Home » Critical! (Page 4)
Category Archives: Critical!
WordPress 2.2.1 released
WordPress 2.2.1 has been released. This release has some important security and usability fixes and is a required update for anyone using 2.2 or the 2.1 versions of WordPress. Remember to back up your files and your database before upgrading. You can download it from the WordPress download page.
Important AWSOM Pixgallery News, read this!
It appears that the wordpress.org website repository has been naming the zip file folder for the AWSOM Pixgallery plugin incorrectly leading to activation issues and other problems getting it to work. If you downloaded your version of the plugin from anywhere but here, please make sure that the plugin folder is called “awsompixgallery” in the wp-content/plugins folder. If it is called anything else it will most likely cause issues. To fix this deactivate the plugin, rename the folder to awsompixgallery, then reactivate it. This should correct the issue.
WordPress 2.2 Security Issue, patch it now
WordPress 2.2 has a security issue that requires immediate patching by anyone using this version. There is not an official new download available from the wordpress.org site yet, but you can get information on how to fix the vulnerability on their support forum here: http://wordpress.org/support/topic/120857?replies=12.
It requires you to replace a file (xmlrpc.php) with a new version, details are in the thread linked to above. This vulnerability affects any WordPress 2.2 install that allows comments and allows users to register. (which is probably a large number of websites). The vulnerability will allow a hacker to get your admin password, so this is bad.
Go check now and fix this if you are using this version!
Critical WordPress Exploit in Version 2.1.3
A critical exploit has been discovered in WordPress 2.1.3 related to the way WordPress admin cookies are accessed. A malicious user could possibly steal your admin password cookie and gain admin rights to your website. This is only an issue if you are using the default WordPress prefix of wp_ or are using an easy to figure out prefix. Unfortunately the only fix currently available is to upgrade to WordPress 2.2–which has it’s own set of major issues due to the widget changes and other new coding conventions introduced in that version.
I wish I could provide an easy fix, but there isn’t one. If you have a WordPress 2.1.3 site with a standard setting for the prefix (in the wp-config.php file) then you really should think about upgrading–do research on the upgrade though, its not very straightforward.
Change your WordPress prefix
One area of WordPress setup that many people miss is changing their database prefix. This is a setting in the wp-config.php file that determines what WordPress uses to talk to your database. By default WordPress adds wp_ to the front of all of your tables, but you should consider changing this to something very random.
Why? Well, an exploit has just surfaced for the 2.1.3 version of WordPress (and possibly previous versions) that allows someone to steal your admin password–but it only works if they know your WordPress prefix. Of course since most people haven’t changed this they know to use wp_.
Unfortunately it’s not a simple fix AFTER you have installed things. The prefix gets written to your entire database, so DON’T change it now after you’ve installed and are running, it’ll cause you to create an entirely new database within your current one, but not set to your current settings. The actual fix would be to download your database .sql file and use a text editor to change the entire thing (Ugh!).
Anyway, I’m updating my install tutorial to mention this important step.