
Pixel Internet Blog


WordPress user? Why you need to update now

WordPress is an excellent and incredibly popular content management system (CMS), thanks to its flexibility, the ease with which it can be customised with a wide choice of themes and plugins, and its clean markup, which lets search engines index sites built on it without difficulty.

That popularity also makes it a constant target for attackers, and sites are most at risk when updates to the platform itself, and to any plugins and themes in use, are not applied promptly.

There is really no excuse not to keep up to date: since version 3.7 WordPress installs minor and security releases in the background by itself, and plugin and theme updates can be switched to automatic as well, so your site picks up security fixes and bug fixes without anyone having to remember to click a button.

If you haven't updated yet, go to your dashboard, choose 'Updates' and click 'Update Now', or download the release from WordPress (https://wordpress.org/download/) and apply it by hand. If you are still updating manually, read on for why it really is a good idea to at least schedule your updates, or better still to turn on automatic updates if your hosting allows it.
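As an added example, not code from the original post and not configuration shipped by WordPress or Pixel Internet, here is what "turn on automatic updates" looks like in practice. Section 1 is a single line for wp-config.php; section 2 is a must-use plugin (dropped into wp-content/mu-plugins/, which WordPress loads unconditionally) that extends background updates to plugins and themes and adds a small self-check. The file name force-updates.php and the use of WP-CLI for the self-check are assumptions for the example.

```php
<?php
// Added example (not WordPress core code). Two files are shown in one listing.

// ---- section 1: wp-config.php ----------------------------------------------
// WP_AUTO_UPDATE_CORE controls background updates of WordPress itself:
//   true    apply every core release (major and minor) automatically
//   'minor' security and maintenance releases only (the default since 3.7)
//   false   never auto-update core
// 4.6 -> 4.6.1 is a minor release, so even the default would have applied it,
// provided nothing below has switched the updater off.
define( 'WP_AUTO_UPDATE_CORE', true );

// Either of these disables the background updater entirely. Check that a
// previous developer has not left them in the file.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );
// define( 'DISALLOW_FILE_MODS', true );

// ---- section 2: wp-content/mu-plugins/force-updates.php (assumed name) -----
// Plugins and themes are NOT auto-updated by default; these two filters opt
// every installed plugin and theme in. '__return_true' is a core helper.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme',  '__return_true' );

// The updater refuses to run if it finds a .git/.svn/.hg checkout in the
// install, on the assumption that deployments are managed elsewhere. Only
// override this if the site is deployed from a repository AND you still want
// background security updates applied to it.
// add_filter( 'automatic_updates_is_vcs_checkout', '__return_false' );

// Self-check: returns the names of settings that would stop updates running.
// Call it from WP-CLI, e.g.  wp eval 'print_r( force_updates_blockers() );'
function force_updates_blockers() {
    $blockers = array();
    if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
        $blockers[] = 'AUTOMATIC_UPDATER_DISABLED is true';
    }
    if ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) {
        $blockers[] = 'DISALLOW_FILE_MODS is true';
    }
    if ( defined( 'WP_AUTO_UPDATE_CORE' ) && false === WP_AUTO_UPDATE_CORE ) {
        $blockers[] = 'WP_AUTO_UPDATE_CORE is false';
    }
    // Background updates are triggered by WP-Cron. If it is disabled, a real
    // system cron job must request wp-cron.php instead.
    if ( defined( 'DISABLE_WP_CRON' ) && DISABLE_WP_CRON ) {
        $blockers[] = 'DISABLE_WP_CRON is true (make sure system cron calls wp-cron.php)';
    }
    return $blockers;
}
```

The updater also needs to be able to write to the WordPress files as the web server user; on hosts that require FTP credentials for updates, background updates will silently not happen, so it is worth confirming that a minor release has actually been applied rather than assuming it.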

WordPress 4.6.1 has been the stable release since 7th September 2016. The accompanying security and maintenance release announcement (https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-release/) explains that it fixes 15 bugs from version 4.6, including some Unicode (Vietnamese) characters displaying incorrectly in the Visual Editor, odd behaviour with thumbnails in preview, and emails failing on some server setups, and that it also closes two security vulnerabilities affecting WordPress 4.6 and all earlier versions.

In other words, this update patches two potentially severe security problems.

SumOfPwn researcher Cengiz Han Sahin discovered a stored cross-site scripting (XSS) flaw in the handling of image file names: an attacker able to upload an image could give it a crafted file name and, because that name was output without proper escaping, JavaScript chosen by the uploader would run in the browser of anyone who viewed a page on which the name appeared.

Script running in a logged-in administrator's browser can act as that user: steal login details through a fake login prompt, lift session tokens where they are exposed, change settings, create accounts or install further malicious code, any of which would leave your site wide open and quite possibly out of your control.
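To make the bug class concrete, here is an added example in plain PHP. It is not WordPress core code and not the 4.6.1 patch: a made-up media-listing helper that builds an img tag from an uploaded file's name, first in a vulnerable form and then hardened. The attacker's file name is constructed for the example; htmlspecialchars() stands in for the esc_attr() and esc_url() helpers you would use inside WordPress, and sanitize_name() is a simplified stand-in for core's sanitize_file_name().

```php
<?php
// Added example (not WordPress core code, not the 4.6.1 fix).

// Constructed attacker input. The upload can be a perfectly valid JPEG; only
// its NAME matters. The quote closes the src attribute early and the rest of
// the name smuggles an event handler into the tag.
const EVIL_NAME = 'x.jpg" onerror="alert(1)';

// VULNERABLE: the raw name is concatenated straight into HTML attributes.
function render_thumb_vulnerable( string $name ): string {
    return '<img src="/wp-content/uploads/' . $name . '" alt="' . $name . '">';
}

// HARDENED (output side): escape for the attribute context at the moment the
// value is written into HTML. Quotes become &quot; so the attribute can never
// be closed early, whatever the name contains. Inside WordPress: esc_attr()
// for the alt text and esc_url() for the src.
function render_thumb_hardened( string $name ): string {
    $safe = htmlspecialchars( $name, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return '<img src="/wp-content/uploads/' . $safe . '" alt="' . $safe . '">';
}

// HARDENED (storage side, defence in depth): only ever store a name made of
// characters that are harmless in both a filesystem path and an attribute.
// Simplified stand-in for WordPress' sanitize_file_name().
function sanitize_name( string $name ): string {
    $name = basename( $name );                             // no directory part
    $name = preg_replace( '/[^A-Za-z0-9._-]+/', '-', $name ); // collapse the rest
    $name = trim( $name, '.-' );                           // no leading dots
    return $name === '' ? 'file' : $name;
}

// Demonstration: compare the three renderings of the same crafted name.
echo "vulnerable: ", render_thumb_vulnerable( EVIL_NAME ), PHP_EOL;
echo "escaped:    ", render_thumb_hardened( EVIL_NAME ), PHP_EOL;
echo "sanitised:  ", render_thumb_hardened( sanitize_name( EVIL_NAME ) ), PHP_EOL;
```

Run it with the php command-line interpreter and look at the first line: the browser would see a closed src attribute followed by a live onerror handler. The second line keeps the whole name inside one attribute, and the third shows why sanitising on upload is worth doing as well, since the escaping then has nothing dangerous left to neutralise. The general rule is that escaping belongs at output, chosen for the context (attribute, text, URL, JavaScript), and input sanitising is a second layer, not a replacement.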

The second issue fixed in this update is a path traversal vulnerability in the upgrade package uploader, discovered by Dominik Schilling of the WordPress security team. Path traversal means that a file name containing sequences such as '../' is used to reach files outside the directory the code intended to work in.
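Here is an added example of that second bug class, again in plain PHP and again not WordPress core code or the actual 4.6.1 patch: a made-up helper that takes a package file name from a request and locates it inside an upload directory, shown with the traversal bug and then with the checks that confine it to that directory. The temporary directory and the test inputs are constructed for the example.

```php
<?php
// Added example (not WordPress core code, not the 4.6.1 fix).

// VULNERABLE: the request value is joined straight onto the upload directory,
// so a value of '../../wp-config.php' walks out of it.
function package_path_vulnerable( string $upload_dir, string $requested ): string {
    return $upload_dir . '/' . $requested;
}

// HARDENED: accept only a bare file name, resolve it, and confirm the result
// still lives directly inside the upload directory. Returns null on violation.
function package_path_hardened( string $upload_dir, string $requested ): ?string {
    // 1. Reject embedded NUL bytes first (they truncate paths in C code and
    //    make PHP's own path functions throw), then anything that is not a
    //    single path component. WordPress' validate_file() does a similar job.
    if ( strpos( $requested, "\0" ) !== false
        || $requested === '' || $requested === '.' || $requested === '..'
        || basename( $requested ) !== $requested ) {
        return null;
    }
    // 2. Canonicalise both sides, so symlinks and stray '..' cannot fool the
    //    containment test below.
    $base = realpath( $upload_dir );
    $real = realpath( $upload_dir . DIRECTORY_SEPARATOR . $requested );
    if ( $base === false || $real === false ) {
        return null; // directory missing, or no such package uploaded
    }
    // 3. Containment: the resolved file's parent must be the base directory.
    if ( dirname( $real ) !== $base ) {
        return null;
    }
    return $real;
}

// Self-contained demonstration against a constructed temporary upload dir.
function demo(): array {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pkg-demo-' . getmypid();
    mkdir( $dir );
    file_put_contents( $dir . DIRECTORY_SEPARATOR . 'plugin.zip', 'constructed fixture' );

    $cases = array( 'plugin.zip', '../../etc/passwd', 'sub/plugin.zip', "plugin.zip\0.txt", '..' );
    $out   = array();
    foreach ( $cases as $c ) {
        $out[ addcslashes( $c, "\0" ) ] = package_path_hardened( $dir, $c );
    }

    unlink( $dir . DIRECTORY_SEPARATOR . 'plugin.zip' );
    rmdir( $dir );
    return $out;
}

foreach ( demo() as $input => $result ) {
    printf( "%-20s -> %s\n", $input, $result === null ? 'REJECTED' : 'ok: ' . $result );
}
```

Only the plain 'plugin.zip' should come back accepted; every other case is rejected before any file is opened. The ordering matters: the cheap string checks run first, realpath() is only reached with a value already known to be a single component, and the final dirname() comparison catches anything the earlier checks did not anticipate.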

If you are running WordPress 4.6 or any earlier version, your site is affected by both issues, so update to 4.6.1 or later as soon as possible.

