If You Haven’t Updated Your WordPress Site This Year, Get On It Now!

Updating immediately when a new version is released is one of the most important actions WordPress users can take to keep their site safe. The most recent release — 4.4.1 — is a case in point. It contains a patch that fixes a critical security vulnerability that impacts WordPress sites with versions of 4.4 or older.

The vulnerability has the potential to allow a successful cross-site scripting attack against WordPress sites. WordPress has released few details about the specifics of the attack, except to note that it could allow attackers to take over a WordPress site.

Cross-site scripting vulnerabilities are among the most common security issues on the web. They’re a serious risk for any site that allows user input via on-page form elements, APIs, and less obvious means.

In the prototypical cross-site scripting attack, a malicious user will take advantage of a flaw in the way the content management system sanitizes user input. Ideally, all user input should be sanitized so that any code it contains is rendered harmless. With a cross-site scripting vulnerability, an error in input sanitization allows a malicious user to embed executable code in a page. Because the code can be executed, it will be run in the browser environment of every user who loads the page.

Ordinarily, the same-origin policy would prevent external JavaScript from running on a page, but in an XSS attack, the malicious code comes from the same origin: the browser will trust it implicitly. Malicious code injected in this way has access to the full range of data in the browser’s context, including cookies and authentication credentials. If a logged-in admin user loads the page, the attacker can access their credentials, after which, the attacker owns the site.

If that’s not enough to persuade you to install the most recent version of WordPress, 4.4.1 comes with a number of other enhancements and bug fixes. In total, 52 bugs were fixed. A range of new emoji were added, including diverse emoji. And, sadly, Rdio embeds will no longer work with WordPress. The Rdio streaming music service recently closed down.

WordPress users who have automatic updates activated can ignore this post, because their WordPress site will have automatically installed the fixes. Although WordPress’ automatic updates for point releases were not greeted with unalloyed praise, they do make the WordPress world less friendly to attackers who rely on WordPress users to neglect to update. Unless you have good reasons not to activate them, your WordPress site will be safer with automatic updates turned on.

Comments

comments

Leave a Reply

Your email address will not be published. Required fields are marked *