The vulnerability is documented here. The patch is supposedly a 1-line replace as documented here in line 190 of branches/2.8/wp-login.php - the new patch should look like this (check line 118) - my question is - is this patch enough? If not, any suggestions?

+2  A: 

As I understand it, the patch closes that particular hole. However, another basic security measure I take on every WP site I administrate is to delete the "admin" user, and ideally never have any users' usernames be the same as their display names. That doubles the security in that bad guys have to guess the usernames, as well as figure out a way to hack the passwords.

There are a lot of additional security measures you can find by doing a search on WordPress + security, but I have stuck with changing usernames, altering the db table names on install, and basic permissions stuff. That's worked well so far, without the ton of additional upkeep necessary during WP upgrades that some of the more intense security measures require.

McGirl
Just saw the other post on the 2.8.3 security patch and realized my answer here may have been way too low-level/broad for what you're really asking - sorry! I guess I don't understand why upgrading to 2.8.4 isn't enough? or are you trying to avoid that for some reason?
McGirl
@McGirl it's trivial now to upgrade but I'm interested in how other programmers would look at this issue
pageman
A: 

Yes, this is a very good patch for the WordPress vulnerability.

// reject a missing/empty key, and a key that arrived as an array, before the lookup
if ( empty( $key ) || is_array( $key ) )
    return new WP_Error('invalid_key', __('Invalid key'));

This is NOT SQL Injection, if it was then you could dump the entire table of users. Changing your name is not a very good security measure. Keeping your code up to date is what you must always do, or you will be hacked.

Rook
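As an added illustration (this is not code from the question, from either answer, or from WordPress itself), the snippet below puts the patched check next to a stricter allow-list check and runs both over constructed inputs shaped like what PHP can hand you in $_GET['key']. The point it makes: PHP turns a request such as ?key[]=x into an array, and empty() does not reject a non-empty array, which is exactly the type-confusion gap the added is_array() test closes. The stricter variant assumes reset keys are alphanumeric strings (an assumption of this example) and fails closed on anything else.

```php
<?php
// Added example, not part of the original question or answers.
// Two ways to validate a password-reset key before it is used in a lookup.

// The check from the patch discussed above: reject empty values and arrays.
// empty(array('x')) is false, so without is_array() an array-typed request
// parameter would have passed the emptiness test.
function reset_key_is_acceptable_patched($key) {
    return !( empty( $key ) || is_array( $key ) );
}

// Stricter allow-list version. Assumption made by this example: reset keys
// are generated as alphanumeric strings, so only a non-empty string made of
// [A-Za-z0-9] passes; arrays, integers, null and strings containing other
// characters are all rejected.
function reset_key_is_acceptable_strict($key) {
    return is_string( $key ) && preg_match( '/^[a-z0-9]+$/i', $key ) === 1;
}

// Constructed sample inputs shaped like possible values of $_GET['key'].
$samples = array(
    'normal key'       => 'a1b2c3d4e5f6a7b8',
    'empty string'     => '',
    'missing (null)'   => null,
    'array from key[]' => array( 'x' ),
    'empty array'      => array(),
    'punctuation'      => "abc'; --",
);

foreach ( $samples as $label => $value ) {
    printf(
        "%-18s patched=%s strict=%s\n",
        $label,
        reset_key_is_acceptable_patched( $value ) ? 'accept' : 'reject',
        reset_key_is_acceptable_strict( $value ) ? 'accept' : 'reject'
    );
}
```

Running it shows the two checks agree on the empty, null and array cases (all rejected), and differ only on the "punctuation" string, which the patched check accepts and the allow-list rejects. That difference is defense in depth rather than a fix for the hole: as Rook's answer says, the lookup was not SQL injection, since the value still goes through a parameterized query; the allow-list simply guarantees that nothing other than a well-formed key ever reaches that query, whatever the surrounding code does with it later.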