Posts

WordPress 4.5.3 security update

From the WordPress 4.5.3 release notes, WordPress versions 4.5.2 and earlier are affected by several security issues:

  • Redirect bypass in the customizer, reported by Yassine Aboukir.
  • Two different XSS problems via attachment names, reported by Jouko Pynnönen and Divyesh Prajapati.
  • Revision history information disclosure, reported independently by John Blackbourn from the WordPress security team and by Dan Moen.
  • oEmbed denial of service, reported by Jennifer Dodd from Automattic.
  • Unauthorized category removal from a post, reported by David Herrera from Alley Interactive.
  • Password change via stolen cookie, reported by Michael Adams from the WordPress security team.
  • Some less secure sanitize_file_name edge cases, reported by Peter Westwood of the WordPress security team.

WordPress 4.5.3 also fixes 17 bugs from 4.5, 4.5.1 and 4.5.2:

  • #35657 Image height calculation not always available on body.load
  • #36379 Saving post can remove its hierarchical terms if user cannot
  • #36531 Default image size medium_large is not generated
  • #36533 Doesn’t work browse media library on Frontend
  • #36590 POST['nav-menu-data'] breaks other POST
  • #36637 Inline linking inserts `_wp_link_placeholder`
  • #36660 WP_Customize_Widgets::preview_sidebars_widgets() can return false
  • #36708 Silence ini_set() in wp_debug_mode() if WP_DEBUG is off
  • #36748 Updating tables to utf8mb4 causes some columns to change type
  • #36749 Customizer won’t load: issue with site-icon control
  • #36767 oEmbed performance optimisation
  • #36793 Customizer doesn’t load in IE8
  • #36838 Invalid argument supplied for foreach() in /wp-includes/theme-compat/embed-content.php
  • #36861 The Insert into post button in the Edit Image window doesn’t work.
  • #36876 TinyMCE: inline toolbars don’t adjust position
  • #36892 Update jQuery migrate to 1.4.1
  • #36900 Media grid AttachmentsBrowser arrows navigation and restoreFocus()

WP Mobile Detector Vulnerability Being Exploited in the Wild

Please note that a vulnerability has been found in the WP Mobile Detector plugin used by many WordPress sites.

According to Sucuri, this issue has now been patched. If you use WP Mobile Detector, please make sure your WordPress installation and the plugin are up to date.

Even if you do not use WP Mobile Detector, please make sure you update your WordPress plugins regularly.

If you want to know more about the WP Mobile Detector vulnerability, please read the full Sucuri blog post about this issue.

Critical Security Update WordPress 4.0.1

WordPress has published a new critical security release: WordPress 4.0.1. The issues it resolves are listed below:

WordPress 4.0.1 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

Sites that support automatic background updates will be updated to WordPress 4.0.1 within the next few hours. If you are still on WordPress 3.9.2, 3.8.4, or 3.7.4, you will be updated to 3.9.3, 3.8.5, or 3.7.5 to keep everything secure. (We don’t support older versions, so please update to 4.0.1 for the latest and greatest.)

WordPress versions 3.9.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. This was reported by Jouko Pynnönen. This issue does not affect version 4.0, but version 4.0.1 does address these eight security issues:

  • Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
  • An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.

Version 4.0.1 also fixes 23 bugs with 4.0, and we’ve made two hardening changes, including better validation of EXIF data we are extracting from uploaded photos. Reported by Chris Andrè Dale.

We appreciated the responsible disclosure of these issues directly to our security team. For more information, see the release notes or consult the list of changes.

Download WordPress 4.0.1 or venture over to Dashboard → Updates and simply click “Update Now”.

WordPress and Drupal Updates

Please note that there are new updates for WordPress and Drupal to stop brute force attacks on these websites: a security researcher revealed a new crucial vulnerability that allows offenders to launch a very effective denial of service attack through a process that circumvents existing security measures.

Please make sure you have updated your WordPress to version 2.9.2 and your Drupal to either 7.31 or 6.33 (depending on which Drupal version you are running).

If you want more information, check out the following blog post on this topic.

Joomla and WordPress Brute Force attacks

If you are using Joomla or WordPress, there is a high chance your site is under attack now, or will be in the near future, by a so-called brute force attack.
The attacker tries to gain access to your application by guessing the password, which often succeeds because users keep the default username or use simple passwords.

Such an attack also has an impact on system resources. When the attack comes from another infected server, and many of these infected sites target your site together, it works a bit like a DDoS: all the resources of your account get used up and your account is slowed down, and with very large attacks it might even affect server performance in general.

While we take many precautions against such attacks, the best way to counter them is to install a script which blocks an IP address after a number of failed logins.
Such scripts exist for both WordPress and Joomla. If you do not use WordPress or Joomla, please check with your software developer whether a login limit exists or can be implemented.

WordPress – We have seen good results with the following plugins:

Bruteprotect: https://wordpress.org/plugins/bruteprotect/
Wordfence: https://wordpress.org/plugins/wordfence/

Joomla – While we have no direct experience with it, the following plugin should help:

Brute Force Stop: http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection/22982
Another plugin one of our customers recommends is: https://www.akeebabackup.com/products/admin-tools.html

In some cases it is possible to protect the /wp-admin/ (WordPress) or /administrator/ (Joomla) directory with .htaccess authentication; because .htaccess works at the server level, our WAF (Web Application Firewall) will then act as a login limiter and block IPs that repeatedly fail authentication.
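As an added example (not code from this page or from any of the plugins named above), here is the check that a login limiter or WAF performs, written in Python over a constructed Apache access log: a failed WordPress login re-renders wp-login.php with HTTP 200 while a successful one redirects with 302, so counting such POSTs per client IP in a sliding window finds the attacker. The threshold, window, and the RFC 5737 sample addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path without query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT),
            m["method"], m["path"].split("?", 1)[0], int(m["status"]))

def is_failed_login(rec):
    # A failed WordPress login re-renders wp-login.php (HTTP 200);
    # a successful one redirects to the dashboard (HTTP 302).
    _, _, method, path, status = rec
    return method == "POST" and path.endswith("/wp-login.php") and status == 200

def find_bruteforcers(lines, max_failures=5, window=timedelta(minutes=10)):
    """Sliding window per client IP: returns {ip: time the limit was first hit}."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts older than the window
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = ts
    return flagged

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2016:08:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3512' % s
    for s in range(0, 50, 10)   # five failures within 40 seconds: the guessing client
] + [
    '203.0.113.5 - - [10/Jun/2016:08:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',    # real login
    '203.0.113.9 - - [10/Jun/2016:08:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2210',  # just the form
    '203.0.113.9 - - [10/Jun/2016:08:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3512', # one typo
]

if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_LOG).items():
        print(f"block {ip}: limit reached at {when:%H:%M:%S}")
```

Behind a CDN or reverse proxy the first log field is the proxy's address, so the forwarded client address has to be logged and used instead, otherwise every visitor is counted together.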

[Resources] Stop WordPress Bruteforce Logins

There are many different WordPress plugins; some work locally, some work with a community. If you are looking for a plugin to secure your site against brute force logins (and likely other hack attempts), you can use the BruteProtect plugin.

BruteProtect is a cloud-powered Brute Force attack prevention plugin and the ONLY SECURITY PLUGIN able to guard against botnet attacks.

BruteProtect logs every failed attempt community-wide

When an IP has too many failed attempts in a specific period of time, BruteProtect logs and blocks that IP across the entire BruteProtect network (your site included). The more users of BruteProtect there are, the safer we all are from traditional brute force attacks and from distributed brute force attacks that use many different servers and IP addresses.

Website: http://bruteprotect.com/