WordPress 3.9.2 Update
WordPress 3.9.2 is the latest security update for the popular WordPress blogging platform. This update is a security release and the WordPress developers encourage everyone to update their sites as soon as possible.
WordPress 3.9.2 includes several improvements to the security of WordPress. Most notably, the update fixes a suspected Denial of Service (DoS) vulnerability that was found in PHP’s XML processing system. This vulnerability was reported by Nir Goldshlager from the Product Security Team at Salesforce, and was fixed by David Rothstein from Drupal’s security team along with Michael Adams and Andrew Nacin from the security team at WordPress. This is the first time that the Drupal and WordPress teams have worked together on a joint security release. Let’s have a look at what else is new in WordPress 3.9.2.
WordPress 3.9.2 also includes several other improvements to the security of the blogging platform, including:
• A fix that prevents a possible but unlikely code execution issue when processing widgets. The default WordPress configuration means that the platform is not vulnerable to this issue, but there are certain configurations which could be flawed.
• An update to prevent information disclosure through XML entity attacks which are passed through the GetID3 library. This issue was reported by Ivan Novikov from ONSec.
• A fix which adds protection from brute force attacks against CSRF tokens. This vulnerability was reported by David Tomaschik who works for the Google Security Team.
There are also several security updates which help to prevent cross-site scripting issues that could be triggered by people with administrative access to the platform.
The full list of release notes can be found on the WordPress.org site, along with details of what has been changed, and how to install the update. The update is fairly small and revises just a handful of files, including readme.html, wp-admin/about.php, wp-login.php, and several files in the wp-includes folder.
WordPress is a free and open source platform, and the update is available for free. Installing the update is as simple as logging in to the WordPress admin panel, going to Dashboard > Updates, then clicking Update Now. If your website supports automatic background updates and you are running WordPress 3.7.3, you will be updated to WordPress 3.7.4. If you are running WordPress 3.8.3, you will be updated to WordPress 3.8.4. Newer versions of WordPress will get the WordPress 3.9.2 update automatically. The auto-update feature does not support older versions of WordPress, so these must be updated manually.
If you are interested in seeing the latest WordPress developments, consider beta testing WordPress 4.0. This beta test is not recommended for production environments, but is stable enough for a personal blog, or for people who want to try the platform on a home server.
The nature of this update means that end users should see no changes. The update does not alter any themes or make significant changes to the user-interface. Your existing plugins, themes and widgets should continue to work as normal. However, it is always a good idea to back up your WordPress install before you make any changes to your installation or upload any updates.
Back up your database using your web host’s backup tool or phpMyAdmin. Download your entire WordPress folder so that you have a backup of all of the files that it contains. If you find that you have problems with WordPress after installing an update, the first thing to do is disable all of your plugins in the admin panel. If you cannot access the admin panel, use an FTP client to rename your plugins folder so that you are running WordPress without any plugins at all. Then gradually re-enable plugins to see if one of your existing plugins is causing a conflict.
If you identify a plugin that is causing issues, check with the developer to see if there is an updated version of the plugin. Most developers are quite responsive and will be happy to help their users if they encounter an issue caused by a WordPress update. If the developer cannot help you, there is a good chance that there will be an alternative plugin in the WordPress database that serves a similar purpose.