Another day, another important security update for WordPress. Oh boy.
If you administer your own self-hosted WordPress website then you must update the software as soon as possible, following the disclosure of six security holes that could be exploited by malicious attackers.
Version 4.7.3 of the immensely popular web-publishing software has been released, alongside a warning that, if left unpatched, websites could be vulnerable to various threats, including cross-site scripting and request forgery attacks:
- Cross-site scripting (XSS) via media file metadata.
- Control characters can trick redirect URL validation.
- Unintended files can be deleted by administrators using the plugin deletion functionality.
- Cross-site scripting (XSS) via video URL in YouTube embeds.
- Cross-site scripting (XSS) via taxonomy term names.
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
The good news is that vulnerability researchers privately disclosed details of the flaws to the WordPress team in a responsible fashion, allowing the bugs to be fixed before they were made public.
WordPress fixing the holes is only half the journey, of course. Webmasters need to take the time to ensure that those patches are rolled out across their vulnerable webservers.
Security vulnerabilities are frequently uncovered in third-party WordPress plugins, but these latest fixes address security vulnerabilities in the WordPress core itself.
That means that just about any site running WordPress could be at risk.
Fortunately, for most people, it is pretty easy to update. Go to your WordPress admin panel and choose Dashboard > Updates. In fact, many users have now opted to automatically update WordPress as updates are made available.
Of course, it's always good practice to test a new version of the software on a non-live version of your site first (often known as a staging site) - just in case.
This is particularly important if you use your WordPress site for a business that cannot afford to be offline while you iron out any potential wrinkles with an update, but perhaps less critical if you just use WordPress for personal blogging.
If it's any reassurance, I was able to update my own WordPress self-hosted website to version 4.7.3 in less than a minute - without experiencing any unpleasant hiccups.
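If you look after more than one install, it is worth confirming that the update really did land everywhere. The script below is an added example, not part of the original article or of WordPress itself: it walks a directory tree, reads the `$wp_version` line that WordPress core keeps in `wp-includes/version.php`, and flags anything older than 4.7.3. The directory names and sample version files are constructed for the demonstration, and the script assumes any version below 4.7.3 counts as unpatched.

```python
import re
import tempfile
from pathlib import Path

FIXED = (4, 7, 3)  # the release named in the article

# WordPress core records its version in wp-includes/version.php as
#   $wp_version = '4.7.2';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]""", re.M)

def parse_version(php_source):
    """Return ((major, minor, patch), raw_string), or None if not found."""
    m = VERSION_RE.search(php_source)
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1)) if m else None
    if not nums:
        return None
    parts = tuple(int(p) for p in nums.group(0).split("."))
    # Pad '4.7' to (4, 7, 0); compare as integers so 4.7.10 > 4.7.3.
    return parts + (0,) * (3 - len(parts)), m.group(1)

def audit(root):
    """Map each install found under root to (raw_version, status)."""
    root, report = Path(root), {}
    for vf in sorted(root.glob("**/wp-includes/version.php")):
        site = vf.parent.parent.relative_to(root).as_posix()
        parsed = parse_version(vf.read_text(errors="replace"))
        if parsed is None:
            report[site] = (None, "unknown")  # unreadable: check by hand
        else:
            report[site] = (parsed[1], "ok" if parsed[0] >= FIXED else "outdated")
    return report

def build_sample(root):
    """Constructed test data: four fake installs, not real sites."""
    samples = {"blog-a": "$wp_version = '4.7.2';", "shop": "$wp_version = '4.7.3';",
               "legacy/site": "$wp_version = '4.6';", "broken": "// no version here"}
    for name, line in samples.items():
        d = Path(root, name, "wp-includes")
        d.mkdir(parents=True)
        (d / "version.php").write_text("<?php\n" + line + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for site, (ver, status) in audit(tmp).items():
            print(f"{status:9} {ver or '?':8} {site}")
```

To use it on a real server, call `audit()` with the directory that holds your sites instead of the temporary sample tree.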
In my experience, running your own WordPress-based site can be a considerable job - ensuring that WordPress and its third-party plugins are updated and working properly to fend off attacks.
You can further reduce the chances of having your site fall at the hands of hackers by investing in a web application firewall which attempts to filter and block malicious HTTP traffic before it can exploit a weakness on your website.
Don't forget that websites running self-hosted versions of WordPress from wordpress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.
Although there are limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.