WordPress 4.6.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.
WordPress versions 4.6 and earlier are affected by two security issues: a cross-site scripting vulnerability via image filename, reported by SumOfPwn researcher Cengiz Han Sahin; and a path traversal vulnerability in the upgrade package uploader, reported by Dominik Schilling from the WordPress security team.
In short, don’t dilly-dally.
With the huge number of sites running WordPress, and the frequency with which attackers exploit vulnerabilities on the platform to launch malicious attacks, it makes sense for self-hosting bloggers to update their systems as soon as possible.
Security vulnerabilities are frequently uncovered in third-party WordPress plugins, but the above fix addresses bugs in the main WordPress content management system itself. This means that just about any site running WordPress could be at risk, whatever plugins it has installed.
Fortunately, updating is pretty easy. Go to your WordPress admin panel and choose Dashboard > Updates.
Of course, it’s always good practice to test a new version of the software on a non-live version of your site first (often known as a staging site) – just in case.
Since WordPress 3.7 was released in October 2013, the software has come with the option of automatic security updates – hopefully ensuring that many site admins won’t have to worry so much about whether they have kept their software updated or not.
But, of course, there will always be those who don’t have automatic updates enabled and may miss the news.
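For admins who look after several self-hosted installs, here is an added example (not part of the article or of WordPress itself) that reads the version string WordPress keeps in wp-includes/version.php and reports whether the install predates the 4.6.1 security release; the sample file contents below are constructed.

```python
"""Added example: flag a self-hosted WordPress install that is older than
the 4.6.1 security release by reading $wp_version from wp-includes/version.php."""
import re
from typing import Tuple

FIXED_IN = "4.6.1"  # the security release announced in the article
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'\s*;")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Split '4.6.1' into ((4, 6, 1), '') and '4.7-alpha-1' into ((4, 7, 0), 'alpha-1').
    A missing trailing component counts as 0, so '4.6' sorts below '4.6.1'."""
    main, _, pre = text.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums += (0,) * (3 - len(nums))
    return nums, pre


def extract_version(version_php: str) -> str:
    """Pull the version string out of the contents of wp-includes/version.php."""
    match = VERSION_RE.search(version_php)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def needs_update(installed: str, fixed: str = FIXED_IN) -> bool:
    """True when the installed version is older than the fixed release.
    A pre-release of the fixed version (e.g. 4.6.1-RC1) still counts as older;
    development builds of a later branch are judged by their numeric target."""
    inst_nums, inst_pre = parse_version(installed)
    fix_nums, _ = parse_version(fixed)
    if inst_nums != fix_nums:
        return inst_nums < fix_nums
    return bool(inst_pre)


def audit(version_php: str) -> dict:
    """Summarise one install: installed version, fixed version, and whether it needs updating."""
    installed = extract_version(version_php)
    return {"installed": installed, "fixed_in": FIXED_IN, "needs_update": needs_update(installed)}


# Constructed sample of what the file looks like on a 4.6 install (trimmed to the relevant line).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '4.6';\n"

if __name__ == "__main__":
    print(audit(SAMPLE_VERSION_PHP))
```

Run it against the real file with `audit(open("wp-includes/version.php").read())` from the document root of each site; anything reported as needing an update should be patched through Dashboard > Updates.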
Note: Sites running self-hosted versions of WordPress from WordPress.org are different from the many millions of blogs which run on WordPress.com. WordPress.com, run by Automattic, manages the installation of WordPress for you, and looks after security on your behalf.
Although there are some limitations on what website owners can do on WordPress.com, they can always be sure that they are running the latest version of WordPress.
Don’t worry if you find the names confusing. Everyone finds the names confusing. It’s kinda crazy.