Posts Tagged ‘security’

WordPress 3.1.1 Released

4
responses
by
on
April 6th, 2011
in
WordPress, WordPress News

WordPress 3.1.1 has been released. This maintenance and security release fixes 26 issues with the following highlights: Performance improvements Fixes for IIS6 support Fixes for taxonomy and PATHINFO (/index.php/) permalinks Fixes for various query and taxonomy edge cases that caused some plugin compatibility issues Regarding this release’s security fixes, “the first hardens CSRF prevention in the media uploader, the second avoids a PHP crash in certain environments when handling devilishly devised links in comments, and the third addresses an XSS flaw.” For most of you, 3.1.1 should be available as an automatic update via your Dashboard. If that isn’t working for you, you can download WordPress and perform a manual update.

[Continue Reading...]

Mark Jaquith on WordPress Theme and Plugin Security

4
responses
by
on
March 1st, 2011
in
WordPress, WordPress Security

If you hate to read about security, then this great presentation by WordPress Core Developer Mark Jaquith on WordPress Theme and Plugin Security from WordCamp Phoenix 2011 is just for you! The presentation is great to watch and quite educational for both WordPress users and developers.

[Continue Reading...]

The State of WordPress Security

29
responses
by
on
February 11th, 2011
in
WordPress

The article How did WordPress win? has certainly been making its rounds the last two days, but all eyes seem to be (for the most part) on this comment by core developer Mark Jaquith, who sums up the state of WordPress security quite well. It sure is hard to avoid quoting the entire thing here, but here are a few key points: I haven’t seen an up-to-date WordPress install get directly exploited in around five years. Seriously. Every time I investigate a compromised WordPress install, it is either because they were running an old version (usually not just a little bit old, but really old), or because their web host was compromised. […] When you’re paying $5 a month for hosting, three things will usually suffer: Stability, Security, and Support. […] Two big priorities right now are: (a) making it super easy to stay up-to-date and (b) pushing web hosts […]

[Continue Reading...]

WordPress 3.0.5 and 3.1-RC4 Released

9
responses
by
on
February 8th, 2011
in
WordPress, WordPress News, WordPress Security

WordPress 3.0.5 and 3.1-RC4 have been released. Both releases address three security issues and add additional security enhancements, and 3.1-RC4 fixes “about two dozen additional bugs.” Both updates are available immediately via your Dashboard, but users updating to 3.0.5 will need to update to the latest release of Akismet again. Core developer Andrew Nacin hopes to minimize “the Akismet update dance” in WordPress 3.1 and put an end to it in WordPress 3.2.

[Continue Reading...]

WordPress 3.0.4 Security Release

1
response
by
on
December 30th, 2010
in
WordPress, WordPress News, WordPress Security

WordPress 3.0.4 has been released to plug a critical security vulnerability. [It] fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.” I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well. If you’re currently testing WordPress 3.1, make sure that you upgrade to the latest nightly release to get the same security fixes.

[Continue Reading...]

Comment Rating Plugin Fixes Security Vulnerability

No
responses
by
on
December 8th, 2010
in
WordPress Security

If you use the Comment Rating plugin for your WordPress powered site, you are highly encouraged to upgrade to the latest version as it fixes a security vulnerability. More specifically, a Cross-site Request Forgery attack. According to the report at OSVDB.org which is an Open Source Vulnerability Database: The flaw exists because the application does not require multiple steps or explicit confirmation for unspecified sensitive transactions for the admin function. By using a crafted URL (e.g., a crafted GET request inside an “img” tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. There is no known workaround for versions lower than 2.9.21. Kudos goes to KrebsOnSecurity for reporting […]

[Continue Reading...]

WordPress Security Update Efficiency

6
responses
by
on
December 5th, 2010
in
WordPress, WordPress News

WordPress 3.0.2, the first mandatory security update in quite a while, was released not too long ago. The update patched an exploit which allowed an Author-level users to gain access to the site well above their user level, but the real story here is the overall efficiency of the volunteer developers. With a team unpaid volunteers keeping WordPress in tip-top shape, you might be surprised to hear that this particular update went from initial disclosure of the exploit to final release in no more than four hours! That particular time frame is almost unheard of, even amongst commercial projects. To further sweeten the pot, the VaultPress team automatically pushed a hotfix the next day to all VaultPress-enabled blogs, ensuring that all VaultPress users were protected from the exploit, even if they had not had a chance to apply the 3.0.2 update. With such an efficient team of volunteer developers, and […]

[Continue Reading...]

How To improve basic security on a fresh WordPress install

40
responses
by
on
April 15th, 2010
in
HOW-TO, WordPress FAQs

WordPress developers take security very seriously, and many security experts evaluate WordPress’s code for flaws. Security updates are made frequently to keep users safe. However, there are some extra steps you can take to make a fresh installation of WordPress more secure and protect against future attacks. Remember, no system can ever be completely secure, but taking preventative measures can be helpful. Much of this guide is based on the advice from the WordPress Codex article on hardening WordPress, but it is aimed at the WordPress beginner. In future articles, I’ll cover advanced security measures, hardening existing WordPress installs, and recovering hacked WordPress sites. This guide should be relevant for both WordPress 2.92 (the most recent stable release as of this writing) as well as WordPress 3.0. Overview: -Preliminary steps for securing your WordPress install -Changing defaults in WordPress to implement “security by obscurity” -Choosing strong passwords -Installing and configuring […]

[Continue Reading...]

Distributed WordPress Admin Account Cracking

12
responses
by
on
November 30th, 2009
in
WordPress Security

Bojan Zdrnja has published a post on the SANS Internet Storm Center blog today highlighting a distributed WordPress admin account cracking script. The script was discovered by one of the sites readers on a virtual private server (VPS). The acquired script is written in PHP and performs brute force cracking attempts to WordPress admin accounts. While this particular version is relatively simple, the power behind the script and the MySQL database allows the attacker to distribute the attacks not only by sites, but also by passwords tried as well. The article goes into detail explaining how the script works and suggests the typical security precautions such as using strong passwords, changing the admin username and limiting the admin login page to only your IP address. Brute force attacks on WordPress are nothing new but it’s interesting to see this approach using a distributed technique. Hat tip to WPVibe.

[Continue Reading...]



Obviously Powered by WordPress. © 2003-2013

page counter
css.php