Today’s article was going to be about the new WordPress 4.2, which rolled out over the past week.
However, something of interest took place which again confirmed my high regard for WordPress as the tool for running your business or organisation’s website.
Within days of the latest WordPress release being made public, one of the army of WordPress volunteers and testers discovered a trick that hackers could possibly use to create their own accounts on your site.
Here is what happened and what you should do now.
WordPress and the comment XSS exploit vulnerability
I won’t go into great detail in this article because my focus is on helping you get the most from your website workhorse known as WordPress but it can be helpful to understand the background to this latest web security threat.
In essence, attackers discovered a quirk in MySQL, the popular database engine WordPress uses, which behaves in a particular way when a really long comment is left on a website.
The long comment hits the size limit of the MySQL TEXT column type, so the database shortens the comment before storing it. But in doing so, the bad HTML code the hacker added to the comment gets into the site, because the shortened text is no longer the text the comment filter checked.
Things to look out for are nice comments that tempt you to approve and trust a commenter, and then they respond later with their long, trojan comment to try to exploit the system.
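To make the mechanism concrete, here is a small Python model of that "validate, then let the database shorten it" mistake and the obvious fix. This is an added illustration, not code from the original post or from WordPress itself: the 65,535-byte MySQL TEXT limit is real, but the comment pipeline, the `is_well_formed` check (a constructed stand-in for a real allow-list HTML filter) and the sample comment are all made up for the example.

```python
"""Why shortening a comment after it has been validated is dangerous.

Added illustration, not code from the original post. The MySQL TEXT limit
(65,535 bytes) is real; the "comment pipeline" and the well-formedness
check are simplified, constructed stand-ins for a real sanitizer.
"""

MYSQL_TEXT_MAX_BYTES = 65535  # a MySQL TEXT column holds at most 64 KiB


def mysql_text_store(value: str) -> str:
    """Model a non-strict MySQL server silently shortening an oversized TEXT value."""
    data = value.encode("utf-8")
    if len(data) <= MYSQL_TEXT_MAX_BYTES:
        return value
    return data[:MYSQL_TEXT_MAX_BYTES].decode("utf-8", errors="ignore")


def is_well_formed(fragment: str) -> bool:
    """Constructed check: every tag is closed with '>' and every quoted
    attribute value inside a tag is terminated. Stands in for the
    allow-list HTML filter a comment system runs before accepting input."""
    in_tag = False
    quote = None
    for ch in fragment:
        if in_tag:
            if quote:
                if ch == quote:
                    quote = None
            elif ch in ('"', "'"):
                quote = ch
            elif ch == ">":
                in_tag = False
        elif ch == "<":
            in_tag = True
    return not in_tag and quote is None


def vulnerable_store(comment: str) -> str:
    """Validate, then let the database shorten the value: what ends up
    stored may no longer be what the validator approved."""
    if not is_well_formed(comment):
        raise ValueError("rejected by filter")
    return mysql_text_store(comment)


def hardened_store(comment: str) -> str:
    """Refuse anything the column cannot hold in full, so the stored value is
    byte-for-byte the value that passed validation."""
    if len(comment.encode("utf-8")) > MYSQL_TEXT_MAX_BYTES:
        raise ValueError("comment too long")
    if not is_well_formed(comment):
        raise ValueError("rejected by filter")
    return mysql_text_store(comment)


def hardened_accepts(comment: str) -> bool:
    """True if the hardened pipeline would store the comment."""
    try:
        hardened_store(comment)
        return True
    except ValueError:
        return False


def oversized_comment() -> str:
    """Constructed sample: an ordinary-looking link whose title attribute is
    padded far past the column limit. Perfectly well-formed as submitted."""
    padding = "A" * (MYSQL_TEXT_MAX_BYTES + 100)
    return f'<a title="{padding}">nice post</a>'


if __name__ == "__main__":
    sample = oversized_comment()
    stored = vulnerable_store(sample)
    print("well-formed as submitted:", is_well_formed(sample))  # True
    print("well-formed as stored:   ", is_well_formed(stored))  # False
    print("hardened pipeline accepts it:", hardened_accepts(sample))  # False
```

The point of the model is the invariant: whatever the filter approved must be exactly what gets written and later rendered. Once the database is allowed to cut the value short, the closing quote and closing tag of the sample link are gone, so the stored fragment is no longer well-formed even though the submitted one was. Rejecting anything longer than the column can hold, before it is stored, is what restores the invariant; the same check applies to any field that is validated as HTML and stored in a size-limited column.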
What should you do? Almost absolutely nothing!
Within days of WordPress 4.2 launching, a new version, 4.2.1, was released, and the good news is that the overwhelming majority of WordPress sites will have automatically updated themselves.
That’s right. Most WordPress websites by now will have upgraded their own security by auto-installing version 4.2.1.
Be that as it may, it is prudent to log into your website to double check. Look at the top of the Admin Dashboard where you will see a box showing which version of WordPress is running. If it is not 4.2.1 or higher, make sure you apply the update or call us to help you.
If you have chosen to use the Baker Marketing WordPress Maintenance Plan, you have nothing to do because we are monitoring that for you. If you haven’t heard about our plan, contact us today to find out more and get your website kept up-to-date for you without needing to lift a finger.