Recent WordPress security issues – how to update the version and your plugins safely


There have been some recent WordPress security issues which mean that you must get your WordPress version and certain plugins updated as soon as possible.

WordPress 4.7.3 update

Recent WordPress security issues addressed by Version 4.7.3

Version 4.7.3 of the content management system includes fixes for half a dozen flaws that could allow, among other things, cross-site scripting and request forgery attacks.

“This is a security release for all previous versions and we strongly encourage you to update your sites immediately,” WordPress says of the patch.

The three cross-site scripting flaws were found in the handling of file metadata, YouTube video URLs, and taxonomy term names.

WordPress said that in addition to patching the six security flaws now publicly disclosed, version 4.7.3 also addresses 40 maintenance issues in various WordPress components.

The 4.7.3 update comes just days after WordPress admins were alerted to a separate security crisis in NextGEN Gallery, a WordPress plugin vulnerable to SQL injection attacks.

WordPress still the most popular content management system

The WordPress content management system is a highly regarded system for creating and managing websites. We think that you can do pretty much anything with it, from high-traffic e-commerce websites through sites for start-up businesses to personal blogs.

WordPress Dashboard

Here are some major websites currently powered by WordPress:

The active developer community is always churning out new plugins and themes that extend the capability of WordPress while still retaining the core strength of a well-supported system that is widely used.

At the time of writing WordPress powers 27% of all the world's websites and nearly 60% of those using a generic content management system.

© W3Techs.com       usage    change since 1 February 2017    market share    change since 1 February 2017
1. WordPress        27.7%    +0.3%                           58.9%           +0.3%
2. Joomla            3.3%                                     7.1%           -0.1%
3. Drupal            2.2%                                     4.7%
4. Magento           1.2%                                     2.6%
5. Blogger           1.1%                                     2.3%           -0.1%


This popularity, together with the open-source code base, makes the system a target for unscrupulous hackers trying to exploit security flaws to extract private data or damage websites.

Therefore updating your WordPress version and plugins is critical for the safe and efficient running of your website, but you need to follow a set procedure in case something goes wrong.

How to update the WordPress version and plugins safely

Here is our take on updating the WordPress version and plugins safely.

  1. Backup, backup, backup

Before any WordPress version update you should back up your website files and database. This is so you can roll back to a working version should anything go wrong.

There are numerous options for automatic backup, through commercial plugins and through your web hosting, which we have discussed in a past blog post.

If you are updating plugins only then you can get away without a full site backup; however, you should keep a copy of the currently installed version of each plugin, in case you need to swap it back into your installation.

We would advise taking a full backup before updating several plugins at one time.

  2. Update the WordPress version and test

Once you have been through the update process, run some basic checks on your website: visit key pages and test features like shopping carts, forms, etc. If something has gone horribly wrong then it should be obvious.

  3. What you can do if something does go wrong

If something does go wrong then WordPress will, by default, often present you with a completely blank screen, which helps no one!

To get the error message you need to turn on error reporting in your wp-config.php file. Go to your hosting control panel and, using the file manager or FTP, download wp-config.php, open it in your text editor and find this line:

define('WP_DEBUG', false);

wp-config.php error reporting

Change false to true, upload the file back to the server and reload your website. There should now be an error message telling you the file and line number that is causing the error. This is the first step in solving the problem.

If it is a plugin, deactivate it by renaming its folder and check whether the site works again. If it is a theme, switch to a different one to get the site back, even though it may look awful temporarily.

If you have a backup then you can simply roll back and try again. Remember to set error reporting back to false once you have finished.
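The three steps above, written up as a set of shell helpers. This is an example added for this post, not WordPress or WP-CLI code; it assumes a POSIX shell with sed, tar and mysqldump available on the host, and that the DB_* credentials sit in wp-config.php as plain define() lines. The site paths and plugin name in the usage comments are placeholders.

```shell
#!/bin/sh
# Helpers for the update procedure: back up files and database first, then
# switch WP_DEBUG on (logging to a file rather than the screen) while you find
# the broken plugin or theme, and switch it off again afterwards.
# Example written for this post; not WordPress or WP-CLI code. Assumes a POSIX
# shell with sed, tar and mysqldump, and DB_* credentials as define() lines.

set -eu

# Read a string constant from wp-config.php, e.g. wp_config_value cfg DB_NAME.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Step 1: archive the site directory and dump the database into backup_dir.
# Prints the timestamp used in the archive names so it can be noted down.
wp_backup() {
    site="$1"; backup_dir="$2"; cfg="$site/wp-config.php"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$backup_dir"
    tar -czf "$backup_dir/files-$stamp.tar.gz" -C "$site" .
    # MYSQL_PWD keeps the password out of the process list, unlike -p<pass>.
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
        mysqldump --single-transaction \
            -h "$(wp_config_value "$cfg" DB_HOST)" \
            -u "$(wp_config_value "$cfg" DB_USER)" \
            "$(wp_config_value "$cfg" DB_NAME)" \
        | gzip > "$backup_dir/db-$stamp.sql.gz"
    echo "$stamp"
}

# Step 3: set WP_DEBUG to "true" or "false" in place; sed keeps a .bak copy.
wp_set_debug() {
    sed -i.bak "s/^\([[:space:]]*define([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*\)[a-z]*/\1$2/" "$1"
}

# Send errors to wp-content/debug.log instead of every visitor's browser:
# WP_DEBUG on its own prints file paths and SQL to the page. Inserts the two
# constants directly after the WP_DEBUG line, so they are set before
# wp-settings.php is loaded. Does nothing if WP_DEBUG_LOG is already there.
wp_debug_to_log() {
    cfg="$1"
    if grep -q "WP_DEBUG_LOG" "$cfg"; then return 0; fi
    n=$(grep -n "define([[:space:]]*['\"]WP_DEBUG['\"]" "$cfg" | head -n 1 | cut -d: -f1)
    [ -n "$n" ] || { echo "no WP_DEBUG line in $cfg" >&2; return 1; }
    { head -n "$n" "$cfg"
      printf "define( 'WP_DEBUG_LOG', true );\ndefine( 'WP_DEBUG_DISPLAY', false );\n"
      tail -n +"$((n + 1))" "$cfg"; } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Take a misbehaving plugin out of the load path by renaming its folder;
# WordPress then treats it as missing and deactivates it.
wp_disable_plugin() {
    mv "$1/wp-content/plugins/$2" "$1/wp-content/plugins/$2.disabled"
}

# Typical sequence on the host (placeholder paths; nothing below runs on load):
#   wp_backup /var/www/example /var/backups/wp
#   ... update WordPress and plugins in the dashboard, then test key pages ...
#   wp_set_debug /var/www/example/wp-config.php true
#   wp_debug_to_log /var/www/example/wp-config.php
#   wp_disable_plugin /var/www/example suspect-plugin
#   wp_set_debug /var/www/example/wp-config.php false
```

WP_DEBUG_LOG and WP_DEBUG_DISPLAY are standard WordPress constants. With WP_DEBUG alone, the error text (including server file paths and sometimes SQL) is shown to every visitor while you work; routing it to wp-content/debug.log keeps it private, but that file lives under the web root, so delete it and set WP_DEBUG back to false once the site is fixed, as the step above says.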

Usually, updating WordPress and plugins will go smoothly, but good habits such as backing up first will save a lot of time if something does go wrong.

Sources and further reading

WordPress 4-7-3 security and maintenance release

Time to update WordPress

Statistics about WordPress usage

https://w3techs.com/
