All copies of WordPress 4.9.3 updated to 4.9.4

One of the nice things about WordPress is that it automatically updates itself for important security and bug fixes. For example, if you installed WordPress 4.9.1, it would have automatically updated itself to version 4.9.2 on January 16, and to version 4.9.3 on February 5.

Unfortunately, WordPress 4.9.3 has a bug that prevents it from automatically updating itself to later versions. It needs to be manually updated to version 4.9.4 or later.

The WordPress 4.9.3 to 4.9.4 update is trivial (it fixes only this bug, after which automatic updates will work again), so we’ve updated every customer copy of WordPress 4.9.3 on our servers to version 4.9.4, just as if it had happened automatically.

Customers should not notice any change as a result of this — but as always, don’t hesitate to contact us if you have any trouble.

Audio and video uploads not working in old versions of WordPress < 4.4

We’ve received a couple of reports that audio and video file uploads don’t work anymore in old WordPress versions (4.3.9 and lower). You instead see the message “HTTP error”. (This doesn’t affect uploads of images, PDF files, etc.; it affects things like MP3 files and movies.)

This is because of a bug in the WordPress software itself, which will presumably soon be fixed, and not related to our servers.

However, if this is happening to you, you’re using a very outdated version of WordPress. You should update to the current version 4.7.3, which is easy to do by clicking “Updates” in your WordPress dashboard. We recommend that you always update WordPress whenever it tells you to do so, because it avoids all sorts of problems.

Our servers are not vulnerable to the critical PHPMailer security bug CVE-2016-10033

Many scripts that send e-mail include a file called PHPMailer. The file is distributed as part of WordPress, Joomla, Drupal, and lots more software.

Recently, a security researcher discovered a security bug in PHPMailer. The bug could allow “hackers” to take over a website.

However, sites hosted on our servers are not vulnerable to this problem. (Despite that, you should always update your copy of WordPress, Joomla, or any other software when there’s a new version available.)

Read the rest of this entry »

WordPress 4.7

WordPress 4.7 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites.

If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.

Read the rest of this entry »

WordPress 4.5; built in editors

WordPress 4.5 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version (actually now version 4.5.1) for new WordPress sites.

If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.

We’ve also modified our automatic installer to disable the built in theme and plugin file editor by default for new installations (existing installations are not affected).

This both improves security (many automated hacks and XSS attacks blindly try to use the editor) and avoids a problem we see happen often:

  • People think that the “Edit” link next to a plugin or theme will edit the settings of it, not the code of it, so they click it;
  • Then they see a weird screen of code and don’t know what to do, and they perhaps type something as an experiment;
  • That doesn’t help, so they click “save” to get out of the weird screen;
  • And WordPress completely stops working due to a PHP syntax error in what they typed.

We think the editor shouldn’t be enabled for most people. It should be enabled only by developers (and very brave developers who make good backups, at that). Developers can easily enable it by editing the wp-config.php file to remove the “DISALLOW_FILE_EDIT” line.

Update 2016-05-26: We have removed the customization that disabled the built-in theme and plugin editors because several customers said it is an integral part of their workflow. All new installations will have the standard theme and plugin editors functionality.

WordPress 4.4

WordPress 4.4 was recently released, and as always, we’ve updated our WordPress one-click installer to automatically install the latest version for new WordPress sites.

If you’ve previously installed an older version of WordPress, you should update it from within your WordPress Dashboard.

Preventing PHP scripts from running in /wp-content/uploads

We write a lot about how out of date WordPress plugins or themes can cause your site to get “hacked” due to security bugs.

Interestingly, many of these bugs have a near-identical flaw: They intentionally allow strangers to upload files to your site (intending to allow image uploads and so on), but they don’t sufficiently screen out malicious script files. The bugs allow a malicious PHP script somewhere under the site’s “/wp-content/uploads” directory, then the “hacker” simply runs that script in a web browser.

To help our customers, we’re doing something to minimize the impact of these security vulnerabilities: By default, we’re now blocking PHP scripts from running in “/wp-content/uploads”.

This will improve security because very few sites use this feature legitimately (and none should do so, really; relying on being able to run uploaded PHP scripts without moving them to a safe location is a security risk). Disabling PHP scripts in this directory is recommended by well-known WordPress security companies like Acunetix and Sucuri.

Read the rest of this entry »

Cleaning compromised sites while moving them to Tiger Technologies

One issue we (unfortunately) have lots of experience with is fixing a WordPress site after we discover it’s been “hacked”. But while it’s one thing to try to clean a Web site after it got infected on our servers, it’s essentially impossible to try to clean a Web site that was infected on another server and is being transferred to our servers.

We have a page with more information, including:

  • why this is a problem, and the related risks of not fixing it
  • why the normal way of fixing a site isn’t sufficient
  • how to fix the problem

Protection against the WordPress “large comment” security bug

The authors of WordPress today released version 4.2.1 that fixes a critical security bug.

While upgrading is always a good idea, we’ve blocked the attack for all versions of WordPress on all sites that we host. We’ve also verified using our MySQL binary logs that no sites were attacked before we started the blocking.

Read the rest of this entry »

Protection against WordPress “Pagelines” and “Platform” theme security bugs

The researchers at Sucuri yesterday announced that they’ve discovered a critical security bug in the widely used Pagelines/Platform WordPress themes. If you use one of these themes or their many derivatives, “hackers” can easily take over your site unless you update the theme.

Since many of our customers use these themes, so we’ve added security rules to block attacks even if you haven’t updated. And we’re glad we did: our logs show that a large Chinese botnet started attacking every WordPress site we host last night, in alphabetical order (they’re currently up to domain names starting with “e”), testing whether each site is vulnerable to the bugs.

We’re again surprised to see how many customers are using versions of these themes that haven’t been updated in years. I know we sound like a broken record, but when WordPress offers to update something you’ve installed, you must update it if you want your site to stay secure.

Read the rest of this entry »