‘WordPress Security’ Category

The Correct Way To Report A Security Issue With WordPress

25 responses, posted on August 12th, 2009, in WordPress Security

If you don’t know by now, WordPress 2.8.4 has hit the public, and it addresses a mild but hugely annoying issue. There was no advance warning regarding the vulnerability, but it was quickly patched in the WordPress core for the next release. Unfortunately, word quickly spread, and in fact even my site WPTavern.com was affected by the problem: I received an email letting me know what my new password was even though I didn’t request one. Here are the details regarding the annoyance: a specially crafted URL could be requested that would allow an attacker to bypass the security check verifying that a user had requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is […]


WordPress Version 2.8.3 Security Release

29 responses, posted on August 3rd, 2009, in WordPress, WordPress Security

Weren’t we just talking about upgrading to the latest and greatest version of WordPress just yesterday? Well, today Ryan Boren posted on the WordPress.org blog about the release of the WordPress 2.8.3 Security Release. As he mentions in the post, this fix is related to the privilege escalation issues in version 2.8.1. What he says next is the real reason why WordPress is so popular and well supported: “Luckily, the entire WordPress community has our backs. Several folks in the community dug deeper and discovered areas that were overlooked. With their help, the remaining issues are fixed in 2.8.3.” Ryan is right – it is the community that looks after each other. Where else would you have such a diverse and talented group that points out issues instead of just taking them public, even though that would draw a lot of attention and maybe fame for themselves? […]


WordPress 2.8.2 Security Update

1 response, posted on July 20th, 2009, in WordPress, WordPress Security

The WordPress team has released WordPress 2.8.2, which fixes an XSS vulnerability. This release fixes an issue with comment author URLs.


Security And Anti-spam Plugins For WordPress

44 responses

I did a post about an antivirus plugin for WordPress, and several users commented about different plugins that improve the security of WordPress, so I decided to sum up some of the plugins that provide security and comment spam protection for WordPress blogs.


Fake WordPress Site

48 responses

Many sites across the blogosphere are reporting a fake website that is distributing a backdoored version of WordPress. Though these are few and far between, it behooves all users to be careful when downloading any kind of code to run on their blog. The Register report contains an update from Peter Westwood (a WordPress lead dev) about the code being distributed and his suggestions on how to avoid being duped. The fake site is down now, but if you believe that you might have been a victim of this site, please download a fresh copy of WordPress from WordPress.org and upgrade your blog to be safe. I personally follow a few simple rules to make sure that I never fall for a social engineering or covert code trap on my blogs. Always download core WordPress code from http://WordPress.org. Type the link into your browser address bar rather than following […]


Comment Remix Security Bulletin

8 responses, posted on November 1st, 2008, in WordPress Plugins, WordPress Security

Normally we keep to a maximum of two posts a day on WeblogToolsCollection as a means of keeping your dashboard from being overrun by us. However, considering that the following security bulletin has been published concerning the WP Comment Remix plugin, which won the WeblogToolsCollection plugin competition, I felt it was important to pass it along to you. According to the bulletin published by Chxsecurity.org, version 1.4.3 contains the following vulnerabilities: SQL injection, caused by the unsanitized variable “p” in the ajax_comments.php file; cross-site scripting, which affects both authenticated and unauthenticated users; and cross-site request forgery, because the form generated through wpcr_do_options_page lacks the WordPress wp_nonce security function. These vulnerabilities are considered HIGH risk; however, the latest version (1.4.4) apparently addresses these issues. If you are using this plugin on your blog, be sure to upgrade it to the latest version.


WordPress 2.6.2 Released

16 responses, posted on September 9th, 2008, in WordPress, WordPress Security

WordPress 2.6.2: This release is in response to a recent warning to developers from Stefan Esser about the dangers of SQL column truncation and the weaknesses of mt_rand(). The issue that forced the release is discussed in detail in the WordPress.org blog post linked above. Basically, the attack is complex and depends on open registration being turned on in your blog, but it can be executed in theory and turns out to be more of an annoyance than an actual exploit. If you have open registration on your blog, the WordPress.org team recommends that you upgrade your install to WordPress 2.6.2. A handful of other fixes are also included in this upgrade. Here is a list of changed files.


10 Security Plugins For WP

11 responses

Speckyboy has created a list of the top 10 security plugins to use with WordPress. The plugins range from AskApache Password Protect to WP Security Scan. When asked about security at WordCamp Dallas, Matt Mullenweg responded by saying “The best thing you could do to make sure your blog is secure is to stay up to date with the latest stable versions of WordPress.” Using strong passwords for your administrator account, along with not using the default admin account that is created during a WordPress install, are also good practices. For more information on securing your WordPress installation, be sure to check out the Hardening WordPress article on the Codex.


Vulnerable WordPress Blogs Not Being Indexed

57 responses

Vulnerable WordPress Blogs Not Being Indexed: Technorati has decided not to index vulnerable and exploited WordPress blogs. This comes after the recent spate of hacks discovered on various high-profile blogs and websites. Even more interesting was the fact that some of these hacks and exploitations might have come from covert and encrypted code hidden in various themes available for free over the web. The moral of this story is that you need to upgrade your WordPress blog now to WordPress 2.5. Just so that everyone is aware, WordPress 2.5 is the latest stable version and is the version everyone should upgrade to. Any older version leaves you vulnerable. [EDIT] As mentioned on the legacy 2.0 page, WordPress 2.0.11 is the latest stable download with all the latest security fixes for the 2.0 branch. However, WordPress 2.5 is still the latest and the […]




Obviously Powered by WordPress. © 2003-2013