The TimThumb vulnerability is still being exploited in the wild: another major site fell victim to it just yesterday. As sad as this situation may be, it goes to show that some sites may still be running the vulnerable script even though news of the vulnerability broke over six months ago.
As the old saying goes, there’s no time like the present, and now is the perfect time to install and run the TimThumb Vulnerability Scanner and Exploit Scanner plugins. If you are at all confused by the results of either of these scanners, the kind folks at the WordPress Support Forums will be more than happy to help you.
Technorati Tags: blog
Original post by James
It’s the weekend, time to work on your next WordPress plugin, but are you following the right security practices? At this year’s WordCamp San Francisco, core developers Mark Jaquith and Jon Cave, along with developer and author Brad Williams, covered some of the best security practices for plugin development and offered some real-life examples of just how easy it is to turn a world-class plugin into a crippling vulnerability.
“One of the greatest things about WordPress plugins is they can do anything, and one of the most frightening things about WordPress plugins is they can do anything.” ~ Mark Jaquith
Original post by James Huff
If you’re worried about the recent TimThumb security vulnerability, but haven’t had a chance to see if you’re affected, identifying and fixing vulnerable instances of TimThumb just got a whole lot easier thanks to a new plugin from Peter Butler.
Now, all you need to do is install and activate this plugin, run the scanner from the new Tools -> Timthumb Scanner section in your Dashboard, and click the Fix button to repair any vulnerabilities that are found.
Original post by James Huff
A zero-day vulnerability has been found in TimThumb, a popular image resizing script used by several WordPress themes. The person who discovered the vulnerability has issued a fix and instructions to detect any lingering hacks.
As described on the VaultPress blog, “The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.”
The folks at Sucuri have put together a list of just a few of the affected WordPress themes, to give you an idea of how many themes use TimThumb.
If your theme uses TimThumb, contact your theme author for an update immediately, or download the latest version if it has already been updated. If your theme author is not willing to offer an update, it’s probably time for a new theme, but you can also get the latest […]
Original post by James Huff
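The VaultPress description above boils down to one observable: a TimThumb cache directory should hold nothing but resized images, so anything in it that carries a PHP open tag or does not start with an image header is worth a look. The following scanner is an added example written for this post, not code from TimThumb, the scanner plugins mentioned here, or the original author; the cache directory path and the sample files it builds are constructed for the demonstration.

```python
import os
import tempfile

# Added example, not the page's or TimThumb's own code. A TimThumb cache
# directory should contain only cached images, so PHP markers or a missing
# image header are the signals a defender wants flagged.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")


def classify_file(path):
    """Return a list of findings for one cached file; empty means it looks like a plain image."""
    with open(path, "rb") as fh:
        data = fh.read()
    findings = []
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC):
        findings.append("not a JPEG/PNG/GIF by magic bytes")
    if any(marker in data for marker in PHP_MARKERS):
        findings.append("contains a PHP open tag")
    if path.lower().endswith((".php", ".phtml", ".php5")):
        findings.append("PHP file extension inside cache directory")
    return findings


def scan_cache_dir(cache_dir):
    """Walk a cache directory and map each suspicious path (relative) to its findings."""
    suspicious = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            findings = classify_file(path)
            if findings:
                suspicious[os.path.relpath(path, cache_dir)] = findings
    return suspicious


def demo():
    """Build a constructed cache directory: one clean image, two planted files."""
    cache = tempfile.mkdtemp(prefix="timthumb_cache_")  # constructed, not a real site path
    with open(os.path.join(cache, "clean.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    # image header followed by PHP: passes a naive header check, caught by the tag scan
    with open(os.path.join(cache, "polyglot.gif"), "wb") as fh:
        fh.write(b"GIF89a" + b"\x00" * 8 + b"<?php echo 'x'; ?>")
    with open(os.path.join(cache, "dropped.php"), "wb") as fh:
        fh.write(b"<?php phpinfo(); ?>")
    return scan_cache_dir(cache)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, "->", "; ".join(findings))
```

Point scan_cache_dir at a real theme's TimThumb cache directory to review its contents; a hit is a reason to investigate, not proof of compromise on its own, since the check is deliberately conservative about extensions and headers.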
WordPress 3.1.3 and 3.2 Beta 2 have been released. Both releases include a number of security fixes and are recommended for all users.
WordPress 3.2 Beta 2 also introduces support for Google Chrome Frame, an enhanced blue Dashboard color scheme, and a new version of jQuery.
Don’t delay, upgrade today!™ And, if you run into problems, contact the WordPress Support Forums.
Original post by James Huff
WordPress 3.1.2 has been released and “addresses a vulnerability that allowed Contributor-level users to improperly publish posts,” while also fixing a few bugs.
You should be able to upgrade automatically from the Dashboard -> Updates section of your blog’s Dashboard, but you can also upgrade manually if you run into trouble.
Original post by James Huff
WordPress 3.1.1 has been released. This maintenance and security release fixes 26 issues with the following highlights:
Performance improvements
Fixes for IIS6 support
Fixes for taxonomy and PATHINFO (/index.php/) permalinks
Fixes for various query and taxonomy edge cases that caused some plugin compatibility issues
Regarding this release’s security fixes, “the first hardens CSRF prevention in the media uploader, the second avoids a PHP crash in certain environments when handling devilishly devised links in comments, and the third addresses an XSS flaw.”
For most of you, 3.1.1 should be available as an automatic update via your Dashboard. If that isn’t working for you, you can download WordPress and perform a manual update.
Original post by James Huff
If you hate to read about security, then this great presentation by WordPress Core Developer Mark Jaquith on WordPress Theme and Plugin Security from WordCamp Phoenix 2011 is just for you!
The presentation is great to watch and quite educational for both WordPress users and developers.
Original post by James Huff
The article How did WordPress win? has certainly been making its rounds the last two days, but all eyes seem to be (for the most part) on this comment by core developer Mark Jaquith, who sums up the state of WordPress security quite well. It sure is hard to avoid quoting the entire thing here, but here are a few key points:
I haven’t seen an up-to-date WordPress install get directly exploited in around five years. Seriously. Every time I investigate a compromised WordPress install, it is either because they were running an old version (usually not just a little bit old, but really old), or because their web host was compromised.
[…]
When you’re paying $5 a month for hosting, three things will usually suffer: Stability, Security, and Support.
[…]
Two big priorities right now are: (a) making it super easy to stay up-to-date and (b) pushing web hosts to get their act together.
To […]
Original post by James Huff
WordPress 3.0.5 and 3.1-RC4 have been released.
Both releases address three security issues and add additional security enhancements, and 3.1-RC4 fixes “about two dozen additional bugs.”
Both updates are available immediately via your Dashboard, but users updating to 3.0.5 will need to update to the latest release of Akismet again. Core developer Andrew Nacin hopes to minimize “the Akismet update dance” in WordPress 3.1 and put an end to it in WordPress 3.2.
Original post by James Huff