Oct 18, 2017
On 19 September 2017, WordPress core version 4.8.2 was released to the general public. It is a security and maintenance release, and the individual changes are minor. Sites with the automatic updates feature enabled were updated to it automatically.
WordPress 4.8.2 carries nine security fixes that every WordPress site owner should apply. This year there have been six updates containing security fixes in total.
Alongside six maintenance fixes, the security fixes address five cross-site scripting (XSS) flaws (a class of attack that refuses to die), directory traversal issues, and an open redirect. There is also precautionary hardening of the $wpdb->prepare() method.
For plugin developers this is a reminder of how important it is to write plugin code without vulnerabilities. The main problem is usually not a vulnerability in the WordPress core software itself but the surrounding ecosystem of plugin and theme code that runs alongside it.
WordPress states: "WordPress core is not directly vulnerable to this security issue, but we have added more hardening to prevent plugins and themes from causing a vulnerability."
WordPress itself runs a solid security operation, but the large number of third-party plugins and themes that give WordPress much of its value also brings vulnerabilities with it.
Recently the Display Widgets plugin, used by more than 200,000 websites, was pulled from the plugin directory when it was discovered to contain a backdoor that was being used to inject spam.
The hardening of $wpdb->prepare() matters because a reliable defence against SQL injection is to make sure every value placed in a SQL query is properly escaped. Escaping user-supplied data means the database engine treats it as data rather than as code, so an attacker cannot corrupt the query by smuggling SQL into the data.
Both WordPress and Wordprax state that the best way to do this escaping is the prepare method: all data in a SQL query must be SQL-escaped before the query is executed, and the prepare method does this for WordPress code by substituting escaped values for the placeholders in the query.
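As an added example (this code is not from the 4.8.2 release or from this post), the same usermeta lookup written the unsafe way, with prepare() misused, and with prepare() used correctly, followed by the two cases prepare() does not handle on its own. The meta key 'contact_email' and the wpx_ function names are hypothetical.

```php
<?php
/**
 * Added example, not part of WordPress or of the original post.
 * Assumes WordPress has loaded the global $wpdb and that a plugin stores a
 * contact address in usermeta under the hypothetical key 'contact_email'.
 */

/* 1. VULNERABLE: the value is concatenated straight into the SQL text.
 *    An input of  x' OR '1'='1  closes the string literal and turns the
 *    WHERE clause into a tautology.
 */
function wpx_users_by_email_unsafe( $email ) {
    global $wpdb;
    $sql = "SELECT user_id FROM {$wpdb->usermeta}
             WHERE meta_key = 'contact_email' AND meta_value = '" . $email . "'";
    return $wpdb->get_col( $sql );
}

/* 2. STILL VULNERABLE: prepare() only escapes the arguments it substitutes
 *    for %s / %d / %f placeholders. A value already spliced into the query
 *    string is never escaped, and any '%' inside it can be misread as a
 *    placeholder instead of as data. This is exactly the kind of plugin
 *    mistake the 4.8.2 hardening tries to contain.
 */
function wpx_users_by_email_misused_prepare( $email ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->usermeta}
          WHERE meta_key = %s AND meta_value = '" . $email . "'",
        'contact_email'
    );
    return $wpdb->get_col( $sql );
}

/* 3. SAFE: a placeholder for every value, every value passed as an argument.
 *    prepare() escapes each argument and adds the quotes around %s itself
 *    (do not write '%s'), so user data cannot close the literal.
 */
function wpx_users_by_email( $email ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->usermeta}
          WHERE meta_key = %s AND meta_value = %s",
        'contact_email',
        $email
    );
    return $wpdb->get_col( $sql );
}

/* 4. SAFE, covering the two things prepare() cannot do for you:
 *    - LIKE wildcards: '%' and '_' in user data must be neutralised with
 *      $wpdb->esc_like() before the pattern is passed as a %s argument,
 *      otherwise a search for "%" matches every row.
 *    - Identifiers: there is no placeholder for table or column names, so
 *      an ORDER BY column must come from a fixed allow-list, never from input.
 */
function wpx_search_users_by_email( $fragment, $order_by = 'user_id', $limit = 20 ) {
    global $wpdb;

    $allowed_columns = array( 'user_id', 'umeta_id' );
    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'user_id';
    }

    $pattern = '%' . $wpdb->esc_like( $fragment ) . '%';

    $sql = $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->usermeta}
          WHERE meta_key = %s AND meta_value LIKE %s
          ORDER BY {$order_by} ASC
          LIMIT %d",
        'contact_email',
        $pattern,
        $limit          // %d casts to an integer, so no quoting is needed
    );
    return $wpdb->get_col( $sql );
}
```

The pattern to check for in a plugin review is any string concatenation or interpolation of a variable inside the first argument to prepare(): functions 1 and 2 above fail that check, 3 and 4 pass it.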
Developers should therefore use the prepare method, as it protects against SQL injection. Sites on the updated version get the hardened prepare(), which catches some mistakes in third-party code; sites still on older versions do not. Plugin and theme developers should therefore also test their code against older versions of WordPress.
The security fixes in 4.8.2 apply to all WordPress versions up to and including 4.8.1. 4.8.2 is a low-key update, but the days after a security release are the busiest period of WordPress patching, and attackers watch who patches and how quickly.
Attackers still manage to exploit and deface large numbers of unpatched websites, even though WordPress keeps recommending automatic security updates.
The most important advice therefore comes from WordPress itself: “We strongly encourage you to update your sites immediately.” Update now if you have not already.