WordPress Security and Auto-Updates

WordPress 4.3.1 was released six days ago and included three security fixes. If you haven’t done anything silly to disable auto-updates, you would have been automatically updated within an hour of the announcement (and in some cases even before the announcement). If you have disabled auto-updates, your site was publicly at risk until you manually updated, and if you still haven’t updated, you had better do so now.

Auto-updates are not only crucial, they are almost quite literally the least you can do to protect your site. When a security update is announced, along with the vulnerabilities being made public, you could trust your site to update itself quickly and efficiently with no effort on your part, or you could disable all of that and keep your site vulnerable until you got around to doing it yourself. Sure, there is a very slim possibility that a feature of a plugin on your site may momentarily break until its developer fixes it, but such a thing is insignificant compared to recovering a hacked site, or losing an unrecoverable hacked site, just because you decided to let it live with publicly known vulnerabilities.

This doesn’t just extend to WordPress core. Plugins and themes get occasional security updates too. While WordPress doesn’t automatically update those by default, you can make it do so by modifying wp-config.php, by using a plugin, or through a service like Jetpack Manage. Just like with WordPress core, the updates will be applied within an hour of the release. And, if you’re worried about losing theme modifications, make sure that you’re using a child theme or a plugin like Jetpack Custom CSS so that you can modify your theme in a way that still allows you to safely update the parent theme.
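Opting plugins and themes into auto-updates, as an added example that is not code from the original post: the filter and constant names are WordPress core’s own, while the file name and the excluded plugin slug are assumptions.

```php
<?php
/*
 * Added example (not from the original post). Save as
 * wp-content/mu-plugins/enable-auto-updates.php: a must-use plugin is
 * loaded before regular plugins and cannot be deactivated from the
 * dashboard, so the opt-in is not lost by accident. File name assumed.
 */

// Core: minor and security releases (like 4.3.1) are automatic by default.
// In wp-config.php, `define( 'WP_AUTO_UPDATE_CORE', true );` also opts in
// to major releases, and `AUTOMATIC_UPDATER_DISABLED` turns everything off.
if ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED ) {
    error_log( 'enable-auto-updates: AUTOMATIC_UPDATER_DISABLED is set; nothing here will take effect.' );
}

// Plugins and themes: core asks these filters before each update. Both
// receive the default decision and an object describing the item.
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );
add_filter( 'auto_update_theme', '__return_true' ); // safe when changes live in a child theme

function example_auto_update_plugin( $update, $item ) {
    // Hypothetical exclusion: a plugin maintained locally whose updates
    // are tested by hand. Everything else updates within the hour.
    if ( isset( $item->slug ) && 'my-locally-maintained-plugin' === $item->slug ) {
        return $update; // keep core's default decision for this one
    }
    return true;
}
```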

When it comes to securing WordPress, there’s a lot you can do, but allowing auto-updates to function is by far the best way to keep your site secure, and almost quite literally the least you can do. Enjoy the freedom and security that auto-updates afford to you and your site.

WordPress 4.2.4 Released

WordPress 4.2.4 has been released. This is a critical security release, addressing 6 security vulnerabilities, as well as 4 bugs (including a few you may have run into during the last security fix).

A huge thanks to the folks who kept us all safe by responsibly disclosing the security vulnerabilities.

If you have not done anything silly to disable automatic updates, you were already updated hours ago. If you did do something silly to disable automatic updates, then your site has been vulnerable to 6 now publicly known security vulnerabilities for at least the past 10 hours, so you should really update manually right now, and then turn your automatic updates back on.

As always, if you run into any trouble, please let us know!

Security, Privacy, and Resetting the Net

Accusations of online surveillance by government entities are rampant. By now, you have all seen or heard of at least one clandestine government program, like PRISM, designed to spy on citizens by circumventing what was once considered to be fundamental security.

The validity of these accusations and programs is in question, as would be expected. Is there really a threat? If so, is it really as bad as described? Are those spreading the accusations seeking only to undermine the stability of their governments? Are those defending their governments simply working for their governments or living in fear of them? I doubt we’ll ever know the truth, but why should we let that stop us from protecting ourselves regardless?

Today, over 12 thousand people joined together, reaching over 12 million followers, to Reset the Net by promoting security and privacy. Companies like WordPress.com are already promising better security by the end of the year, and you can protect yourself now by adopting many security-focused apps and privacy-focused alternatives to popular web services, like using DuckDuckGo instead of Google. By making ourselves more secure users, we promote a more secure and private internet. Whether online surveillance by government entities truly exists or not, how could you say that a more secure and private internet is a bad thing?

Now, get out there and promote a more secure and private internet! Don’t underestimate the power of your voice online. Be the change you want to see in the world.

Disclosing a Security Vulnerability

Some of you are coming here from a site where this blog was apparently featured as an example of how to exploit a security vulnerability. I won’t link to it, because what that individual did was irresponsible, but it gives me the opportunity to hopefully educate some people.

There are many ways to disclose a security vulnerability, but the only right way and the only responsible way is to do it privately. If you publicly disclose a security vulnerability, you have made the world aware of both its existence and how to exploit it, endangering thousands (perhaps millions) of unsuspecting users. You are not the hero when you publicly disclose a security vulnerability, you’re the villain.

Many developers and companies have multiple ways to contact them privately. If you have found a security vulnerability, contact the developer or company privately via their official security report system or any private contact method you can find. If you can’t find one, contact them publicly and ask them to get in touch with you because you have found a security vulnerability. Any good developer or company will reply immediately via a private channel. Once you have privately disclosed the vulnerability, give them a few days to resolve the issue while it’s still known only to you, and feel free to publicly disclose it once the security vulnerability has been removed.

Be responsible by disclosing security vulnerabilities privately, not publicly.

Two Step Authentication on WordPress.com

If you have a WordPress.com blog, now is the perfect time to make your account more secure with our new two step authentication! Two step authentication (also referred to as two-factor authentication) requires you to enter a one-time secret code from your mobile device whenever you log in, after entering your password of course, which is hopefully a strong password (and you should consider changing that if it isn’t). This means that, with two step authentication enabled, an attacker would need to both know your password and have physical possession of your mobile device to gain access to your account.

All you need to use two step authentication at WordPress.com is an iOS, Android, or BlackBerry mobile device (it doesn’t have to be a cellphone, but you do need to connect to the internet once to set it up). If you don’t have any of these, you can also use a cellphone capable of receiving text messages.

We’re looking into ways to bring our two step authentication system to self-hosted WordPress.org blogs soon, and you’ll see an announcement on the Jetpack blog when we’re ready. Until then, try the Google Authenticator plugin with your self-hosted blog.
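How the one-time code from the mobile device gets checked on the server, as an added example that is not WordPress.com’s implementation or the Google Authenticator plugin’s code: it implements TOTP (RFC 6238, the scheme Google Authenticator uses) with clock-drift tolerance and a replay check, using a constructed demo secret taken from the RFC test vectors.

```php
<?php
// Authenticator apps exchange the shared secret as Base32 (RFC 4648).
function base32_decode_rfc4648( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits     = '';
    foreach ( str_split( strtoupper( rtrim( $b32, '=' ) ) ) as $c ) {
        $bits .= str_pad( decbin( strpos( $alphabet, $c ) ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}
// HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, dynamic
// truncation to 31 bits, then the low six decimal digits.
function hotp( $secret, $counter ) {
    $hash   = hash_hmac( 'sha1', pack( 'N*', 0, $counter ), $secret, true );
    $offset = ord( $hash[19] ) & 0x0f;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $code % 1000000 ), 6, '0', STR_PAD_LEFT );
}
// TOTP (RFC 6238): the counter is the number of 30-second steps since the epoch.
function totp( $secret, $time ) {
    return hotp( $secret, (int) floor( $time / 30 ) );
}
// Server-side check: accept the current step and one either side (clock drift),
// compare in constant time, and reject any step at or before the last one
// accepted so an intercepted code cannot be replayed. Returns the step or false.
function verify_totp( $secret, $submitted, $time, $last_used_step ) {
    $step_now = (int) floor( $time / 30 );
    for ( $w = -1; $w <= 1; $w++ ) {
        $step = $step_now + $w;
        if ( $step > $last_used_step && hash_equals( hotp( $secret, $step ), $submitted ) ) {
            return $step; // caller persists this as the new last-used step
        }
    }
    return false;
}

// Constructed demo: the RFC 6238 test secret "12345678901234567890" in Base32.
$secret = base32_decode_rfc4648( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
echo totp( $secret, 59 ) === '287082' ? "matches the RFC 6238 SHA1 test vector\n" : "mismatch\n";
echo verify_totp( $secret, '287082', 59, 1 ) === false ? "replay of step 1 rejected\n" : "replay accepted!\n";
```

The password check still happens first; this routine only decides whether the second factor is valid, which is why an attacker needs both the password and the device holding the secret.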