WordPress 4.2.2 fixes a cross-site scripting vulnerability – Update Now

WordPress Version 4.2.2

On May 6, 2015, WordPress 4.2.2 was released to the public. This is both a security update for all previous WordPress versions, and a maintenance release for versions 4.2 and newer.

From the announcement post, WordPress 4.2.2 fixes a cross-site scripting vulnerability in an HTML file shipped with recent Genericons packages, which are bundled with the Twenty Fifteen theme as well as a number of popular plugins, by removing the file. Auto-updates and manual updates through the dashboard remove it; installations done by hand or deployed from a VCS checkout (such as SVN) keep the file, so on those sites you must delete it yourself, and the same applies to any plugin that ships its own copy of Genericons. Version 4.2.2 also improves on the fix, first shipped in 4.2.1, for a critical cross-site scripting vulnerability.
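For a site deployed from version control, the check a practitioner wants is a list of what the updater would have removed. The script below is an added example, not code from the announcement: it reports every HTML file found inside a directory named genericons under a document root (the announcement does not name the file, so the match is deliberately broad) and runs against a constructed directory tree whose paths and file names are illustrative.

```shell
#!/bin/sh
# Added example, not from the WordPress announcement: list every .html file
# sitting inside a directory named "genericons" below a WordPress docroot, so
# that a manual or VCS-deployed install can delete what the updater would
# have removed. The announcement does not name the file, so this matches any
# HTML file in a Genericons directory and leaves the deletion to you.
leftover_genericons_html() {
    find "$1" -type f -path '*/genericons/*' -name '*.html' | sort
}

# Constructed fixture (paths and file names are illustrative): a docroot with
# the theme's bundled Genericons, a plugin's own copy, and an unrelated HTML
# file that must not be reported.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/themes/twentyfifteen/genericons" \
             "$root/wp-content/plugins/some-plugin/genericons/font"
    : > "$root/wp-content/themes/twentyfifteen/genericons/demo.html"
    : > "$root/wp-content/plugins/some-plugin/genericons/demo.html"
    : > "$root/wp-content/plugins/some-plugin/genericons/font/genericons.css"
    : > "$root/wp-content/plugins/some-plugin/readme.html"
    printf '%s\n' "$root"
}

# Offline run against the constructed tree; on a real server pass the docroot
# instead, review the list, then delete each listed file by hand.
docroot=$(make_fixture)
leftover_genericons_html "$docroot"
rm -rf "$docroot"
```

Run it against the real document root and expect one hit per bundled copy of Genericons: the theme's copy and one for each plugin that ships the package. The plugin's CSS and the unrelated readme are not reported.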

The release also includes hardening for a potential cross-site scripting vulnerability when using the Visual editor.

In addition to the security fixes, WordPress 4.2.2 contains fixes for 13 bugs from 4.2.1, including:

  • Fixes an emoji loading error in IE9 and IE10
  • Fixes a keyboard shortcut for saving from the Visual editor on Mac
  • Fixes oEmbed for YouTube URLs to always expect https
  • Fixes how WordPress checks for encoding when sending strings to MySQL
  • Fixes a bug with allowing queries to reference tables in the dbname.tablename format
  • Lowers memory usage for a regex checking for UTF-8 encoding
  • Fixes an issue with trying to change the wrong index in the wp_signups table on utf8mb4 conversion
  • Improves performance of loop detection in _get_term_children()
  • Fixes a bug where attachment URLs were incorrectly being forced to use https in some contexts
  • Fixes a bug where creating a temporary file could end up in an endless loop.

WordPress Version 4.1.2 – Urgent Upgrade

On April 21, 2015, WordPress 4.1.2 was released to the public. This is a security update for all previous WordPress versions.

This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.

Also fixed are three other security issues:

  • In WordPress 4.1 and higher, files with invalid or unsafe names could be uploaded.
  • In WordPress 3.9 and higher, a very limited cross-site scripting vulnerability could be used as part of a social engineering attack.
  • Some plugins were vulnerable to an SQL injection vulnerability.

A number of plugins also released security fixes yesterday. Keep everything updated to stay secure. If you’re a plugin author, please read this post to confirm that your plugin is not affected by the same issue.

If you are unable/uncomfortable upgrading your WordPress site then let our experts do all the work for you. Order a WordPress Maintenance service today.

Infrastructure Secured with the Plesk 12 Security Core

Enhanced Security on All Levels.

The new Security Core in Plesk 12 combines ModSecurity and Fail2Ban with Outbound Antispam and ServerShield™ tools allowing you to deliver server-to-site security out of the box.

With the Plesk 12 Security Core on your servers you get:

  • Secure servers that protect against persistent attacks targeting known or newly discovered vulnerabilities
  • Increased uptime as malicious attacks against your servers are automatically blocked in real time
  • Cleaner IP addresses with outgoing spam protection preventing your servers from being blacklisted
  • Faster site performance and bandwidth savings with next generation CDN

All security components work together leading to a more reliable infrastructure.
About ServerShield™
Odin partnered with CloudFlare to build ServerShield™, a complete security solution that enables server administrators and websites owners to protect and speed up any website with just a few clicks.

ServerShield helps to block hackers, spammers, botnets, and DDoS attacks. In addition, it offers free and unlimited reputation monitoring by StopTheHacker.

End-customers also get CloudFlare’s next generation CDN, which serves content from locations closer to visitors; on average, a website on CloudFlare loads twice as fast and uses 60% less bandwidth. No configuration or setup is needed.

The WordPress Toolkit in Plesk 12 Makes Life Easier for Web Professionals

The WordPress Toolkit simplifies daily tasks required to manage and secure WordPress sites.

Save time on WordPress site and security management. Spend more time on your core business.

With Plesk 12 and the WordPress Toolkit, you will be able to:

  • Manage multiple WordPress installations, plugins, and themes from a single point of entry
  • Easily install, update, and remove WordPress, plus activate and remove plugins and themes
  • Securely install WordPress and harden any existing WordPress installation by applying the most common recommended security settings with rollback support

The WordPress Toolkit is included in both the Plesk Web Pro and Web Host editions. All Plesk 12 hosting plans include this essential WordPress service at no additional cost.

WordPress Installation Management.
Manage multiple WordPress installations, plugins, themes, updates, and upgrades from a single point of entry.


WordPress Security Management.
Scan WordPress installations to identify insecure settings and secure them in one click.

Unable to execute SQL: Table ‘./db/wp_comments’ is marked as crashed and should be repaired

How to Fix: Crashed MySQL Database

If a table in your database is marked as crashed and needs to be repaired, mysqldump aborts when it reaches that table, so backups and migrations of the whole database fail. In these instances you need to log in to MySQL and run the check/repair process. Two things to know first: the “marked as crashed” message comes from the MyISAM storage engine (InnoDB tables do not support REPAIR TABLE and will tell you so), and REPAIR TABLE discards data it cannot recover, so take a copy of the table’s .MYD and .MYI files from the data directory before you start. The repair itself is very easy.

First, you need to authenticate to the MySQL server. On Plesk servers the admin password is kept in /etc/psa/.psa.shadow, so you can log in as the admin user with:

# mysql -uadmin -p`cat /etc/psa/.psa.shadow`

The expanded password becomes part of the client’s command line and is visible to other local users in ps for as long as the session is open, so on a shared server prefer a defaults file (mysql --defaults-extra-file=...) that holds the password instead.

Let’s check the table and see the current status:

mysql> check table db.wp_comments;
+----------------+-------+----------+---------------------------------------------------+
| Table          | Op    | Msg_type | Msg_text                                          |
+----------------+-------+----------+---------------------------------------------------+
| db.wp_comments | check | warning  | Table is marked as crashed                        |
| db.wp_comments | check | error    | Size of datafile is: 26984448 Should be: 26985708 |
| db.wp_comments | check | error    | Corrupt                                           |
+----------------+-------+----------+---------------------------------------------------+
3 rows in set (0.00 sec)

Now that we can see the problem, run REPAIR TABLE:

mysql> repair table db.wp_comments;
+----------------+--------+----------+-------------------------------------------------------+
| Table          | Op     | Msg_type | Msg_text                                              |
+----------------+--------+----------+-------------------------------------------------------+
| db.wp_comments | repair | info     | Found block that points outside data file at 26984408 |
| db.wp_comments | repair | status   | OK                                                    |
+----------------+--------+----------+-------------------------------------------------------+
2 rows in set (4.23 sec)

That’s now fixed. Note the info line: the repair dropped the block that pointed outside the data file, so any comment rows that lived there are gone. REPAIR TABLE recovers what it can; it does not restore lost data. Check the table again to be 100% sure:

mysql> check table db.wp_comments;
+----------------+-------+----------+----------+
| Table          | Op    | Msg_type | Msg_text |
+----------------+-------+----------+----------+
| db.wp_comments | check | status   | OK       |
+----------------+-------+----------+----------+
1 row in set (0.05 sec)

You can now transfer your MySQL database, dump it or re-migrate it as required.
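When a crash has hit more than one table, checking the whole database and repairing only what reports a problem is quicker than going table by table. The script below is an added example, not part of the original post: it builds one CHECK TABLE statement from a list of table names, parses the tab-separated output that mysql --batch --skip-column-names prints for CHECK TABLE (the same four columns as the sessions above), and emits a REPAIR TABLE statement for each table that reported an error, a warning or a non-OK status. The sample CHECK TABLE output is constructed, and the live pipeline in the trailing comment assumes the Plesk login from the command above.

```shell
#!/bin/sh
# Added example: triage CHECK TABLE output for a whole database and emit
# REPAIR TABLE statements only for the tables that need them.
# Assumes the four tab-separated columns (Table, Op, Msg_type, Msg_text)
# that `mysql --batch --skip-column-names -e 'CHECK TABLE ...'` prints.

# check_statement DB: reads table names (one per line, e.g. from SHOW TABLES)
# on stdin and prints a single CHECK TABLE statement covering all of them.
check_statement() {
    awk -v db="$1" '
        { names = names (NR > 1 ? ", " : "") "`" db "`.`" $0 "`" }
        END { if (NR > 0) print "CHECK TABLE " names ";" }'
}

# tables_needing_repair: reads CHECK TABLE batch output on stdin and prints
# each table that reported an error, a warning, or a non-OK status, once.
# InnoDB tables answer with a "note" that repair is unsupported; those are
# deliberately left out, since REPAIR TABLE cannot help them.
tables_needing_repair() {
    awk '
        BEGIN { FS = "\t" }
        $3 == "error" || $3 == "warning" || ($3 == "status" && $4 != "OK") {
            if (!seen[$1]++) print $1
        }'
}

# repair_statements: turns the table list on stdin into REPAIR TABLE statements.
# The names come from the server's own CHECK TABLE output, not from user input.
repair_statements() {
    while IFS= read -r tbl; do
        printf 'REPAIR TABLE %s;\n' "$tbl"
    done
}

# Constructed sample of CHECK TABLE batch output for three tables; only
# wp_comments is damaged (the same messages as in the session above).
sample_check_output() {
    printf 'db.wp_comments\tcheck\twarning\tTable is marked as crashed\n'
    printf 'db.wp_comments\tcheck\terror\tSize of datafile is: 26984448 Should be: 26985708\n'
    printf 'db.wp_comments\tcheck\terror\tCorrupt\n'
    printf 'db.wp_posts\tcheck\tstatus\tOK\n'
    printf 'db.wp_options\tcheck\tstatus\tOK\n'
}

# Offline run against the constructed sample:
sample_check_output | tables_needing_repair | repair_statements

# Live use on a Plesk server (assumed from the login command above; not run here).
# Take a copy of the affected .MYD/.MYI files before the last stage runs.
#   PW=$(cat /etc/psa/.psa.shadow)
#   mysql -uadmin -p"$PW" -B -N -e 'SHOW TABLES' db | check_statement db \
#     | mysql -uadmin -p"$PW" -B -N | tables_needing_repair | repair_statements \
#     | mysql -uadmin -p"$PW"
```

Against the sample the pipeline prints a single REPAIR TABLE db.wp_comments; line. Review that list before feeding it back to mysql: REPAIR TABLE drops what it cannot recover, so a table with many errors is a candidate for a restore from backup rather than a repair.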