SANS ISC: WordPress Hardening

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Today one of our readers sent an interesting post from the developers of WordPress. It is about a just released version 2.8.5.

This version is called as the "Hardening Release", which I thought was quite great! According the post, these were new security features from the new 2.9 series that they decided to backport to the 2.8.x tree.

Among the new features/fix you can see:

• "A fix for the Trackback Denial-of-Service attack that is currently being seen.
• Removal of areas within the code where php code in variables was evaluated.
• Switched the file upload functionality to be whitelisted for all users including Admins.
• Retiring of the two importers of Tag data from old plugins."

Why does this news deserve a diary? For two reasons:

1) Wordpress is one of the most popular "publishing plataform" (blogs,etc...) and free...

2) In 2008 there were 23 vulnerabilities for it and in 2009 there are 12 vulnerabilities found so far...

So, this effort from the developers really deserves our attention and kudos...

---------------------------------------------------------------------------------------------------------------------------

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure