Why should I update to WordPress 4.2.2? WordPress Site Security – Update Today!
The answer is simple: previous versions of WordPress are open to a major security flaw that allows malicious users, bots or hackers to inject executable PHP code into your WordPress core site and plugins. Once exploited, a site will typically fire out huge quantities of spam, which inevitably leads to your site's or server's IP address being blacklisted as a spammer. Update your WordPress site to 4.2.2 via your WordPress Dashboard > Updates today!
Version 4.2.2 addresses two security issues:
- The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
- WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi from Baidu[X-team].
Can’t Update to WordPress 4.2.2 to make your WordPress Site Secure?
- Download the WordPress 4.2.2 package from https://wordpress.org, unpack its contents and then upload them via FTP over your existing installation. At this stage do not upload or overwrite the wp-content folder or wp-config.php, as doing so would wipe your media files and database settings.
- Your WordPress site should now be fully functional again, but it is now very important that you secure it and then scan your wp-content directory for vulnerabilities and malicious scripts. We provide full WordPress scanning, hardening and brute-force protection via a customised install of the iThemes Security Pro plugin (which you can also install yourself). However, that plugin focuses primarily on securing your site, and its scan logs are not as user friendly right now as they could be. We therefore also use the Wordfence Security plugin in tandem with iThemes Security Pro to scan your installation for malicious scripts, trojans and modified WordPress core and plugin files. Wordfence can remove malicious files for you, but note that this could break your themes and/or plugins, so be prepared to re-upload those as well.
- Make sure all your plugins and themes are also updated.
- Run Wordfence again to check your refreshed content.
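The manual overlay update above, written out as a shell script. This is an added example, not code from the original post or from WordPress: it copies an unpacked package over the live site while skipping wp-content and wp-config.php, reads the new version back from wp-includes/version.php, and lists any leftover Genericons example page. The directory paths are assumptions, and the filename genericons/example.html comes from the 4.2.2 release rather than from this post.

```shell
#!/bin/sh
# Manual "overlay" update as described in the post: copy a freshly unpacked
# WordPress package over the live site, but never touch wp-content/ (media,
# themes, plugins) or wp-config.php (database settings).
# Assumed layout (not from the post): $1 = unpacked package directory,
# $2 = site document root.
set -eu

overlay_wordpress() {
    pkg="$1"
    site="$2"
    [ -f "$pkg/wp-includes/version.php" ] || { echo "not a WordPress package: $pkg" >&2; return 1; }
    [ -f "$site/wp-config.php" ] || { echo "no existing install in $site, refusing" >&2; return 1; }
    # Every file in the package except the wp-content tree and any config file.
    ( cd "$pkg" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' ) |
    while IFS= read -r rel; do
        rel=${rel#./}
        mkdir -p "$site/$(dirname "$rel")"
        cp "$pkg/$rel" "$site/$rel"
    done
}

# Read $wp_version from wp-includes/version.php to confirm the core files changed.
wp_version() {
    sed -n 's/^[$]wp_version = .\([A-Za-z0-9.-]*\).*/\1/p' "$1/wp-includes/version.php"
}

# Locate the Genericons example page that 4.2.2 deletes from wp-content
# (the path is from the 4.2.2 release, not from this post).
find_genericons_example() {
    find "$1" -type f -path '*/genericons/example.html'
}

# Usage (paths are assumptions):
#   overlay_wordpress /tmp/wordpress /var/www/html
#   wp_version /var/www/html
#   find_genericons_example /var/www/html/wp-content
```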
Your WordPress site should now be secure.