Category Archives: WordPress and other CMS

WordPress 4.2.2 and critical theme updates

A new version of WordPress addresses several critical security issues. Version 4.2.2 also fixes some non-security issues that were introduced in WordPress 4.2.

The vulnerabilities fixed in WordPress 4.2.2 are being actively exploited on the web, so anyone who operates a WordPress site should immediately check whether the new version has been auto-installed, and if not, install it.

Another vulnerability was recently discovered in the Twenty Fifteen theme that comes packaged with newer versions of WordPress. An updated version of the theme that addresses the issue is now available.

WordPress 4.2 and 4.1.3

WordPress 4.2 was released yesterday. This version adds some new features and improves others. This is not a security-related update.

Updating to version 4.2 also seems to trigger several theme updates. On one of my sites, which uses a Twenty Eleven child theme, an update to the parent Twenty Eleven theme caused the site to stop working completely. I was able to resurrect the site by installing the Twenty Eleven theme again manually. Update: apparently one of the download servers had an incomplete copy of the theme. This problem has been resolved.

Confusingly, WordPress 4.1.3 was also released yesterday. Because it was released so soon after 4.1.2, it’s safe to assume that it contains more security fixes. However, details are sketchy at this point. There was no formal announcement of the release. The WordPress Codex entry for version 4.1.3 says ‘Fix database writes for esoteric character sets, broken in the WordPress 4.1.2 security release.’

WordPress sites configured for auto-updates will update themselves to version 4.1.3 over the next few days. Depending on the auto-update settings, WordPress sites may also update themselves to version 4.2, bypassing 4.1.3. This shouldn’t be a problem, since it’s safe to assume that any fixes in 4.1.3 are also in 4.2.

Your best bet at this point is to update your WordPress sites manually to version 4.1.3. Then start testing version 4.2; once you’re sure it’s not going to break anything, upgrade your production sites.

Critical security updates for WordPress and plugins

WordPress 4.1.2 was released on Tuesday to address a critical security vulnerability. Sites configured for auto-updates will be updated over the next day or so, but you might want to consider installing the update via the dashboard right now.

In related news, security researchers at Sucuri just published a list of popular WordPress plugins that contain serious XSS vulnerabilities. Most of these plugins already have updates addressing the issue. Check your WordPress sites for these plugins, and either update or disable them.

WordPress sites targeted by pro-ISIL hacks

An active campaign pushing the agenda of ISIL is being perpetrated mainly via hacked WordPress sites. The FBI has issued a related warning.

Anyone who runs a WordPress site should immediately ensure that it is up to date with all WordPress and plugin updates. Of course this won’t help if your site has already been hacked, so if you have any doubt, please scan your site with one (or preferably all) of the following web-based site scanners:

Meanwhile, yet another popular WordPress plugin has been found to contain a serious vulnerability. The site caching plugin WP-Super-Cache has a nasty cross-site scripting bug. Anyone using this plugin on a WordPress site needs to update it to the fixed version (1.4.4) immediately.

WordPress 4.1.1 released

A new version of WordPress, described as a maintenance release by the developers, was announced yesterday.

The new version includes fixes for several minor bugs, none of which are related to security. The announcement page includes a link to the list of tickets corresponding to the changes in this release.

WordPress sites that are configured for automatic updates should have the new version installed automatically over the next couple of days.

Testing a WordPress URL problem

In monitoring the logs for this web site, I’ve noticed a lot of weird URLs with invalid parameters like ‘loginid’ and ‘commentid’. At first I ignored them, because those parameters don’t do anything and are essentially ignored by WordPress.

But the volume of these strange requests grew to the point where I started to wonder what was going on. It turns out that although WordPress ignores invalid URL parameters, it also – in some cases – returns those invalid parameters in page content. If you go to the home page of boot13.com, and add ‘/?blahblah’ to the end of the URL, then hover your mouse over the ‘Older posts’ link at the bottom of the resulting page, it will show ‘/?blahblah’.

The fact that WordPress echoes arbitrary parameters in itself isn’t a huge problem. And most web crawlers are smart enough to recognize that the spurious parameters don’t correspond to unique pages on the site, so they are ignored automatically. That includes Googlebot. But some crawlers, in particular Bing’s crawler and the MJ12bot crawler, see every URL that includes any arbitrary parameters as a unique URL, and index them accordingly.

This produces a lot of clutter in Bing’s search results for boot13, and the information provided by Bing Webmaster Tools is filled with these bogus URLs. And that’s annoying.

I’ve taken several steps to try to reduce this clutter. I used robots.txt to tell crawlers to ignore any URL with ‘loginid’ or ‘commentid’. Using Bing Webmaster Tools, I told bingbot to ignore those parameters. As a result, Bing’s search results and site data are looking a lot better. But while most crawlers honour robots.txt, some don’t. In particular, some MJ12bot nodes clearly ignore robots.txt. These may be rogue MJ12bot nodes, or those nodes may be misconfigured in some way.
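One way to measure how much of this traffic a site is getting, and which crawlers are disregarding robots.txt, is to run the access log through a small classifier. The script below is an added example, not code from this post: it parses combined-format log lines, flags any request carrying query parameters outside a (partial, assumed) allow-list of WordPress's own parameters, and counts, per crawler, how many of those requests match the site's Disallow rules. The log lines, the robots.txt text and the user-agent strings are constructed samples; the Disallow matcher handles only `*` wildcards and a trailing `$`, which is all the rules here need.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed robots.txt modelled on the rules described in the post
# (ignore any URL carrying 'loginid' or 'commentid'). Not the real boot13.com file.
ROBOTS_TXT = """\
User-agent: *
Disallow: /*?*loginid=
Disallow: /*?*commentid=
"""

# Constructed combined-format access log lines; IPs are documentation ranges.
LOG_LINES = [
    '203.0.113.5 - - [30/Jan/2015:10:00:01 +0000] "GET /?loginid=12345 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"',
    '203.0.113.5 - - [30/Jan/2015:10:00:02 +0000] "GET /page/2/?loginid=12345 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MJ12bot/v1.4.5; http://www.majestic12.co.uk/bot.php?+)"',
    '198.51.100.7 - - [30/Jan/2015:10:01:00 +0000] "GET /?commentid=999 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    '198.51.100.9 - - [30/Jan/2015:10:02:00 +0000] "GET /?s=wordpress HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '192.0.2.10 - - [30/Jan/2015:10:03:00 +0000] "GET /2015/01/some-post/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/35.0"',
]

# Partial allow-list of query parameters WordPress itself acts on (assumption:
# extend it for your plugins). Anything else is treated as spurious.
KNOWN_PARMS = {"s", "p", "page_id", "paged", "cat", "tag", "feed", "author",
               "m", "year", "monthnum", "day", "name", "preview", "replytocom",
               "attachment_id"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def disallow_patterns(robots_txt):
    """Compile Disallow rules into regexes over path+query.

    Handles '*' wildcards and a trailing '$' anchor only; User-agent
    grouping is ignored on purpose, since the sample file has one group."""
    patterns = []
    for raw in robots_txt.splitlines():
        key, _, value = raw.partition(":")
        if key.strip().lower() != "disallow" or not value.strip():
            continue
        rule = value.strip()
        anchored = rule.endswith("$")
        body = rule.rstrip("$")
        regex = "^" + ".*".join(re.escape(part) for part in body.split("*"))
        patterns.append(re.compile(regex + ("$" if anchored else "")))
    return patterns


def spurious_params(url):
    """Return the set of query parameter names WordPress would ignore."""
    query = urlsplit(url).query
    return {name for name in parse_qs(query, keep_blank_values=True)
            if name not in KNOWN_PARMS}


def crawler_name(user_agent):
    """Crude crawler identification: first token ending in 'bot', else 'browser'."""
    hit = re.search(r"([A-Za-z0-9]+bot)", user_agent, re.I)
    return hit.group(1) if hit else "browser"


def analyze(lines, robots_txt=ROBOTS_TXT):
    """Per crawler: total requests, requests with spurious parameters, and
    requests that robots.txt disallows (for a crawler, evidence it ignores it)."""
    rules = disallow_patterns(robots_txt)
    report = defaultdict(lambda: {"requests": 0, "spurious": 0,
                                  "disallowed_by_robots": 0, "params": Counter()})
    for line in lines:
        hit = LOG_RE.match(line)
        if not hit:
            continue  # not combined log format; skip rather than guess
        who = crawler_name(hit["ua"])
        entry = report[who]
        entry["requests"] += 1
        params = spurious_params(hit["url"])
        if params:
            entry["spurious"] += 1
            entry["params"].update(params)
        # robots.txt only binds crawlers, so browsers are never counted here
        if who != "browser" and any(r.search(hit["url"]) for r in rules):
            entry["disallowed_by_robots"] += 1
    return dict(report)


if __name__ == "__main__":
    for who, entry in analyze(LOG_LINES).items():
        print(f"{who:10s} requests={entry['requests']} spurious={entry['spurious']} "
              f"disallowed={entry['disallowed_by_robots']} params={dict(entry['params'])}")
```

On the constructed sample this reports two MJ12bot requests and one bingbot request that the Disallow rules cover, and none for Googlebot or the browser; on a real log the `disallowed_by_robots` column for a named crawler is the number to watch, since a well-behaved crawler should keep it at zero after robots.txt has been in place long enough to be re-fetched.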

Now I’m trying to determine just how much of a problem this really is. I decided to see if I could introduce some arbitrary text into the search results and related data for another WordPress site (one not owned or managed by me).

Here’s a link to the UPS blog. That site runs on WordPress, and it exhibits the same behaviour I’ve been seeing on boot13. The URL in the first sentence of this paragraph contains a special, unique parameter. The idea is to see what happens when the URL is crawled by Bingbot. Will my special parameter show up in the search results for the UPS blog? I’ll update this post as I learn more.

Update 2015Jan30: The parameter is now appearing in Google site search results for the UPS blog! There are at least 79 entries, most of which are actually duplicates, as I write this. Still nothing in Bing’s search results.

Update 2015Jan31: I checked the WordPress bug tracking system to see if anyone had reported this previously. They had. I ended up re-opening an existing ticket and adding my observations. Hopefully this will lead to a fix!

Another serious WordPress plugin vulnerability

As many as 100,000 web sites built with WordPress have been compromised through a vulnerability in a plugin named ‘RevSlider’ (aka ‘Revolution Slider’, aka ‘Slider Revolution’). Attackers used the vulnerability to add malicious code to the compromised sites, which resulted in those sites serving up the malicious code to site visitors.

Unfortunately, the RevSlider plugin is not free, and as such it typically can’t be updated using the standard WordPress update mechanism. Worse still, the plugin is often included in commercial themes, in which case the theme developer must obtain the updated plugin, create a new package for the theme that includes the new plugin, then make that package available to their customers. Because of these hurdles, many affected sites have not yet been updated.

If you manage a WordPress site that uses RevSlider, you should determine whether it was purchased directly or as part of a commercial theme, then obtain an appropriate update and install it as soon as possible.

Warning: avoid using pirated themes on WordPress and other CMS sites

Anyone who operates a WordPress, Joomla or Drupal site should exercise extreme caution when selecting themes and plugins. You should assume that any commercial theme or plugin offered for free contains malware.

Popular Content Management Systems (CMS), including WordPress, Joomla and Drupal, can be customized through the use of themes and plugins. A theme is a collection of styles and other files that modify the default appearance of a CMS. A plugin typically adds specific functionality to a CMS. Many CMS themes and plugins are available for free, but the commercial ones are among the most popular, since they often include more and better features.

As with all commercial software, CMS themes and plugins are sometimes copied and offered for free on pirate sites. Unfortunately, it’s very easy for a theme or plugin to be modified so that any site using it can be compromised and then used for illegal activities.

The people at Fox-It recently published a document describing “CryptoPHP” (PDF) – malware that is showing up on CMS sites with alarming regularity. They traced the source of the malware to thousands of themes and plugins that had been modified to include a single line of PHP code that allows CryptoPHP to infect any site that uses one of those themes or plugins.

Recommendation: if you operate a CMS site, do not use any commercial theme or plugin that is offered for free. Make sure you obtain themes and plugins from the developer/author, or from a reputable source like wordpress.org.
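Because a backdoor of this kind rides on a single added line in an otherwise legitimate theme, the practical defence when you inherit a site is to audit what is already installed. The scanner below is an added example, not code from this post or from the Fox-IT report, and it does not reproduce CryptoPHP's actual line: it walks a theme or plugin directory and applies two generic heuristics that are assumptions on my part, namely an `include`/`require` whose target is not a PHP source file (a backdoor hidden in what looks like an image asset), and an `eval()` fed by `base64_decode()`. The sample theme it scans is constructed in a temporary directory; `banner.png` is an invented file name.

```python
import os
import re
import tempfile

# Heuristic 1 (assumption): include/require of a literal path that is not a
# PHP source file. Dynamic paths such as get_template_directory() . '/x.php'
# are deliberately not matched; they need a different review.
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\s*\(?\s*(['\"])([^'\"]+)\2",
    re.I,
)
# Heuristic 2 (assumption): eval( [wrapper( ...] base64_decode(
EVAL_B64_RE = re.compile(
    r"\beval\s*\((?:\s*\w+\s*\()*\s*base64_decode\s*\(", re.I
)

# Constructed sample theme: one clean file, one file with each suspicious pattern.
SAMPLE_THEME = {
    "functions.php": "<?php\nrequire_once get_template_directory() . '/inc/setup.php';\n",
    "inc/setup.php": "<?php\nfunction demo_setup() { add_theme_support('title-tag'); }\n",
    "footer.php": "<?php\n// constructed: include of an 'image' as PHP\n"
                  "include('assets/images/banner.png');\n?>\n</body></html>\n",
    "inc/loader.php": "<?php\neval(gzinflate(base64_decode('ZGVtbw==')));\n",
}


def scan_source(text):
    """Return a list of human-readable findings for one PHP source text."""
    findings = []
    for m in INCLUDE_RE.finditer(text):
        target = m.group(3)
        ext = os.path.splitext(target)[1].lower()
        if ext not in (".php", ".inc"):
            findings.append(f"{m.group(1).lower()} of non-PHP file: {target}")
    if EVAL_B64_RE.search(text):
        findings.append("eval() of base64_decode() output")
    return findings


def scan_tree(root):
    """Scan every .php file under root; map relative path -> findings."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                findings = scan_source(f.read())
            if findings:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return results


def write_sample_theme(root):
    """Materialise SAMPLE_THEME under root (constructed test data only)."""
    for rel, content in SAMPLE_THEME.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)


def demo():
    """Build the sample theme in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_theme(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    # Point scan_tree() at wp-content/themes or wp-content/plugins for a real site.
    for rel_path, findings in sorted(demo().items()):
        for finding in findings:
            print(f"{rel_path}: {finding}")
```

A hit from either heuristic is a reason to diff the file against a clean copy obtained from the developer or wordpress.org, not proof of infection on its own; the point is that the audit is cheap enough to run on every theme and plugin before it goes live.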

There’s more information over on the Wordfence blog.