Category Archives: Security

Upgrade or else!

UPDATE 2008-04-16: Well crud. I was just re-reading the WP 2.5 announcement post for something else, and spotted a bit about security updates between 2.3.3 and 2.5. So my previous advice about 2.3.3 being okay was incorrect. This is one of the areas where I disagree with the core development team — if it was up to me, there would be a 2.3.4 security release for those who have good reasons why they can’t upgrade to 2.5 right now.

Okay, people, if you are running any version of WordPress older than 2.3.3 2.5*, you need to upgrade now. [...]

Also posted in Blogs, Search, WordPress.

Creating a secure WordPress install

Over on BlogSecurity, there’s a whitepaper on How to create a secure WordPress install. It covers several areas, including MySQL setup, WordPress user configuration, Apache protection of directories, and some useful plugins. I’ve glanced over it, and I have mixed feelings. Here’s a quick list of notes, off the top of my head:

Pros:

  • There is detailed information about granting the minimum privileges necessary for the MySQL login. This is a good idea that many people probably don’t think about.
  • Creating a less privileged WordPress account for posting, separate from your blog admin login, is also a good suggestion.
  • The notes on password enumeration are important. [...]
Also posted in WordPress.

WordPress 2.2.2 Released

There is a new security & bugfix release: WordPress 2.2.2. There are no new features in this version. Since it is a security release, all users should upgrade as soon as possible. Read the original announcement for full details. Download now!

Also, as mentioned in the original announcement, there is a new version in the 2.0 legacy branch: WordPress 2.0.11. [...]

Also posted in Software, WordPress.

WordPress 2.2.1 Released

WordPress 2.2.1 is now available. Most of the changes are minor bug fixes, however there are some security fixes as well. We can’t stress enough how important it is to upgrade your sites and keep them current so that you aren’t open to attacks. Many people see these “minor” version updates and assume that they don’t need to install them. Mainly it seems to be folks who worry about an upgrade breaking their theme or their plugins. But if the themes and plugins are written properly, this won’t normally be a problem. [...]

Also posted in Software, WordPress.

New WordPress Releases: 2.0.10 and 2.1.3

That’s right, two shiny new bugfix/security updates. One for the 2.0 branch and one for the 2.1 branch. There are some small bugfixes in both of these versions, but the main reason to upgrade is for the security fixes (I’m going to write more on that subject later).

Visit the downloads page for version 2.1.3, and the Release Archive for version 2.0.10.

Watch later this month for the release of WordPress 2.2. [...]

Also posted in Software, WordPress.

Important: Upgrade to WordPress 2.1.2

In the interest of getting the word out as quickly and as widely as possible, a brief word about a new WordPress release: If you recently installed version 2.1.1, you should upgrade to WordPress 2.1.2 immediately. There was a security breach on the server which housed the download archives, and some files in the 2.1.1 download were modified to include a serious security hole. There are more details in the official WordPress Dev Blog announcement.

While technically this only affects those who downloaded the 2.1.1 .zip or .tar.gz archives from the wordpress.org site in about the last week, it certainly wouldn’t hurt to go ahead and upgrade, even if you downloaded earlier, or installed from SVN. [...]

Also posted in Software, WordPress.

Two New WordPress Releases

Announcing not one, but two new WordPress releases: WordPress 2.0.9 (for the 2.0 branch), and WordPress 2.1.1 (for the 2.1 branch). Both versions include fixes for a minor XSS (cross-site scripting) attack vector, plus various other small bugfixes. Due to the possible security bug, all users are urged to upgrade to the newest appropriate version. See the announcement on the Development Blog for full details.

For those of you who may be confused about why there are two versions being updated in parallel, here’s a quick rundown: for WordPress to be available as an official package for Debian Linux, we made a commitment to maintain the 2.0 branch through 2010. [...]

Also posted in Announcements, MySQL, WordPress.

Virus Alert

I don’t usually do this, but I think this is serious enough that we need to get the word out. This virus sounds particularly nasty, so make sure you take every precaution — update your anti-virus software, back up your systems, buy extra bread, milk, and eggs, and keep your kids indoors: Virus Alert – “Bedtime”.

Also posted in Fun, Humor.

WordPress 2.0.7 Released

WordPress 2.0.7 has been released (yes, I know I missed announcing 2.0.6, but I was on vacation). The major focus of this release was a new security patch under certain versions of PHP with register_globals turned on, plus a fix in Conditional GET support under certain combinations of IIS/PHP-CGI versions (AKA the “Feedburner bug”). [...]

Also posted in Software, WordPress.

WordPress 1.5.x safe from XML-RPC worm

In case you didn’t already see my post over on the WordPress Development Blog, rest assured that WordPress is safe from the recently announced PHPXMLRPC worm. Some of the articles about this worm point to old information indicating that WP 1.5 is vulnerable, but that is incorrect. Versions 1.2.x and earlier are in danger, however. [...]

Also posted in Blogs, News, Tech, WordPress.