WordPress bloggers ‘strongly encouraged’ to immediately apply security update

Vulnerabilities discovered. Don’t dilly-dally, patch your website now!

Graham Cluley

WordPress writes:

WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.

In short, don’t dilly-dally.

With the huge number of sites running WordPress, and the frequency with which attackers exploit vulnerabilities on the platform to launch malicious attacks, it makes sense for self-hosting bloggers to update their systems as soon as possible.

Security vulnerabilities are frequently uncovered in third-party WordPress plugins, but this fix addresses bugs in the core WordPress content management system itself, which means that just about any site running WordPress could be at risk.

Fortunately, updating is pretty easy. Go to your WordPress admin panel and choose Dashboard > Updates.

Of course, it’s always good practice to test a new version of the software on a non-live version of your site first (often known as a staging site) – just in case.

Since WordPress 3.7 was released in October 2013, the software has come with the option of automatic security updates – hopefully ensuring that many site admins won’t have to worry so much about whether they have kept their software updated or not.

But, of course, there will always be those who don’t have automatic updates enabled and may miss the news.
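For self-hosters who want a quick inventory check rather than relying on the news reaching them, here is an added example (not from the post or from WordPress) that reads the version string out of a local install's wp-includes/version.php and flags anything older than the 4.6.1 release. The function names are my own, and the sample file content below is constructed.

```python
import re
from pathlib import Path

# Security release named in the post: 4.6 and earlier are affected.
FIXED_VERSION = "4.6.1"

# Matches the assignment in wp-includes/version.php, e.g.  $wp_version = '4.6';
_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# Pre-release tags sort below the release they precede; a bare release ranks highest.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(version):
    """Turn '4.6', '4.6.1' or '4.6-RC1' into a comparable (major, minor, patch, rank) tuple."""
    core, _, suffix = version.strip().partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))            # '4.6' is treated as 4.6.0
    match = re.match(r"(alpha|beta|rc)", suffix, re.IGNORECASE)
    rank = _PRERELEASE_RANK[match.group(1).lower()] if match else 3
    return tuple(parts[:3]) + (rank,)


def is_vulnerable(version):
    """True when the version predates the 4.6.1 security release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_php(php_source):
    """Extract $wp_version from the text of wp-includes/version.php."""
    match = _VERSION_RE.search(php_source)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def audit_install(wp_root):
    """Read <wp_root>/wp-includes/version.php and report whether the install needs updating."""
    php = (Path(wp_root) / "wp-includes" / "version.php").read_text()
    version = version_from_php(php)
    return {"version": version, "vulnerable": is_vulnerable(version)}


# Constructed stand-in for version.php from an unpatched 4.6 install (not real file content).
SAMPLE_VERSION_PHP = "<?php\n/**\n * The WordPress version string\n */\n$wp_version = '4.6';\n"

if __name__ == "__main__":
    found = version_from_php(SAMPLE_VERSION_PHP)
    for v in (found, "4.5.3", "4.6-RC1", "4.6.1", "4.7-alpha-38455"):
        print(f"{v:16} {'UPDATE NOW' if is_vulnerable(v) else 'patched'}")
```

Point audit_install() at the document root of a real install to check it; trunk nightlies such as 4.7-alpha sort above 4.6.1 and are reported as patched.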

Note: Sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.

Although there are some limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.

Don’t worry if you find the names confusing. Everyone finds the names confusing. It’s kinda crazy.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
