The latest WordPress release doesn’t provide much additional functionality but is highly recommended. It provides fixes for eight security bugs and 17 maintenance issues.
The most critical security flaw the project fixed is a bug that allowed attackers to change a user’s password by leveraging stolen cookies. The WordPress security team’s Michael Adams discovered this issue internally.
Browser cookies are easy to steal, and there is a lot of publicly available exploit code that can be packed as a simple XSS and steal a user’s cookie file, for a specific site, or for all. Many of the vulnerabilities can be exploited remotely and allow an attacker to control of a website running on WordPress.
The platform continues to focus on security; already this year WordPress has updated a handful of times with sizable security updates and in April, turned on free encryption for custom domains hosted on WordPress. Last week’s update patches vulnerabilities affecting versions 4.5.2 and earlier. The update addressed a redirect bypass vulnerability in WordPress customizer API, a framework used by developers to preview live changes to WordPress themes.
WordPress sites updating automatically
Many sites will have updated automatically which means that the main admin contact may receive an email confirming the news. If you did receive an email then just check that your website is working correctly, sit back and relax. If you didn’t, then you need to log in to your WordPress Dashboard to check the version – look on the bottom right of the screen.
If your WordPress website hasn’t updated, then you need to start the job.
WordPress makes it easy to update and normally the process works without any major hitches. There might be some issues with plugins or themes but most times WordPress updates are backwards compatible so older versions of both plugins and themes should work after an update.
The first thing you need to do is make a backup. Hopefully you will have a website backup plan in place and be aware of when your last update was taken. Even if you have this then it is worth taking a manual backup of the website files and MySQL database. See our recent blog posting – Website backup – how much and how often.
This means you can quickly restore the website should a problem occur. Once you have your backups simply click Update now on the top left of your Dashboard or go to Dashboard > Updates.
Like the operating system of your phone, tablet or computer, keeping up to date with your WordPress version is important for website security for your important data and your website visitors. Also Google will downgrade old versions of Content Management Systems in Search Engine Results Pages.