Posts Tagged ‘security’

WordPress 3.0.5 and 3.1-RC4 Released

9 responses | February 8th, 2011 | in WordPress, WordPress News, WordPress Security

WordPress 3.0.5 and 3.1-RC4 have been released. Both releases address three security issues and add further security enhancements, and 3.1-RC4 fixes “about two dozen additional bugs.” Both updates are available immediately via your Dashboard, but users updating to 3.0.5 will need to update to the latest release of Akismet again. Core developer Andrew Nacin hopes to minimize “the Akismet update dance” in WordPress 3.1 and put an end to it in WordPress 3.2.


WordPress 3.0.4 Security Release

1 response | December 30th, 2010 | in WordPress, WordPress News, WordPress Security

WordPress 3.0.4 has been released to plug a critical security vulnerability. [It] fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.” I realize an update during the holidays is no fun, but this one is worth putting down the eggnog for. In the spirit of the holidays, consider helping your friends as well. If you’re currently testing WordPress 3.1, make sure that you upgrade to the latest nightly release to get the same security fixes.


Comment Rating Plugin Fixes Security Vulnerability

No responses | December 8th, 2010 | in WordPress Security

If you use the Comment Rating plugin for your WordPress-powered site, you are highly encouraged to upgrade to the latest version, as it fixes a security vulnerability, more specifically a Cross-Site Request Forgery (CSRF) flaw. According to the report at OSVDB.org, the Open Source Vulnerability Database: The flaw exists because the application does not require multiple steps or explicit confirmation for unspecified sensitive transactions for the admin function. By using a crafted URL (e.g., a crafted GET request inside an “img” tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. There is no known workaround for versions lower than 2.9.21. Kudos goes to KrebsOnSecurity for reporting [...]


WordPress Security Update Efficiency

6 responses | December 5th, 2010 | in WordPress, WordPress News

WordPress 3.0.2, the first mandatory security update in quite a while, was released not too long ago. The update patched an exploit which allowed an Author-level user to gain access to the site well above their user level, but the real story here is the overall efficiency of the volunteer developers. With a team of unpaid volunteers keeping WordPress in tip-top shape, you might be surprised to hear that this particular update went from initial disclosure of the exploit to final release in no more than four hours! That time frame is almost unheard of, even amongst commercial projects. To further sweeten the pot, the VaultPress team automatically pushed a hotfix the next day to all VaultPress-enabled blogs, ensuring that all VaultPress users were protected from the exploit even if they had not yet had a chance to apply the 3.0.2 update. With such an efficient team of volunteer developers, and [...]


How To Improve Basic Security on a Fresh WordPress Install

40 responses | April 15th, 2010 | in HOW-TO, WordPress FAQs

WordPress developers take security very seriously, and many security experts evaluate WordPress’s code for flaws. Security updates are released frequently to keep users safe. However, there are some extra steps you can take to make a fresh installation of WordPress more secure and protect against future attacks. Remember, no system can ever be completely secure, but taking preventative measures can be helpful. Much of this guide is based on the advice in the WordPress Codex article on hardening WordPress, but it is aimed at the WordPress beginner. In future articles, I’ll cover advanced security measures, hardening existing WordPress installs, and recovering hacked WordPress sites. This guide should be relevant for both WordPress 2.92 (the most recent stable release as of this writing) and WordPress 3.0.

Overview:
- Preliminary steps for securing your WordPress install
- Changing defaults in WordPress to implement “security by obscurity”
- Choosing strong passwords
- Installing and configuring [...]


Distributed WordPress Admin Account Cracking

12 responses | November 30th, 2009 | in WordPress Security

Bojan Zdrnja has published a post on the SANS Internet Storm Center blog today highlighting a distributed WordPress admin account cracking script. The script was discovered by one of the site’s readers on a virtual private server (VPS). The acquired script is written in PHP and performs brute-force cracking attempts against WordPress admin accounts. While this particular version is relatively simple, the script’s MySQL back end allows the attacker to distribute the attacks not only across target sites but also across the passwords tried. The article goes into detail explaining how the script works and suggests the typical security precautions, such as using strong passwords, changing the admin username, and limiting the admin login page to only your IP address. Brute-force attacks on WordPress are nothing new, but it’s interesting to see this approach using a distributed technique. Hat tip to WPVibe.


Watch Out For The Gumblar Botnet

6 responses | November 6th, 2009 | in WordPress Security

According to the blog Unmask Parasites, there is a new version of the Gumblar botnet making the rounds on PHP-based websites. Back in May of this year, this malicious botnet was responsible for infecting a large number of websites in a short period of time. This time around, however, the Gumblar botnet has buggy code which is causing a number of infected WordPress sites to break. WordPress is a complex web application that comprises more than 200 .php files. When you open any page, WordPress loads index.php which, in turn, loads many other .php files using the require() function. The WordPress admin interface also relies on multiple .php files. In all cases, WordPress loads the wp-config.php file, which contains database credentials and other important information required for normal operation. So what happens if both index.php and wp-config.php are infected with the Gumblar backdoor scripts? Since Gumblar injects identical backdoor scripts into [...]


WordPress 2.8.5 Out The Door

35 responses | October 20th, 2009 | in WordPress

WordPress 2.8.5 has officially been tagged and is now available for download. If you don’t see the upgrade nags in your administration panel already, give it a few hours and upgrade when it becomes available. This release has been dubbed a security hardening release, meaning more preventive measures have been taken to secure WordPress. Worthy of note is an issue that was addressed dealing with a trackback spam denial-of-service attack, which was discussed on the WP-Hackers mailing list the other day. This exploit takes advantage of the wp-trackback.php file, which would exhaust a server’s resources when abused. This has specifically been addressed in 2.8.5. Thanks go out to Steve Fortuna for releasing a fix for this 0-day exploit. The release also contains a few bug fixes.


Are You Responsible Enough To Run WordPress?

118 responses | September 12th, 2009 | in WordPress Security

I’m pretty sure by now that you’ve heard about the worm attack on older versions of WordPress. In the trail of destruction, I’ve been reading quite a few blog posts regarding the attacks, along with the comments attached to those posts, and quite honestly, I can’t believe some of the comments I’ve read. One of the most absurd comments I came across stated that upgrading was not an option for them. How on earth do you put yourself in a position where upgrading is not an option? You might as well just leave the door open so the bad guys can come in freely. Unfortunately, the blame game has come back in full force, with those affected generally blaming WordPress, and those not affected blaming users who failed to upgrade in a timely fashion. The bottom line is, the issues that led to this worm attacking older versions of WordPress were fixed [...]

Obviously Powered by WordPress. © 2003-2010 MidOut LLC