Posts Tagged ‘Security’

WordPress 3.3.2 Security Update

Sunday, April 22nd, 2012


WordPress has published version 3.3.2. It is a critical security update. According to the WordPress Developers Blog, three external libraries bundled with WordPress (Plupload, SWFUpload, SWFObject) received security updates. WordPress 3.3.2 also addresses:
– Limited privilege escalation where a site administrator could deactivate network-wide plugins when running a WordPress network under particular circumstances.
– A cross-site scripting vulnerability when making URLs clickable.
– Cross-site scripting vulnerabilities in redirects after posting comments in older browsers, and when filtering URLs.
The full list of changes made in version 3.3.2 is available here.
PHP developers can see the source code changes directly using this link.
If you haven’t installed this update yet, do it right now. It’s very important to defend your lovely blog as much as possible.


delete_themes WordPress user capability

Monday, March 19th, 2012


Which capability do you add or remove in order to allow or prohibit WordPress theme deletion? That’s simple, you may say: of course the delete_themes user capability. It is clear from its name, isn’t it? You are right, but that is not the whole truth. It’s useful to know that if you don’t have the switch_themes capability on a single-site WordPress installation, you cannot delete the selected theme, even if you click the ‘Delete’ command in the WordPress interface. Interesting? Continue reading for a more detailed description or (if you are curious enough) even look inside the WordPress core source code together with me.
I found the delete_themes capability in these WordPress core files:
wp-admin\themes.php;
wp-admin\network\themes.php;
wp-admin\includes\class-wp-ms-themes-list-table.php;
wp-admin\includes\class-wp-themes-list-table.php;
wp-includes\capabilities.php;
wp-admin\includes\schema.php.


delete_plugins WordPress user capability

Saturday, March 17th, 2012


The delete_plugins WordPress user capability allows a user to delete inactive plugins. Such a user has to have access to the “Plugins” menu in the WordPress administrator back-end (which requires the activate_plugins capability). To delete a plugin, the user can use the plugin row link, which is shown under each plugin name, or a bulk action, applied to the selected set of plugins simultaneously.
The delete_plugins capability is used inside these WordPress core files:
wp-admin/plugins.php;
wp-admin/includes/class-wp-plugins-list-table.php;
wp-admin/includes/schema.php;
wp-includes/capabilities.php.
Proceed reading if you wish to look inside the WordPress core code and get more details.


Block posting to selected categories

Sunday, February 19th, 2012


Block posting to a list of selected categories on a per-role basis – is it possible? If you wish to prevent your WordPress blog authors, or users with a custom created role, from posting to some categories, you can do it with the piece of PHP code below (read the entire post to get it).

Just copy it and paste it into your active theme’s functions.php file (wp-content/themes/your-theme/functions.php) and insert the IDs of the categories to block. You can get the ID of a category on the Categories page: move the mouse over the ‘Edit’ link of the selected category and look at the link shown at the bottom of your browser. Search for ‘tag_ID=’ there; the number to the right of it is the category ID.
Congratulations! That’s all. You got it.


WordPress 3.3.1 Security Update

Tuesday, January 3rd, 2012

WordPress 3.3.1 has been available since January 3rd, 2012. Version 3.3.1 is a security update and fixes 15 bugs. While I didn’t run into any bugs in version 3.3 myself (did you?), I updated my blogs as soon as I got the message that this security update (it fixes a cross-site scripting vulnerability that affected version 3.3) was available. The same is highly recommended for other WordPress blog owners.
Don’t wait until hackers exploit an existing vulnerability: update your WordPress installation today, and don’t allow the bad guys to use old and already closed back doors into your sweet WordPress blog home.

For more information, see the official release notes.

Phishing email to steal PayPal account

Saturday, December 3rd, 2011

Phishing email - original image is iStockphoto.com/Dave Pilibosian


Checking my email this morning, I got a warning about a change to my PayPal personal information. The first thought I was supposed to have: “Oh, my God! Someone compromised my PayPal account. I should go there and check as fast as possible. Oh, I see the PayPal link right here in the email text. Click it, enter my login credentials to check my account…”. Could you have such thoughts in a similar situation? I think you could. Do not hurry. This is very important at such a moment – do not do stupid things. The scammer is waiting for you to go this way and act out his scenario. Do not become a victim.
First of all, remember which email address your PayPal account is registered with, and look at which email address received this message. A different one? Don’t worry about it. Investigate it together with me, just for pleasure, and delete it. Second, we should always check which email address such a message was sent from. My email client shows ‘PayPal <support@pula.net>’. Is it from the paypal.com domain? No. Delete this message.


Ultimate Security Checker WordPress plugin review

Saturday, October 22nd, 2011


As a WordPress blog owner who spends hours on its content, you should be concerned about your product’s security. Otherwise it is possible to lose all that hard-earned content in a minute. There are a lot of malicious software bots and damn brainless young crackers permanently trying to hack our blogs. And while it is easy to restore the original content from a fresh backup copy (do you have one?), it is much harder (if possible at all) to restore a lost reputation if your blog was used as a spammer base or showed some bad content after a hack incident.
Are you sure that your beloved blog is secure?
The Ultimate Security Checker WordPress plugin is a tool that can check your blog for security issues and recommend how to fix them. At the time of this review, version 2.7.0 is available in the WordPress repository. I tested it successfully with WordPress versions 3.2.1 and 3.3 Beta. What does “Ultimate Security Checker” offer its users?
