest version if it has already been updated. If your theme author is not willing to offer an update, it’s probably time for a new theme, but you can also [...]


WordPress 3.1.3 and 3.2 Beta 2 Released

5 responses, May 26th, 2011, in WordPress, WordPress News

WordPress 3.1.3 and 3.2 Beta 2 have been released. Both releases include a number of security fixes and are recommended for all users. WordPress 3.2 Beta 2 also introduces support for Google Chrome Frame, an enhanced blue Dashboard color scheme, and a new version of jQuery. Don’t delay, upgrade today!™ And, if you run into problems, contact the WordPress Support Forums.


WordPress 3.1.2 Released

2 responses, April 26th, 2011, in WordPress, WordPress News

WordPress 3.1.2 has been released and “addresses a vulnerability that allowed Contributor-level users to improperly publish posts,” while also fixing a few bugs. You should be able to upgrade automatically from the Dashboard -> Updates section of your blog’s Dashboard, but you can also upgrade manually if you run into trouble.


WordPress 3.1.1 Released

4 responses, April 6th, 2011, in WordPress, WordPress News

WordPress 3.1.1 has been released. This maintenance and security release fixes 26 issues, with the following highlights: performance improvements; fixes for IIS6 support; fixes for taxonomy and PATHINFO (/index.php/) permalinks; and fixes for various query and taxonomy edge cases that caused some plugin compatibility issues. Regarding this release’s security fixes, “the first hardens CSRF prevention in the media uploader, the second avoids a PHP crash in certain environments when handling devilishly devised links in comments, and the third addresses an XSS flaw.” For most of you, 3.1.1 should be available as an automatic update via your Dashboard. If that isn’t working for you, you can download WordPress and perform a manual update.


Mark Jaquith on WordPress Theme and Plugin Security

4 responses, March 1st, 2011, in WordPress, WordPress Security

If you hate to read about security, then this great presentation by WordPress Core Developer Mark Jaquith on WordPress Theme and Plugin Security from WordCamp Phoenix 2011 is just for you! The presentation is great to watch and quite educational for both WordPress users and developers.


The State of WordPress Security

29 responses, February 11th, 2011, in WordPress

The article “How did WordPress win?” has certainly been making its rounds the last two days, but all eyes seem to be (for the most part) on this comment by core developer Mark Jaquith, who sums up the state of WordPress security quite well. It sure is hard to avoid quoting the entire thing here, but here are a few key points: “I haven’t seen an up-to-date WordPress install get directly exploited in around five years. Seriously. Every time I investigate a compromised WordPress install, it is either because they were running an old version (usually not just a little bit old, but really old), or because their web host was compromised. [...] When you’re paying $5 a month for hosting, three things will usually suffer: Stability, Security, and Support. [...] Two big priorities right now are: (a) making it super easy to stay up-to-date and (b) pushing web hosts [...]


WordPress 3.0.5 and 3.1-RC4 Released

9 responses, February 8th, 2011, in WordPress, WordPress News, WordPress Security

WordPress 3.0.5 and 3.1-RC4 have been released. Both releases address three security issues and add additional security enhancements, and 3.1-RC4 fixes “about two dozen additional bugs.” Both updates are available immediately via your Dashboard, but users updating to 3.0.5 will need to update to the latest release of Akismet again. Core developer Andrew Nacin hopes to minimize “the Akismet update dance” in WordPress 3.1 and put an end to it in WordPress 3.2.

Obviously Powered by WordPress. © 2003-2010 MidOut LLC