1. WordPress announced a critical security release, version 4.1.2, on 21 April 2015 and recommends that you update your website(s) immediately.
A critical cross-site scripting (XSS) vulnerability affects all versions of WordPress up to and including 4.1.1 and could enable anonymous users to compromise your website.
WordPress has applied minor releases such as this automatically since version 3.7, so a site running 4.1.1 with automatic updates enabled should by now have moved to 4.1.2 and then on to 4.1.3. Do not assume this has happened: check the version shown on the Dashboard > Updates page, because automatic updates can be switched off by configuration or blocked by file permissions on the server.
WordPress has also since released a major update, version 4.2. Major releases are not installed automatically (automatic updates cover minor releases only), so you will need to apply this one manually.
2. Vulnerabilities in popular WordPress Plugins
Security company Sucuri has also announced that a number of popular WordPress plugins are vulnerable to cross-site scripting (XSS). Sucuri traced these to a common cause: the plugins passed the output of the WordPress core functions add_query_arg() and remove_query_arg() into page output without escaping it, which is why each plugin needs its own fix. They should be updated to the latest versions urgently.
Known affected plugins:
- WordPress SEO
- Google Analytics by Yoast
- All In one SEO
- Gravity Forms
- Multiple Plugins from Easy Digital Downloads
- Download Monitor
- Related Posts for WordPress
- My Calendar
- P3 Profiler
- Multiple iThemes products including Builder and Exchange
- Ninja Forms
This list may not be complete, so it is highly recommended that you check your installation and update any out-of-date plugins as soon as possible.
Please remember to make a backup of all your site files and your database before running any updates, in case anything goes wrong and you need to restore the site.
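As an added example (not code from the original post, from WordPress or from Sucuri), here is the check, back up, then update procedure described above written as a WP-CLI script. It assumes WP-CLI is installed as "wp", that the site's directory is given in WP_PATH (the /var/www/html default is a placeholder), and that the shell user can read the site's wp-config.php and write backups into the current directory. The version comparison is plain POSIX sh so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the original post: back up a WordPress site with
# WP-CLI and then update core and every plugin that has an update available.
# Assumptions (not stated on the page): WP-CLI is installed as "wp", the site
# lives at WP_PATH (the /var/www/html default is a placeholder), and the shell
# user can read wp-config.php and write into the current directory.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"
FIXED_CORE="4.1.2"   # first core release with the fix named in the post

# Print "yes" if dotted numeric version $1 is older than $2, otherwise "no".
# Pure POSIX sh so it works without GNU sort -V; missing components count as 0,
# so 4.1 is treated as older than 4.1.3 and 4.2 as newer than 4.1.3.
version_older() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca="${a%%.*}"; cb="${b%%.*}"
        ca="${ca:-0}"; cb="${cb:-0}"
        if [ "$ca" -lt "$cb" ]; then echo yes; return 0; fi
        if [ "$ca" -gt "$cb" ]; then echo no; return 0; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo no
}

# Step 1 of the post's advice: back up the database and the files before touching anything.
backup_site() {
    stamp=$(date +%Y%m%d-%H%M%S)
    wp --path="$WP_PATH" db export "wp-backup-$stamp.sql"
    tar -czf "wp-backup-$stamp-files.tar.gz" -C "$WP_PATH" .
    echo "backup written: wp-backup-$stamp.sql and wp-backup-$stamp-files.tar.gz"
}

# Step 2: report whether core is still on a vulnerable release, check that the
# core files match the official checksums (a modified core file is a cheap sign
# that the site is already compromised; verify-checksums exits non-zero on a
# mismatch, which stops this script so you can investigate before updating over
# the evidence), then update core and every plugin with an update available.
update_site() {
    current=$(wp --path="$WP_PATH" core version)
    if [ "$(version_older "$current" "$FIXED_CORE")" = yes ]; then
        echo "core $current is older than $FIXED_CORE: vulnerable, updating"
    else
        echo "core $current already includes the $FIXED_CORE fix"
    fi
    wp --path="$WP_PATH" core verify-checksums
    wp --path="$WP_PATH" core update
    wp --path="$WP_PATH" core update-db
    echo "plugins with an update available:"
    wp --path="$WP_PATH" plugin list --update=available --fields=name,version,update_version
    wp --path="$WP_PATH" plugin update --all
}

# Defining the functions is harmless; only touch a real site when asked to.
if [ "${1:-}" = "--run" ]; then
    backup_site
    update_site
fi
```

Run it with the --run flag from a directory where you want the backup files to land; without the flag it only defines the functions. Keep the backup somewhere off the web server before testing the updated site, since a restore is the whole point of taking it.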
I have noticed that there seems to be an increase in the number of websites getting hacked recently, so it is highly recommended that you take heed of the above advice. Now that these issues have been publicised, most WordPress sites will be a target for hackers looking for vulnerable installations.
Recovering a website after it has been hacked can be a long and expensive process, so you really don't want to be on the receiving end of an attack.
If you are not sure what to do, ask your web designer.