WordPress Weekly News 019: WordPress 4.7.5, WordPress on HackerOne and much more!

On Friday, 12th May 2017, the world witnessed the biggest cyberattack in history. The ransomware attack named “WannaCry” penetrated millions of computers around the world. Banks, organizations, and many other authorities have had their data compromised. And we might have not seen the end of it. Our mobile phones might be the next target as different modules and variants of WannaCry are set to emerge.

The WordPress community came forth and extended their support in this time of chaos. The good people at Wordfence, a popular WordPress security plugin, released a public service message on protection against the ransomware.

Let’s dig in and find out what else has kept the WordPress community busy in the past week. In this week’s weekly roundup, we will talk about the WordPress account on HackerOne, WordPress 4.7.5, and much more!

WordPress 4.7.5

WordPress 4.7.5 is now available for installation. It was released a couple of days ago with six security fixes. It is also highly recommended that you update your WordPress immediately. If you are using WordPress 3.7 or older versions, you will need to update your WordPress manually.

WordPress openly disclosed the vulnerabilities that were patched in 4.7.5. These vulnerabilities include:

1. Insufficient redirect validation in the HTTP class.
2. Improper handling of post-metadata values in the XML-RPC API.
3. Lack of capability checks for post-metadata in the XML-RPC API.
4. A Cross Site Request Forgery (CRSF)  vulnerability was discovered in the filesystem credentials dialog.
5. A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files.
6. A cross-site scripting (XSS) vulnerability was discovered related to the Customizer.

Most of the vulnerabilities were reported by security researchers on HackerOne. Since WordPress now has a new HackerOne account, which we will talk about in this roundup, many more security updates are expected to be released before the  4.8.

WordPress Joins HackerOne

WordPress now has an account on HackerOne. Security researchers can now responsibly report any vulnerabilities that they might have detected. If you remember, HackerOne recently launched a community forum for open source projects. This launch influenced WordPress to create a separate account which was previously listed under Automattic.

The account wasn’t made public at first. WordPress invited specific security researchers to report, via email, security vulnerabilities. Making it public has allowed the team to work together to solve security issues. Czar Aaron Campbell believes that the new system will definitely reduce time spent on catering security issues. It will result in the team spending its time more effectively.

“We have about 40 people with access to triage reports, although, like most volunteer groups, not everyone is usually triaging at the same time,” Campbell said.

WordPress has also announced bounties upon reporting a security threat. The bounties range from $150 to $1,337. Till now, the team has awarded bounties of more than $3,700 to different reporters.

“Anything that qualifies for a cash bounty will be $150+. We have a few swag bounties (hoodies) for really small things that will be going out soon as well” Campbell said.

WordPress.com alters “Business Plan” – Allows themes and plugin installation

One of the major distinctions between WordPress and WordPress.com is the ability to install third party themes and plugins. Very recently, WordPress.com changed its business plan, allowing users to install third-party themes and plugins to their websites.

It all started with a support thread on WordPress.com. A user asked how to install plugins on WordPress.com. Other users responded to the thread by giving the usual explanation that it’s not possible and that you need to shift to the self-hosted WordPress in order to do that.

In response to the thread, Valedeoro, a member of the WordPress.com support staff, announced that users now have the opportunity to install most of the third-party themes and plugins. Here is what she had to say:

“Quick update on third-party plugins: We’ve recently opened the opportunity to install plugins for Business Plan users. Keep in mind that most features are covered already by the plugin included in your WordPress.com account, so it is possible that you do not need any additional plugins.”

In the same thread, another staff member stated that users can install WooCommerce if they have updated to the business plan of WordPress.com

“It is now possible to add Woocommerce if you’ve upgraded to the Business Plan.

With the Business Plan customers get access to Automated Transfer, which lets you install WooCommerce. If for some reason the option doesn’t show up, we have Happiness Engineers who are available and more than capable of helping get it sorted out.” Said Chanthaboune

Hookr Rebrands as WP Inspect

Christopher Sanford, creator of the controversially named Hookr plugin, has rebranded it as WP Inspect. The plugin provides a WordPress hook/API reference for developers and displays the actions and filters as the page is loaded.

During the initial release, Sanford was committed towards keeping the Hookr brand. After 3500 downloads, he realized to rebrand the plugin and put it in the official repository.

“Based on the usage and positive feedback, I wanted to target a broader audience, which led to both the re-brand and submission to the WordPress Plugin repository,” Sanford said. “Leveraging the plugin repo, it will be much easier to coordinate/communicate updates, which is somewhat lacking today.”

The Week’s Best Tutorial & Tips

• The Ultimate Guide for 404 pages in WordPress
• 8 Common Blogging Mistakes to Avoid

That is all from this week’s WordPress Weekly News. Don’t forget to mention any WordPress news that you came across. You can email it directly as well at [email protected].