WordPress Updating & API Security Vulnerability

Steve Hardy / February 2nd 2017 / Hosting / 0 comments

Some of you will have been receiving updates from us over the last few days to ensure that you’ve upgraded any instances of WordPress 4.7.0 or 4.7.1 to the latest release (v4.7.2), due to a security vulnerability that has been identified and was publicly acknowledged yesterday (see the WordPress and Sucuri updates). We’re pleased to confirm that all customers here at DOWO Digital are patched against this vulnerability (for the few that hadn’t taken action and were still running vulnerable versions, automatic updates were pushed out on Tuesday evening).

If you want to know more about the specifics of the vulnerability then please see the links above – we can’t explain it any better! In a nutshell, there was a bug in the new REST API which allowed anyone, without logging in, to edit posts and pages on your site. Our Web App Firewall didn’t pick up any instances of this affecting sites here at DOWO Digital (and no support cases were raised regarding WordPress issues last week!).
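As an added example (not part of the original post, and not DOWO’s own tooling), here is the kind of check a hosting team can run to find installs still on the affected releases: it reads the `$wp_version` line from each site’s `wp-includes/version.php` and flags 4.7.0 and 4.7.1, the versions named above. The site directory layout, the `example-*` site names and the sample file contents are constructed for illustration.

```python
# Added example: audit hosted WordPress installs for the REST API bug fixed in 4.7.2
# by reading each site's wp-includes/version.php (versions as named in the post).
import re
from pathlib import Path

FIXED_VERSION = "4.7.2"    # release the post names as carrying the fix
FIRST_AFFECTED = "4.7"     # WordPress writes the 4.7.0 release as '4.7' in version.php

# WordPress stores its version as a PHP assignment, e.g.  $wp_version = '4.7.1';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']*)'")

def parse_wp_version(version_php: str):
    """Return the $wp_version string from version.php contents, or None if absent."""
    m = VERSION_RE.search(version_php)
    return m.group(1) if m else None

def version_key(v: str):
    """'4.7.1' -> (4, 7, 1); '4.7' -> (4, 7, 0); a -beta/-RC suffix is ignored."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums + [0] * (3 - len(nums)))

def is_vulnerable(v: str) -> bool:
    """True only for 4.7.0 and 4.7.1, the releases the post says are affected."""
    return version_key(FIRST_AFFECTED) <= version_key(v) < version_key(FIXED_VERSION)

def classify(version_php: str) -> str:
    """Classify one version.php as 'vulnerable', 'not_affected' or 'unknown'."""
    v = parse_wp_version(version_php)
    if v is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(v) else "not_affected"

def audit_docroots(sites_dir: str) -> dict:
    """Map each site directory under sites_dir (assumed layout) to its status."""
    results = {}
    for vfile in Path(sites_dir).glob("*/wp-includes/version.php"):
        results[vfile.parts[-3]] = classify(vfile.read_text(errors="replace"))
    return results

# Constructed sample contents standing in for three sites' version.php files.
SAMPLE_VERSION_FILES = {
    "example-a": "<?php\n$wp_version = '4.7.1';\n",
    "example-b": "<?php\n$wp_version = '4.7.2';\n",
    "example-c": "<?php\n$wp_version = '4.6.3';\n",
}

if __name__ == "__main__":
    for site, contents in SAMPLE_VERSION_FILES.items():
        print(f"{site}: {classify(contents)}")
```

Running `audit_docroots("/var/www")` (or wherever your docroots live) gives the same classification per real site; anything reported as `vulnerable` should be updated to 4.7.2 straight away.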

All of this raised conversations in the office about the pros and cons of upgrading WordPress, and we all agreed that we should be updating whenever patches and upgrades are available (we use WordPress for our own website, and have automatic updates set up so we’re always running the latest version!). Here are our top 5 reasons to upgrade:

1. Security

Security is the most important reason why you should keep your WordPress website up to date.

One of the reasons that WordPress is increasingly becoming the target of security attacks is because it’s so big. A platform that powers up to a quarter of the internet will doubtless attract the attention of anyone wanting to insert malicious code, take sites down or steal data. But the very size of WordPress, and of its community of users and developers, is also an asset here.

Security vulnerabilities are spotted and dealt with quickly. The fact that WordPress is open source means that anyone finding a problem can identify its cause and alert the right people straight away. So when a security vulnerability comes to light in WordPress core, it can be fixed quickly and an update released without delay.

This also means that if you are not using the latest version of WordPress, you are running software with publicly known security vulnerabilities. Attackers can search for websites running the older version, and you may become the victim of a targeted attack.

2. Enhancements

Keeping your site up to date also gives you access to new features, as recent releases of WordPress have each brought new functionality and changes to the software. For example, WordPress 4.0 came with an improved plugin install experience, 4.1 introduced inline image editing, and 4.2 brought faster plugin updates. We even wrote a blog post recently about some of the new features in WordPress 4.7 too.

Each enhancement keeps making the product easier to use. Even though they’re small changes they stack up quickly – we’re always amazed at how much has changed when we start logging into earlier versions and don’t have the new features available!

3. Performance

Updates aren’t just for security. Often they’ll improve the performance of WordPress itself, or of a plugin or theme.

WordPress developers are always trying to make things faster. Each new release comes with several performance improvements that make WordPress run faster and more efficiently. WordPress 4.1 improved complex queries, which helped the performance of sites using them, and WordPress 4.2 improved JavaScript performance for navigation menus.

Since speed is a huge factor in SEO, you should definitely keep your WordPress updated to ensure maximum performance benefits.

4. Bug Fixes

Despite the rigorous testing of major WordPress releases, bugs sometimes slip through the cracks, such as the REST API vulnerability we’re talking about above. With WordPress being such a big platform there are always lots of little tweaks – if you’re having an issue and aren’t running the latest version, we strongly advise updating WordPress, as that may well fix it.

5. Compatibility

Major WordPress releases normally lead to updates from theme and plugin developers, ensuring they take advantage of newly available features and enhancements, as well as adding compatibility with the latest technology, such as support for PHP 7, which we’ve been running since 2015 here at DOWO – https://www.dowo.digital/blog/hosting/php-7-with-opcache-available-now/

Conclusion

All in all – upgrading is good, and keeps you ahead of the curve. There may be the occasional issue, but that’s why you should always take a backup before you start. If you need assistance with upgrading your WordPress, or have any questions about using WordPress, then contact our support team who will happily help you.

Update (10th Feb):

BBC News are reporting that over 1.5 million sites were affected by this bug – read more here: http://www.bbc.co.uk/news/technology-38930428

About the Author - Steve Hardy

Steven leads our line-up of Linux & Windows specialists providing DOWO with its secure hosting platforms and 24/7 support team. Having previously worked in the NHS, managing multi-million pound ICT budgets, he has the skills and knowledge to protect highly sensitive information, control access and utilise that data in the most secure and reliable way. These skills have enabled DOWO Digital to develop first class web solutions and his commercial skills have provided us with a stable financial footing.