Important WordPress 4.0.1 go update!

Security | WordPress

WordPress 4.0.1 has been released, with backward patches for many WordPress versions. It’s a vitally important update, because 4.0.1 is a security release containing not only some small (but important) security updates, but also releases to fix a major issue with pre-4.0 code. It’s also important everyone tells everyone to update.

I have seen a few peeps telling people not to update as it will cause problems this might be true but it’s really irrelevant as it will definitely cause you problems if you do not.

So what is this issue exactly?
Well, put simply, the vulnerability means anyone could post a comment and in certain situations, have javascript execute. A user viewing this comment, even within the comment section of the backend of the site could trigger the malicious code, making sites with “untrusted” users (for example users of contributor level) particularly vulnerable. Klikki Oy (They also win the office prize of the geekiest website of the day), a Finnish IT company, have built a proof of concept in which they both changed the exploited users password and added accounts, as well as then removing traces of the original exploited code from the database. Now this is quite scary stuff…

So how does it actually work?

Usually WordPress would not allow executable javascript in comments, limiting the HTML elements considerably and filtering the rest. This is regulated by a function which relies on a regular expression, and this is where the weakness is because this regular expression can be tricked into only partially filtering. This opens a door for elements to be manipulated and given additional attributes.

Unfortunately, this update may mean you temporarily lose functionality in some plugins, due to some plugin developers making use of the functions previous flexibility to parse short codes to their own functions, rather than making use of the Short code API. Fortunately many of these developers will be correcting this and releasing updates as soon as possible.

But I leave you with one thought. Isn’t it amazing how far WordPress has come and how mature the eco-system has become? While it’s true that this is a serious vulnerability, it’s been handled really well by the team on the support forums, and most updates have gone smoothly. This style issue even a couple of years ago would have been disastrous, with system admins frantically patching systems and people begging others to update. Many 3.7 or higher sites had updated before I’d git committed latest changes to my own site.

Now we just need to get the rest to upgrade anyhow the short video is for any sys-admins out there who need a reminder as to why we update our WordPress sites!

Helping you and your customers stay safe

WordPress Security Consulting Services

Power Hour Consulting

Want to get expert advice on your site's security? Whether you're dealing with a hacked site or looking to future-proof your security, Tim will provide personalised guidance and answer any questions you may have. A power hour call is an ideal starting place for a project or a way to break deadlocks in complex problems.

Learn more

Site Reviews

Want to feel confident about your site's security and performance? A website review from Tim has got you covered. Using a powerful combination of automated and manual testing to analyse your site for any potential vulnerabilities or performance issues. With a comprehensive report and, importantly, recommendations for each action required.

Learn more

Code Reviews

Is your plugin or theme code secure and performing at its best? Tim provides a comprehensive code review, that combine the power of manual and automated testing, as well as a line-by-line analysis of your code base. With actionable insights, to help you optimise your code's security and performance.

Learn more

Or let's chat about your security?

Book a FREE 20 minute call with me to see how you can improve your WordPress Security.

(No Strings Attached, honest!)