RE: Security in 2.3.3
1) re 2.3.3 - Is version 2.3.3 secure? Are there any security issues with this version?
There have been some whispers in the dark so to speak, but no hard evidence that this version is vulnerable, see: http://blogsecurity.net/wordpress/wordpress-231-sql-injection-vulnerability/
2) re 2.5 - Are the 3 security file updates in the 2.5.1 upgrade only for 2.5? Does the security hole that is fixed in 2.5.1 exist in 2.3.3 as well?
No, I believe 2.3.3 is unaffected by some of the recent vulnerabilities in 2.5x.
3) Can I safely assume that if WordPress’s “Hardening WordPress” procedures
http://codex.wordpress.org/Hardening_WordPress
or BlogSecurity.net’s “How to create a secure WordPress install v1.1”
blogsecurity.net/projects/secure-wp-whitepaper.pdf
are applied that ANY version of WordPress would then be secure?
Applying these guidelines would certainly provide additional layers of security, buying you time to apply the needed fixes as they are released; however, it cannot guarantee your security.
4) It seems that 2.5.1 only has feature enhancements?
Do I have to go with version 2.5.1 for security reasons?
At the moment a number of people are still using the latest 2.3x branch, however, WordPress does suggest you upgrade to 2.5.1.
Hope this helps.
Security in 2.3.3
I have several questions regarding security and version 2.3.3.
1) re 2.3.3 - Is version 2.3.3 secure? Are there any security issues with this version?
2) re 2.5 - Are the 3 security file updates in the 2.5.1 upgrade only for 2.5? Does the security hole that is fixed in 2.5.1 exist in 2.3.3 as well?
3) Can I safely assume that if WordPress’s “Hardening WordPress” procedures
http://codex.wordpress.org/Hardening_WordPress
or BlogSecurity.net’s “How to create a secure WordPress install v1.1”
blogsecurity.net/projects/secure-wp-whitepaper.pdf
are applied that ANY version of WordPress would then be secure?
4) It seems that 2.5.1 only has feature enhancements?
Do I have to go with version 2.5.1 for security reasons?
The WPLite project looks quite cool. Check it out here: http://mahalkita.nanogeex.com/wplite/
Will have to take a look at this in more detail.
Hello! Some time ago I released a plugin for Wordpress: DigoWatchWP.
The plugin will monitor your WP posts and pages. Whenever an entry has been changed it informs you via email. So if you receive an email and you have changed nothing, you should have a closer look at your post or page. Maybe somebody changed your post or page to include a spam link (e.g. links to online casinos or adult content are very popular).
The plugin can be downloaded here: http://wordpress.org/extend/plugins/digowatchwp/
Ciao
digo
http://www.showhypnose.org
I’ve just released a new tool for your security arsenal to be used to protect your WordPress installation. It’s a set of scripts that will monitor the WordPress files for changes. Details at http://www.planetmike.com/goto/720
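Both of the change-monitoring tools announced above (the post/page watcher and the file-watching scripts) rest on the same idea: take a baseline, compare later, alert on anything unexpected. The following is an added example written for this thread, not code from either project; it builds a SHA-256 baseline of the PHP/JS/.htaccess files under a WordPress install and reports added, modified and removed files. The mini install it scans is constructed inside a temporary directory, and the appended spam link and dropped file are simulated changes, not real-world samples.

```python
import hashlib
import os
import tempfile

# File types worth watching in a WordPress install: anything the server executes.
MONITORED = (".php", ".js", ".htaccess")


def hash_file(path):
    """SHA-256 of a file, read in chunks so large uploads don't exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, exts=MONITORED):
    """Map relative path -> SHA-256 for every monitored file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed


def demo():
    """Constructed mini install: snapshot it, tamper with it, then diff the snapshots."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "default")
        os.makedirs(theme)
        with open(os.path.join(root, "wp-config.php"), "w") as fh:
            fh.write("<?php define('DB_NAME', 'blog');\n")  # constructed content
        with open(os.path.join(theme, "footer.php"), "w") as fh:
            fh.write("<?php wp_footer(); ?>\n")
        baseline = build_baseline(root)
        # Simulated defacement: a hidden spam link appended to the theme footer ...
        with open(os.path.join(theme, "footer.php"), "a") as fh:
            fh.write('<a href="http://example.invalid/casino">spam</a>\n')
        # ... and a PHP file that was never part of the install.
        with open(os.path.join(root, "wp-content", "dropped.php"), "w") as fh:
            fh.write("<?php // file not present in the baseline\n")
        return compare(baseline, build_baseline(root))
```

In practice the baseline would be written to disk (or mailed to you, as DigoWatchWP does for post changes) right after a clean install or upgrade, and the comparison run from cron.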
BlogSec Changes: Modified Feedburner to allow page feeds; Added Gravatars; Added Feeds for BlogSec-News; Added BlogSec-News Banner on main.
Flavio Copes has provided an Italian version of our popular WordPress Whitepaper.
Was playing with Automattic’s Gravatars (central blog user pictures). I think they have done it the right way by uploading all images to their servers.
I can’t think of any immediate security concerns, unless the Gravatars server is actually compromised. If this is done, it means an attacker could perform some rather devious attacks, affecting all blogs using Gravatars.
In response to the growing concerns that social network site users have had over privacy, Flugpo ( http://www.flugpo.com ) has sponsored the development of a plug-in to help counteract the collection and sale of personal information.
This plug-in will be available through MyDataIsMyData.org. The plug-in (a small toolbar) allows each user to decide what information they will delete off their computer and what they will make visible, as well as alerting them whenever they enter a site that is collaborating with a social network to sell their personal information. Selling private information for profit unbeknownst to the users is an abuse of their trust, and MyDataIsMyData.org hopes to empower these users by allowing them to control the amount of personal information that they make visible.
Dan, it’s a shame you guys don’t provide a free, open source version.
I thought you guys might be interested in our new product.
( http://firewallscript.com ) It’s very much like modsecurity, but easier for the end user to set up: it has a nice admin control panel, and it even runs on shared hosting. This is a very important feature, as a large percentage of the blogging community does not have the need/means for a dedicated server, so by using our software they can have the full benefits of a web application firewall, its only requirement being PHP5.
Michael, keep us informed, sounds like a great project.
I’m releasing an ebook next week, The Hard Core Guide to Locking Down WordPress, and would love some feedback on it. Anyone interested please send me an email (mclark @ my domain) and let me know your site’s URL.
Welcome to the BlogSec News Portal, feel free to contribute news, plugin reviews, security advisories etc. Knock yourselves out.