WordPress security news and issues.
Welcome to the sixthΒ βWeek in Reviewβ on Post Status, where I hope to offer up some of the things you may have missed in the last week or so. Unfortunately, I haven’t posted since the last week in review. Trust me, that’ll change this week. There are already a lot of posts lined up for…
Utilizing SSH keys in conjunction with the servers you connect to is a great and highly recommended security practice. SSH stands for “Secure Shell” and enabling SSH for a server creates a secure channel between you (via the command line) and your server. SSH keys help the server validate and authenticate who you are. SSH…
Welcome to the fourthΒ βWeek in Reviewβ on Post Status, where I hope to offer up some of the things you may have missed in the last week or so. There are a lot of great reads to catch up on this week: WordPress Beta 2 is ready for testing Self explanatory but important — WordPress…
Scott Kingsley Clark notified me this morning that a security update has been released for all versions of Pods 2.0 and later. Pods allows for the creation or extension of WordPress content types. Any website that uses the feature to extend WordPress’ default Users with Pods are vulnerable to this bug. Here’s how Scott describes…
I encountered an article today that made my blood boil. Phillip Thomson wrote about the cost of three websites for the Australian Minister of Foreign Affairs for the Sydney Morning Herald. The article blasts Julie Bishop and her department for spending $113,000 on upgrades and maintenance for three websites. I have no opinion on Australian…
Pagely has made some drastic changes to their hosting platform over the last few months. They’ve moved from Firehost to being fully powered by Amazon Web Services (AWS), led by their new CTO, Joshua Eichorn. Measuring tiers of hosting by pageviews is a popular method for WordPress hosting companies, but Pagely doesn’t do that. They…
Some WooThemes customers are alleging that their credit cards suffered from fraudulent charges after purchasing items from WooThemesβ website. The point of vulnerability is unknown at this time. The number of affected customers is unknown. The following is whatΒ we know: Just after 3:00 p.m. central time Wednesday, May 7th, WooThemes publicly tweeted struggles with their…
A WordPress website is very affordable to get up and running. You can do it for free, plus the cost of your average shared hosting account. However, running a more serious site can get considerably more expensive. Here’s the list of stuff that I use here on Post Status, along with associated costs. I’m also…
Stack Overflow co-founder Jeff Atwood writes why companies are not hiring the best and the brightest employees. While the title says the article is about hiring, it’s really about working. His points boil down to a promotion for distributed workforces. He even highlights Automattic, though he incorrectly refers to them as WordPress. One point I…
Last week’s 3.8.2 security releaseΒ introduced a bug where drafts written with the Quick Draft tool in the dashboard were not saved. That bug is fixed with today’s 3.8.3 release. What’s really interesting about this release is that not only is the bug fixed, but discarded draft posts will be restored, if possible. ItβsΒ possibleΒ that the quick…
A severe Jetpack vulnerability has been disclosed and patched in Jetpack. The bug allows attackers to publish posts, and has existed since 2012. TheΒ Jetpack blog postΒ states the following: During an internal security audit, we found a bug that allows an attacker to bypass a siteβs access controls and publish posts. This vulnerability could be combined…
The good folks over at interconnect/it have backported the recent security updates for WordPress to the 3.5 and 3.6 branches, due to having some clients running older versions that, for whatever reason, aren’t able to upgrade at this time. They’ve included both SVN patch files and a full zip of changed files for sites not…
All of your websites are ready for updates. There is a security and maintenance release ready for WordPress 3.8.2 and WordPress 3.7.2. It’s being released for both 3.7 and 3.8 due to the auto-updating feature released in WordPress 3.7. One of the items updated was to address the processing of pingbacks. The fix is identical…
Akismet, the popular WordPress spam prevention plugin by Automattic, has released an update with a number of fixes, including two to address recent reports of DDOS risks in WordPress related to pingbacks. The post describes the two points that address the pingback issues: “Include X-Pingback-Forwarded-For header in outbound WordPress pingback verifications.” “Add a pre-check for…
Clef is a password-less login solution that utilizes a phone app and WordPress plugin for more secure logins. You can get more specific information about two-factor authentication (which is different than this, but along similar lines) on my post where I experimented with two-factor authentication on WordPress.com. Clef has now partnered with WPMU DEV to…
A great post from Zack Tollman at The Theme Foundry on why defaulting to what most consider best practices can sometimes be detrimental to performance. Using a CDN (content delivery network) for the new site was a forgone conclusion, as we assumed it would help us speed things up. But, after testing with a few…
End of content
End of content
