WordPress version 4.1.2 is now available to download and contains changes to address the following serious security issues:
- A critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.
- Files with invalid or unsafe names could be uploaded.
- Some plugins are vulnerable to an SQL injection attack.
- A very limited cross-site scripting vulnerability could be used as part of a social engineering attack.
- Four hardening changes, including better validation of post titles within the Dashboard.
You can read more about the update: https://core.trac.wordpress.org/log/branches/4.1?rev=32234&stop_rev=32144
You can download WordPress 4.1.2: http://wordpress.org/wordpress-4.1.2.zip
One of the greatest benefits of being part of the WordPress community is access to the hundreds of thousands of existing plugins. A site owner can easily go from a vanilla site to something with a lot of functionality in a matter of minutes. On the same note, having access to all these plugins can easily cause more harm than good. Example: I recently worked with someone who was having problems upgrading their site to the latest version of WordPress. I figured this would be a 30-minute task. After logging in and seeing they had over 60 plugins, 40+ of which required upgrades, the task quickly grew.
Keeping everything up to date is important, but I would also like to stress that keeping a lean version of your site is equally important. If you need a certain piece of custom functionality, weigh the server resources, time for updates/debugging, etc. against what you really get from it. Debugging 1 plugin is manageable, debugging 10 plugins is a task, debugging 40 plugins is insanity. Also, if you decide that a plugin is just not working the way you expected, delete it and forget about it. There is no reason to keep plugins around that you do not need. Keeping these files around also takes up valuable resources that could be better used elsewhere.
If you are looking for a fast and secure web site (who isn’t?), remember to keep it simple. Custom functionality is great, but don’t forget to think about the cost.
WordPress is a great tool, but make sure you keep it up to date to avoid security vulnerabilities. I have fixed a number of outdated and hacked WordPress installs over the past few years that could easily have been avoided by applying WordPress updates a few times a year. If you are using WordPress 2.5+, you are notified when you log in whenever a plugin or WordPress itself has a new version available.
If you do not want to go through the process of using svn or ftp to update your files, WordPress also gives you the option to update automatically.
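As an added example (not part of the original post and not WordPress's own code), here is how that automatic-update option is configured: the WP_AUTO_UPDATE_CORE constant in wp-config.php plus a small must-use plugin using the auto_update_plugin and auto_update_theme filters WordPress provides. The plugin slugs in the allowlist are hypothetical placeholders.

```php
<?php
// --- wp-config.php (constructed example, not the page's own config) ---

// Weak setting: core auto-updates switched off, so the site only moves
// forward when someone logs in and updates by hand (or via svn/ftp).
// define( 'WP_AUTO_UPDATE_CORE', false );

// Recommended: let WordPress apply minor/security releases such as 4.1.2
// on its own. 'minor' = security/minor releases only, true = major too.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Do NOT set this on a site you want to stay patched: it disables the
// background updater (core, plugins, themes, translations) entirely.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// --- wp-content/mu-plugins/auto-updates.php (constructed example) ---
// A must-use plugin is loaded on every request without activation, so
// the filters below are always in place. Named functions are used rather
// than closures to stay compatible with the PHP versions WordPress 4.1 ran on.

// Hypothetical slugs: replace with the plugins your site actually runs.
function example_auto_update_plugin_allowlist() {
    return array( 'example-forms', 'example-seo' );
}

// Called once per plugin with an available update; $item->slug is the
// plugin's directory name (e.g. "akismet").
function example_auto_update_plugin( $update, $item ) {
    if ( in_array( $item->slug, example_auto_update_plugin_allowlist(), true ) ) {
        return true; // update these in the background
    }
    return $update;  // keep WordPress's default decision for the rest
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes rarely carry site-specific changes, so update them all automatically.
add_filter( 'auto_update_theme', '__return_true' );
```

Plugins outside the allowlist still show up on the Dashboard update notice described above, so the lean-site advice (delete what you do not use) keeps that list short.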
If you suspect you were hacked, feel free to contact us and we will update and clean your site.