Knowing that a lot of people use DreamHost for their WordPress powered websites, it’s a bit unsettling to see that suspicious activity was detected within one of their databases and thus, passwords have been reset across FTP/Shell and VPS customer accounts. If you use DreamHost and have not been able to log in recently, this may explain why.
WordPress 3.3.1 Fixes Security Exploit
WordPress 3.3.1 was released last night and it addresses an important security issue discovered in WordPress 3.3. Along with the security fix, the release also fixes 15 issues that are outlined here. After I upgraded the Tavern website, I was a bit confused to see a number of things that were listed under the What’s New section. Most of the features outlined were introduced in WordPress 3.3, not 3.3.1.
When questioning this move on Twitter, Evansolomon responded with the following:
evansolomon @wptavern Full feature list is more useful for anyone using < 3.3. As 3.3 is still very new, good case that less accurate = more useful here
I guess that makes sense but it still throws me for a loop a little bit because it looks like those features were added with 3.3.1, not with 3.3. So the question I have for you is, do you think the What’s New section should be strict in only listing what’s new with that specific version or should other features from previous versions be shown as well?
Is Your WordPress Install Selling Handbags?
If you administer a WordPress powered website, you might want to check the directory structure, especially the wp-content/upgrade and wp-content/uploads directories, to see if you notice a folder called Tall. According to the folks at WPMU.org, one of their co-workers’ websites fell victim to an attack that involved an entirely new WordPress installation being installed along with an e-commerce system. While Google is reporting a ton of results, most of them appear to be sub-pages within the hacked domains and not individual sites. I’ve checked my own installs and everything seems to be fine. It needs to be stated that this is not known to be an exploit specifically with the WordPress software, although the project team is aware of the findings by WPMU.
Dre Armeda On WordPress End-User Security
From WordCamp Chicago 2011, here is a presentation by Dre Armeda, one of the guys behind the awesome security service/site Sucuri. It contains a ton of information that all end users should take note of.
Naughty Plugins Caught And Removed From Repository
Siobhan McKeown has published a disturbing yet not out of the ordinary article that explains how a couple of plugins were recently added to the plugin repository that were using a version of J-Query from J-Query.org, which after investigation proved to be a fake website. The purported J-Query file was actually propagating sites with CPA Infinity Affiliate Links. After the article was published, Otto responded in the comments to make note that the plugins were removed and the user who uploaded them has been banned. This is yet another reminder that the WordPress plugin repository is a powerful place to do naughty business for those that can get past a couple of pairs of eyeballs and not get noticed right away.
For the future, Otto recommends doing the following if you spot something malicious within a plugin on the repository:
Obviously malicious code doesn’t last long before somebody spots it (this one only lasted a week before somebody noticed, and it would have been removed that same day if anybody had reported it to us at plugins@wordpress.org), but unintended security holes can become widely propagated for a longer period of time, leading to issues when hackers find and exploit them. So they are of a somewhat higher priority to find.
Apparently, reporting offending plugins to that email address gets swifter action than anything else. Although not related specifically to this story, I think it’s good to be reminded of June 21, 2011 when a number of suspicious commits were made to popular plugins after hackers gained access to the plugin repository. Thankfully, those commits were caught in a short period of time but there is no guarantee that they would catch them in time again.
VaultPress Now Supports WordPress Multisite
VaultPress has announced that the latest edition of the plugin now supports WordPress Multisite. This has been a killer feature that owners of large multisite installs have been waiting for. VaultPress will automatically back up each site that is installed within the network. However, it must be noted that only the Network’s main site will have its users table, plugins, and themes backed up. For non-main sites, VaultPress will not back up users, plugins, or themes.
The money maker for VaultPress lies within the fact that each site within the network will require its own subscription, as if they were individual sites. There is not a plan that specifically covers multisite installations. Unless the sites within your network are making you some decent cash, this could potentially wipe you out from month to month, and you’ll need to decide as a site administrator how much that peace of mind is going to cost you. On the flip side, the way they have structured their plans allows you to back up only the most valuable sites within your network, providing you with more flexibility.
With regards to plan pricing, Pete Davies responded to a comment by Donnacha regarding a sliding pricing scale. It looks like it’s an opportunity that could be tapped into in the future.
bbPress 2.0.1 Released – Fixes Anonymous Security Bug
bbPress has released version 2.0.1, which is considered a maintenance release. However, if you have anonymous posting enabled, you’ll want to upgrade as soon as possible, as this release addresses an issue where anonymous posters could potentially be able to edit topics and replies. If upgrading from 2.0, try upgrading through the dashboard as you would with WordPress, as 2.0 introduced easy upgrades.
The Aftermath Of The TimThumb Vulnerability
Sucuri Security has a great post that begins to review the aftermath of the massive exploitation of the TimThumb image resizer script. According to their calculations, about a million pages have been compromised by the script, but when filtering down their results for the past thirty days, there were over 200,000 results. The exploitation of the script is still an ongoing problem and will most likely continue to be for the foreseeable future. If you think an old version of the TimThumb script is on your server, use the TimThumb vulnerability scanner plugin.
The TimThumb exploitation event is interesting in that so many websites became compromised despite the issue not being relevant to the core of WordPress itself. I wonder if there are any other popular scripts or dependencies that plugins or themes use that could end up in the same situation?
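As an added example (not code from the post, WPMU or Sucuri), here is a POSIX shell audit covering the two filesystem checks raised above: the Tall directory and any second WordPress install dropped under wp-content/upgrade or wp-content/uploads, and copies of timthumb.php together with the version constant they declare. It assumes a TimThumb copy declares its version as `define ('VERSION', '…');` near the top, and it builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Audit a WordPress tree for the indicators discussed above:
#  1. a directory named "Tall" (any case) or a nested WordPress install
#     under wp-content/upgrade or wp-content/uploads
#  2. copies of timthumb.php and the VERSION constant they declare
# Assumption: TimThumb declares "define ('VERSION', 'x.y');" in the file.

# Print suspicious directories/files under upgrade and uploads, one per line.
wp_rogue_paths() {
  root="$1"
  for d in "$root/wp-content/upgrade" "$root/wp-content/uploads"; do
    [ -d "$d" ] || continue
    # Directories named Tall, regardless of case
    find "$d" -type d -iname 'tall'
    # Core files that should never live inside writable content directories
    find "$d" -type f \( -name 'wp-config.php' -o -name 'wp-load.php' \)
  done
}

# Print "path<TAB>version" for each timthumb.php (or thumb.php) found.
wp_timthumb_versions() {
  root="$1"
  find "$root" -type f \( -iname 'timthumb.php' -o -iname 'thumb.php' \) |
  while IFS= read -r f; do
    v=$(grep -o "define *( *'VERSION' *, *'[^']*'" "$f" 2>/dev/null |
        sed "s/.*'\([^']*\)'$/\1/" | head -n 1)
    printf '%s\t%s\n' "$f" "${v:-unknown}"
  done
}

# Constructed sample tree (not a real site) so the audit can be exercised offline:
# one legitimate upload, a rogue Tall install, and an old TimThumb copy in a theme.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2011/09" \
           "$root/wp-content/upgrade/Tall/wp-admin" \
           "$root/wp-content/themes/demo/scripts"
  touch "$root/wp-content/uploads/2011/09/photo.jpg"
  touch "$root/wp-content/upgrade/Tall/wp-config.php"
  printf "<?php\ndefine ('VERSION', '1.33');\n" \
      > "$root/wp-content/themes/demo/scripts/timthumb.php"
  echo "$root"
}
```

Run `wp_rogue_paths /path/to/site` and `wp_timthumb_versions /path/to/site` against a real document root; any line printed by the first, or any TimThumb version older than the current release reported by the second, is something to investigate.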
WordPress Not The Choice For Multinational Search
Chris Liversidge of Search Engine Land gives an explanation as to why WordPress is not his platform of choice when it comes to multinational search. I was with him up until the point he discussed security, where he states that WordPress is plagued by frequent security updates. This is not true. Security within WordPress has gotten better with time, not worse, and it’s not like we’re updating WordPress every two weeks. I’m not sure what Chris wants in a CMS platform. One update a year? One update every 3 months that fixes security vulnerabilities instead of getting that fix immediately?
Four Common Sense Ways To Improve Security On Your WordPress Powered Site
Generally common sense material is listed in the article, but it’s always good to remind people about these techniques. As far as I’m concerned, just being in the know and having the awareness of what’s going on is half the battle.
On a final note, while website security can seem daunting and intimidating, it’s something that should be approached from a standpoint of keeping aware and in the know such that, if issues do arise on your website, you are able to calmly resolve the issue and get your website back to where it was, knowing full-well the scope of the security measures in place.
