WordPress announced today that it has released a critical security update for all previous versions, and encourages everyone to update their sites immediately.
If your site supports automatic background updates, expect it to be updated to WordPress 4.0.1 within the next few hours, if it hasn't been updated already.
Those of you who are running WordPress 3.9.2, 3.8.4, or 3.7.4 will be updated to 3.9.3, 3.8.5, or 3.7.5, respectively, in order to keep your site secure.
Version 3.9.2, and earlier versions of WordPress, were found to be affected by a critical cross-site scripting vulnerability, which leaves sites open to anonymous attackers.
This issue is said not to affect version 4.0, but version 4.0.1 does fix 23 bugs in 4.0, which is another good reason to update.
WordPress 4.0.1 fixes the following security issues:
- Three cross-site scripting issues that a contributor or author could use to compromise a site.
- A cross-site request forgery that could be used to trick a user into changing their password.
- An issue that could lead to a denial of service when passwords are checked.
- Additional protections for server-side request forgery attacks when WordPress makes HTTP requests.
- WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address.
To get the latest version of WordPress and ensure your site isn’t vulnerable to any of the above security issues, go to your WordPress dashboard and select “Update Now”.