Naked Security

WordPress 4.2.3 is out, update your website now

If you manage a website that uses WordPress, update now! The latest version has been released and includes a fix for a cross-site scripting (XSS) vulnerability that your website could do without.


If you own a website then there’s a good chance – better than one in five – that it uses the WordPress Content Management System (CMS).

If it does, you should update it now.

The latest version, version 4.2.3, was released on 23 July 2015 and includes a fix for a cross-site scripting (XSS) vulnerability that your website could do without.

The flaw allows WordPress users who have Contributor or Author roles to add JavaScript to a site (something normally reserved for Editors and Administrators) using specially crafted shortcodes.

Attackers who can add JavaScript to a site can use it to do all manner of damage, such as infecting users with malware or stealing their cookies.

Some measure of protection is afforded by the fact that attackers will need a way to log in to a vulnerable site with at least Contributor privileges.

However, it is far easier (and safer) to simply close off a backdoor than to try and second-guess how an attacker might lever it open – and you should update even if you think you won’t be vulnerable.

Across the hundreds of millions of WordPress sites that exist there are likely to be plenty that have registration or membership schemes for unknown users and plenty more that unwittingly suffer from badly configured user rights, disgruntled ex-users, poorly protected passwords and session cookies or users who’ve had credentials stolen.

Any one of those things (and no doubt more I’ve not thought of) could give an attacker the foothold they need.

And bother they will, because of the vast size of the WordPress install base.

Criminal gangs use huge networks of compromised computers, called botnets, to spread malware and send spam, and they're always looking for easy ways to harvest more victims.

Vulnerabilities in popular web platforms like WordPress and Drupal provide an easy way for them to target tens or even hundreds of millions of websites at a time with automated tools.

And they can get those automated attacks up and running fast.

In October 2014, the Drupal security team reported that automated attacks started appearing within three hours of a Highly Critical vulnerability being announced.

In a sobering follow-up message two weeks later they told their users to assume that their site had been compromised if it hadn’t been patched within seven hours of the original announcement!

It's why the number one rule of WordPress security is: always run the latest version of WordPress.

Fortunately that’s become a lot easier since October 2013 when WordPress released the first version of their software, version 3.7, with automatic security updates (something Drupal is still waiting for).

Sites with automatic updates enabled began receiving their updates almost immediately.

If your site doesn’t update automatically you can upgrade by logging in and going to Dashboard → Updates and clicking “Update Now” or by downloading a copy of the software and installing it yourself.
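For anyone looking after more than one site, the two things the article asks you to check (is the core at least 4.2.3, and are automatic background updates still switched on?) can be scripted. The following is an added example written for this page, not code from Naked Security or from WordPress itself. It assumes the standard `$wp_version = '...';` assignment in `wp-includes/version.php` and the two real WordPress constants `AUTOMATIC_UPDATER_DISABLED` and `WP_AUTO_UPDATE_CORE` in `wp-config.php`; the sample file contents embedded below are constructed for illustration, and `audit_install` is a hypothetical helper name.

```python
import re
from pathlib import Path

# Minimum WordPress core version carrying the shortcode XSS fix described in the post.
MIN_SAFE_VERSION = (4, 2, 3)

# Constructed sample of wp-includes/version.php from an out-of-date site.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string
 */
$wp_version = '4.2.2';
$wp_db_version = 31536;
"""

# Constructed wp-config.php fragment where automatic updates have been switched off.
SAMPLE_WP_CONFIG_DISABLED = """<?php
define('DB_NAME', 'wordpress');
define('AUTOMATIC_UPDATER_DISABLED', true);
define('WP_AUTO_UPDATE_CORE', false);
"""

# Constructed wp-config.php fragment with the default (auto updates on) behaviour.
SAMPLE_WP_CONFIG_DEFAULT = """<?php
define('DB_NAME', 'wordpress');
define('WP_DEBUG', false);
"""

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
# PHP constant names are case-sensitive, but true/false are not, hence the inline (?i:...).
_DISABLE_RES = [
    re.compile(r"define\(\s*['\"]AUTOMATIC_UPDATER_DISABLED['\"]\s*,\s*(?i:true)\s*\)"),
    re.compile(r"define\(\s*['\"]WP_AUTO_UPDATE_CORE['\"]\s*,\s*(?i:false)\s*\)"),
]


def parse_wp_version(version_php: str) -> str:
    """Return the $wp_version string from the contents of wp-includes/version.php."""
    m = _VERSION_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def version_tuple(version: str) -> tuple:
    """'4.2.3' -> (4, 2, 3); '4.3-alpha-1' -> (4, 3, 0). Pads to three components."""
    core = version.split("-", 1)[0]          # drop pre-release suffixes
    parts = [int(p) for p in core.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def needs_update(version: str) -> bool:
    """True when the core is older than the first fixed release (4.2.3)."""
    return version_tuple(version) < MIN_SAFE_VERSION


def auto_updates_disabled(wp_config: str) -> bool:
    """True when wp-config.php turns off background core updates via either constant."""
    return any(rx.search(wp_config) for rx in _DISABLE_RES)


def audit_site(version_php: str, wp_config: str) -> dict:
    """Combine both checks into a small report with human-readable findings."""
    version = parse_wp_version(version_php)
    report = {
        "version": version,
        "needs_update": needs_update(version),
        "auto_updates_disabled": auto_updates_disabled(wp_config),
        "findings": [],
    }
    if report["needs_update"]:
        report["findings"].append(f"core {version} is older than 4.2.3; update now")
    if report["auto_updates_disabled"]:
        report["findings"].append("automatic background updates are disabled in wp-config.php")
    return report


def audit_install(root: str) -> dict:
    """Hypothetical helper: run audit_site against a real install at `root`."""
    base = Path(root)
    return audit_site(
        (base / "wp-includes" / "version.php").read_text(encoding="utf-8"),
        (base / "wp-config.php").read_text(encoding="utf-8"),
    )


if __name__ == "__main__":
    for name, cfg in (("disabled", SAMPLE_WP_CONFIG_DISABLED),
                      ("default", SAMPLE_WP_CONFIG_DEFAULT)):
        print(name, audit_site(SAMPLE_VERSION_PHP, cfg))
```

The version comparison deliberately uses integer tuples rather than string comparison, so that a future `4.10` is correctly treated as newer than `4.2.3`. Run `audit_install("/var/www/html")` (or wherever the site lives) against a real install; an empty `findings` list means the core is at or beyond 4.2.3 and background updates have not been switched off.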


3 Comments

1000s of WordPress websites are screwed up by the patch
– “The latest WordPress upgrade to 4.2.3 packed some last-minute changes related to a security hole on the shortcode parser. Unfortunately, these changes also break every shortcode that has HTML attributes. Many sites are affected by this change.”


Ah, if your WordPress site was affected: “A (beta) fix is available. Please go to your Toolset account and click on Downloads. Switch to beta.”
