What all comes loaded in WordPress v4.7.2

After releasing a major update at the end of December 2016, WordPress two weeks ago introduced another update, WP v4.7.2, which fixes some crucial security flaws, three of which were disclosed at the time of the official launch. The security issues eliminated in this update are an SQL injection vulnerability in WP_Query, a cross-site scripting (XSS) vulnerability in the posts list table, and a Press This issue in which the taxonomy-term assignment interface was shown to users who lacked the permission to use it.

The fourth and most important issue resolved in this update was an unauthenticated privilege escalation vulnerability in a REST API endpoint. WordPress fixed the problem silently and disclosed it one week after the release. There are several other risk factors which can be cut down if you carefully convert PSD to WordPress and inspect every element before launching the website on the World Wide Web. The primary reason contributors opted to delay the disclosure was to mitigate the potential for mass exploitation: any site running 4.7 or 4.7.1 is at risk.

This non-disclosure let users update their sites manually or automatically without being exposed to additional risk in the meantime. Sucuri, a company which works with WordPress, was the first to discover the issue. Various WAF (Web Application Firewall) vendors and hosting companies also added protections before the vulnerability was publicly disclosed.

Once the problem became public, hackers were able to exploit it to the full extent, and thousands of WordPress sites were defaced with messages such as “Hacked by NG689Skw”, “Hacked by w4l3XzY3” or similar. When users Googled for information about these particular hacks, they found that the same automated process had hit many other WP sites.

As WordPress v4.7.2 is now officially available for download, it is strongly recommended to download and install it without delay.

Given below are some highlights of this latest version:

1. The user interface used for assigning taxonomy terms in Press This was shown to users who don’t have permission to use it.

2. WP_Query was vulnerable to SQL injection (SQLi) when passed unsafe data. The WP core is not directly vulnerable to this issue itself, but the hardening added in this release protects sites from plugins that pass unsafe data to it.

3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table.

4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint.

To download WordPress v4.7.2, open Dashboard -> Updates and simply click “Update Now”. Sites that support automatic background updates are already beginning to update to WordPress 4.7.2. It is best to update your site as soon as possible so that it doesn’t have to face any downtime.

All you need to know about WordPress v4.7.1

On 6th Dec 2016, WordPress released v4.7, codenamed “Vaughan”. Within just one month, v4.7 recorded over 16 million downloads, and this number is rising day by day. The best thing about this new version is that users don’t have to carry out the upgrade manually; everything is initiated directly from the WordPress main servers. Since the launch of v3.7, WordPress has included an automatic updating system so that users don’t have the hassle of installing update files themselves.

Recently, the user community and WordPress developers noticed some major vulnerabilities in v4.7, and to overcome them WordPress quickly released v4.7.1, which eliminated over 62 bugs from the core code and also resolved the security flaw in the popular PHPMailer email library that was first detected in November 2016. This incremental update and bug fixing helped users keep their portals safe and secure.

The security upgrade in WordPress v4.7.1 removed a vulnerability which wasn’t actually in WP’s core code but in the open-source PHPMailer library. PHPMailer is a popular email creation and transport library for PHP which WordPress uses. The flaw was a remote code execution (RCE) bug, later identified as CVE-2016-10033, and users detected it in December 2016.

Although PHPMailer released a separate update for CVE-2016-10033, it did not fix the issue properly. As a result of this loophole, millions of websites were not able to send emails to their global clients and customers. Once the issue was reported, PHPMailer released another security patch to eliminate the vulnerability. As the error was not in WordPress code, the WP support team was less bothered about the problem.

Once v4.7.1 was released, these vulnerabilities were removed and the CMS remained unaffected by the technical issues. With v4.7.1, WordPress has become safer and more secure. According to the release notes of v4.7.1, “no specific issue appears to affect the functioning of WordPress. All the plugins we investigated till now remain safe, and out of an abundance of caution we are officially updating PHPMailer in this latest release.”

Apart from rectifying the PHPMailer problem, another loophole closed was an information leak from the REST API that exposed users’ personal and financial data. Moreover, v4.7.1 also patches Cross-Site Scripting (XSS) vulnerabilities as well as a pair of Cross-Site Request Forgery (CSRF) flaws.


In this article you have read about the major security updates that come with the latest version of WordPress, v4.7.1. It is best to update your CMS software today and get rid of all these issues in a hassle-free manner.

Updating To WordPress 4.7? Read This First

The latest version of WordPress, WordPress 4.7 Vaughan, was released on December 6, 2016. The version is named after the legendary jazz singer Sarah Vaughan.

In case you missed it, here are the highlights of WordPress 4.7:

  • A new default theme, Twenty Seventeen, has been introduced; it is sleek in design and quite appealing.
  • Themes can now provide starter content. This is helpful for admins converting PSD to WordPress themes, as it gives a solid base for creating a website.
  • You can add a video as the site header. This is probably the main update of WordPress 4.7.
  • You can now preview custom CSS before the site goes live.
  • Managing web content is easier in WordPress 4.7.
  • Preview images and videos as PDFs.

These are just a few of the advancements WordPress has made with its 4.7 Vaughan version. But before you upgrade your WordPress, here are a few steps to follow.

First of all, save the WordPress XML export file on a hard drive. To do this, click Tools in the left sidebar of the screen, choose Export, and click Download Export File. Create a new folder on the hard drive and name it WP Backup (optional). Creating a backup is recommended once a month, regardless of the updates available.

Next, create a backup of your WordPress database. For this, you can use backup plugins like:

1. BackupBuddy
2. UpdraftPlus
3. BackWPup
4. BackUpWordPress

These plugins can also be used later for optimizing the database.

  • Download a copy of the database backup. It should not be stored on the server itself, because the backup will be useless if there is a problem with the server. Store it on an external drive or in the cloud instead.
  • If you have a custom theme, download all your theme folders to a local hard drive.
  • Finally, deactivate all installed plugins before you hit the upgrade option, and remember to activate them again afterwards. Although you can update with the plugins active in a single click, this method is preferred. If you notice that a plugin is not working well, deactivate the plugins one at a time. If this doesn’t help, the issue may not be with your website at all: if the plugin developer has not updated the plugin for WordPress 4.7, it might not work. Simply look for an alternative and install it.

Do Not Let Malicious Hackers Botch WP Security

74,652,825 websites out of the roughly one billion websites out there are hosted on WordPress.com. Among self-hosted sites, WordPress holds a considerable 18.9% share. WordPress has grown into one of the most remarkable CMS platforms, covering 25 percent of the market, and has become hugely popular. It is not that there are no worthy competitors in the CMS world, but none is as precise and easy to use, which lets even greenhorns in web development carry out their work easily; however, for technical processes which need security, such as HTML to WordPress theme conversion, they might need the assistance of a professional company which can securely move their website to WordPress.


According to Matt Mullenweg, CEO and founder of Automattic, the developers of WordPress, in a blog post: “The big opportunity is still the 57 percent of websites that don’t use any identifiable CMS yet, and that’s where I think there is still a ton of growth for us (and I’m also rooting for all the other open source CMSes).”

Crypto ransomware and other malicious software were in the news because they compromised a great many WordPress websites, which was extremely shocking for users.

One of the most talked-about stories was that three major security firms reported hackers had attacked a large number of websites and redirected their users in a vile manner to malicious websites so as to fetch their credentials.

Black Markets

Now you might be wondering where these malicious websites host their code. They use the Nuclear exploit kit, which can be purchased on the black markets of the Internet, to host their malicious code.

Users who do not have updated versions of plugins such as Microsoft Silverlight, Adobe Flash Player, Adobe Reader, or even the browser itself, can fall into the trap of the TeslaCrypt ransomware package. This encrypts your files, holds them hostage, and demands a ransom for the decryption key needed to restore them.

Jérôme Segura, Senior Security Researcher at Malwarebytes, reports that malicious users inject code that quietly redirects users to domains that look as if they host ads. These ads are a distraction or outright fraudulent, as they are infused with code that redirects users to the Nuclear Exploit Kit.

There are a great many security plugins for WordPress websites, but here we have handpicked the three top plugins that will help you strengthen your WordPress security.

1. Wordfence

When it comes to WordPress security, Wordfence has gained credence among all the security plugins out there. One of its best qualities is that it keeps a check on malware infection.

Apart from that, it scans the complete file structure of your WordPress core, themes and plugins, and notifies you whenever it comes across a problem.

That is not all: it claims to make your website up to 50 times faster and more secure than regular WordPress. You might be wondering how it improves the speed of your website at such a considerable rate; the answer is that it uses a caching engine known as Falcon. You can get the plugin for free, but the advanced features make it a premium plugin as well, so it is a great option for those who can afford it and want to make their security quite stringent.

Among its many benefits, this plugin secures your website against brute-force attacks and adds two-factor authentication via SMS.

It also gives you the leverage to block traffic coming from any particular country.
Along with this, it provides a firewall that blocks traffic which is not coming from a legitimate source, such as scanners and botnets.

It can also scan for backdoors hosted on your site, such as R57, C99 and several others.

It notifies you by email whenever it detects malicious activity.
It can scan your WP posts and comments for malicious code, supports multiple websites, and lets you check traffic in real time to spot any suspicious threat your website may be vulnerable to.

2. All In One WP Security & Firewall

Prevention is certainly better than cure, and this is one of the WP plugins that checks all the vulnerable areas of your WP website. It comes with security recommendations which considerably reduce the risks. It also protects against brute-force attacks and locks out visitors who try to barge into your website by brute force.

You also get email notifications for users who accidentally get locked out after failed login attempts. It can detect weak passwords and make sure users choose strong ones. It can also monitor user account activity, tracking the username, IP address and login date and time.

Using this plugin you can schedule automatic backups of your website and receive email notifications. It also protects PHP code by disabling the file editor in the admin area.

Further, it adds a web application firewall to your WP website and enables the 5G Blacklist, which helps you ward off attacks. It lets you guard against bad query strings, CSRF, XSS, malicious bots, SQL injection and other security threats.

3. Sucuri Security

Sucuri Security is yet another plugin that helps WP website owners tighten their security. It is developed by Sucuri, one of the best-known companies in WordPress security. The plugin offers great security features such as security activity auditing, file integrity monitoring, malware scanning, a website firewall and blacklist monitoring.

That is not all: it also checks blacklists maintained by services such as Norton, Google Safe Browsing, Sucuri Labs, McAfee SiteAdvisor and several others, which can be of great help. It further notifies users of any suspicious activity.

The plugin can also safeguard your website from several malicious attacks, such as zero-day disclosure patches, DoS attacks, brute-force attacks and others that compromise the integrity of websites. Further, it keeps a log of all activities performed by users and stores the data in the Sucuri cloud.

This means that the login attempts of even nefarious hackers who try to circumvent the security rules get recorded and saved in Sucuri’s security operations center. Those who think their website needs extra security can purchase Sucuri’s premium services.

Seal your database manually

It is not just plugins that can improve the security of your website; there are several manual methods you can use to protect your WP website. One of them is to seal your database. Hackers take advantage of knowing the names of the database tables in advance, since every default installation uses the same ones. One reason is the default prefix ‘wp_’, which gives a hacker food for thought.

The first thing to know is that the prefix is set in wp-config.php, so that is the file to open in order to change it:

$table_prefix = 'wp_';

Add some numbers or letters:

$table_prefix = 'wp_2a4_';

Afterwards you need to go to your database and rename the tables to match. Run a command like the following for each of the 11 tables:

RENAME TABLE `wp_commentmeta` TO `wp_2a4_commentmeta`;

You may also come across references to the old prefix that need to be cleared. Run a query that lists everything in the options table still using the old prefix:

SELECT * FROM `wp_2a4_options` WHERE `option_name` LIKE '%wp_%';

Note that in a LIKE pattern the underscore matches any single character, so this query can also return names that merely contain "wp" followed by some other character; go through every single row and update only the ones that really carry the old prefix.

After that take a look at the usermeta table, which works the same way:

SELECT * FROM `wp_2a4_usermeta` WHERE `meta_key` LIKE '%wp_%';
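The whole prefix change described above, as an added example that is not the article's own code: a Python script that builds the RENAME TABLE statements for all 12 core tables present in WordPress 4.7 (the article counts 11; termmeta was added in 4.4), escapes the LIKE pattern so the underscore is matched literally, and produces UPDATE statements only for the rows in options and usermeta that still carry the old prefix. The prefixes, the table list and the sample rows are constructed for illustration; run the returned SQL against your database only after taking a backup.

```python
# Added example, not the article's code: SQL for moving a WordPress install from 'wp_' to 'wp_2a4_'.
OLD_PREFIX = "wp_"
NEW_PREFIX = "wp_2a4_"

# The 12 core tables of WordPress 4.4+ (termmeta was added in 4.4).
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms",
    "usermeta", "users",
]

def rename_statements(old=OLD_PREFIX, new=NEW_PREFIX, tables=CORE_TABLES):
    """One RENAME TABLE per core table; identifiers are backtick-quoted."""
    return [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]

def like_prefix(prefix):
    """LIKE pattern that matches the prefix literally. '_' and '%' are
    wildcards in LIKE, so a bare '%wp_%' would also match e.g. 'wpxfoo'."""
    escaped = prefix.replace("\\", "\\\\").replace("_", "\\_").replace("%", "\\%")
    return escaped + "%"

def find_statements(old=OLD_PREFIX, new=NEW_PREFIX):
    """Queries listing rows still keyed by the old prefix after the rename."""
    pat = like_prefix(old)
    return [
        f"SELECT option_id, option_name FROM `{new}options` WHERE option_name LIKE '{pat}';",
        f"SELECT umeta_id, meta_key FROM `{new}usermeta` WHERE meta_key LIKE '{pat}';",
    ]

def rewrite_key(key, old=OLD_PREFIX, new=NEW_PREFIX):
    """Move one option_name / meta_key to the new prefix. Keys already on the new
    prefix are untouched, so a rerun is safe even though 'wp_2a4_' starts with 'wp_'."""
    if key.startswith(new) or not key.startswith(old):
        return key
    return new + key[len(old):]

def update_statements(rows, table, id_col, key_col, old=OLD_PREFIX, new=NEW_PREFIX):
    """UPDATE statements for exactly the (id, key) rows whose key changes."""
    out = []
    for row_id, key in rows:
        fixed = rewrite_key(key, old, new)
        if fixed != key:
            out.append(f"UPDATE `{table}` SET {key_col} = '{fixed}' WHERE {id_col} = {int(row_id)};")
    return out

# Constructed sample rows. WordPress really does store wp_user_roles in options
# and wp_capabilities / wp_user_level in usermeta under the table prefix.
SAMPLE_OPTIONS = [(1, "siteurl"), (94, "wp_user_roles"), (95, "wp_2a4_user_roles")]
SAMPLE_USERMETA = [(10, "nickname"), (12, "wp_capabilities"), (13, "wp_user_level")]
```

Pass the real rows returned by `find_statements()` to `update_statements()` instead of the samples; the function only emits an UPDATE for rows whose key actually changes.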

You can further limit what the database user WordPress connects with is allowed to do. Day-to-day operation only needs data privileges such as INSERT, SELECT, DELETE and UPDATE; privileges that control users and the database structure, such as ALTER, GRANT and DROP, can be withheld from that user.

However, core updates and new plugins often need to change the structure of the database, which makes this route tricky: those privileges have to be granted again for the duration of the update. Anyone choosing this route needs to be particularly careful about backups.