This should go without saying: Upgrade your WordPress!

Apparently, 86% of WordPress blogs haven’t been upgraded yet to version 4.0 or 4.01, because they are vulnerable to a terrible cross-site scripting vulnerability.

If you’re reading this, and you have a WordPress blog, go update it. This post will still be here when you’re done.

Cross-site scripting is injecting malicious content into a web site that people trust, to get people to run content they otherwise wouldn’t. For example, one could inject malicious Javascript into a comment on this site if they wanted to infect the computer of someone known to read me.

Sound crazy? Well, if the target is my boss, probably not. The most effective way to get to him may very well be through me. Trust me, it’s a lot more reliable than sending him a booby-trapped e-mail attachment.

That’s why blogs can be an attractive hacking target. They have very specific, narrow, and focused niches. And, apparently, most of them are very poorly maintained. So if a high-value target reads an obscure blog, that blog has a target on its back.

The other important thing to remember is that while the core platform has auto-updated since version 3.7, plugins don’t, and the platform doesn’t always update itself automatically–at least not right away. Except in the case of very minor updates, I always end up running the update myself.

So, if you run a WordPress blog, do yourself and the world around you a favor and update the core platform and update your plugins. Speaking of that, one of my plugins is out of date. Excuse me while I go take care of that.


If you found this post informative or helpful, please share it!
%d bloggers like this: