
WordPress Hardening

Published: 2009-10-21
Last Updated: 2009-10-21 05:11:40 UTC
by Pedro Bueno (Version: 1)


Today one of our readers sent an interesting post from the developers of WordPress. It is about the just-released version 2.8.5.

This version is called the "Hardening Release", which I thought was quite great! According to the post, these are new security features from the upcoming 2.9 series that the developers decided to backport to the 2.8.x tree.

Among the new features and fixes you can see:

  • "A fix for the Trackback Denial-of-Service attack that is currently being seen.
  • Removal of areas within the code where php code in variables was evaluated.
  • Switched the file upload functionality to be whitelisted for all users including Admins.
  • Retiring of the two importers of Tag data from old plugins."
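The third item above, switching file uploads to an allow-list, is worth a closer look because it is the opposite of the usual "block .php" deny-list. The following PHP is an added illustration written for this diary; it is not WordPress's own upload code. It assumes a fixed map of permitted extensions to the content types libmagic reports for them (via PHP's fileinfo extension), and it sniffs the file content rather than trusting the client-supplied type:

```php
<?php
// Added example, not WordPress code: allow-list validation of an uploaded file.
// Assumption: ALLOWED_TYPES is the complete set of what this site accepts;
// anything not listed is refused by default.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

/**
 * Returns null when the upload is acceptable, otherwise a rejection reason.
 * $originalName is the client-supplied name, $tmpPath the stored temp file.
 */
function validate_upload(string $originalName, string $tmpPath, array $allowed = ALLOWED_TYPES): ?string
{
    // Keep only the base name so client-sent directory components are dropped.
    $name = basename($originalName);

    // Require exactly one extension: "shell.php.png" style names are refused.
    $parts = explode('.', $name);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return 'file name must be name.ext with a single extension';
    }
    $ext = strtolower($parts[1]);
    if (!isset($allowed[$ext])) {
        return "extension '$ext' is not on the allow-list";
    }

    // Do not trust $_FILES['type']; detect the content type from the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, $allowed[$ext], true)) {
        return "content type '" . ($detected ?: 'unknown') . "' does not match extension '$ext'";
    }
    return null;
}

// Demonstration on constructed temp files (sample data, not real uploads).
$pngFile = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($pngFile, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16)); // PNG signature
$phpFile = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($phpFile, "<?php echo 'hello';");                       // PHP source

$cases = [
    ['photo.png',     $pngFile],  // accepted: extension listed, content matches
    ['photo.png',     $phpFile],  // rejected: content is PHP, not PNG
    ['photo.php.png', $pngFile],  // rejected: double extension
    ['photo.php',     $phpFile],  // rejected: extension not on the allow-list
];
foreach ($cases as [$name, $path]) {
    $reason = validate_upload($name, $path);
    printf("%-15s -> %s\n", $name, $reason === null ? 'accepted' : "rejected: $reason");
}
unlink($pngFile);
unlink($phpFile);
```

The point of the allow-list shape is that a new executable extension the server later learns to run (or a handler mapping added by a plugin) is still refused, because nothing is accepted unless it was explicitly listed; a deny-list has to be updated for every such case.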

Why does this news deserve a diary? For two reasons:

1) WordPress is one of the most popular "publishing platforms" (blogs, etc.) and it is free...

2) In 2008 there were 23 vulnerabilities found in it, and in 2009 there are 12 vulnerabilities found so far...

So, this effort from the developers really deserves our attention and kudos...


Pedro Bueno (pbueno /%%/ isc. sans. org)


Keywords: exploit wordpress