Keeping your WordPress Blogs Speedy & Secure

WordPress 4.7.3 Security Release – Important

WordPress 4.7.3 is now available. This is a security release for all previous versions and we at BlogSec strongly encourage you to update your sites immediately.

Security issues fixed:

  • Cross-site scripting (XSS) via media file metadata.
  • Control characters can trick redirect URL validation.
  • Unintended files can be deleted by administrators using the plugin deletion functionality.
  • Cross-site scripting (XSS) via video URL in YouTube embeds.
  • Cross-site scripting (XSS) via taxonomy term names.
  • Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.

In addition to the security issues above, WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. For more information, see the release notes or consult the list of changes.

Please contact BlogSec if you’d like assistance in keeping your sites secure!

Simple WordPress Security

Here are presentation slides on some WordPress security basics; the slides can be downloaded here.

Please contact us if you need help securing your WordPress sites.

PCI DSS & WordPress

I gave a presentation last night on the PCI DSS Credit-Card security standards and how they apply to WordPress eCommerce users.

The slides can be downloaded here.

Please contact us if you need help securing your eCom sites.


General PCI DSS information & resources:
https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard
https://www.pcisecuritystandards.org/security_standards/
https://www.pcisecuritystandards.org/security_standards/documents.php (SAQs are here)

Sloppy patching, insecure plug-ins made Panama Papers leak possible

WordPress Attacks: Time To Wake Up

High-profile WP sites hacked: MIT, NEA and Penn State servers.

CheckMarx reports on insecurity in top plugins

CheckMarx reports they have analyzed the 50 most popular WordPress plugins and found:

  • 20% of the most popular plugins are vulnerable to common Web attacks
  • 7 of the 10 most popular eCommerce plugins are vulnerable to common Web attacks

One might guess that less popular plugins are, on average, worse.

Recommendations:

  1. Only download plugins from WordPress.org
  2. Keep your plugins up-to-date
  3. Uninstall unused plugins
  4. Especially for e-Commerce sites, limit the number of plugins
  5. Avoid plugins which appear to be long out-of-date or abandoned

BotNet attacking WordPress hosts with brute-force password attempts

Ars Technica reports a BotNet with 90,000 IP addresses is trying to brute-force WordPress installs via password guessing.
BlogSec.net recommends performing the following steps immediately to protect your sites from getting hacked:

  1. disable or rename the default admin accounts (replace them with accounts under different names, each with a strong password)
  2. limit the number of admin / network admin accounts
  3. install a plugin such as Limit Login Attempts

Pass-Phrase advice cartoon

WordPress Cache plugins vulnerable, actively exploited

Vulnerabilities have been found in 2 caching plugins, W3 Total Cache and WP Super Cache, and are being actively exploited; be sure you update your plugins!