A few days ago WordPress announced on its blog that a major security flaw affects older versions of the popular CMS. Upgrade to 4.0.1 without delay!
WordPress security holes keep coming, and no two are alike. After the Revolution Slider and WP E-Commerce plugins were breached, it is now the turn of the WordPress core itself to suffer a major security flaw!
Major WordPress security breach
Are you affected?
If your WordPress installation is older than 3.7.4, yes: it is time to set aside a moment to update your website.
Versions 3.9.2, 3.8.4, and 3.7.4 have been automatically updated by WordPress to a new version 3.9.3, 3.8.5, or 3.7.5.
Version 4.0 is not affected, but version 4.0.1 also addresses 23 minor bugs.
As a reminder, your WordPress version is shown in your dashboard when you enter the back office.
How do I update WordPress?
Before upgrading, it is best to make a backup of your site to avoid any data loss. A backup of the database and of the entire wp-content folder gives you a copy of your site and all its content that you can easily restore.
Once the backup is done, simply go to the dashboard and click on “Update”. On the “Update” page the update itself is quick and should not cause any problems. Take the opportunity to update your plugins and themes as well, since they are sometimes subject to security flaws of their own.
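To make the two steps above (check which version you are running, then back up the database and wp-content before updating) repeatable, here is an added POSIX shell example. It is not code from the post or from WordPress: it assumes a standard install layout (wp-includes/version.php and wp-config.php under the site root), the patched release numbers quoted in the post (3.7.5, 3.8.5, 3.9.3, 4.0.1), and that mysqldump and tar are available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post): pre-update check and backup for WordPress.
# Assumes the usual layout: $root/wp-includes/version.php and $root/wp-config.php.

# Print the installed version from wp-includes/version.php, e.g. "3.9.2".
wp_installed_version() {
  sed -n "s/^[$]wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# Compare two dotted numeric versions; prints lt, eq or gt.
# Missing components count as 0, so 4.0 is lt 4.0.1. Pre-release suffixes
# (e.g. "-beta1") are not handled.
version_cmp() {
  a="$1"; b="$2"
  while [ -n "$a$b" ]; do
    case "$a" in *.*) ai="${a%%.*}"; a="${a#*.}";; *) ai="$a"; a="";; esac
    case "$b" in *.*) bi="${b%%.*}"; b="${b#*.}";; *) bi="$b"; b="";; esac
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then echo lt; return; fi
    if [ "$ai" -gt "$bi" ]; then echo gt; return; fi
  done
  echo eq
}

# Lowest release of each branch that carries the fixes described in the post.
fixed_release_for() {
  case "$1" in
    3.7|3.7.*) echo 3.7.5 ;;
    3.8|3.8.*) echo 3.8.5 ;;
    3.9|3.9.*) echo 3.9.3 ;;
    4.0|4.0.*) echo 4.0.1 ;;
    *) echo "" ;;
  esac
}

# Print "update" when the given version is below the patched release of its
# branch (or older than the 3.7 branch altogether), otherwise "ok".
# Assumption: branches newer than 4.0 already include the fixes.
needs_update() {
  fixed=$(fixed_release_for "$1")
  if [ -z "$fixed" ]; then
    if [ "$(version_cmp "$1" 3.7)" = lt ]; then echo update; else echo ok; fi
    return
  fi
  if [ "$(version_cmp "$1" "$fixed")" = lt ]; then echo update; else echo ok; fi
}

# Read a define('KEY', 'value') constant such as DB_NAME out of wp-config.php.
wp_config_value() {
  sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1/wp-config.php"
}

# Dump the database and archive wp-content into $2 before running the update.
wp_backup() {
  root="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  # MYSQL_PWD keeps the password out of the process list that --password= would expose it in.
  MYSQL_PWD="$(wp_config_value "$root" DB_PASSWORD)" \
  mysqldump --host="$(wp_config_value "$root" DB_HOST)" \
            --user="$(wp_config_value "$root" DB_USER)" \
            "$(wp_config_value "$root" DB_NAME)" > "$dest/db-$stamp.sql"
  tar -czf "$dest/wp-content-$stamp.tar.gz" -C "$root" wp-content
}

# Usage: sh wp_precheck.sh /path/to/wordpress /path/to/backups
if [ "$#" -ge 1 ]; then
  v=$(wp_installed_version "$1")
  echo "installed: $v -> $(needs_update "$v")"
  if [ "$#" -ge 2 ] && [ "$(needs_update "$v")" = update ]; then
    wp_backup "$1" "$2"
  fi
fi
```

Run it with the site root as the first argument to see whether the installed version is below the patched release for its branch; add a backup directory as the second argument and it dumps the database and archives wp-content only when an update is actually needed. Restoring is the reverse: import the .sql dump and unpack the archive over wp-content.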
What are the risks?
According to WordPress, six major vulnerabilities have been disclosed:
– Cross-site scripting (XSS) issues that a contributor or author could use to compromise a site. Cross-site scripting is often used to redirect visitors to another site for phishing or to steal cookies.
See Wikipedia for cross-site scripting: http://fr.wikipedia.org/wiki/Cross-site_scripting
– A cross-site request forgery (CSRF) attack that can trick users into changing their passwords.
Wikipedia for cross-site request forgery: http://fr.wikipedia.org/wiki/Cross-Site_Request_Forgery
– A bug that can lead to a denial of service when a user’s password is checked.
Wikipedia on denial of service attack: http://fr.wikipedia.org/wiki/Attaque_par_d%C3%A9ni_de_service
– Additional protections against request forgery attacks when WordPress makes an HTTPS request.
– An unlikely “hash collision” bug that could compromise a user’s account (this required that the user had not logged into the site since 2008…).
– And finally, the invalidation of the links that WordPress sends when a user resets their password.