What every WordPress user must know about File Permissions

File permissions grid

File permissions play a vital role in the security and functionality of a web site: they decide which system accounts may read, write or execute each file, so a permission that is too loose exposes secrets such as wp-config.php, and one that is too tight breaks uploads and updates. Here is an excellent article by Shylaja Sreedharan that gives a good overview of file (and directory) permissions. Understanding them is fundamental to managing any web site, WordPress sites included.

Read the full article here: https://blogvault.net/wordpress-file-permissions/
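As an added example that is not part of the linked article or of WordPress itself, the following POSIX shell script audits a WordPress tree for world-writable entries and for a wp-config.php that other accounts can read, then applies a conventional baseline. The baseline it assumes (755 for directories, 644 for files, 600 for wp-config.php) and the function names are the example's own choices, and the deliberately sloppy sample tree it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the linked article or from WordPress.
# Baseline assumed here (the usual recommendation, adjust to your host):
#   directories 755, files 644, wp-config.php 600, nothing world-writable.
# 600 on wp-config.php assumes PHP runs as the file owner (php-fpm pool or
# suPHP); if the web server only shares the owner's group, use 640 instead.

# wp_audit_perms DIR: print every file or directory that "other" may write,
# plus wp-config.php if "other" may read it. No output means the tree is clean.
wp_audit_perms() {
  find "$1" \( -type f -o -type d \) -perm -o+w -print
  find "$1" -type f -name wp-config.php -perm -o+r -print
}

# wp_fix_perms DIR: apply the baseline to the whole tree. Run as the owner of
# the files (or root). If the web server must write into wp-content/uploads
# without owning it, widen that directory to 775 for the server's group afterwards.
wp_fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then
    chmod 600 "$1/wp-config.php"
  fi
}

# make_perms_fixture: build a constructed, deliberately sloppy sample tree in a
# temporary directory and print its path, so the audit and fix can be tried offline.
make_perms_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads"
  printf '<?php\n' > "$d/wp-config.php"
  printf '<?php\n' > "$d/index.php"
  printf 'not really an image\n' > "$d/wp-content/uploads/photo.jpg"
  chmod 777 "$d/wp-content/uploads" "$d/wp-content/uploads/photo.jpg"  # world-writable
  chmod 644 "$d/wp-config.php"                                          # world-readable secrets
  printf '%s\n' "$d"
}

# Demonstration on the constructed tree. Real use is simply:
#   wp_audit_perms /var/www/example   and then   wp_fix_perms /var/www/example
demo_dir=$(make_perms_fixture)
echo "before:"; wp_audit_perms "$demo_dir"
wp_fix_perms "$demo_dir"
echo "after:";  wp_audit_perms "$demo_dir"
rm -rf "$demo_dir"
```

Run the audit first and read its output; the fix touches every file under the directory, so run it as the owner of the files, and re-widen wp-content/uploads for the web server's group only if your PHP process does not run as that owner.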

Severe Bash Vulnerability Disclosed that may affect many websites

This advisory just came out from Mark Maunder of the Wordfence Security plugin:

A serious vulnerability in the bash shell has been disclosed. Bash will execute any trailing code after a function definition contained in an environment variable.

If you manage a Linux WordPress server, an update for Bash has been released today for most major Linux distributions. Update immediately. If you don’t run a server but are using a hosting provider, it’s likely your host is aware of this issue already and has already upgraded their systems to protect you.

For more information please visit the Wordfence blog where I’ve included details of the vulnerability, how to test if you’re vulnerable, how to fix the issue and some details on how it works.

More information at: http://www.wordfence.com/blog/2014/09/major-bash-vulnerability-disclosed-may-affect-a-large-number-of-websites-and-web-apps/
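The test Mark refers to, as an added example rather than code from the advisory or from Wordfence: the script below runs the widely circulated one-line probe for this bash bug (the disclosure tracked as CVE-2014-6271 and nicknamed Shellshock) and shows why a web server was exposed to it. The function names, the choice of HTTP_USER_AGENT as the second variable name and the "vulnerable" marker string are the example's own.

```shell
#!/bin/sh
# Added example, not code from the Wordfence advisory. Reproduces the
# canonical probe for the bash bug it describes (CVE-2014-6271):
# a vulnerable bash imports an environment variable whose value starts with
# "() {" as a function definition and then keeps executing whatever follows
# the closing brace, before the command it was actually asked to run.
#
# The variable name is irrelevant to bash, which is what made the bug remotely
# reachable: CGI servers export request headers as environment variables such
# as HTTP_USER_AGENT, so a crafted header became a command on the server.

# shellshock_check [VARNAME]: run the canonical probe through VARNAME
# (default "x"). Prints "patched", "vulnerable" or "no-bash"; the exit status
# is 0 only when patched.
shellshock_check() {
  var=${1:-x}
  command -v bash >/dev/null 2>&1 || { echo no-bash; return 2; }
  # The payload is only "echo vulnerable"; anything placed after "}" would run.
  out=$(env "$var=() { :;}; echo vulnerable" bash -c 'echo probe' 2>/dev/null)
  case $out in
    *vulnerable*) echo vulnerable; return 1 ;;
    *)            echo patched;    return 0 ;;
  esac
}

# bash_version: first line of "bash --version", for comparing against the
# version named in your distribution's advisory.
bash_version() {
  command -v bash >/dev/null 2>&1 || { echo "bash not installed"; return 0; }
  bash --version 2>/dev/null | head -n 1
}

echo "bash:             $(bash_version)"
echo "plain variable:   $(shellshock_check)"
echo "CGI-style header: $(shellshock_check HTTP_USER_AGENT)"
```

A "patched" result only shows that the first fix is in place; the initial patch was incomplete (CVE-2014-7169 followed within days, with further fixes after it), so compare the reported bash version against your distribution's advisory rather than relying on this probe alone.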

Vulnerabilities in WordPress older than 3.8.2, the Twitget Plugin and the Quick Page/Post Redirect Plugin.

WordPress vulnerabilities as reported by Wordfence on April 14, 2014.

WordPress Vulnerability: WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role. More info available on the National Cyber Awareness System: CVE-2014-0165

WordPress Vulnerability: The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it easier for remote attackers to obtain access via a forged cookie. More info available on the National Cyber Awareness System: CVE-2014-0166

What to do about the above: Make sure you are running the newest version of WordPress, version 3.8.2.

Plugin Vulnerability: CSRF/XSS vulnerability in Twitget 3.3.1. If a logged-in administrator visits a specially crafted page, options can be updated (CSRF) without their consent, and some of those options are output unescaped into the form (XSS). Vulnerability ID: CVE-2014-2559 (not yet published)

What to do: Upgrade to Twitget 3.3.3 or later, which contains a fix. The author is aware of the vulnerability and has fixed it.

Plugin Vulnerability: The Quick Page/Post Redirect Plugin contains CSRF and stored XSS vulnerabilities. Vulnerability ID: CVE-2014-2598 (not yet published)

What to do: Upgrade to version 5.0.5 or later. The author is aware of the vulnerability and has fixed it.

These reports courtesy of

Mark Maunder
Wordfence Creator & Feedjit Inc. CEO.
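As an added example (not Wordfence's or WordPress's own code), the following POSIX shell script checks a WordPress install on disk against the minimum versions named in the report above: core 3.8.2, Twitget 3.3.3 and Quick Page/Post Redirect Plugin 5.0.5. It reads $wp_version from wp-includes/version.php and each plugin's "Plugin Name:" and "Version:" header comments, which is how WordPress itself identifies installed plugins. The exact "Plugin Name:" strings it matches and the sample install it builds under mktemp are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Wordfence's or WordPress's own code: check an install on
# disk against the fixed versions named in the report above.

# version_ge A B: succeed when dotted numeric version A is >= B.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    len = (n > m) ? n : m
    for (i = 1; i <= len; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# wp_core_version DIR: print $wp_version from wp-includes/version.php.
wp_core_version() {
  awk -F"'" '/^\$wp_version[[:space:]]*=/ { print $2; exit }' "$1/wp-includes/version.php"
}

# plugin_header FILE KEY: print the value of "KEY: value" from the header
# comment of a plugin file (leading "*" and whitespace are tolerated).
plugin_header() {
  sed -n "s/^[[:space:]*]*$2:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# plugin_version DIR NAME: print the Version: header of the plugin whose
# Plugin Name: header equals NAME; fail if no such plugin is installed.
plugin_version() {
  for plugin_file in "$1"/wp-content/plugins/*/*.php "$1"/wp-content/plugins/*.php; do
    [ -f "$plugin_file" ] || continue
    [ "$(plugin_header "$plugin_file" 'Plugin Name')" = "$2" ] || continue
    plugin_header "$plugin_file" 'Version'
    return 0
  done
  return 1
}

# wp_audit DIR: one line per component (OK, UPDATE or ABSENT); the exit
# status is the number of components that still need an update.
wp_audit() {
  dir=$1; bad=0
  core=$(wp_core_version "$dir")
  if version_ge "$core" 3.8.2; then
    echo "OK      WordPress $core"
  else
    echo "UPDATE  WordPress $core -> 3.8.2"; bad=$((bad + 1))
  fi
  # Minimum fixed versions from the report; the Plugin Name strings are assumed.
  for spec in "Twitget=3.3.3" "Quick Page/Post Redirect Plugin=5.0.5"; do
    name=${spec%=*}; min=${spec#*=}
    if ver=$(plugin_version "$dir" "$name"); then
      if version_ge "$ver" "$min"; then
        echo "OK      $name $ver"
      else
        echo "UPDATE  $name $ver -> $min"; bad=$((bad + 1))
      fi
    else
      echo "ABSENT  $name (not installed, nothing to do)"
    fi
  done
  return $bad
}

# make_fixture: constructed sample install (core 3.8.1, Twitget 3.3.1,
# Quick Page/Post Redirect Plugin 5.0.5) in a temp dir; prints its path.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-includes" "$d/wp-content/plugins/twitget" "$d/wp-content/plugins/qppr"
  printf '<?php\n$wp_version = '"'"'3.8.1'"'"';\n' > "$d/wp-includes/version.php"
  printf '<?php\n/*\nPlugin Name: Twitget\nVersion: 3.3.1\n*/\n' > "$d/wp-content/plugins/twitget/twitget.php"
  printf '<?php\n/**\n * Plugin Name: Quick Page/Post Redirect Plugin\n * Version: 5.0.5\n */\n' \
    > "$d/wp-content/plugins/qppr/qppr.php"
  printf '%s\n' "$d"
}

# Demonstration on the constructed install; real use is: wp_audit /var/www/example
demo=$(make_fixture)
wp_audit "$demo" || echo "$? component(s) need updating"
rm -rf "$demo"
```

The version comparison is numeric per dotted component, so 3.10 sorts after 3.9; it does not understand suffixes such as "-beta", which WordPress releases named in the report do not use.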

Just Released: WordPress 3.5.2, for Maintenance and Security

The second maintenance release of WordPress 3.5, fixing 12 bugs, is now available. This is a security release for all previous versions, so web site owners are encouraged to update their installations immediately.

The security fixes include:

  • Blocking server-side request forgery attacks, which could potentially let an attacker gain access to a site.
  • Disallowing contributors from improperly publishing posts or reassigning a post’s authorship.
  • An update to the SWFUpload external library to fix cross-site scripting vulnerabilities.
  • Prevention of a denial-of-service attack affecting sites that use password-protected posts.
  • An update to the external TinyMCE library to fix a cross-site scripting vulnerability.
  • Multiple fixes for cross-site scripting.
  • Avoiding disclosure of the full file path when an upload fails.

More information and download at: http://wordpress.org/news/2013/06/wordpress-3-5-2/

Web Weavers Workshop August 20

Learn web development skills. Workshop attendees will learn how to create web sites, set up web services and create content. Additional topics will include the domain name system, search engine optimization and web site security.

Seating is limited to 12 students. All skill levels are welcome, but be aware that this is not an introductory workshop. Bring your laptop or mobile device if you wish.

No fee. Open to members and guests. Registration required.

Hosted by HMAUS.

ING Direct Cafe
1958 Kalakaua Avenue