It’s been a big few weeks for the WordPress community.
Last Thursday, WordPress 4.0 (nicknamed “Benny” after legendary bandleader Benny Goodman) was released to the public. While it certainly brings some new features and improvements over the previous versions, the fact that it’s a “round number version” doesn’t mean it’s an overhaul or brings drastic changes — it doesn’t.
The WordPress team has put together this video to show off some of the updates:
If you don’t want to watch the video, here are the bullet points:
Digital Ink clients will have the sites updated to WordPress 4.0 already (many already have).
The Revolution Slider, a popular plugin bundled with many themes from ThemeForest (one of the most popular theme markets) and available independently from CodeCanyon, a plugin marketplace, was found to have a pretty big security hole in it.
The security team at Sucuri explains:
This is used to steal the database credentials, which then allows you to compromise the website via the database.
This type of vulnerability is known as a Local File Inclusion (LFI) attack. The attacker is able to access, review, or download a local file on the server. This, in case you’re wondering, is a very serious vulnerability that should have been addressed immediately.
It’s a big deal. Part of the problem is that many sites have this plugin because it’s bundled in with the theme they’ve purchased, which doesn’t allow them to update the plugin independently.
According to WP Tavern, more than 1,000 themes on ThemeForest have potentially been affected by the issue. If you’re not sure if the theme you’re running has the vulnerability, click on this link to see if it’s listed.
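As an added illustration (not from the original post, and not Sucuri's or the plugin's code), here is a small Python check a site owner could run over web server access logs to spot the kind of local file inclusion attempt described above, where a request tries to pull `wp-config.php` (the file holding the WordPress database credentials) through a plugin endpoint. The plugin action name, parameter name and log lines are constructed placeholders, not the real plugin's.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format). The
# "example_plugin_show" action and "img" parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2014:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_show&img=../../wp-config.php HTTP/1.1" 200 3122 "-" "curl/7.30"
203.0.113.5 - - [10/Sep/2014:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=example_plugin_show&img=..%2F..%2Fwp-config.php HTTP/1.1" 200 3122 "-" "curl/7.30"
198.51.100.7 - - [10/Sep/2014:10:02:11 +0000] "GET /wp-content/plugins/example-plugin/public/slider.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2014:10:03:44 +0000] "GET /?p=42 HTTP/1.1" 200 15422 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# wp-config.php is where WordPress keeps the database credentials the
# quoted advisory says an LFI is used to steal.
SENSITIVE = ("wp-config.php",)

def decode_uri(uri, rounds=3):
    """Percent-decode repeatedly, since traversal sequences are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri

def is_lfi_attempt(uri):
    """True if the decoded URI combines path traversal with a sensitive file name."""
    decoded = decode_uri(uri).lower()
    traversal = "../" in decoded or "..\\" in decoded
    return traversal and any(name in decoded for name in SENSITIVE)

def find_lfi_attempts(log_text):
    """Return (ip, status, uri) for every request that looks like an LFI attempt."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_lfi_attempt(m.group("uri")):
            hits.append((m.group("ip"), int(m.group("status")), m.group("uri")))
    return hits

if __name__ == "__main__":
    for ip, status, uri in find_lfi_attempts(SAMPLE_LOG):
        # A 200 on such a request suggests the file was served; treat the site as compromised
        # and rotate the database credentials after patching the plugin.
        print(f"{ip} status={status} uri={uri}")
```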
While we’re on the topic of security, the company behind WordPress, Automattic, announced it has recently acquired BruteProtect, developers of a popular security management plugin.
The plugin offered a premium service that Automattic is making free to both users of its hosted WordPress.com platform as well as standalone WordPress users (through its Jetpack plugin). BruteProtect stops malicious login attempts from robots, provides uptime monitoring and is developing malware scanning tools, according to TechCrunch.
The story of BruteProtect’s development is a good one — read it here on their blog.