Archive for WordPress

WordPress 3.6.1 Security Update

The WordPress 3.6.1 Security Update was released this week. I highly recommend updating your site as soon as possible.

3.6.1 patches 3 important security vulnerabilities that exist in 3.6, listed below:

  • Block unsafe PHP unserialization that could occur in limited situations and setups, which can lead to remote code execution. Reported by Tom Van Goethem.
  • Prevent a user with an Author role, using a specially crafted request, from being able to create a post “written by” another user. Reported by Anakorn Kyavatanakij.
  • Fix insufficient input validation that could result in redirecting or leading a user to another website. Reported by Dave Cummo, a Northrup Grumman subcontractor for the U.S. Centers for Disease Control and Prevention.

Additionally, the WordPress Security Team adjusted security restrictions around file uploads to mitigate the potential for cross-site scripting.

Make plans to upgrade to WordPress Core version 3.6.1 now to keep your site secure. As always, be sure to back up your files and database before upgrading to 3.6.1. I highly recommend Backupbuddy, which allows you to easily schedule or run on demand either a full site backup or a database-only backup. If you are more comfortable having someone else run your backups and install updates, I am more than happy to help.

How to Defend Your Site Against a Brute Force Attack

By now many of you have heard about the brute force attack being used to create a giant botnet from Hell. Most news stories are focusing on WordPress sites, but any PHP-based web publishing platform is susceptible, including Joomla and Drupal.

Highlights of What You Need to Know:

  • This is not a WordPress specific attack
  • A strong password and username are your first line of defense. Do not use “admin” as your username. Ensure all usernames and passwords are complex enough that they can’t easily be guessed: at least 10 characters, mixing upper and lower case letters, numbers and symbols, and containing no word found in a dictionary. I recommend using a random password generator.
  • Do not share your username and password with anyone.
  • When accessing your accounts over a public network or computer, be PARANOID. In these settings, do not access accounts with sensitive information (your website admin, bank accounts, credit cards, etc.) unless you are using a strong password management tool with two-way encryption. Even then, I don’t log in to sensitive accounts on a public network unless necessary.
  • Use a password management program. Gone are the days when you could combine your pet’s name and date of birth for ALL your login accounts. You aren’t still doing that, are you? Many people have dozens if not hundreds of online accounts these days. You should not use the same password across sites: if one site is compromised, it can open the doors to all the others. I recommend LastPass, but there are other programs available, like 1Password. Do your research and choose a program with a good reputation.
  • Change your passwords regularly. Implement a schedule to change the passwords on your most sensitive accounts on a regular basis, at least once per year, though every 6 months would be better.
  • If your site or blog is hosted on WordPress.com, your site is secure, but your password may not be. Consider changing your password and using two-step authentication.
  • This article on the WordPress Codex gives more tips for protecting your WordPress site against a Brute Force attack. It includes a list of plugins that can limit the number of login attempts.
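Two of the defenses in the list above can be shown in working code: a password policy check matching the rules described (length, mixed case, digits, symbols, no dictionary word, no “admin” username) and a failed-login limiter of the kind the Codex plugins provide. The Python below is an added illustration written for this page; it is not code from this blog or from any WordPress plugin. The word list, the thresholds, the sample usernames and the client IPs are constructed for the demonstration.

```python
import re
import time
from collections import defaultdict, deque

# Policy from the post: at least 10 characters, upper and lower case, digits,
# symbols, and no dictionary word. COMMON_WORDS is a constructed stand-in for
# a real dictionary file; a deployment would load a full word list.
MIN_LENGTH = 10
COMMON_WORDS = {"password", "admin", "wordpress", "welcome", "letmein", "qwerty"}
FORBIDDEN_USERNAMES = {"admin", "administrator", "root"}  # constructed list


def password_problems(password: str) -> list:
    """Return the policy rules a password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


def username_ok(username: str) -> bool:
    """Reject the default and other well-known administrative usernames."""
    return username.lower() not in FORBIDDEN_USERNAMES


class LoginThrottle:
    """Sliding-window limiter on failed logins per (username, client IP).

    After max_attempts failures inside window_seconds the pair is locked out
    for lockout_seconds. This models what limit-login-attempts plugins do;
    it is a hypothetical illustration, not any plugin's implementation.
    """

    def __init__(self, max_attempts=5, window_seconds=900,
                 lockout_seconds=1800, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock  # injectable so the behaviour can be tested offline
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}  # key -> absolute time the lockout ends

    @staticmethod
    def _key(username, ip):
        return (username.lower(), ip)

    def is_locked(self, username, ip) -> bool:
        """True while a lockout is active; expired lockouts are cleared lazily."""
        key = self._key(username, ip)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, username, ip) -> bool:
        """Record one failed attempt; return True if it triggered a lockout."""
        key = self._key(username, ip)
        now = self.clock()
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # drop stale entries
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, username, ip) -> None:
        """A successful login resets the counter for that username/IP pair."""
        key = self._key(username, ip)
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


if __name__ == "__main__":
    print(password_problems("password123"))      # fails several rules
    print(password_problems("Tr0ub4dor&3x!"))    # passes: []
    throttle = LoginThrottle(max_attempts=3, window_seconds=60, lockout_seconds=120)
    for _ in range(3):
        throttle.record_failure("jane", "203.0.113.7")  # constructed client IP
    print(throttle.is_locked("jane", "203.0.113.7"))   # True
```

The throttle keys on both username and source address so that a distributed attack guessing one account from many addresses, and a single address cycling through many accounts, are each counted; a real plugin usually adds a per-IP counter across all usernames as well.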