WordPress 4.7.2 was released on January 26th, 2017. It fixes an unauthenticated privilege escalation vulnerability in a REST API endpoint, and the WordPress project advises users to update their sites immediately.
According to Sucuri, who reported the issue, editing content through the REST API produces a request that an attacker can alter: by modifying the URL, the attacker can bypass the account verification and view the site's content directly through the REST API. In addition, the vulnerability even allows an unauthenticated user to modify the content of any post or page within a WordPress site.
Sucuri provides technical details of the vulnerability in its blog and concludes:
This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Update now!
According to the official WordPress news, WordPress 4.7.1, a security release, was published 36 days after the official release of WordPress 4.7.
This version fixes vulnerabilities that affect all previous versions of WordPress, so Tomas Zhu recommends upgrading promptly. Before upgrading, please back up your modified theme files, the WordPress files and the database.
This security release addresses 8 issues:
1. Remote code execution (RCE) in PHPMailer – No specific issue appears to affect WordPress or any of the major plugins we investigated but, out of an abundance of caution, we updated PHPMailer in this release.
2. The REST API exposed user data for all users who had authored a post of a public post type. WordPress 4.7.1 limits this to only post types which have specified that they should be shown within the REST API.
3. Cross-site scripting (XSS) via the plugin name or version header on update-core.php. Reported by Dominik Schilling of the WordPress Security Team.
4. Cross-site request forgery (CSRF) bypass via uploading a Flash file.
5. Cross-site scripting (XSS) via theme name fallback.
6. Post via email checks mail.example.com if default settings aren’t changed.
7. A cross-site request forgery (CSRF) was discovered in the accessibility mode of widget editing.
8. Weak cryptographic security for multisite activation key.
If you are not a technical professional these may seem to have little impact, but for safety's sake Tomas Zhu recommends upgrading promptly.
In addition to fixing these 8 security vulnerabilities, WordPress 4.7.1 also fixes 62 bugs in WordPress 4.7. WordPress has pushed the update notification to your site's admin area; after backing up all your data (the modified theme files, the WordPress files and the database), you can update from there.
This version introduces no compatibility issues with language packs, themes or plugins, so you can update as soon as you have a backup.
A friend asked me why every page on his WordPress site returned "404 page not found" after he enabled a pretty permalink structure. A quick check showed that he had not enabled mod_rewrite in his Apache at all. The fix steps are recorded here:
1: SSH to your server and log in as root; on Ubuntu, the command will be
2: Activate mod_rewrite for your site; on Ubuntu, the command is:
sudo a2enmod rewrite
then restart Apache; on Ubuntu, this is:
sudo service apache2 restart
3: Allow .htaccess overrides. WordPress writes all its rewrite rules to .htaccess, so on Ubuntu you need to change the Apache config file like this:
Speaking of WordPress, its colorful themes and all-powerful plugins are what attract us most. WordPress automatically generates thumbnails for the pictures users upload, and having thumbnails in several sizes lets a theme make the most of its visual design.
Generally, once a theme is installed, thumbnails are generated in the sizes it needs, so the theme can use them automatically or we can insert the images into a page by hand. The problem comes when we switch to a new theme, which probably needs thumbnail sizes different from the previous one. There are several ways to regenerate thumbnails at that point, but for me the simplest, most thorough and cleanest way is to regenerate every thumbnail on the whole site.
If you search the internet, you will find that two plugins, Regenerate Thumbnails and AJAX Thumbnail Rebuild, appear frequently in recommendation lists. Tomas Zhu has only used Regenerate Thumbnails: on a self-built server I set the PHP execution time limit very high, and the site does not have that many pictures, so the regeneration completed successfully. For sites with a large number of images, AJAX Thumbnail Rebuild may be the better choice; its description says it solves the problem of a large number of pictures exceeding the PHP execution time limit:
When you have a lot of full-size photos, the script on the server side takes a long time to run. Unfortunately the time a script is allowed to run is limited, which sets an upper limit to the number of thumbnails you can regenerate. This number depends on the server configuration and the computing power your server has available. When you get over this limit, you won’t be able to rebuild your thumbnails. AJAX Thumbnail Rebuild allows you to rebuild all thumbnails at once without script timeouts on your server.
Image compression not only speeds up image loading for visitors but also reduces server bandwidth. EWWW Image Optimizer is a WordPress image optimization plugin that automatically optimizes images as they are uploaded, mainly by reducing file size. Its settings page in the admin panel lets you choose lossy compression; lossless compression is the default. It can also optimize images you have already uploaded and automatically convert images to the file format that produces the smallest size.
Its description reads: "Reduce image sizes in WordPress including NextGEN, GRAND FlAGallery, FooGallery and more using lossless/lossy methods and image format conversion." EWWW Image Optimizer is a very popular image optimization plugin with more than 400,000 downloads.
I replied to a WordPress user's question, but I think my answer was not fully correct, so I'd like to give a more detailed reply here. The user's problem was that when he tried to upgrade his WordPress, the dashboard asked for "The login credentials for FTP to update WP using FTP. Hostname, FTP Username, FTP Password".
I am not tech literate beyond bare basics, I have used WP MultiSites for years online. No experience with servers ever and some minor dabbles in the files.
I don’t know:
The login credentials for FTP to update WP using FTP.
Hostname, FTP Username, FTP Password
I have done this local install solely to learn WP – not for development or staging. I appreciate any input and direction to easy to comprehend sources of information. I have not had success with the WP Codex finding or using info from it in general.
Below is what I replied:
I am working on Linux too. I guess if you used the default install, the folder will be /var/www/html? Also, maybe your Apache user:group is "apache:apache"? If so, maybe you can try:
chown -R apache:apache /var/www/html
But I think my reply was not fully correct. There are many Linux distributions, and my answer only helps on a few of them, so it is not enough if we want to solve this problem on all Linux platforms.
So first, let's look at why the "The login credentials for FTP to update WP using FTP. Hostname, FTP Username, FTP Password" problem happens. When you try to update, install, delete or upgrade plugins or themes, or update the WordPress core code, WordPress calls the function get_filesystem_method(), whose docblock reads:
/**
 * Determines which method to use for reading, writing, modifying, or deleting
 * files on the filesystem.
 *
 * The priority of the transports are: Direct, SSH2, FTP PHP Extension, FTP Sockets
 * (Via Sockets class, or `fsockopen()`). Valid values for these are: 'direct', 'ssh2',
 * 'ftpext' or 'ftpsockets'.
 */
The function then tries to create a temp file like this:
If WordPress cannot create the temp file, it asks you for FTP or SSH credentials.
So the root problem is that the temp file cannot be created in your WordPress installation folder.
My answer was right, but not fully right: on CentOS the default Apache user and group are both apache, but many Linux systems use a different Apache user name and group name. To get the correct default Apache user and group, we need to look at:
You will find it saying:
# Since there is no sane way to get the parsed apache2 config in scripts, some
# settings are defined via environment variables and then used in apache2ctl,
# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
This is on Ubuntu, where the Apache user name and group name are www-data, so on Ubuntu, if you want to avoid "The login credentials for FTP to update WP using FTP. Hostname, FTP Username, FTP Password", you need to use this:
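To check the temp-file probe described above on your own server, here is an added diagnostic script (not WordPress core code) that repeats what get_filesystem_method() does and reports the owners involved. It assumes you run it as the web server user; the path /var/www/html, the user www-data and the file name wp-fs-check.php are placeholders.

```php
<?php
// Added diagnostic, not WordPress core code: repeats the probe that
// get_filesystem_method() runs before it chooses the 'direct' transport, so
// you can see why the FTP prompt appears. Run it as the web server user from
// the install directory, e.g.  sudo -u www-data php wp-fs-check.php /var/www/html
// (the path and user name are assumptions; read the real user from your Apache
// configuration as shown above).

// Map a uid to a login name when the posix extension is available.
function fs_user_name( int $uid ): string {
    $pw = function_exists( 'posix_getpwuid' ) ? posix_getpwuid( $uid ) : false;
    return $pw ? $pw['name'] : (string) $uid;
}

function wp_fs_check( string $wp_dir ): array {
    $wp_dir = rtrim( $wp_dir, '/' ) . '/';
    // WordPress compares the owner of its own PHP files with the owner of a file
    // it has just created; the install directory stands in for those files here.
    $wp_owner = fileowner( $wp_dir );
    $proc     = fs_user_name( function_exists( 'posix_geteuid' ) ? posix_geteuid() : getmyuid() );

    // Same probe as WordPress: a uniquely named temp file inside the install dir.
    $probe = $wp_dir . 'temp-write-test-' . str_replace( '.', '-', uniqid( '', true ) );
    $fh    = @fopen( $probe, 'w' );
    if ( ! $fh ) {
        return array(
            'method' => 'ftp/ssh prompt',
            'reason' => "$proc cannot create files in $wp_dir (owned by " . fs_user_name( $wp_owner ) . ')',
        );
    }
    fclose( $fh );
    $new_owner = fileowner( $probe );
    unlink( $probe );

    if ( $new_owner === $wp_owner ) {
        return array( 'method' => 'direct', 'reason' => "new files and WordPress files are both owned by $proc" );
    }
    return array(
        'method' => 'ftp/ssh prompt',
        'reason' => 'new files belong to ' . fs_user_name( $new_owner ) . ' but WordPress files belong to '
            . fs_user_name( $wp_owner ) . "; fix with: chown -R $proc:$proc $wp_dir",
    );
}

if ( PHP_SAPI === 'cli' ) {
    $r = wp_fs_check( $argv[1] ?? getcwd() );
    printf( "method: %s\nreason: %s\n", $r['method'], $r['reason'] );
}
```

When the report says "direct", WordPress will update without asking for credentials; any other result tells you which owner mismatch to fix.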
A reader contacted me saying his site was "shut down": there was only a white screen with the message "Briefly unavailable for scheduled maintenance. Check back in a minute", and after waiting more than a day the site was still down, stuck in maintenance mode.
This happens because his site was set to automatic upgrade mode. Sometimes the hosting has a small problem; for example, WordPress successfully removed the files from the bbpress plugin folder but failed to remove the bbpress folder itself, so the upgrade could not finish. To avoid any risk, WordPress adds a maintenance file to your installation folder before an upgrade and removes it only when the upgrade completes successfully. That is why the site keeps showing "Briefly unavailable for scheduled maintenance. Check back in a minute": whenever the maintenance file is present in your WordPress installation folder, your site shows only that message.
Fixing the problem is very easy:
1: Log in via FTP or cPanel, open the plugins or themes folders and sort by modification time. Check the recently updated folders; in general, you will find that some folders and files in them have problems. Simply remove those folders, download the official code from wordpress.org and upload it again.
2: Go to your WordPress installation folder and remove the ".maintenance" file.
3: Open your front end; you will find the site is back.
My suggestion: when you update your site, install a coming-soon or maintenance plugin, add a note and a countdown, for example "we will be back in about 02:15:25", so your users know the site is under maintenance and will come back about 2 hours later. A good coming-soon plugin should also return a 503 status. 503 Service Unavailable means the web site's server is not available, usually because of maintenance or server overload, and returning it helps your SEO.
When you develop a WordPress plugin, an important goal is keeping your users safe. A few years ago we had to use functions like addslashes, stripslashes or $wpdb->escape($var) to guard against security problems coming from user input. Fortunately for WordPress developers, WordPress has improved its security quickly in recent years, and the WordPress team has done a lot of work to make this easier.
How to Secure Your WordPress Plugin?
To block actions from unauthorized users, you can use WordPress nonces. What is a nonce? It means "number used once" and looks like a random number such as '43a45ab95c' (actually it is not a number but a hash of digits and letters, generated based on the current time). If you use nonces in your URLs or forms, you will see a "tail" such as "_wpnonce=43a45ab95c"; on the server side, if the value is not right, you can refuse to insert data into your database or to show anything more to the unauthorized user. This is how you stop Cross Site Request Forgery.
How to add WordPress nonces to your plugin?
It is very easy. 1: If you want to redirect the user to a URL, we generally use the 'wp_safe_redirect' function like this:
2: On the server side, call check_admin_referer in the section that processes $_POST, like this:
check_admin_referer( 'tomas_insert_messagebox' ); // stops here with a 403 page if the nonce is missing or invalid
// insert into your database
// your other code
check_admin_referer() verifies the nonce, and if the data submitted from the front end is not trusted it calls wp_nonce_ays(). That function looks at your action: for example, if you are trying to log out, WordPress shows a white panel saying "You are attempting to log out of Tomas Zhu"; for other actions it says something like "Are you sure you want to do this?". Finally WordPress returns a 403 with "WordPress Failure Notice".
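Putting both steps together, here is an added example of a small plugin that protects a form with a nonce (it is not code from this post or from WordPress core). The action name 'tomas_insert_messagebox' is the one used above; the option name, form fields and function names are assumptions.

```php
<?php
// Added example, not code from the post or from WordPress: a minimal plugin
// that protects an admin-side form with a nonce. The action name
// 'tomas_insert_messagebox' is the one used above; the option name, the
// form fields and the function names are assumptions.

// 1. Print the form with a hidden _wpnonce field (plus a _wp_http_referer field).
//    WordPress derives the nonce from the current 12-hour tick, the user's
//    session and the action name, so it cannot be guessed or reused elsewhere.
function tomas_messagebox_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'tomas_insert_messagebox' ); ?>
        <input type="hidden" name="action" value="tomas_insert_messagebox">
        <textarea name="message"></textarea>
        <?php submit_button( 'Save message' ); ?>
    </form>
    <?php
}

// 2. Handle the POST. check_admin_referer() ends the request with the
//    "Are you sure you want to do this?" 403 page when the nonce is missing,
//    expired, or was issued for a different user or action.
function tomas_messagebox_save() {
    check_admin_referer( 'tomas_insert_messagebox' );

    // A valid nonce proves the request came from a form we issued; it does not
    // prove the user may do this, so the capability is still checked.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Sanitize the input; update_option() takes care of database escaping.
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ?? '' ) );
    update_option( 'tomas_messagebox', $message );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_tomas_insert_messagebox', 'tomas_messagebox_save' );

// 3. For a plain link instead of a form, attach the nonce to the URL; the
//    handler checks it with check_admin_referer() and the same action name.
function tomas_messagebox_delete_link() {
    $url = admin_url( 'admin-post.php?action=tomas_delete_messagebox' );
    return wp_nonce_url( $url, 'tomas_delete_messagebox' ); // appends &_wpnonce=...
}
```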
So it is very easy, right? If you have any more questions, please comment; I am happy to discuss them with you. 🙂
Thanks dears, have a great day with your family. 🙂
Then I received a message from a reader. His WordPress had been auto-installed, and the user name was not the default administrator user "admin" but a very strange, long string; his site also had more than 20,000 spam users, he did not know how to use phpMyAdmin, and there was no phpMyAdmin on his VPS at all. It was a very difficult situation and he did not know how to recover his site.
Does it sound crazy? No, the dilemma is very easy to solve. After a short discussion I understood that he only had an FTP account, created for a freelancer who developed his theme a few years ago. He had no SSH access, no WordPress access, no phpMyAdmin and no MySQL credentials; the only thing he had was FTP access to the folder wp-content/themes.
For a developer that is enough to solve the problem; in fact it took just one minute. I logged in to his site via FTP, downloaded functions.php from his theme folder under wp-content/themes, and added one line at the top of functions.php:
wp_set_password( 'foreverlove', 1 ); // user ID 1 is the first administrator account
His super administrator's password was then changed to "foreverlove". I logged in to the back end, removed the edited functions.php and uploaded his original functions.php again, then changed the admin password as he requested. Everything worked; he got his site back and can still write his love stories. 🙂
Easy? Yes. Add my site https://tomas.zhu.bz to your browser favorites, and if you have any problem, contact me! 🙂