WordPress 3.6.1 security update is out

Martin Brinkmann
Sep 12, 2013
Updated • Sep 12, 2013
Development

A new version of the popular blogging software WordPress was released a minute ago. The update addresses several security issues in the platform that were reported to the WordPress development team by third parties.

WordPress 3.6.1 fixes three security issues according to the WordPress Codex website. The first addresses a remote code execution that can be triggered by unsafe PHP deserialization. The second may prevent users with the author role from creating a post "written by" another user, and the third fixes insufficient input validation that could result in users being redirected to another website.

In addition to that, the WordPress team implemented further security hardening. This includes updated security restrictions around file uploads to mitigate cross-site scripting attacks. Writers may notice that WordPress no longer allows .swf or .exe files by default, and that .htm or .html files may only be uploaded if the uploading user has permission to use unfiltered HTML on the site.


When you try to upload a blocked file type after the update you will receive the following error message during the upload process:

Sorry, this file type is not permitted for security reasons.

A solution to whitelist file extensions so that you can upload them again using WordPress has been posted here. Note that the article has not been updated since 2007, and that things may have changed since then.

Instead of editing the code manually, you may prefer to use a plugin such as Manage Upload Types which you can use for exactly the same purpose.
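For admins who prefer the code route over a plugin, here is an added example (not from this article, the linked 2007 post, or WordPress core) that re-allows one blocked type through the upload_mimes filter only for users who already hold the unfiltered_html capability, which keeps the spirit of the 3.6.1 rule for .htm/.html instead of whitelisting the type for every author. The function name is hypothetical; the hook and capability names are WordPress's own.

```php
<?php
// Added example, not part of the article or of WordPress core.
// Drop it into a site-specific plugin or the active theme's functions.php.
// It re-enables .swf uploads only for users who may already post unfiltered
// HTML, since a Flash file served from the site's own origin can script
// against the site much like an uploaded .html page can.

add_filter( 'upload_mimes', 'example_restricted_upload_mimes', 10, 2 );

/**
 * Filter the extension => MIME type map WordPress accepts for uploads.
 *
 * @param array            $mimes Allowed types (extension => MIME type).
 * @param int|WP_User|null $user  User being checked, when WordPress supplies one.
 * @return array Filtered map.
 */
function example_restricted_upload_mimes( $mimes, $user = null ) {
    // Check the user WordPress is asking about, falling back to the current user.
    $may_post_unfiltered_html = $user
        ? user_can( $user, 'unfiltered_html' )
        : current_user_can( 'unfiltered_html' );

    if ( ! $may_post_unfiltered_html ) {
        // Ordinary authors keep the hardened 3.6.1 defaults unchanged.
        return $mimes;
    }

    // Privileged users get the one extra type back; nothing else is widened.
    $mimes['swf'] = 'application/x-shockwave-flash';

    return $mimes;
}
```

The same filter can tighten the list further for everyone by unsetting keys from `$mimes` (for example a type your site never needs), which is usually the safer direction to move in.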

WordPress admins should test and then update their blogs as soon as possible to secure them from potential attacks that target the vulnerabilities patched in version 3.6.1.

As always, it is suggested to create a backup of the blog first, before you run the update script directly from the admin dashboard or update the blog manually via FTP or other means of connection.

While it is unlikely that you will notice any side-effects or issues, it is always better to be safe than sorry.

I have updated five blogs so far with the new patch and all are working without any issues.

Closing Words

WordPress 3.6.1 is a security update for self-hosted WordPress blogs that fixes three vulnerabilities and hardens the security of the blog further. The core issue that writers may run into afterwards is that some file extensions that they were able to upload previously are not allowed to be uploaded anymore. But that can be resolved easily by the admin of the site.


Comments

  1. Bosh said on October 1, 2013 at 11:01 am

    I’ve been hunting around for the past couple of days for a fix so that students can upload swf to blogs on my network. Nothing worked – (ie functions.php codes in child themes or any other plugins I tried like the meme types ones) – until I went and tried the plugin recommended in this article: Manage Upload Types. Though it hasn’t been updated for 18 months and is listed as only working up to 3.4.2, it seems to be working fine on my network which is 3.6.1. CAVEAT: I am doing more tests just to make sure that usual site admins can upload and then embed using Top Flash Embed or similar, but it does seem ok ;)

  2. Tarkan said on September 12, 2013 at 4:30 pm

    I'll try. I've never uploaded exe files, but sometimes I upload html or htm files.

  3. Igal Zeifman said on September 12, 2013 at 11:48 am

    Good news. Sadly, pingback DDoS exploit is still unattended.
    We've already reported several attack incidents; the last one, 2 months ago, was a 1000 hits/second event. Most WP sites aren't equipped to handle that. This core build issue really should be patched asap.
    http://www.incapsula.com/the-incapsula-blog/item/715-wordpress-security-alert-pingback-ddos

  4. heather said on September 12, 2013 at 12:57 am

    I just updated to 3.6.1. Now, when I go to any page other than the home page, I get a message that says: The page at xyz says: 1
    Below the statement is an “OK” box.
    Why is this happening? Thanks.

    1. Martin Brinkmann said on September 12, 2013 at 8:45 am

      I do not know to be honest. I’d suggest you post that question in WordPress support, and maybe fall back to the old WordPress version for the time being.
