Yesterday WordPress released a security patch that fixes a huge vulnerability they discovered in the core code, so we pretty much dropped everything and did nothing but upgrades all day.
While we usually like to wait a few days on new upgrades to ensure plugin compatibility, the notice on the WordPress site indicated that this one was serious, so we took care of all of our sites immediately, except this one, which we’ll be doing last.
According to Matt Mullenweg (the founding developer of WordPress),
…apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”
Just like with Microsoft, when a company TELLS you that something is a critical update, you should get it done.
To upgrade, just log into your admin panel, and you should see a message at the top telling you that there’s a new version. Then go to the “Updates” link on the left and follow the directions.
How else can you secure WordPress?
There are lots of easy and simple steps you can take, from deleting your default user named “admin” to removing the code that tells the world exactly which version of WordPress you’re running, and we’ve even built a couple of them into our Core Tweaks WordPress Setup Plugin.
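As an added example, and not code from this post or from the Core Tweaks plugin, here is a small must-use plugin that removes the version disclosure mentioned above. The hooks it uses (wp_head, the_generator, style_loader_src, script_loader_src) and the helpers remove_query_arg() and __return_empty_string() are real WordPress API; the hwv_ function name and the file name are my own choice.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (example)
 * Description: Strips the WordPress version number from the places core discloses it.
 * Drop this file into wp-content/mu-plugins/hide-wp-version.php (hypothetical path).
 */

// Remove <meta name="generator" content="WordPress x.y.z"> from the page <head>.
remove_action( 'wp_head', 'wp_generator' );

// Blank the generator string in RSS/Atom feeds and anywhere else the_generator is used.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Core appends ?ver=<core version> to its own scripts and stylesheets.
 * Strip that query argument only when it matches the core version, so a
 * theme or plugin asset that carries its own version keeps its cache-buster.
 */
function hwv_strip_core_version( $src ) {
    global $wp_version;
    if ( false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hwv_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_core_version', 9999 );
```

Because it lives in mu-plugins it loads on every request and cannot be switched off from the Plugins screen. Two caveats: the readme.html file in the site root still states the version, so delete it or deny access to it at the web server, and hiding the number is hygiene, not protection. The only real fix for a bug like the KSES one is applying the update itself.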
If you Google for WordPress security tips and WordPress security plugins, you’ll find an endless list of suggestions and plugins, and we’ve probably tried ’em all, sometimes even sacrificing performance in favor of security, which isn’t always the best idea.
However, when it comes to really making your site bulletproof, we follow a guide that was written by an expert, John Hoff, called WordPress Defender.
It’s a 150-page e-book that comes with 16 detailed “how to” videos, and it’s the most comprehensive WordPress security guide I’ve ever seen.
Because of the growth and popularity of WordPress, it’s going to continue to be a target, so reduce your chances of being compromised by checking it out here.