If you’re running a WordPress website or blog, you’re strongly encouraged to upgrade to WordPress version 3.9.2 which is a security update for all previous versions of WordPress.

The fix, which was released today, addresses a possible denial of service issue in PHP’s XML processing. This security fix was released by the WordPress security team.

If you can’t update immediately, install the update as soon as you’re able to. For more information about this security update, please visit the WordPress release page at http://wordpress.org/news/2014/08/wordpress-3-9-2/

Below are areas the fix is supposed to address:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute-force attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

Updating WordPress

Most WordPress webmasters are able to update WordPress from their admin backend page online. If your site is configured so that the WordPress user or the web server has full write access to the site files, go to the WordPress admin page, select Dashboard –> Updates and click the Update Now button.

For blogs that are configured more securely, where the web server does not have full write access and the root user owns all essential files, you can instead SSH into the server and download the latest version of WordPress.

Run the command below to download the latest WordPress release.

cd /tmp/ && wget http://wordpress.org/latest.zip

Then run the command below to unzip the archive file.

unzip latest.zip

Finally, run the command below to copy the new files to your web server’s root directory.

sudo cp -rf wordpress/* /var/www/html

Change the path to the root directory to match your settings.

It’s recommended that you always back up your website before upgrading. So, before running any of the above commands, make sure you back up your files first.
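The download, unzip and copy steps above, combined with the backup this post recommends, as an added shell example that is not part of the original post; the wp_manual_update function name, the directory layout and the sample paths are assumptions:

```shell
#!/bin/sh
# Added example (not from the original post): manual WordPress update that
# backs up the web root before overwriting it, then checks the result.
# Assumes NEW_DIR is an unpacked release (e.g. /tmp/wordpress) and WEBROOT
# is the site root (e.g. /var/www/html). Adjust both to your layout.
set -e

# Print the version declared in a WordPress tree's wp-includes/version.php
# (the line looks like: $wp_version = '3.9.2';).
wp_version() {
    sed -n "s/^.wp_version = '\([^']*\)';.*/\1/p" "$1/wp-includes/version.php"
}

# wp_manual_update NEW_DIR WEBROOT BACKUP_DIR
wp_manual_update() {
    new_dir=$1; webroot=$2; backup_dir=$3
    # Refuse to run against something that is not a WordPress install:
    # wp-config.php is site-specific and never ships in latest.zip.
    [ -f "$webroot/wp-config.php" ] || { echo "no wp-config.php in $webroot" >&2; return 1; }
    [ -f "$new_dir/wp-includes/version.php" ] || { echo "$new_dir is not an unpacked release" >&2; return 1; }

    old=$(wp_version "$webroot"); new=$(wp_version "$new_dir")
    mkdir -p "$backup_dir"
    backup="$backup_dir/wordpress-$old-$(date +%Y%m%d%H%M%S).tar.gz"
    # Full copy of the site files first, so the update can be rolled back.
    tar -czf "$backup" -C "$webroot" .

    # Same copy as in the post: cp -rf overwrites core files but leaves
    # wp-config.php and any custom files under wp-content in place.
    cp -rf "$new_dir"/* "$webroot"/

    # Post-check: the core version must now match the release we copied in.
    [ "$(wp_version "$webroot")" = "$new" ] || { echo "version check failed" >&2; return 1; }
    echo "updated $old -> $new, backup at $backup"
}
```

Run it as `wp_manual_update /tmp/wordpress /var/www/html /root/wp-backups` (with sudo where the web root is root-owned) after the wget and unzip steps.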

If your website is configured to allow automatic WordPress updates, then you don’t have to do anything. WordPress will update itself automatically, even before you notice.

I hope after reading this post you go and update your site to WordPress version 3.9.2.