WordPress 4.3.1 Security Release

Posted on Sep15 by

WordPress version 4.3.1 was released today, which is a security update for all previous WordPress versions. This version of WordPress addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation. (CVE-2015-5714). WordPress 4.3.1 also fixes twenty-six bugs! You can read the full announcement here.

To help keep sites using VaultPress secure, we have released a hotfix to proactively protect our users. A hotfix is essentially an immediate security fix delivered by the plugin to plug a vulnerability found elsewhere (either in WordPress core or another plugin). For those who haven’t upgraded yet, it will provide protection before you are able to. Finally, we are also e-mailing all owners of affected websites with upgrade instructions.

We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click “Update Now”. Otherwise, you can download WordPress 4.3.1 directly. Once you’re running WordPress 4.3.1, you are protected from these vulnerabilities.

As a friendly reminder, VaultPress recommends enabling automatic WordPress updates if they are disabled on your website. By running the latest versions of WordPress, VaultPress, and all your themes and plugins, you help to ensure that your site remains safe, secure, and speedy! As always, if you have any questions, drop us a line.

Posted in General, Security | Tagged , | Leave a comment

Interview with WordPress.org’s Security Czar, Nikolay Bachiyski

Posted on Aug20 by

At WordCamp Europe 2015 , Matt Mullenweg named Nikolay Bachiyski the first Security Czar for the WordPress project . With over 10 years of experience contributing to the WordPress project, Nikolay is a great fit and has embraced the role. I had the opportunity to chat with him about this new role and his thoughts on current security trends and best practices.

What’s the focus of your new role as Security Czar?

My responsibilities are to coordinate the security efforts of WordPress.org – a lot of it is incident response – making sure we respond quickly, have solid fixes, and everybody involved is informed.

How does security reporting work within WordPress.org?

Anyone can report security issues. We have an email address to where people can send reports (we always appreciate security reports at security@wordpress.org — even if you’re not sure, we’re happy to check it out). Thankfully, most issues are not reported publicly as there are a lot of nice people who take the time and effort to report security issues privately.

We have a security team of trusted people who have the technical and communication skills to deal with most issues. The group has worked together well in the past, but I’m here to help make everything a bit more organized and streamlined. Everyone in the group is really smart and talented, but during hectic moments, sometimes communication can drop off and it becomes hard to know what has been done, what remains to be done, and who is doing what. Overall, these communication issues can be challenging.

We also have relationships with the bigger hosts and plugin authors, so they can help us test fixes to make sure we don’t break users’ websites with security updates.

What changes do you hope to implement in how the WordPress community responds to security concerns?

There aren’t any big changes planned. We’re mainly concerned with streamlining the internal processes already in place — making sure all of the issues go through the same process and that we have everything covered for each issue.

What are some tips you can offer for securing a WordPress site?

Always complete updates as soon as you can and make sure to use strong passwords. Those two steps go a long way in keeping your site safe. If possible, I recommend enabling auto-updates. Also, when choosing plugins, check to make sure you are using a plugin that is regularly updated! You can confirm this by checking the changelog for a plugin.

As an example, here’s the changelog for VaultPress .

How have security threats evolved over time? Is the internet safer or less safe now?

These days, the public pays a lot more attention to security issues. In the late 90s, I remember that it was so easy to hack into websites. Generally, I would say security measures and efforts have gotten much better over time. Of course, the people who are trying to break things or coordinate attacks are also getting more sophisticated, very often merging more than one attack. Here’s an example.

That said, it’s much easier today to cover most of the common problems. And with the increasing importance of software in our world, security problems are only getting more critical as well since the impact is higher. As a result, the average security level is higher because people care about security a lot more. Today, security is something you incorporate throughout the software building process rather than something you might add at the end.

Put simply: security threats grow in complexity and importance as software does.

How did you discover your knack for all things security? Are there any resources you’d like to share with someone who wants to learn more about the kind of work you do?

At some point in college, I went to a network security course. The interesting thing about security is that in order to build secure software, you have to think like an attacker. To think like an attacker, you need a strong understanding of how everything works. I guess I was just curious and, over time, security became a big part of writing software for me.

As for resources, I’d recommend checking out WordPress.tv security presentations and OWASP (Open Web Application Security Project).

On that note, if you want to learn more about Nikolay and his security work check out his recent WordPress Security Presentation on WordPress.tv:

Posted in Community, Security | Tagged , , | 4 Comments

WordPress 4.2.4 Security Release

Posted on Aug04 by

WordPress version 4.2.4 was released today, which is a security update for all previous WordPress versions.

This version fixes three cross-site scripting vulnerabilities, as well as a potential SQL injection vulnerability in WordPress Comments that could be used to compromise a site (CVE-2015-2213).

It also includes a fix for a potential timing side-channel attack and prevents an attacker from locking a post from being edited.

We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click “Update Now”. Otherwise, you can download WordPress 4.2.4 directly. Once you’re running WordPress 4.2.4, you are protected from these vulnerabilities.

VaultPress recommends enabling automatic WordPress updates if they are disabled on your website. We are also e-mailing all owners of affected websites with upgrade instructions.

By running the latest versions of WordPress, VaultPress, and all your themes and plugins, you help to ensure that your site remains safe, secure, and speedy! As always, if you have any questions, drop us a line.

Posted in General | Leave a comment

WordPress 4.2.3 Security Release

Posted on Jul23 by

An important security update was released today for WordPress. This is a security release for all previous versions, and it fixes a cross-site scripting vulnerability which could allow users with the Contributor or Author role to compromise a website. WordPress versions 4.2.2 and earlier are affected by this vulnerability.

A large number of websites has been upgraded to WordPress 4.2.3 already. If you do not have automatic WordPress updates enabled, we strongly recommend you upgrade your website to version 4.2.3 immediately. We also suggest enabling automatic WordPress updates for your website.

We encourage everyone to head over to Dashboard → Updates in their WordPress dashboard, and click “Update Now”. Once you’re running WordPress 4.2.3, you’re protected from this vulnerability.

We are also e-mailing all owners of affected websites with upgrade instructions. Running the latest versions of WordPress, themes, and plugins is a great step to keep your site safe and sound.

As always, if you have any questions, drop us a line.

Posted in General | Leave a comment

Celebrating 5 Years of VaultPress

Posted on Jun30 by

It’s VaultPress’ 5th birthday this week! In his post on June 29, 2010 — one of the first posts ever on this blog — Matt announced that we had sent out the very first Golden Ticket invites to VaultPress. In the beginning, we sent 30 invites a day, and grew gradually over the first several months. From those first Golden Tickets to the many users we support today, VaultPress has:

  • Found 201,754 infected files
  • Made 50,100,955 backup snapshots.
  • Backed up 27,615 distinct plugins and 17,675 themes

Let’s take a look back at our first tweet and some early designs:

Logo ideas from June 2010
Logo ideas from June 2010
Homepage design from March 2010
Homepage design from March 2010
shield-medium

Our designs have changed over the years, but we’ve never wavered in our commitment to making the best product we can for the WordPress community. In a recent survey of 21 professionals on the best backup WordPress plugins, we’re proud that VaultPress came out on top as the clear winner. Feedback on our product is incredibly positive — it’s great to see people like Brin Wilson of WinningWP say that VaultPress is “basically effortless.” We’re so happy to see how far we’ve come.

To celebrate our 5-year anniversary and to say thank you and give back to our users, we’ve launched an extended 3-month trial. If you want to sign up, just visit this page: https://vaultpress.com/bestof/

We hope that by extending the trial, we can help bring VaultPress to more people for free for a longer period of time.

As always, drop us a line if you have any follow-up questions!

Posted in Announcements, Community, General | 4 Comments