Guess what? A new, important security update for WordPress arrived on March 6, 2017. What a surprise.
If you manage your own WordPress-based site, you should update it as soon as possible: the release notes reveal six security holes that a malicious attacker could exploit.
The new version is 4.7.3, and a warning was issued stating that outdated sites could be vulnerable to various threats, including cross-site scripting and cross-site request forgery:
- Cross-site scripting (XSS) through multimedia file metadata.
- Control characters can fool validation of the redirect URL.
- Unwanted files can be removed by administrators using add-on removal functionality.
- Cross-site scripting (XSS) through the URL of embedded YouTube videos.
- Cross-site scripting (XSS) through taxonomy terms.
- Cross-site request forgery (CSRF) in Press This resulting in excessive use of server resources.
The good news is that the researchers who discovered the flaws disclosed the details privately to the WordPress team, which allowed the bugs to be fixed before they were made public. Vulnerabilities are often found in third-party plugins, unrelated to the content management platform itself, but in this case they were in the core platform.
Site administrators should take the time to make sure these patches have been deployed on their web servers, because virtually any site running an older version could be at risk.
Fortunately, for most people the upgrade is fairly easy:
Open the administration panel (Dashboard) and go to Updates.
In fact, many users have made the sensible decision to have the platform update itself automatically whenever a new release is available.
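As an added example (this script is not part of the original post and not WordPress's own tooling), the following POSIX shell functions give an administrator a quick way to confirm the patch described above is actually deployed: they read `$wp_version` from `wp-includes/version.php`, compare it against 4.7.3, and report how `WP_AUTO_UPDATE_CORE` is configured in `wp-config.php`. The install tree it inspects in the demo is constructed inline so it runs offline; point `check_install` at a real install root to use it.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a self-hosted
# WordPress install is at or above the patched 4.7.3 release, and report
# how automatic core updates are configured in wp-config.php.
# The install tree and file contents in the demo below are constructed.

MIN_VERSION="4.7.3"   # first release carrying the six fixes listed in the post

# Print the $wp_version value from a wp-includes/version.php (empty if absent).
wp_version_from_file() {
  sed -n "s/^[\$]wp_version *= *'\([^']*\)';.*/\1/p" "$1" 2>/dev/null
}

# Return 0 when dotted version $1 >= $2. Pre-release suffixes such as
# "-alpha-40000" are stripped first so the numeric comparison does not break.
version_ge() {
  a="${1%%-*}."; b="${2%%-*}."
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; a=${a#*.}
    bi=${b%%.*}; b=${b#*.}
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
  done
  return 0
}

# Print the WP_AUTO_UPDATE_CORE value defined in wp-config.php, or "unset".
# Unset means WordPress's default: minor (security) releases install
# automatically; false turns that off, true also installs major releases.
auto_update_setting() {
  v=$(sed -n "s/^define( *'WP_AUTO_UPDATE_CORE', *\([^ )]*\) *);.*/\1/p" "$1" 2>/dev/null)
  echo "${v:-unset}"
}

# Check one install root. Returns 0 when patched, 1 when outdated,
# 2 when the version file could not be read.
check_install() {
  root="$1"
  ver=$(wp_version_from_file "$root/wp-includes/version.php")
  if [ -z "$ver" ]; then
    echo "$root: cannot read wp-includes/version.php"
    return 2
  fi
  echo "$root: WordPress $ver, WP_AUTO_UPDATE_CORE=$(auto_update_setting "$root/wp-config.php")"
  if version_ge "$ver" "$MIN_VERSION"; then
    echo "$root: patched (>= $MIN_VERSION)"
    return 0
  fi
  echo "$root: OUTDATED, update to $MIN_VERSION or later"
  return 1
}

# Demo on a constructed install tree: an outdated 4.7.2 with auto-updates off.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-includes"
printf "<?php\n\$wp_version = '4.7.2';\n" > "$demo_root/wp-includes/version.php"
printf "<?php\ndefine( 'WP_AUTO_UPDATE_CORE', false );\n" > "$demo_root/wp-config.php"
check_install "$demo_root" || true
rm -rf "$demo_root"
```

Running it against several document roots in a loop is a cheap way to audit a fleet of self-hosted sites after a release like this one; an install that reports `WP_AUTO_UPDATE_CORE=false` is one that will not pick up the next security release on its own.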
In my experience, managing your own site can be considered a job, since you have to make sure that WordPress and its third-party plugins are up-to-date and able to defend against attacks.
You can further reduce your chances of being victimized by investing in a web application firewall that filters and blocks malicious HTTP traffic before it reaches a vulnerability on your platform.
Keep in mind that self-hosted WordPress installations downloaded from wordpress.org are distinct from the many millions of blogs hosted on wordpress.com.
Although there are limits on what site owners can do on wordpress.com, they can always be sure they are running the latest version of the platform.
Hope the article helped, and remember to update!