WordPress 3.5.1 Security update

WordPress 3.5.1 is out. This is a maintenance and security update. The security fixes are for:
■ Server-side request forgery (SSRF) and remote port scanning via pingbacks. Fixed by the WordPress security team.
■ Cross-site scripting (XSS) via shortcodes and post content. Discovered by Jon Cave of the WordPress security team.
■ Cross-site scripting (XSS) …

Continue reading ‘WordPress 3.5.1 Security update’ »

WordPress Uploadify Vulnerability

Woke up this morning and saw a post by ITPixie regarding Uploadify vulnerabilities in multiple WordPress themes and plugins. One of the themes was one I remember looking at using, so I took a quick trip to the computer to make sure those files weren’t on my server (fortunately, they weren’t). Uploadify is used by WordPress themes and plugins to …

Continue reading ‘WordPress Uploadify Vulnerability’ »
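The check described above, done as a script rather than by hand: an added example, not code from the original post or from ITPixie. It walks a WordPress document root (the path is an assumption; pass your own) and lists any bundled Uploadify handler or Flash/JS component under themes and plugins, returning non-zero when something is found so it can gate a deploy or run from cron.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for bundled Uploadify files.
# The document root passed in is assumed (e.g. /var/www/html); nothing
# here comes from the original post.

# List every Uploadify component found below $1 (default: current dir).
# Uploadify ships as a PHP upload handler plus a Flash object and a jQuery
# plugin; any of them is worth inspecting, since themes and plugins copied
# the whole bundle in.
find_uploadify() {
    root="${1:-.}"
    find "$root" -type f \( -name 'uploadify.php' -o -name 'uploadify.swf' \
        -o -name 'uploadify.js' -o -name 'jquery.uploadify*.js' \) 2>/dev/null | sort
}

# Return 1 (and print the hits to stderr) if any Uploadify file exists,
# 0 when the tree is clean.
check_uploadify() {
    hits=$(find_uploadify "$1")
    if [ -n "$hits" ]; then
        printf 'Uploadify files found under %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# Example invocation (path assumed):
#   check_uploadify /var/www/html || echo "review or remove the files above"
```

Finding a file does not by itself prove the copy is the vulnerable one, but the handler only needs an unauthenticated request to be worth removing unless the theme or plugin still genuinely depends on it.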

WordPress 3.3.2 Security Update

WordPress 3.3.2 is out to fix multiple vulnerabilities. If you have a WordPress site somewhere on the internet, it is important to keep up to date. The affected components are:
■ Plupload (version 1.5.4), which WordPress uses for uploading media.
■ SWFUpload, which WordPress previously used for uploading media, and which may still be in use by plugins.
■ SWFObject, which WordPress …

Continue reading ‘WordPress 3.3.2 Security Update’ »

Dreamhost Adds One Click Cloudflare Option

Regular readers of this blog may remember that back in August I looked at both Cloudflare and Incapsula to protect and accelerate infosecblog.org. Webmasters are faced with two huge challenges. The first is keeping the blog secure. There were many recent examples of WordPress blogs, even security-related ones, being compromised. While it is always easy to …

Continue reading ‘Dreamhost Adds One Click Cloudflare Option’ »

WordPress Default Database Prefix

One of the commonly recommended hardening measures for WordPress is to change the default database table prefix (wp_). Leaving the default in place does not by itself create a SQL injection hole, but it lets an attacker who has found one guess table names such as wp_users without any further work, so changing the prefix is defense in depth rather than a substitute for patching. The easy way to do it is to set the prefix before installing WordPress for the first time. If you forget to do this, you can either …

Continue reading ‘WordPress Default Database Prefix’ »
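For the case where the site is already installed, here is the post-install route as an added example (not code from the original post). It generates the MySQL statements that rename the core tables from one prefix to another and, just as importantly, rewrites the two places where WordPress stores the prefix inside row data: the `user_roles` option and the per-user `capabilities`/`user_level` meta keys, without which nobody can log in afterwards. The table list is the WordPress 3.x core set; add any plugin tables to it. The wp-config.php path and the new prefix are assumptions for the example.

```shell
#!/bin/sh
# Added example: emit the SQL for moving an installed WordPress from one
# table prefix to another, and update $table_prefix in wp-config.php.
# Core table set as of WordPress 3.x (termmeta arrived in 4.4); extend it
# with any plugin tables found via SHOW TABLES LIKE 'wp\_%'.
WP_CORE_TABLES="commentmeta comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# prefix_change_sql OLD NEW  -> SQL on stdout; returns 1 for an unsafe NEW.
prefix_change_sql() {
    old="$1"; new="$2"
    # wp-config.php only accepts [A-Za-z0-9_]; refusing anything else also
    # keeps the generated SQL free of quote/comment characters.
    case "$new" in
        *[!A-Za-z0-9_]*|"") echo "invalid prefix: $new" >&2; return 1 ;;
    esac
    for t in $WP_CORE_TABLES; do
        echo "RENAME TABLE \`${old}${t}\` TO \`${new}${t}\`;"
    done
    # Rows that embed the prefix in their key names. LEFT() is used instead
    # of LIKE because '_' is a LIKE wildcard and would match too much.
    echo "UPDATE \`${new}options\` SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';"
    echo "UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, $((${#old} + 1)))) WHERE LEFT(meta_key, ${#old}) = '${old}';"
}

# set_config_prefix WP_CONFIG_PATH NEW  -> rewrites $table_prefix in place,
# keeping a .bak copy.
set_config_prefix() {
    sed -i.bak "s/^\(\$table_prefix *= *\)'[^']*'/\1'$2'/" "$1"
}

# Example run (paths and prefix assumed):
#   prefix_change_sql wp_ k3x_ | mysql wordpress   # after taking a backup
#   set_config_prefix /var/www/html/wp-config.php k3x_
```

Take a database dump first and apply the SQL and the wp-config.php change together; a mismatch between the two leaves the site unable to find its tables.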

WordPress 3.3.1 Released

If you haven’t logged into your WordPress today, this is news to you. Version 3.3.1 has been released to fix an XSS vulnerability. According to ThreatPost, this is only a vulnerability if you installed WordPress by browsing to the IP address. Most installs are hosted and you would browse to the site FQDN to install. These …

Continue reading ‘WordPress 3.3.1 Released’ »

WordPress 3.0.2 released

WordPress has released version 3.0.2 to address a privilege escalation vulnerability affecting users with Author access. Upgrading is recommended by the vendor even if you don’t have untrusted authors. The upgrade went smoothly on this blog. But on another blog, the update didn’t complete and the blog was stuck in maintenance mode. After taking care of …

Continue reading ‘WordPress 3.0.2 released’ »