redsand

You’re welcome. Exactly. Also, there is an updated blog post from the plugins team: SVN Syncing Issues Continued

Yes, that definitely would be handy for someone to write a script to test.

You’re free to attack the issue in any manner you like. Whatever works best for you. 🙂

Hi @abigailm,

I appreciate your efforts to suggest a mitigation to users, but I have determined that my sites are not subject to this vulnerability because of hosting configuration…

Notice above I said that “If a server is configured properly, it won’t be an issue.” If your server settings are properly configured then you don’t need to do anything further. However, you mentioned that your site was not vulnerable because of this:

it requires an individual site to be accessible by IP address, so will not work for most sites on shared servers. Only for poorly configured dedicated servers.

That statement is unfortunately not accurate. I can show you a number of (good) shared web hosts that allow access to the site via IP Address. There are a number of other issues with that quote, but I won’t bore you with details.

So if you’re resting on that, then your site is not necessarily immune.

Here’s a good article that sums up why most security experts seem unconcerned…

The real reason why most security experts aren’t that concerned, is that we know how to properly secure/configure our sites, and our client sites, so this exploit could never get off the ground in the first place.

In any case, my only point is that WordPress has not patched this and apparently does not see a patch as a high priority.

That shouldn’t be seen as a reason not to take a security issue seriously. They have been alerted about this issue for years, and are only now addressing it because it has gotten more public notice.

While the core dev team does do an overall good job with security, there are areas where they lack security expertise.

It’s great that your site and server is secure, but please don’t advise other users not to take security issues seriously. Each site owner will need to asses their own site security issues individually.

In any case, we’re preparing the next version of WP-SpamShield, which will mitigate the issue.

– Scott

We definitely appreciate the feedback. I think the changes in the upcoming version will be helpful to you, and satisfy those requests. We’ll note the the security alert is provided by WP-SpamShield, and that data is provided by the WPScan Vulnerability Database. (Which we are not affiliated with.) It’s an outstanding resource though (the de-facto standard for WP), and all users should regularly check it for vulnerabilities in their plugins and WordPress core.

“As soon as it’s possible” or as soon as it’s available is what should be on the warning popup.

Agreed. And that’s happening in the next release. Additionally, the warning will only be served to super-admins, which means network admins for multisite, and admins for single-site installs.

Additionally the plugin will check if the current site is on the most recent version of WP, and adjust the message accordingly.

Sure, wp spamshield is security related as you mention above but it’s always been known to be related to spam in that sense

It’s important to remember that spam and security are tightly integrated. Security has always been one of our core specialties. Anti-spam plugins that ignore security are deficient.

Thanks for all the hard work you put into WP SPamShield. It is appreciated.

You are very welcome. I realize that some of the things we do in the plugin may not always be understood, but you can be assured that everything we do is in the user’s best interest. We are dedicated to that, and will always work to improve.

@juliehowell2017: You’re welcome! 🙂

@jhnpldng:

Recommending updating wordpress 4.7.4 is pretty ludicrous as well considering there’s nothing to update to.

Please see our partner Blackhawk Cybersecurity’s response above: https://wordpress.org/support/topic/security-alert-6/#post-9119258

Note that it says:

“You should upgrade WordPress as soon as possible.” – Lets the admin know that they should upgrade as soon as possible. Even though there is no upgrade available yet, this is still true…as soon as there is, they should upgrade as soon as it is possible. (If there is no upgrade available, then manual mitigation methods will be required.)

If there’s noting to upgrade to, that means the security issue is not patched and users should request that the WordPress development team patch the security issue as soon as possible.

As noted above we will have an update in the next release that mentions it’s coming form WP-SpamShield, and we will add a mitigation for the security issue so WP-SpamShield users will be protected.

Security issues should never be ignored, no matter how seemingly “small”. There are mitigation methods available, as explained above.

Please don’t shoot the messenger.

– Scott

Hi Mike,

I’m sorry to hear that you feel that way. It seems that you are wanting to shoot the messenger.

I have had 6 clients contact me just today about this warning thinking their website is insecure, when its not…

To be clear, the vulnerability exists in the current version of WordPress, so just because they are up to date, does not mean they are secure. If you have not taken the mitigation steps mentioned above, then your client sites are still insecure.

The warning in WP-SpamShield is 100% accurate. If there is confusion among your clients, that is not up to us to clear that up for you. The plugin is doing its job.

You’re always welcome to choose another anti-spam plugin that has less of a focus on security.

Whatever you choose, just keep in mind that you still need to address the security issue.

– Scott