BURN ALL BLOGS! WordPress has a critical cross-site scripting flaw

WordPress has warned users of a “cross-site scripting vulnerability, which could allow users with the Contributor or Author role to compromise a site” and urged all users “to update your sites immediately.” Installations that auto-upgrade should already be patched. The patch comes in the form of WordPress 4.2.3, which fixes …

  1. Richard 84

    Slightly off-topic, but do WordPress extensions such as Wordfence Security offer any serious protection?

    1. Anonymous Coward

      Wordfence fends off brute-forcers quite well (and there's a lot of them about) and the live view is quite good to have. It also turns off the user listing page (which if your username and 'screen name' are the same leaves brute-forcers only needing to guess the password). You can also have 2FA if you cough up the money.

      Wordfence and All-In-On Wordpress Security and firewall together cover a lot of common flaws and play quite nicely together.

      It's mainly to stop brute-forcers and obvious/common attacks/flaws. Like having a burglar alarm really - ups the skill level required, but if someone skilled enough really wants you they'll find a way in.

      1. Anonymous Coward

        Errata: All-in-one wordpress security and firewall

        1. Anonymous Coward

          Add Google authenticator

          If you add Google Authenticator to it and use the "All in one WP Security" change of the admin login URL, it becomes quite hard for an outsider to breach a WP site, especially if you have a read-only one (a number of breaches are privilege escalations).

          Of course, avoid installing anything you do not absolutely need. You will see in the All in One "Firewall" logs of 404 errors just what gets thrown at a site, and it helps identify plugins worth avoiding :).

          Last but not least, you may also want to install "IQ Block Country"; my sites seem to get most hacking from China and Ukraine, and with that plugin I just bar any access from those countries instead of building a massive blacklisting file.
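Two things in the replies above are easy to check for yourself without a plugin: the author-enumeration scan that the user listing page enables (WordPress answers `/?author=N` with a redirect to `/author/<login>/`, so an attacker walks N upwards and collects logins, then only has to guess passwords at `wp-login.php`), and the plugin probing that shows up as 404s under `/wp-content/plugins/<slug>/`. The script below is an added example written for this page, not code from Wordfence, All In One WP Security or WordPress. It assumes an Apache/nginx "combined" access log; the log lines, IP addresses, plugin slugs and the thresholds (`author_min`, `login_min`) are constructed for the demonstration.

```python
"""Flag WordPress author-enumeration scans, wp-login.php brute force and
plugin probing in combined-format access logs (added example, not project code)."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format; only the fields the rules need are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A request for anything under a plugin directory; the slug is what we report.
PLUGIN_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/]+)/")


def parse_line(line):
    """Return the fields of one log line, or None if it is not combined format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def analyse(log_text, author_min=3, login_min=5):
    """Apply three rules over a log and return what tripped them.

    author_enum:      IPs that requested at least author_min distinct ?author=N values
                      (any status: 301 means the user exists, 404 means it does not,
                      both are useful to a scanner, so count the attempt not the result)
    login_bruteforce: IPs with at least login_min POSTs to /wp-login.php
    probed_plugins:   404 hits per plugin slug, i.e. plugins attackers are looking for
    """
    author_ids = defaultdict(set)
    login_posts = Counter()
    probed = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines in another format rather than guess at them
        for value in rec["query"].get("author", []):
            if value.isdigit():
                author_ids[rec["ip"]].add(int(value))
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            login_posts[rec["ip"]] += 1
        if rec["status"] == 404:
            pm = PLUGIN_RE.match(rec["path"])
            if pm:
                probed[pm.group("slug")] += 1
    return {
        "author_enum": {ip: sorted(ids) for ip, ids in author_ids.items()
                        if len(ids) >= author_min},
        "login_bruteforce": {ip: n for ip, n in login_posts.items() if n >= login_min},
        "probed_plugins": probed,
    }


def _line(ip, method, target, status):
    # Constructed sample record in combined log format (not real traffic).
    return (f'{ip} - - [22/Jul/2015:06:00:00 +0000] "{method} {target} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed sample log: one enumerating scanner, one brute-forcer that also
# probes for two (hypothetical) plugins, and one ordinary visitor who logs in once.
SCANNER, BRUTE, VISITOR = "203.0.113.7", "198.51.100.23", "192.0.2.10"
SAMPLE_LOG = "\n".join(
    [_line(SCANNER, "GET", f"/?author={n}", 301 if n < 3 else 404) for n in range(1, 6)]
    + [_line(BRUTE, "POST", "/wp-login.php", 200) for _ in range(8)]
    + [_line(BRUTE, "GET", "/wp-content/plugins/some-slider-plugin/readme.txt", 404)] * 2
    + [_line(BRUTE, "GET", "/wp-content/plugins/old-forum-plugin/upload.php", 404)]
    + [_line(VISITOR, "GET", "/2015/07/hello-world/", 200),
       _line(VISITOR, "POST", "/wp-login.php", 302),
       _line(VISITOR, "GET", "/?author=1", 301)]
)

if __name__ == "__main__":
    for rule, hits in analyse(SAMPLE_LOG).items():
        print(f"{rule}: {dict(hits)}")
```

Run it as-is to see the three findings on the constructed log, or feed `analyse()` your own access log text. The single visitor who hit `/?author=1` once and logged in once stays below both thresholds, which is the point of counting distinct author IDs and POSTs per source rather than alerting on any single request; tune `author_min` and `login_min` to your own traffic before using the rules for blocking.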

  2. Nate Amsden

    doesn't seem too bad

    the main bug seems to specifically refer to users with special rights being able to compromise the site not just any random anonymous user.

    I would wager most of the wordpress blogs out there probably have just a single account for the one person there (like mine), or have only trusted users (like the wordpress blog for my company; I think all of the users that contribute content have admin access already).

    1. Anonymous Coward

      Re: doesn't seem too bad

      Every site with user-contributed content has tons of Author/Contributors. There's a "default new user role" setup option. Easy peasy. Easy to pwn in 5 minutes too...

  3. msknight

    It is seeming to be a common theme now. I wake up to WordPress automatic updates in my in-box, and by the time I've got to work, ElReg tells me all about what happened while I was sleeping :-)

    Now this is how IT is supposed to be!

    1. Ole Juul

      Yep, just checked, and it was already done.

  4. TeeCee

    "WordPress has a critical XSS flaw"

    Gosh, really? Is there a "Y" in the day or something?

    1. Anonymous Coward

      Re: "WordPress has a critical XSS flaw"

      Montag, Dienstag, Mittwoch, Donnerstag, Frietag, Samstag, Sonntag.....nope, no 'y's at all.

      1. O RLY

        Re: "WordPress has a critical XSS flaw"

        *Freitag

        Sorry, couldn't resist.
