Recent WordPress Vulnerabilities and Updates

Hello WordPress fans!

Some of you may have noticed that WordPress has had a busy week of plugin and core updates. It turns out that WordPress has some vulnerabilities caused by PHP functions being used improperly. This has opened up the potential for cross-site scripting (XSS), which could allow attackers to add potentially malicious (or simply annoying) content to the core content being delivered by your WordPress site. These are commonly used functions, and in addition to WordPress core they have impacted a large number of plugins, many of them very popular:

  • Jetpack
  • WordPress SEO
  • Google Analytics by Yoast
  • All In one SEO
  • Gravity Forms
  • Multiple Plugins from Easy Digital Downloads
  • WP-E-Commerce
  • WPTouch
  • Related Posts for WordPress
  • Multiple iThemes products including Builder and Exchange
  • Broken-Link-Checker
  • Ninja Forms

News of the vulnerability and many of the updates came early in the week, and WordPress released its own core update to address the XSS issue on Tuesday (4/21) bringing core to version 4.1.2. Interestingly, WordPress followed up with a major release on Thursday (4.2) only a few days after the security release, and they also pushed release 4.1.3 after 4.2.

The reason for this flurry of activity is that – as you may know – WordPress has auto-updates available. As of WordPress version 3.7, any minor update (dot-dot, so for example 4.1.1 or 4.1.2) is automatically applied to your site. This means that by default the update to 4.2 will not occur unless an administrator logs in and completes the update; however, the updates to both 4.1.2 and 4.1.3 should proceed on their own. 4.1.2 was the update that addressed the XSS security flaws; 4.1.3 addresses some minor issues with the 4.1.2 release. So if your site is updating automatically you should be fine with these 4.1.x updates, but you should log in soon to move to 4.2, as it addresses more issues and includes some new features (https://wordpress.org/news/2015/04/powell/).

For more information on updates, please read the Codex page on configuring automatic background updates. It is possible to turn off auto-updates, but I urge careful consideration before you do so: the 4.1.2 security fix only reached unattended sites because minor updates are automatic. It is also possible to enable all updates – minor and major – by default, and to let plugin and theme releases (hosted by WordPress) auto-update. But again, consider whether this is right for your site and environment.
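The settings described above, as an added example that is not code from the Codex or from OIT Design: a must-use plugin (dropped in wp-content/mu-plugins/) that keeps minor updates automatic, opts the site into major core releases, and auto-updates only an allow-list of plugins. The plugin slugs and the theme slug "oit-flex" are assumptions for illustration; adjust them per site.

```php
<?php
/**
 * Plugin Name: Auto-Update Policy (example)
 * Description: Example mu-plugin: automatic minor AND major core updates,
 *              allow-listed plugin updates, and theme updates except for one
 *              locally customised theme.
 * Assumes WordPress 3.7 or later (background updater present).
 */

// Core-only equivalent for wp-config.php: define( 'WP_AUTO_UPDATE_CORE', true );
// The default is 'minor': 4.1.1 -> 4.1.2 applies on its own, 4.1.x -> 4.2 does not.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins that may update without an administrator logging in (example slugs).
function oit_auto_update_plugin_allowlist() {
    return array( 'jetpack', 'wordpress-seo' );
}

// $item is the update object WordPress passes to the filter; $item->slug is the
// wordpress.org slug. Anything not on the list keeps the default decision ($update).
function oit_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, oit_auto_update_plugin_allowlist(), true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_plugin', 'oit_auto_update_plugin', 10, 2 );

// Themes hosted on wordpress.org update automatically, except a customised theme
// whose stylesheet slug ('oit-flex' here is hypothetical) must be reviewed by hand.
function oit_auto_update_theme( $update, $item ) {
    if ( isset( $item->theme ) && 'oit-flex' === $item->theme ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_theme', 'oit_auto_update_theme', 10, 2 );

// Keep the e-mail that reports whether a background core update succeeded or failed,
// so an unattended site that silently stops updating is noticed.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

After installing, the Dashboard > Updates screen reports whether the site is set to receive major or minor updates automatically, which is a quick way to confirm the policy took effect.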

One final note: I haven’t heard of any sites actually impacted by this vulnerability at this time. I’m sure that there are some sites that have been impacted, and now that the vulnerability is news no doubt more folks will attempt to use it for nefarious purposes. So while this seems to be an issue caught before it became a problem, it is a very important reminder to make sure your site(s) – and all the plugin and theme pieces – are kept up to date and secure.

New Recycling Website Launched

Over the last few months, we have been working with NC State’s Waste Reduction and Recycling Office to build and launch a new website. Yesterday, that new website went live.

[Screenshot: the new recycling homepage]

The new NC State Recycles site matches the NC State brand guidelines and provides WRR with a more robust platform for online communications. OIT Design provided WordPress theme customization services and ongoing support in developing the site.

One feature that I particularly like:

Need to get rid of something, but not sure whether it can be reused, recycled, or how to dispose of it responsibly? The new website features a “What to do with…” section with a searchable database of materials and objects to help you find the right solution.

Congratulations to WRR on their new website; they put in a lot of work to build it and have a really nice finished product.

WordPress “Office Hours”

Anyone who has spent time on a college campus probably knows about office hours. Traditionally they’re set by faculty so that their students have a time they can come by and meet with the professor face-to-face to get feedback on their semester, help with an assignment — whatever they need.

Avent Ferry Complex

2114 Avent Ferry Road, Room 106

Our office wants to do the same for WordPress. As of April 10th, we’re announcing the availability of WordPress Office Hours. From 9am until noon every Friday morning OIT Design staff will be available in room 106 of the Avent Ferry Complex, 2114 Avent Ferry Road.

The idea is that anyone who has WordPress questions, whether it be detailed problems with a specific site or generic questions about the tool and how it can be used, can come by and talk with us. We’ll be able to take time one-on-one and offer advice or walk you through a process or look for the right solution for your WordPress problem.

Due to our schedules you may find only one of us here but usually we’ll both be available on any given Friday. While you do not have to be clients of ours – we’re happy to help anyone who wants to come by – please understand that if we don’t have access to your site, or know how it was built, there may be a limit to the amount of help we can provide.

So that’s the deal! Hopefully this will be something that people are eager to take advantage of and find helpful. We’ve already had one successful test, and I think that many folks on campus will find it helpful to know they have some place to go for face-to-face assistance. By all means, if you have feedback about this new service please let us know! You can email us at oitdesign@ncsu.edu.

WordPress 4.1 and New Themes

On December 18, 2014, WordPress released version 4.1. We will be updating OIT WordPress clients to the new version in the coming days. In the meantime, here are some of the new features available to users:

  • Improved Distraction-Free Writing Mode – When enabled, everything except your WordPress post editor gently fades away while you write.
  • Improved Media Embeds – Media from websites such as YouTube, Vimeo, Vine, and SoundCloud can be embedded in your content in a smooth and easy way.
  • New API Support and Template Tags – WordPress has added new options for developers building a new theme.

In addition, we are in the process of evaluating new WordPress themes for use in our WordPress Blog Service. We have added three new themes to the service so far:

  • Twenty Fifteen – The latest default WordPress theme, easy to set up and easy to use.
  • Independent Publisher – A simple and clean blogging theme.
  • Virtue – A flexible and very customizable theme suitable for anything from a simple blog to a fully-featured organization website.

These three themes are now available for WordPress Blogs users. You can see the full list of available themes at wordpress.ncsu.edu.

The Latest on OIT Flex for WordPress…


Some of our very astute and dedicated followers (if we have such a thing) might notice that the look of this site has changed quite significantly. In an attempt to match the new campus brand we’re working on updates to the OIT Flex theme that is used by many sites on campus. We’re still in the early phases – testing, double-checking accessibility and the mobile experience, and trying out some theme variations – but we hope to make this available soon in the new year. This site gets to be our guinea pig.

In the meantime we’re also looking for solutions for updating this theme in our various environments. In the past we’ve used the Theme Updater plugin to seamlessly prompt for updates when we pushed a change to GitHub. Sadly that plugin is no longer being maintained, so we’re taking some time to look for other solutions that will allow us to push theme updates without impacting the configurations of sites already using OIT Flex. Hopefully we’ll have more good news on that front in the new year as well.

In the meantime we’re keeping busy with our client projects, internal projects (more to come on these soon…), our own project management efforts, and lots of other to-do items as we look to roll into a very busy 2015. Enjoy your holiday break and we’ll see you next year!