March 7, 2017 Update: WordPress has now released version 4.7.3 that also includes important security updates! We recommend that all WordPress sites upgrade directly to 4.7.3. Click here to read the full security notes.
In January 2017, the WordPress core team released two security updates, 4.7.1 and 4.7.2, which fixed several important security issues, and strongly encouraged all WordPress users to update their sites immediately to not be at risk. As web development experts, Logic also suggests that all WordPress sites comply with these recommendations and update their sites to WordPress version 4.7.2 as soon as possible.
What do the updates do?
WordPress 4.7.1 addressed eight security issues that affected WordPress versions 4.7 and earlier:
- Remote code execution (RCE) in PHPMailer – No specific issue appeared to affect WordPress or any of the major plugins that the WordPress team investigated but, out of an abundance of caution, they updated PHPMailer in this release. This issue was fixed in PHPMailer.
- The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
- Cross-site scripting (XSS) via the plugin name or version header on update-core.php.
- Cross-site request forgery (CSRF) bypass via uploading a Flash file.
- Cross-site scripting (XSS) via theme name fallback.
- Post via email checks mail.example.com if default settings aren’t changed.
- A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
- Weak cryptographic security for multisite activation key.
WordPress 4.7.2 addressed four additional security issues that were prevalent in earlier versions:
- The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it.
- WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.
- A cross-site scripting (XSS) vulnerability was discovered in the posts list table.
- An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.
A full list of security and WordPress updates can be found here: https://wordpress.org/news/
What should I do to be safe?
There are a couple options a site owner can select from to ensure their WordPress site is secure and the optimal next step is taken.
- Upgrade the site to WordPress 4.7. If your WordPress is running on any of the earlier versions (e.g. WordPress 4.3, 4.4, 4.5, or 4.6), this is an excellent opportunity to upgrade the entire platform. Making sure your platform is on the latest major version is important to keeping on top of security updates and ensuring your site doesn’t fall behind modern technologies.
- Apply the security updates. WordPress 4.7 has been downloaded over 10 million times since its release on December 6, 2016, which means that many sites are in need of the security releases. 4.7.1 and 4.7.2 addresses significant vulnerabilities, so upgrading your site immediately is recommended.
- Contact your local website developer to perform a site assessment and assist you with the update. Since WordPress 4.7 is a major release, Logic can help you provision an identical staging environment to upgrade the WordPress core before pushing to production. On this staging environment, you can review the site to confirm nothing is affected by the upgrade. Once everything looks good, we can help you push the update to your production server. Plus, we have over 20 years experience in top-quality web development, so you know you’re in good hands.
- Use the opportunity to assess your site’s design and usability. If you’re looking to make a version jump (e.g. from WordPress 4.6 to 4.7), this would be a great chance to reskin and retheme your site, clean up your content, and improve its overall function. Is your site performing as well as you’d like it to right now? Is it responsive? Are your users engaged and is your navigation/content effective? Could the site be improved for you or your end users with integrations to 3rd-party systems? These are all important features to keep in mind!
How critical is this security update, really?
Well, since it applies to the security of your site…it is VERY important. Don’t wait until your site is hacked or after you’ve lost potential leads or revenue. Take action and call up a web development expert today!
Looking for website design & development help?
Logic Solutions has you covered!
We specialize in WordPress and Drupal, and love content writing, UI/UX, technical development, site integrations, and more!
Jennifer Pan is a mild-mannered digital marketing coordinator at Logic Solutions by day and a daring stuntwoman, swordfighter, and aerialist by night. She is known to run off with the circus on the weekends. Her attempts to convince her marketing coworkers to join her for aerial silks classes have been unsuccessful though.