27th September 2018
Delivering your website isn't the end of the road for us. Today, as part of this strategy, we're pleased to introduce a monthly WordPress vulnerability report. At the start of each month, we'll cover the plugin updates that are essential for our clients.
Before we dive in, I invite you to watch the video made by our technical director to explain WordPress security in more detail.
We want to make you aware of the risks facing websites whose maintenance is neglected, and in doing so show you an important part of our maintenance routine. Our report will tell you about the crucial security updates to WordPress and to the plugins we use on our clients' sites.
Keeping track of security vulnerabilities is a gruelling task. Even if you know where to look for the release notes, reading them often isn't a walk in the park. Let's change that! We want to offer a comprehensive, easy-to-understand report: no redundant information, no confusing vocabulary. Each month you'll learn what we updated, when, and why.
The real responsibility starts the moment you make your website publicly available, so our service goes beyond its launch. We come across business owners who had their website built by an unprofessional agency or a freelancer who vanished the minute the final payment arrived.
Raising awareness about the security risks of neglected websites is an important mission for us. We’re monitoring the vulnerabilities of WordPress plugins for our clients on a daily basis. Now we’ve decided to share our results with you.
Improving the security of individual websites will improve the security of the WordPress platform so we hope you’ll find this series useful and consequently learn how to keep your website safe and sound.
Just as promised, you can find a preview of our inaugural WordPress Vulnerability Report below.
A bug in the plugin's code escalated the permissions of the Contributor role: a logged-in user with the Contributor role could edit contact forms, even though the plugin by default reserves that edit permission for users with the Administrator and Editor roles.
Is it safe?
Fixed in version 5.0.4, released 04.08.2018.
The plugin now checks the Contributor role's permissions correctly. The feature that lets you attach files to the replies you send to your visitors was also hardened: file paths can now only point inside your website's wp-content directory, so a potential attacker is less likely to be able to attach malicious files to the e-mails you send to your visitors.
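The two fixes above, a role check before editing and a containment check on attachment paths, are easy to get wrong in plugin code. The following is an added example written for this report, not the plugin's own code. It assumes WordPress's `WP_CONTENT_DIR` constant and `current_user_can()` function (both standard WordPress APIs); the capability `edit_others_posts`, which Editors and Administrators hold but Contributors do not, is assumed here as the gate for editing forms, and the sample files and the stub `current_user_can()` are constructed so the script runs outside WordPress.

```php
<?php
// Added example, not the plugin's code. Outside WordPress, fall back to a
// constructed temporary wp-content directory and a stub capability check.
if (!defined('WP_CONTENT_DIR')) {
    define('WP_CONTENT_DIR', sys_get_temp_dir() . '/wp-content-demo');
}
if (!function_exists('current_user_can')) {
    // Constructed stub: pretend the current user is a Contributor (no editor capability).
    function current_user_can(string $cap): bool { return $cap !== 'edit_others_posts'; }
}
@mkdir(WP_CONTENT_DIR . '/uploads', 0700, true);
file_put_contents(WP_CONTENT_DIR . '/uploads/brochure.pdf', 'constructed sample attachment');

/**
 * Role check: only users holding an editor-level capability may edit forms.
 * Assumption: 'edit_others_posts' stands in for the plugin's real capability.
 */
function user_may_edit_forms(): bool {
    return current_user_can('edit_others_posts');
}

/**
 * Containment check: return the canonical path of $userPath only if it
 * resolves to a file inside WP_CONTENT_DIR; otherwise return null.
 */
function attachment_path_within_content_dir(string $userPath): ?string {
    $base = realpath(WP_CONTENT_DIR);
    if ($base === false) {
        return null;
    }
    // Relative paths are resolved against wp-content; absolute ones as given.
    $candidate = (substr($userPath, 0, 1) === DIRECTORY_SEPARATOR)
        ? $userPath
        : $base . DIRECTORY_SEPARATOR . $userPath;
    // realpath() collapses "../" segments and symlinks; false if the file is missing.
    $resolved = realpath($candidate);
    if ($resolved === false || !is_file($resolved)) {
        return null;
    }
    // Accept only paths that start with "$base/" (string prefix on the canonical form).
    if (strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed inputs: one legitimate attachment, two traversal attempts.
$samples = ['uploads/brochure.pdf', '../wp-config.php', '/etc/passwd'];
foreach ($samples as $path) {
    $ok = attachment_path_within_content_dir($path);
    printf("%-22s -> %s\n", $path, $ok === null ? 'rejected' : 'accepted: ' . $ok);
}
printf("current user may edit forms: %s\n", user_may_edit_forms() ? 'yes' : 'no');
```

With the constructed stub the role check reports "no" and only `uploads/brochure.pdf` is accepted; the two traversal attempts are rejected because their canonical paths do not begin with the canonical wp-content path. Doing the comparison on `realpath()` output rather than on the raw string is what defeats `../` sequences and symlinks pointing outside the directory.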
Level of warning