Just last week, WordPress issued an updated security release (version 4.5.3) aimed at addressing over two dozen vulnerabilities found in the last three updates. Leading the pack were seventeen bugs in the last three releases that a remote attacker could exploit to target sites running on the platform.
WordPress remains one of the most prominent website builders today, with more than 24% of websites worldwide using it. Like any other open-source platform, WordPress is saddled with security concerns: everyone can view the code that runs the platform. And because it runs so many websites, it has easily attracted the attention of hackers.
WordPress: Why is it vulnerable to security threats?
WordPress is a CMS platform that has evolved significantly over the past decade. Besides being built on open-source frameworks, its shared development environment has been one of the main causes of its vulnerability.
These “hackers” are not only humans but bots as well. A human may sit in front of a machine and plan an attack manually, but he can also set an automated script loose to corrupt your site. Your site is also exposed to botnets: groups of machines running programs controlled by a central server.
There are myriad ways in which hackers can target susceptible CMS installations. Operators who use weak passwords, for one, expose their administrator accounts to malware. DDoS (Distributed Denial of Service) attacks are quite common as well. In 2014, over 162,000 WordPress-backed sites were used to create a single DDoS network that concentrated on one site and took it down.
The latest security update: The threats addressed by it
What’s heartening is that WordPress has stepped up its efforts to deal with these security threats. Thanks to its focus on security, the platform has shipped a series of effective security updates in recent times.
In April, the platform turned on its free encryption feature for its custom domains. The most recent security update (version 4.5.3) aims to fix the vulnerabilities affecting previous versions, including 4.5.2. Notably, the WordPress Customizer API had a redirect bypass vulnerability, which the latest security release addresses. The Customizer API is used by developers to secure previews of live changes to WordPress themes. Here is a look at the other vulnerabilities that the latest security update has patched.
There were two different cross-site scripting threats triggered by attachment names; both have been fixed. Did you ever notice categories being removed from your WordPress-powered website without authorization? If so, it was a bug, and the latest security release has now fixed it.
With its latest update, the platform has also successfully dealt with the DDoS vulnerability affecting its third-party content protocol oEmbed.