Upgrading Wordpress

Blogsecurity.net updated their site with a list of known vulnerabilities in each version of Wordpress and some popular plugins. I appreciate this list, and hope it’s regularly updated - knowing this information is important when making the decision to update Wordpress. Seeing there are more issues than the admin XSS vulnerability, I decided I should update now before generating more content.

Having updated Wordpress a few times in the past, I’m familiar with the drill - back up database and my files, deactivate plugins (why is this important?), delete old files and upload new ones, then reactivate Akismet as fast as I can. No problem - until I started changing options. After hitting the Update Options button on the General Options tab, I got a nasty 404 error:

Error 403: Forbidden
You don’t have permissions to access this page. This usually means one of the following:

  • this file and directory permissions make them unavailable from the Internet.
  • .htaccess contains instructions that prevent public access to this file or directory.

Please check file and directory permissions and .htaccess configuration if you are able to do this. Otherwise, request your webmaster to grant you access.

Hesitantly, I modified the permissions for options.php to 777 - no go. I quickly changed them back and headed to Google for an answer, which led me to a posting on mod_security. I recalled my host recently turned on mod_security, so I followed the instructions for creating a new .htaccess file for the wp-admin folder - no more 404.
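For reference, this is the shape of the wp-admin .htaccess workaround the post refers to, written out here as an added example rather than copied from the original post or from the wordpress.org thread; it assumes a host running ModSecurity 1.x (the SecFilter directives), since ModSecurity 2.x uses SecRuleEngine and by default does not accept these directives in .htaccess:

```apache
# /path/to/blog/wp-admin/.htaccess  (assumed location; this file is only for wp-admin)
# Turns off ModSecurity request inspection for this directory only, so that
# POSTs to options.php from the authenticated admin UI are no longer rejected
# with "Error 403: Forbidden". Public pages outside wp-admin stay inspected.
<IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
</IfModule>
```

Keep this file scoped to wp-admin (never the blog root) so the front-end, where untrusted input arrives, keeps the mod_security filtering the host enabled.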

I have to say again - I appreciate Blogsecurity.net's efforts in evangelizing blog security. I think I was a little knee-jerk in reacting before, and am looking forward to more discussion on the survey data and security issues. By the way, someone on Slashdot posted how they probably “surveyed” the Wordpress version on blogs:

As a guess, they probably searched Google for the phrase “Powered by WordPress” (in the default template), then pulled the HTML and looked for the following tag in the HEAD segment:
<meta name="generator" content="WordPress $version" />

Good point. I’m sure they used something a little more sophisticated than Google, like a spider, but that makes sense. So thanks Blogsecurity.net for giving me the information I needed to decide to update Wordpress and wordpress.org forums for giving me the .htaccess workaround. My update wasn’t painless, but a whole lot less painful than it could have been.
