A group of security flaws has been found and fixed in WordPress. WordPress website owners need to be aware and take action.
What has happened?
This alert was issued yesterday (April 21st 2015) on the WordPress site.
A number of WordPress extensions were written in a manner which allowed attacks to penetrate the web site. These flaws are called "XSS" (cross-site scripting) vulnerabilities. In the usual manner, WordPress has advised the developers, who should all have created updated versions of their plugins with the flaw fixed. They then advise us and you, the web developers and web site owners, so that we can apply these fixes.
What should you do?
The updated versions of these plugins need to be applied. You can log in to the WordPress Administration area and update all plugins which have available updates. Or you could call Channel or another web developer to do it for you.
This is normally a very easy process. Where a plugin is unmodified and uncustomised, the automated update is quick and easy and rarely if ever breaks anything. The only visible change is the version number of the plugin; nothing else should usually change.
However, where a plugin has been customised to do something special for you, it is possible that the customisation would make the update not work. In this case your developer should make the changes for you, as they can review their code changes and ensure that they are not impacted by the security update.
In any event, it is good practice to take a full backup of the web site before making these or any similar major changes. That way, if anything should go wrong during the update, you can easily roll back to the previously working web site.
Please contact the Channel team if you have a WordPress site and would like it updated, secured, scanned, or otherwise looked after.
See these resources for more information:
- Channel - WordPress Security Hardening tips: http://www.channeldigital.co.uk/blog/top-eight-wordpress-security-tips.html
- Sucuri Blog - WordPress XSS Vulnerability: https://blog.sucuri.net/2015/04/security-advisory-xss-vulnerability-affecting-multiple-wordpress-plugins.html
- WordPress Announcement: https://wordpress.org/news/2015/04/wordpress-4-1-2/