If you’re running a WordPress website or blog, you’re strongly encouraged to upgrade to WordPress version 3.9.2, a security release for all previous versions of WordPress.

The update, released today by the WordPress security team, fixes a possible denial of service issue in PHP’s XML processing.

If you can’t update immediately, install the update as soon as you’re able to. For more information about this security release, see the WordPress release page at http://wordpress.org/news/2014/08/wordpress-3-9-2/

The release also addresses the following issues:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute-force attacks on CSRF tokens (WordPress nonces), reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

Updating WordPress

Most WordPress webmasters can update from the admin backend. If your site is set up so that the web server user can write to the WordPress files (or you have given the updater FTP/SSH credentials), go to the WordPress admin page, select Dashboard --> Updates and click the Update Now button. Bear in mind that letting the web server write to its own PHP files is a convenience with a cost: a compromised plugin, or a PHP process that has been taken over, can then rewrite any file in the install.

For sites that are locked down more tightly, where the web server has no write access and root (or a dedicated deploy user) owns the core files, the one-click updater cannot write the new files. In that case, SSH into the server and download the latest release manually.

Run the command below to download the latest release. Use https rather than plain http so the archive cannot be altered in transit; wordpress.org also publishes matching checksum files (latest.zip.md5 and latest.zip.sha1) that you can compare the download against before installing it.

cd /tmp/ && wget https://wordpress.org/latest.zip

Then run the command below to unzip the archive.

unzip latest.zip

Finally, copy the new files over your web server’s document root.

sudo cp -rf wordpress/*  /var/www/html

Change /var/www/html to match your own document root. Two caveats: cp merges directories, so this overwrites the bundled default themes and plugins under wp-content but leaves your own themes, plugins and uploads in place (wp-config.php is not in the archive, so it is untouched); and it never deletes files that were removed from the release, which is why the official manual-update instructions recommend deleting the old wp-admin and wp-includes directories before copying the new ones in.


It’s recommended that you always back up your website (files and database) before upgrading. So, before running any of the above commands, make sure you have a backup you can actually restore from.
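The manual procedure above, written out as one script. This is an added example and is not part of the original post or of WordPress’s own tooling: a POSIX shell script that fetches the release over https, checks it against the published SHA-1, tars up the current install, and copies the new core files in while leaving wp-content and wp-config.php alone. It assumes that wordpress.org serves latest.zip.sha1 (a bare hex digest) next to latest.zip, that curl, unzip and GNU sha1sum are installed, and that WP_ROOT and BACKUP_DIR point at your own paths (the defaults below are placeholders).

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress itself.
# Fetch, verify and stage a WordPress core update without clobbering the
# files that hold site state (wp-config.php, wp-content/).
#
# Assumptions (adjust for your server):
#   - wordpress.org serves latest.zip.sha1 next to latest.zip as a bare hex digest
#   - curl, unzip and sha1sum (GNU coreutils) are available
#   - WP_ROOT is the document root and BACKUP_DIR is writable by the caller
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"        # placeholder: your document root
BACKUP_DIR="${BACKUP_DIR:-/var/backups}"   # placeholder: where tarballs go
WORK="${WORK:-/tmp/wp-update}"             # scratch directory for the download

# verify_sha1 FILE DIGEST_FILE
# Succeeds only if FILE's SHA-1 matches the digest in DIGEST_FILE. The digest
# file may be a bare hash or "hash  filename"; only the first token is read.
verify_sha1() {
    file="$1"; sumfile="$2"
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    actual=$(sha1sum "$file" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# stage_core SRC DEST
# Copy an extracted release tree (SRC) over an install (DEST). wp-admin/ and
# wp-includes/ are replaced wholesale so files dropped from the release do not
# linger, as the manual-update instructions recommend. wp-content/ is skipped
# entirely (your themes, plugins and uploads live there; the bundled defaults
# can be updated from the dashboard), and wp-config.php is not in the archive,
# so a site's configuration is never overwritten.
stage_core() {
    src="$1"; dest="$2"
    rm -rf "$dest/wp-admin" "$dest/wp-includes"
    for entry in "$src"/*; do
        case "$(basename "$entry")" in
            wp-content|wp-config-sample.php) continue ;;
        esac
        cp -R "$entry" "$dest/"
    done
}

# update_wordpress: the full procedure, run as a user allowed to write WP_ROOT.
update_wordpress() {
    mkdir -p "$WORK" "$BACKUP_DIR"
    cd "$WORK"
    rm -rf wordpress latest.zip latest.zip.sha1
    curl -fsSLO https://wordpress.org/latest.zip
    curl -fsSLO https://wordpress.org/latest.zip.sha1
    if ! verify_sha1 latest.zip latest.zip.sha1; then
        echo "SHA-1 mismatch for latest.zip; refusing to install" >&2
        exit 1
    fi
    # Back up the current files before touching anything (the database is
    # separate; dump it with your DB tooling as well).
    stamp=$(date +%Y%m%d-%H%M%S)
    tar -czf "$BACKUP_DIR/wordpress-files-$stamp.tar.gz" \
        -C "$(dirname "$WP_ROOT")" "$(basename "$WP_ROOT")"
    unzip -q latest.zip            # extracts into ./wordpress
    stage_core "$WORK/wordpress" "$WP_ROOT"
    echo "Core files updated; backup at $BACKUP_DIR/wordpress-files-$stamp.tar.gz"
}

# Only run the full procedure when asked explicitly ("run"), so the functions
# above can also be sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    update_wordpress
fi
```

Save it as wp-update.sh and run `sudo WP_ROOT=/path/to/site sh wp-update.sh run`. The checksum step is the part worth keeping even if you do the rest by hand: a downloaded archive that does not match the published digest should never reach the document root, and the `rm -rf` of wp-admin and wp-includes is exactly why the backup is taken first.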

If your website allows automatic background updates (enabled by default for minor and security releases like this one since WordPress 3.7), you don’t have to do anything. WordPress will update itself, often before you notice.


I hope that after reading this post you’ll go and update your site to WordPress version 3.9.2.

Frequently Asked Questions

How do I upgrade to WordPress version 3.9.2 for security reasons?

To upgrade to WordPress version 3.9.2 for security reasons, you can go to your WordPress admin page, select Dashboard --> Updates, and click the Update Now button.

What security issues does WordPress version 3.9.2 address?

WordPress version 3.9.2 fixes a possible denial of service issue in PHP's XML processing, a possible but unlikely code execution when processing widgets (which does not affect default installs), and information disclosure via XML entity attacks in the bundled GetID3 library. It also adds protections against brute-force attacks on CSRF tokens and further hardening, such as preventing cross-site scripting that could only be triggered by administrators.

Who reported the code execution issue in widget processing to the WordPress security team?

The code execution issue in widget processing was reported by Alex Concha of the WordPress security team.

How can I protect my WordPress site from cross-site scripting attacks?

Keep WordPress current: version 3.9.2 includes hardening that prevents cross-site scripting issues which could only be triggered by administrators, so the immediate step is to install the update. Because those issues depend on an administrator's actions, keeping the number of administrator accounts to a minimum also reduces your exposure to this class of bug.

What should I do if I can't update WordPress immediately?

If you can't update WordPress immediately, install the WordPress version 3.9.2 security update as soon as you are able to in order to protect your website from potential vulnerabilities.

How can I download the latest version of WordPress via SSH?

Take a backup first, then navigate to a scratch directory such as /tmp/ on your server, download latest.zip from wordpress.org with wget over https, unzip the archive, and copy the extracted files over your web server's document root.

Who reported the information disclosure vulnerability via XML entity attacks to the WordPress security team?

The information disclosure vulnerability via XML entity attacks was reported by Ivan Novikov of ONSec to the WordPress security team.

What additional security measures were implemented in WordPress version 3.9.2?

WordPress version 3.9.2 includes additional security hardening, such as protections against brute-force attacks on CSRF tokens and prevention of cross-site scripting vulnerabilities that could only be triggered by administrators.