Update to WordPress 4.2.2 for critical WordPress Site Security Today

Glenn Glenn's Blog 3 Comments

Why should I update to WordPress 4.2.2? WordPress Site Security – Update Today!

There is a simple reason to update to WordPress 4.2.2: previous versions of WordPress are open to a major security flaw that allows malicious users, machines or hackers to inject executable PHP code into your WordPress core site and plugins. This exploit will typically fire out huge quantities of spam, which will inevitably lead to your site or server IP being blacklisted as a spammer. You should update your WordPress site to 4.2.2 via your WordPress Dashboard / Updates today!

Version 4.2.2 addresses two security issues:

  1. The Genericons icon font package, which is used in a number of popular themes and plugins, contained an HTML file vulnerable to a cross-site scripting attack. All affected themes and plugins hosted on WordPress.org (including the Twenty Fifteen default theme) have been updated today by the WordPress security team to address this issue by removing this nonessential file. To help protect other Genericons usage, WordPress 4.2.2 proactively scans the wp-content directory for this HTML file and removes it. Reported by Robert Abela of Netsparker.
  2. WordPress versions 4.2 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue. Reported separately by Rice Adu and Tong Shi from Baidu[X-team].
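
On a site that cannot be updated yet, the scan described in item 1 can be run by hand. The script below is an added example, not WordPress's own code; it assumes the Genericons demo page is named `example.html` and mentions "Genericons" in its contents, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not WordPress code): locate and optionally delete the
# Genericons demo page under wp-content.
# Assumptions: the file is named example.html and its contents mention
# "Genericons"; paths do not contain newlines.
#
# Usage after sourcing this file:
#   find_genericons_examples   /var/www/site/wp-content   # report only
#   remove_genericons_examples /var/www/site/wp-content   # delete matches

# Print every example.html under the given directory whose contents
# mention Genericons. An unrelated example.html shipped by another theme
# or plugin is left out because its contents do not match.
find_genericons_examples() {
    wp_content="$1"
    if [ ! -d "$wp_content" ]; then
        echo "not a directory: $wp_content" >&2
        return 2
    fi
    find "$wp_content" -type f -name 'example.html' \
        -exec grep -l -i 'genericons' {} + 2>/dev/null | sort
}

# Delete each file reported by find_genericons_examples and log the path,
# so there is a record of what was removed from which theme or plugin.
remove_genericons_examples() {
    find_genericons_examples "$1" | while IFS= read -r f; do
        rm -f -- "$f" && echo "removed: $f"
    done
}
```

Run the report function first and review the paths before calling the removal function.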

Can’t Update to WordPress 4.2.2 to make your WordPress Site Secure?

  1. Download the WordPress 4.2.2 package from https://wordpress.org, unpack its contents and then upload them via FTP over your existing installation. At this stage do not upload and overwrite the wp-content folder of your site or wp-config.php, as this will wipe your media files and database settings.
  2. Your WordPress site should now be fully functional again, but it's now very important that you secure your WordPress site and then scan your wp-content folder for vulnerabilities and malicious scripts. We provide full WordPress scanning, hardening and brute force protection via a customised install of the iThemes Security Pro plugin (which you can also install for yourself). However, that plugin primarily focuses on securing your site, and the scan logs aren't as user friendly right now as they could be. Therefore we also use the Wordfence Security plugin in tandem with iThemes Security Pro to scan your installation for malicious scripts, trojans and modified WordPress Core & Plugin files. Wordfence can remove malicious files for you, but do note that this could break your themes and/or plugins, so be prepared to re-upload those again too.
  3. Make sure all your plugins and themes are also updated.
  4. Run Wordfence again to check your refreshed content.

Your WordPress site should now be secure.

 

 

About the Author

Glenn

A highly experienced WordPress Web Developer, Front-end and Back-end Developer & New Media Specialist with extensive knowledge of a wide spectrum of technologies in the Development and Creative Industries built up over a number of years.

Comments 3

  1. Hi Glenn,
    Now I have WordPress 3.9.6 because my site was broken, and with some work it's alive. I am trying to make some security settings. I have now installed iThemes Security and Wordfence Security with some settings, but if I try to update WordPress to 4.2.2 from the dashboard, my site crashes and all I can do is restore the WordPress 3.9.6 backup again.
    Can you help me please? Must I install 4.2.2 via FTP without the wp-content folder and wp-config.php?
    Sorry for my bad English.

    thanks

    1. Post
      Author

      Hi Mihal
      Can’t be sure what you have done, but yes upload an unpacked version of latest WordPress to your server. Again do not upload ‘wp-content’ folder or ‘wp-config.php’ files as these will override your content + settings.
      Another possibility is that you have locked yourself out with iThemes Security. To see if that’s the case quickly rename the ithemes-security-pro directory in plugin and refresh your site.
      Hope that helps.
      Glenn

  2. Thanks for suggesting updating to WordPress 4.2.2. I am very happy to know that the security condition is improved in this version of WordPress. Thanks for updating me about this.
