Title: Important Security Information – Updated
Last modified: August 18, 2016

---

# Important Security Information – Updated

 *  [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/)
 * This thread is void due to the release of 1.5.2.
    Go here: [http://wordpress.org/support/topic/41866](http://wordpress.org/support/topic/41866)
   ======================================
 * **You must UPGRADE to 1.5.1.3 first!**
 * WordPress version 1.5.1.3 is remotely exploitable if the web server on which 
   it runs has `register_globals = on` in the PHP configuration. Perl and PHP code
   exists to automatically exploit vulnerable WP 1.5.1.3 sites, allowing the attacker
   to (try to) execute code on the victim’s account.
 * ==Are You Vulnerable?==
    To test if your web server has this PHP option enabled,
   copy-and-paste the following PHP script, save it to your web site as `rg.php`:
 * ```php
   <?php
   if ( ini_get('register_globals') ) { echo "REGISTER_GLOBALS IS ON"; }
   else { echo "register_globals is off"; }
   ?>
   ```
 * Then load that page in your browser:
    [http://example.com/rg.php](http://example.com/rg.php)
   If `register_globals` is off, you may stop reading: your site is not vulnerable
   to this attack.
 * ==How to protect yourself==
    Download the revised [`wp-settings.php`](http://trac.wordpress.org/file/branches/1.5/wp-settings.php?rev=2779&format=raw)
   file. This revised version includes specific code to thwart attacks that leverage
   `register_globals`.
 * To use the revised [`wp-settings.php`](http://trac.wordpress.org/file/branches/1.5/wp-settings.php?rev=2779&format=raw)
   file, please first make a backup copy of your existing `wp-settings.php` file,
   then simply transfer the [new version](http://trac.wordpress.org/file/branches/1.5/wp-settings.php?rev=2779&format=raw)
   to the root directory on your site.
 * We **strongly** encourage security in depth. In addition to the fix above, you
   are encouraged to disable `register_globals` for your site. Most users will 
   be able to edit their `.htaccess` file, and place this at the very top:
    **`php_flag register_globals off`**
 * (Note: on some hosts you may need to take additional steps in order for this 
   option to have an effect. For example, Dreamhost users will need to visit their
   control panel and **uncheck** the option to “Run PHP as CGI”.)
 * If you control the server, you may edit `php.ini` and disable `register_globals`.
   You will need to restart the webserver after making this change.
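
As an added example that is not part of podz's post and not WordPress's own `wp-settings.php` code, the following PHP script puts three things side by side: the coding pattern that `register_globals` turns into an authorisation bug, the fix that needs no ini change (initialise before use), and a routine that strips request-derived globals at request start, which is the kind of defence a settings file can apply when the host will not let you turn the directive off. The function names, the `table_prefix` keep-list entry and the simulated input are assumptions for the demonstration; the script runs from the command line on any PHP version, and since `register_globals` was removed in PHP 5.4, on a modern host the stripping routine finds nothing to remove in a real request.

```php
<?php
// Added example: not code from the forum post and not WordPress's wp-settings.php.
// It demonstrates (1) the coding pattern that register_globals turns into an
// authorisation bug, (2) the fix that needs no ini change, and (3) a routine
// that strips request-derived globals, the kind of defence a settings file can
// apply at request start. Names, the keep-list entry and the simulated input
// are assumptions made for this demonstration.

/**
 * Remove every global whose name came from request input.
 * Must run before the application defines globals of its own; otherwise a
 * legitimate global that happens to share a name with a request key is lost.
 *
 * @param array $input merged request data ($_GET, $_POST, $_COOKIE, ...)
 * @param array $keep  global names that must never be removed
 * @return array       names that were removed
 */
function unregister_globals(array $input, array $keep = array())
{
    // The superglobals themselves are never touched.
    $keep = array_merge($keep, array('GLOBALS', '_GET', '_POST', '_COOKIE',
        '_REQUEST', '_SERVER', '_ENV', '_FILES', '_SESSION'));
    $removed = array();
    foreach (array_keys($input) as $name) {
        if (in_array($name, $keep, true) || ! array_key_exists($name, $GLOBALS)) {
            continue;
        }
        unset($GLOBALS[$name]);   // drop the variable the engine injected
        $removed[] = $name;
    }
    return $removed;
}

// (1) Vulnerable pattern: $is_admin is assigned on one branch only. With
// register_globals on, a request parameter named is_admin already exists as a
// global before this code runs, so the missing else-branch becomes a bypass.
function authorise_vulnerable()
{
    global $is_admin;   // same as a plain top-level script using $is_admin
    if (isset($_COOKIE['session']) && $_COOKIE['session'] === 'admin-session') {
        $is_admin = true;
    }
    return ! empty($is_admin);
}

// (2) Fixed pattern: initialise before use, so no ini setting can pre-seed it.
function authorise_fixed()
{
    $is_admin = false;
    if (isset($_COOKIE['session']) && $_COOKIE['session'] === 'admin-session') {
        $is_admin = true;
    }
    return $is_admin;
}

// (3) Demo. Constructed input standing in for a real query string; the loop
// below does by hand what the engine does when register_globals=on.
$simulated_input = array('is_admin' => '1', 'page' => 'home');
foreach ($simulated_input as $name => $value) {
    $GLOBALS[$name] = $value;
}
printf("before: vulnerable=%s fixed=%s\n",
    authorise_vulnerable() ? 'admin' : 'not admin',
    authorise_fixed() ? 'admin' : 'not admin');

$removed = unregister_globals($simulated_input, array('table_prefix'));
printf("removed request-derived globals: %s\n", implode(', ', $removed));
printf("after:  vulnerable=%s fixed=%s\n",
    authorise_vulnerable() ? 'admin' : 'not admin',
    authorise_fixed() ? 'admin' : 'not admin');
```

Run it with `php rg_demo.php`. The design point that matters is ordering: the stripping call has to be the first statement of the settings file, because once the application has assigned its own globals, unsetting anything that shares a name with a request key would destroy legitimate state; that is also why the keep-list exists. Initialising every variable before use, as `authorise_fixed` does, removes the dependency on the ini setting entirely, which is why the thread's advice to both patch the file and disable `register_globals` is defence in depth rather than redundancy. Note that `php -i` on the command line reports the CLI's own `php.ini`, which can differ from the web server's, so the `rg.php` check loaded through the browser remains the authoritative test.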

Viewing 15 replies - 1 through 15 (of 28 total)

1 [2](https://wordpress.org/support/topic/important-security-information-updated/page/2/?output_format=md)
[→](https://wordpress.org/support/topic/important-security-information-updated/page/2/?output_format=md)

 *  [Marc](https://wordpress.org/support/users/marc/)
 * (@marc)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248701)
 * Although I’m not on Dreamhost I attempted to update this file.
 * After replacing the file WP gave me the all too common alert (to paraphrase) “it
   looks like you haven’t installed WP, try running install.php”.
 * I reverted to the original file and everything is normal.
 * Should I have run the install function?
 *  Thread Starter [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248703)
 * No – there is no need to run install. It’s a simple change that should not affect
   anything else.
 * Who is your host?
    Are you on Linux / Windows? Have you tried Option 3?
 *  [Kafkaesqui](https://wordpress.org/support/users/kafkaesqui/)
 * (@kafkaesqui)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248704)
 * Keep in mind not all hosts support the php_flag directive. In those cases, updating
   wp-settings.php is the way to go.
 *  [Marc](https://wordpress.org/support/users/marc/)
 * (@marc)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248706)
 * Option three is the one I used and I downloaded your file, podz.
 * The host is Ploghost located in the Philippines and the server is linux.
 *  [pcmt](https://wordpress.org/support/users/pcmt/)
 * (@pcmt)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248707)
 * The same thing happened to me as happened to Marc – option 3. I’ve reverted back
   to the original settings file, and am relying on the .htaccess mod (option 2).
 *  [iand](https://wordpress.org/support/users/iand/)
 * (@iand)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248709)
 * Podz, I think you have zipped the wrong wp-settings.php file – it has references
   to ‘capabilities’ which I think is something to do with 1.6. The raw version 
   seems to work ok.
 *  Thread Starter [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248711)
 * Cheers Ian – I used an svn update file.
    The info above has been edited so the
   link is now gone.
 *  [Marc](https://wordpress.org/support/users/marc/)
 * (@marc)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248712)
 * podz I just did the test and the server is vulnerable. I added the new line in
   the .htaccess file.
 * I’ve also filed a support ticket with my host alerting them to this thread and
   asking if they would be making the suggested changes.
 *  [vern](https://wordpress.org/support/users/vern/)
 * (@vern)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248714)
 * wp-settings is in the WordPress root (/) directory in my installation and not
   in wp-includes/.
 *  Thread Starter [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248716)
 * Vern – good catch. I’ll amend the above post.
 * Thanks!
 *  [Mark Jaquith](https://wordpress.org/support/users/markjaquith/)
 * (@markjaquith)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248720)
 * If you get this error:
 * `Warning: main(/home/yoursite/www/wordpress/wp-includes/pluggable-functions.php):
   failed to open stream: No such file or directory in /home/yoursite/www/wordpress/
   wp-settings.php on line 133`
 * You forgot to upgrade to WordPress 1.5.1.3 first!
 *  [vkaryl](https://wordpress.org/support/users/vkaryl/)
 * (@vkaryl)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248722)
 * I’m happy to report that the new wp-settings.php works perfectly on all 8 of 
   my wp installs, on two different hosts (both of whom were fairly unconcerned 
   about “register_globals=on”, insisting that it was strictly a wp vulnerability,
   etc. etc.)
 * Thanks, guys. I still, I might note, have no idea how to implement the ref’d 
   line in a currently blank .htaccess, or in which folder said .htaccess needs 
   to be placed…. Can anyone give me a link to somewhere which is an “.htaccess 
   for dummies” site?
 *  [skippy](https://wordpress.org/support/users/skippy/)
 * (@skippy)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248723)
 * .htaccess is an Apache thing; see [here](http://httpd.apache.org/docs/2.0/howto/htaccess.html)
   for official documentation.
 * If the .htaccess file does not exist, simply create it in your text editor, save
   it as .htaccess on your computer, and upload it through your FTP program to the
   destination directory.
 * If the .htaccess file exists but is empty, simply edit it and insert the required
   line at the top of the file. Save it, and upload it to your site.
 *  [vkaryl](https://wordpress.org/support/users/vkaryl/)
 * (@vkaryl)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248724)
 * Okay, but doesn’t there need to be something in there before that line? Heh, 
   I already tried to wade through the apache docs, while I was setting XAMPP up
   on my local machine. Talk about non-transparent…. *sigh*
 * So this PARTICULAR .htaccess file needs to be in site-root?
 *  Thread Starter [Mark (podz)](https://wordpress.org/support/users/podz/)
 * (@podz)
 * [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/#post-248725)
 * Yes, it does .. or not.
    Put it in the same directory as your wp-rss2.php file


The topic ‘Important Security Information – Updated’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 28 replies
 * 15 participants
 * Last reply from: [Mark (podz)](https://wordpress.org/support/users/podz/)
 * Last activity: [20 years, 9 months ago](https://wordpress.org/support/topic/important-security-information-updated/page/2/#post-248777)
 * Status: not a support question

