A WordPress 3 security bug, just found, should make you want to upgrade your WordPress website right now! Check with your website developer and make sure your website can be upgraded to WordPress 4. (Note: this is for hosted websites, not websites at WordPress.com.)
WordPress 3 Security Bug
This new security bug was found by Klikki Oy, in Finland. Here’s what was found:
“An attacker could exploit the vulnerability by entering carefully crafted comments, containing program code, on WordPress blog posts and pages. Under default settings comments can be entered by anyone without authentication (login).
Program code injected in comments would be inadvertently executed in the blog administrator’s web browser when they view the comment. The rogue code could then perform administrative operations by covertly taking over the administrator account.”
This means any WordPress website that has comments enabled, which is the default, and is still on WordPress version 3 will be vulnerable to this bug.
How To Mitigate This Bug
You have a couple of options:
- Turn off comments – unlikely for many blogs and websites, or
- Upgrade to WordPress 4
Before you go ahead and upgrade, you need to do a couple of things.
First, make a backup of your WordPress files and the WordPress database. Once that is done, confirm that the upgrade to WordPress 4 will not break any AddOns or custom code that is part of your website. After upgrading, upgrade your AddOns as well if they need it.
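To find out which installs on a server still need this upgrade, the added example below (not part of the original post) reads the version recorded in each install's wp-includes/version.php and flags the ones still on 3.x. The function names, the status labels and the sample tree are constructed for illustration; pass your own web root as the first argument.

```shell
#!/usr/bin/env bash
# Added example: list WordPress installs under a directory and flag 3.x ones.

# Print the version recorded in <install>/wp-includes/version.php.
wp_version_of() {
    vfile="$1/wp-includes/version.php"
    [ -r "$vfile" ] || return 1
    # The file holds a line such as: $wp_version = '3.9.2';
    sed -n "s/^[[:space:]]*\\\$wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" \
        "$vfile" | head -n 1
}

# Map a version string to the status this page describes.
classify_version() {
    case "$1" in
        3|3.*) echo "AFFECTED" ;;   # still on WordPress 3: upgrade
        "")    echo "UNKNOWN" ;;    # version line missing or unreadable
        *)     echo "not-3.x" ;;
    esac
}

# Walk a directory tree and print: status <TAB> version <TAB> install path.
scan_wordpress() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r found; do
        dir="${found%/wp-includes/version.php}"
        ver="$(wp_version_of "$dir" || true)"
        printf '%s\t%s\t%s\n' "$(classify_version "$ver")" "${ver:-?}" "$dir"
    done
}

if [ "$#" -gt 0 ]; then
    scan_wordpress "$1"          # e.g. /var/www (path is an assumption)
else
    # No argument: run against a constructed sample tree.
    demo="$(mktemp -d)"
    mkdir -p "$demo/blog/wp-includes" "$demo/shop/wp-includes"
    printf "<?php\n\$wp_version = '3.9.2';\n" > "$demo/blog/wp-includes/version.php"
    printf "<?php\n\$wp_version = '4.0';\n"   > "$demo/shop/wp-includes/version.php"
    scan_wordpress "$demo"
    rm -rf "$demo"
fi
```

The script only reads files, so it is safe to run before the backup; whether comments are enabled on a flagged site still has to be checked in that site's settings.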
How Many Websites Are Affected?
It is estimated that 86% of all WordPress websites are affected by this security bug, and many websites out there are based on the WordPress platform, such as The New Yorker, Sony Music, eBay, Best Buy, and others. In fact, 74.6 million websites are based on WordPress!
If yours is one of them – time to upgrade!