WordPress Security Releases – 3.0.2 & 3.0.3

In case you’ve been under a rock the last couple of weeks, two security releases have been issued for WordPress, 3.0.2 and a week later, 3.0.3. I (kinda) jokingly explained to my coworkers that these security releases were less “someone left the front door open”, rather, “someone left a small window upstairs open that only the neighbors can see”. Needless to say these are legitimate security issues in some environments, as well as a couple of bug fixes, and all sites should apply them. The 3.0.3 release is specific to sites that enable the XML-RPC, remote publishing option.

What was most impressive is that the first and larger security release was pushed out 4, yes, four, hours from when the core developers were made aware of the exploit. For a bunch of volunteers spread across multiple time zones, that’s impressive.

WordPress 2.1.1 Hacked


If you haven’t seen your dashboard, or caught this in an email, it is imperative that you read up and take action. From Matt on the dev blog:

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

This is a serious situation, and one not to be taken lightly. For those new to WordPress, you may want to read over the codex page on how to upgrade.

If you have any questions, you should visit the support forums, or feel free to contact me about the process.

Database Back-up Plugin Security Issue

Skippy reported in the WP forums that a security vulnerability had been found in the database back-up plugin. Subsequently, in the same thread, he posted back with a fix that had been “cooked up” by Ryan. At root, the plugin was open to a “directory traversal vulnerability”, but only when exercised by someone with admin privileges, and no one should be giving admin privileges to someone they don’t trust.
That said, an updated version can be downloaded here.
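As an added illustration of the class of bug involved (this is not the back-up plugin’s code, nor Ryan’s fix), the PHP below shows the defensive check a plugin can apply before reading or deleting a user-supplied backup file name: resolve it against the backup directory and refuse anything that ends up outside it. The directory layout, the file name pattern and the function name are all assumptions made for the example.

```php
<?php
// Added example, not the database back-up plugin's own code.
// Resolves a user-supplied backup file name inside a fixed backup directory
// and rejects anything that would escape it (directory traversal).

/**
 * Return the absolute path of $name inside $backupDir, or null if the name is
 * malformed, the file does not exist, or its resolved path lies outside
 * $backupDir.
 */
function resolve_backup_file(string $backupDir, string $name): ?string
{
    // Accept plain file names only: no directory separators, no empty names.
    if ($name === '' || basename($name) !== $name) {
        return null;
    }
    // Restrict to the naming scheme the (hypothetical) plugin uses for dumps.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.sql(\.gz)?$/', $name)) {
        return null;
    }
    $root = realpath($backupDir);
    if ($root === false) {
        return null;
    }
    // realpath() also follows symlinks, so a link planted inside the backup
    // directory that points elsewhere fails the containment check below.
    $resolved = realpath($root . DIRECTORY_SEPARATOR . $name);
    if ($resolved === false) {
        return null;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($resolved, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $resolved;
}

// Demonstration against a constructed temporary backup directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp-backup-demo-' . getmypid();
mkdir($dir, 0700);
$dump = $dir . DIRECTORY_SEPARATOR . 'site-2010-12-01.sql.gz';
file_put_contents($dump, 'constructed fake dump');

$cases = [
    'site-2010-12-01.sql.gz',  // legitimate dump inside the directory
    '../../wp-config.php',     // traversal attempt, rejected by basename()
    'wp-config.php',           // wrong extension, rejected by the pattern
    'missing-2010.sql',        // well-formed but absent, rejected by realpath()
];
foreach ($cases as $case) {
    $result = resolve_backup_file($dir, $case);
    printf("%-26s => %s\n", $case, $result === null ? 'rejected' : $result);
}

unlink($dump);
rmdir($dir);
```

The point of the layered checks is that each one closes a gap the others leave: `basename()` strips traversal sequences, the pattern confines the name to what the plugin itself would have written, and the final `realpath()` comparison catches anything (a symlink, an odd encoding) that slipped past the string checks.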

Kudos to Skippy for bringing this public as soon as he was aware, and kudos to the team for getting a quick fix to a popular plugin that’s bundled with the download.

Though many are capable of doing manual backups, the automatic backup is a handy feature, and one that can easily save some headache and time for those that have multiple blogs, or are just plain lazy like this blogger.

WordPress Updated and bugfix Plugin

A lot of people have already posted, but in case you missed it, WP has been bumped up to 2.0.3. Mostly a security and bug fix release, it turned out to ship with a few new bugs of its own. Rather than patch some files, the talented Mark Jaquith has created a plugin specifically for 2.0.3 to fix the bugs. So while updating, go over to his site and grab the plugin, and avoid any hassles down the road.
The next release (assuming nothing else is broken in 2.0.3) will be 2.1, and it is shaping up to be an interesting release. I’m really looking forward to the new way bookmarks are handled (including importing an OPML file as your bookmarks), as well as the ability to stick a page to the front and designate another as your “blog” page. Several other “under the hood” concepts have been added, which should open up even more for plugin authors.