Millions of websites running WordPress are being strongly advised to update to the latest version of the highly popular content management system as quickly as possible, after a serious security vulnerability was disclosed on 1st November, 2017.
Anthony Ferrara discovered the flaw in WordPress and described it as a significant SQL injection vulnerability, which was fixed in WordPress 4.8.3. Users who haven’t yet updated their version of WordPress are strongly advised to do so as soon as possible.
Ironically, last month’s release of WordPress 4.8.2 was actually intended to protect against the very same vulnerability, but according to Ferrara it broke a lot of websites and did not fix the root issue.
Ferrara said that he had informed the WordPress team of the problem straight after the release of version 4.8.2, but that he was effectively ignored by the security team for several weeks.
According to Ferrara, the newly released 4.8.3 security update does mitigate the problem. In his recent blog post about his interactions with the WordPress security team, however, he said that any security report should be handled as quickly as possible: sometimes every second counts and sometimes it doesn’t, but the team needs to show attention and demonstrate that they have actually read what was submitted in the report.
Anyone who needs to download the latest version of WordPress (4.8.3) can get it from the WordPress website, or simply go to Dashboard / Updates in the admin console and choose “Update now”.
Some WordPress installations support automatic background updates, which means they should already have updated themselves to the latest version of WordPress.
Automatic updates are not for everyone, though: many site admins working inside organisations are wary of rolling new versions of software onto their web servers before they have had a chance to test whether the update introduces any new problems.
The truth is that many websites out there are still running older, vulnerable versions of WordPress, and this may or may not be the only vulnerability that could be exploited against them.
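A quick way for an administrator to find such installs across a fleet is to read the version string WordPress declares in wp-includes/version.php and compare it against 4.8.3. The following is an added example, not code from the article or from WordPress; the file contents shown are a constructed sample of what that file contains.

```python
import os
import re

# Minimum release carrying the fix for the SQL injection flaw discussed above.
FIXED_VERSION = "4.8.3"

# Constructed sample of wp-includes/version.php; real installs declare
# $wp_version in exactly this form, so the regex below targets that line.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.8.2';
"""


def version_tuple(s):
    """Turn '4.8.3' into (4, 8, 3). A pre-release suffix such as '-beta1' is
    dropped, so '4.9-beta1' compares as (4, 9, 0)."""
    parts = []
    for piece in re.split(r"[.\-]", s):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_version(text):
    """Extract the $wp_version assignment from version.php contents, or None."""
    m = re.search(r"""^\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", text, re.M)
    return version_tuple(m.group(1)) if m else None


def needs_update(text):
    """True when the install is older than FIXED_VERSION. An unreadable
    version is treated as needing attention rather than silently passing."""
    v = parse_version(text)
    return v is None or v < version_tuple(FIXED_VERSION)


def check_docroot(path):
    """Check a WordPress document root on disk (path is an assumed argument)."""
    with open(os.path.join(path, "wp-includes", "version.php"), encoding="utf-8") as fh:
        return needs_update(fh.read())


if __name__ == "__main__":
    print("sample install needs update:", needs_update(SAMPLE_VERSION_PHP))
```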
Running your own WordPress-based site is a considerable amount of work. It is time-consuming to ensure that WordPress and its third-party plugins always remain up to date and keep working properly in order to fend off attacks.
The chances of your site being hit by hackers can be reduced by putting a web application firewall in place. Such a firewall attempts to filter and block malicious web traffic before it has a chance to exploit any weakness in the system.
It is worth mentioning that websites running self-hosted versions of WordPress from wordpress.org are very different from the millions of blogs hosted on wordpress.com. WordPress.com is run by Automattic, which manages the WordPress installation for you and also looks after security on your behalf.
Even though there are some limitations on what those website owners can do, they can always be sure that they are fully updated and running the latest version released by WordPress.