Linux Malware targets WordPress and common Plugins

  • Post author: Omid Farhang
  • Post published: January 15, 2023
  • Reading Time: 2 min
  • Word Count: 337 words

Doctor Web has discovered a malicious Linux program that hacks websites based on the WordPress CMS. It exploits 30 vulnerabilities in a number of plugins and themes for this platform. If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts. As a result, when users click on any area of an attacked page, they are redirected to other sites. What can it do? Upon its operators' command, it is able to perform the following actions: ...


WordPress hardened with XSS, DoS and SSRF fixes

  • Post author: Omid Farhang
  • Post published: June 25, 2013
  • Reading Time: 1 min
  • Word Count: 195 words

With the second security and maintenance release of WordPress 3.5, the developers of the popular open source blogging software have closed 12 bugs, seven of them security issues. In their announcement, the developers “strongly encourage” all users to update all their installations of the software to version 3.5.2 immediately. In addition to the fixed vulnerabilities, the new release also includes some proactive changes intended to harden the platform against attacks. ...


WordPress 3.4 update closes important security hole

  • Post author: Omid Farhang
  • Post published: June 29, 2012
  • Reading Time: 2 min
  • Word Count: 279 words

The WordPress developers have released version 3.4.1 of their popular open source publishing platform, fixing a number of bugs and closing security holes, one of which is rated as important. WordPress 3.4, which has already been downloaded 3 million times since being released two weeks ago, contains an important privilege escalation flaw that accidentally allowed all administrators and editors on multi-site installations to use unfiltered_html. This could have been exploited by users for cross-site scripting (XSS) attacks by, for example, publishing posts containing malicious code. ...


WordPress fixes file upload security problems

  • Post author: Omid Farhang
  • Post published: April 23, 2012
  • Reading Time: 1 min
  • Word Count: 183 words

The H-Security: The developers of the popular open source blog engine WordPress have released a security update for the software. WordPress 3.3.2 fixes unspecified bugs in three external file upload libraries used in the software and other security problems with the application. The bugs affect both WordPress’s current file uploading library Plupload as well as the SWFUpload and SWFObject libraries; these were bundled with older versions of the application and might still be in use by certain plugins on the current versions of WordPress. The developers did not go into detail about the specifics of the security holes but thanked three people from the WordPress community for responsibly disclosing them. Three more fixes address a privilege escalation in the blog engine’s multi-site system and two cross-site scripting vulnerabilities in the core components of WordPress. More details on all of these patches and also some additional smaller fixes can be found in the change log. ...


WordPress.com suffers hacker attack – how to change your password

  • Post author: Omid Farhang
  • Post published: April 14, 2011
  • Reading Time: 2 min
  • Word Count: 392 words

Sophos Labs: Millions of blog owners around the world are being advised to consider their password security, after WordPress.com was hacked. To its credit, Automattic – the company behind the WordPress.com blogging platform – didn’t mince its words or try to apply any spin to the incident, explaining it had suffered a “low-level (root) break-in to several of [its] servers, and potentially anything on those servers could have been revealed.” ...


Follow up: Hacker Gains Access To WordPress.com Servers, Site Source Code Exposed

  • Post author: Omid Farhang
  • Post published: April 13, 2011
  • Reading Time: 2 min
  • Word Count: 246 words

Follow up from: Hacker Gains Access To WordPress.com Servers. Tech Crunch: WordPress.com has revealed that someone has gained root access (“low-level,” as in deep) to several of its servers this morning and that VIP customers’ source code was accessible. WordPress.com VIP customers are all on “code red” and in the process of changing all the passwords/API keys they’ve left in the source code. “Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. ...


Hacker Gains Access To WordPress.com Servers

  • Post author: Omid Farhang
  • Post published: April 13, 2011
  • Reading Time: 1 min
  • Word Count: 203 words

Tech Crunch: WordPress.com has revealed that someone has gained access to several of their servers this morning and that VIP customers’ source code was accessible. WordPress.com customers are all on ‘code red’ and in the process of changing all the passwords/API keys they’ve left in the source code. “Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. ...


WordPress hit with second big attack in two days

  • Post author: Omid Farhang
  • Post published: March 8, 2011
  • Reading Time: 2 min
  • Word Count: 226 words

CNET wrote: The popular blogging-site hoster WordPress was hit with another distributed denial-of-service attack this morning, the second in two days. “Unfortunately, the DDoS attack from yesterday returned in a different form this morning and affected sitewide performance,” the company said in a notice on its Automattic site, which serves as a dashboard for the service. “The good news is that we were able to mitigate it quickly and performance returned to normal around 11:15 UTC. We are continuing to monitor the situation closely.” ...


WordPress Adds Feature for Embedding Tweets

  • Post author: Omid Farhang
  • Post published: November 6, 2010
  • Reading Time: 1 min
  • Word Count: 181 words

Mashable: Months ago, Twitter released a clunky tool called Blackbird Pie for embedding tweets in blog posts. Today WordPress has radically simplified and improved tweet embedding with a new feature, also named Twitter Blackbird Pie. Beginning today, WordPress.com users simply need to copy a tweet’s URL and paste it on a line by itself to embed it in a blog post. Pasted URLs are converted into full tweets, which means these embedded tweets look as good as screenshots, but include the link back to the tweet, a link to the source and a retweet option. The new feature will also save users time — letting them avoid the much more manual process of snapping screenshots of tweets. ...


Microsoft Kills Live Space blogs

  • Post author: Omid Farhang
  • Post published: September 29, 2010
  • Reading Time: 2 min
  • Word Count: 227 words

Microsoft announced that it has collaborated with WordPress, which from now on will be the default blogging platform for Windows Live users. This means Microsoft is killing its own blogging platform and suggesting that users move to a better platform called ‘WordPress’. At the TechCrunch Disrupt conference, Windows Live Director ‘Dharmesh Mehta’ announced that all existing Windows Live Spaces users will be migrated over to an account at WordPress.com. So from now on, users who sign up for a Windows Live account get free Hotmail, the Xbox Live site, a free blog from WordPress.com and other services. ...
