WordPress 4.1.2 and Plugin Security Updates
WordPress 4.1.2 was released today. This is a critical security release and should be applied to all existing sites. There has also been a notice put out regarding vulnerabilities in many plugins, which we’ll discuss below.
Core Update Process/Info
If you have our core updates for major or minor releases turned on, the site will be updated within 24 hours. Built-in WP automatic updates are rolling out as I write this as well. With a minor update like this that contains important security improvements, I suggest everyone update as soon as they can.
Plugin Vulnerabilities
Yesterday there was a coordinated release of several updated plugins to fix an XSS (cross-site scripting) vulnerability. Some of these are very popular plugins; there is a list in Sucuri’s post announcing the issue. It is entirely possible that other plugins are also affected, as not all have been audited. My expectation is that we’ll see updates for less popular plugins as authors go through their code and look for instances similar to those fixed yesterday. Some of the affected plugins have had updates forced out by WordPress.org, but not all of the plugin authors opted in to this response.
Security At Lightning Base
The problems described above are serious, and the best response is to update everything right away. If you have our automatic plugin updates turned on, those will be automatically applied if the plugin is from WordPress.org, but we cannot apply updates to premium plugins that aren’t hosted in the repository (some of which are affected by these problems). Having said that, our system may keep your sites safe even if they have vulnerable plugins.
We have tested some of the sample XSS attacks security researchers have published regarding these vulnerabilities, and are seeing most of those blocked by our webapp firewall. Our automatic virus/exploit scanning and quarantining is helpful as well – it means many attacks will be stopped even after the initial compromise, and also alerts Lightning Base support so we can take a look at how an exploit occurred and attempt to put rules in place to block the vulnerability.
Keep Up To Date
Despite the protections Lightning Base provides, it is important to keep plugins/themes/WP as up to date as possible. Our automatic update option is one good way to do this, but you can also opt-in to the built-in WP updates, or use a management tool (wpremote.com, managewp.com, infinitewp.com, mainwp.com, ithemes.com/sync/, etc.) to efficiently manage and update a large number of sites. Running updates manually is great too if you’re working in the site on a daily basis.
Questions / Problems?
If you have any questions about security or run into problems with an update, don’t hesitate to log in to our client area at https://secure.lightningbase.com and click the “Open Ticket” menu – we will be happy to help.