WPSecurityLock – Malware removal & WordPress security services

WordPress security, malware removal, repair, backups, ongoing maintenance, installation, site migration & support services – WP Security Lock.

WordPress 3.1.1 Update – Critical WordPress Security & Maintenance Release

April 5, 2011 By Regina Smola 15 Comments

WordPress version 3.1.1 has been released to the public as of April 5, 2011.

This important maintenance and security release fixes close to 30 issues found in version 3.1, including security bugs.

You should update your WordPress blog to version 3.1.1 immediately!

WordPress 3.1.1 Upgrade Summary:

  • Security hardening for media uploads (Cross-Site Request Forgery (CSRF) prevention).
  • Prevent potential PHP crashes caused by complex hyperlinks (stop maliciously devised links in comments).
  • Corrected XSS flaw on database upgrade screen (Cross Site Scripting).
  • Fixes for IIS6 support.
  • Taxonomy and PATHINFO (/index.php/) permalinks fixes.
  • Various query and taxonomy edge cases that caused some plugin compatibility issues.
  • Additional performance improvements.

So far I have seen two posts at the WordPress.org Forums regarding WordPress 3.1.1: one stating that image cropping is not working and another regarding post titles and SEO issues with 3.1.1.

WordPress & Security Resources

  • WordPress News: 3.1.1 Security Hardening Update
  • WordPress Codex: Version 3.1.1
  • Download WordPress 3.1.1
  • WordPress.org Requests and Feedback Forum
  • WordPress Codex – Updating WordPress
  • What is Cross-Site Request Forgery (CSRF)?
  • What is Cross Site Scripting (XSS)?

Important!

If you're self-hosting WordPress on your own domain, it is important that you upgrade to WordPress 3.1.1 as soon as possible.

Leave your feedback

Have you upgraded to WordPress 3.1.1? Did you upgrade WordPress automatically through the Dashboard or manually? Do you have any WordPress plugin issues with WP version 3.1.1? If you noticed any glitches in the upgrade or conflicts with any plugins be sure to let us know. Leave your comment below.

Securely yours,

Regina Smola
WordPress Security Expert

Filed Under: WordPress Security Tips Tagged With: update wordpress, upgrade wordpress, WordPress, WordPress 3.1.1, wordpress security

Comments

  1. Lilia Lee says

    April 6, 2011 at 4:33 am

    Thank you for this post. I found that the last upgrade broke the functionality of some plugins, particularly video players. Hopefully, the update will fix the problem.

    Your posts are very helpful and timely.

  2. Fox says

    April 11, 2011 at 10:45 am

    Found that upgrading to 3.1.1 broke a text widget. I’ve removed the widget and deleted it, but it still shows the title of the widget in the sidebar, but not the content in the text widget. Weird. Can’t seem to fix it.

  3. Hemalatha says

    April 18, 2011 at 7:13 am

    Hello Regina,
    This is Hema again.

    Has Godaddy site’s been attacked by New Virus ?

    Yesterday when I accessed my site I got an AVG Alert and Exploit blackhole was blocked.
    I continued using my site (note: I didn’t login to my site) and again another attack,
    and AVG asked me to block it and move to vault.

    I did it. And after that I was unable to use my applications like mozilla FF, IE and CCleaner as it said .exe was deleted.

    I got suspicion on the ads I was running on my site.
    I’m running Juicy Ads, Ero-advertising, Exoclick and Adxpansion.
    I just guessed one of the Ero-advertising AD might be spreading the virus,
    So I deleted the Ero-advertising ad.

    Re-installed Windows OS.

    Today morning again I tried to access my site and got another AVG Alert,
    Some Exploit Blackhole blocked.

    I have got few Questions:
    ————————————-

    Q 1. Is one of the ads spreading the virus ?
    Q 2. Is Godaddy site’s been hacked ?
    Q 3. How can I run an “Online Site Scan” ?

    Thanks for the help 🙁

    • Regina Smola says

      April 18, 2011 at 12:03 pm

      Hi Hema,

      Thanks for your comment and questions.

      I have not heard anything about GoDaddy getting hacked again, so it may be just your website.

      You can run an online scan and get monitoring here: https://wpsecuritylock.com/sucuri

      Connect with me on Skype and I’ll see if I can help you out: wpsecuritylock.

      ~ Regina

    • Hemalatha says

      April 18, 2011 at 7:25 am

      ==========
      1st Alert:
      ——————

      Infection: Exploit Blackhole Exploit Kit (type 2002)
      Object: reg.jemone . com/index. php?tp=fd76b8e3ad25f317
      Result: object was blocked

      Screenshot: http://i54.tinypic.com/2w7r7er.png

      ==========
      2nd Alert:
      ——————

      I didn’t note the details.
      It asked me to move to vault.
      I moved it to vault and after that computer didn’t work properly.
      So I RE-INSTALLED windows.

      ==========
      3rd Alert:
      ——————

      Infection: Exploit Blackhole Exploit Kit (type 2002)
      Object: home.bouncealisious . com/index. php?tp=fd76b8e3ad25f317
      Result: Object was blocked

      • Regina Smola says

        April 18, 2011 at 12:05 pm

        Hi Hema,

        Are you downloading your website and getting these alerts or visiting your website on the internet when you get them?

        ~ Regina

        • Hemalatha says

          April 18, 2011 at 9:38 pm

          Just by visiting my website I get this alert.
          Now (Today morning, the 3rd day), I got the 4th AVG Alert.

          File name: reserve. 1poundclick. com/index. php?tp=fd768e3ad25f317
          Threat name: Exploit Blackhole Exploit Kit (type 2002)

          Screenshot: http://i56.tinypic.com/11gke3s.png

          • Hemalatha says

            April 22, 2011 at 6:52 pm

            Hello Regina,

            I found the reason.
            It’s from PopAds.net ads. I removed the ads and everything is fine now.

            Thank you very much 🙂

          • Regina Smola says

            April 27, 2011 at 7:52 am

            Hi Hema,

            Glad you got it worked out. I haven’t used PopAds.net ads, so not sure why it was an issue.

  4. Hemalatha says

    April 18, 2011 at 10:11 pm

    Thank you Regina.

    Pl check the screenshot of the result. Site is clean.
    But there is a red alert for the index.php file. I checked it but didn’t find any suspicious codes.

    Screenshot: http://i51.tinypic.com/17v5aw.png

    Do you think it must be some of the advertisements ?

    • Regina Smola says

      April 27, 2011 at 7:54 am

      Hi Hema,

      The red alert is showing because your internal path is showing to the public. You can hide it by making a change in your root’s php.ini:

      display_errors = Off

      Hope that helps,

      Regina

      • Peter Paul says

        May 16, 2011 at 2:50 am

        Hi Regina.

        Now that I have set my display_errors to Off in my php.ini, does that mean that my root directory will be invisible to the public? or can they still view my internal path? If so, is there another way to protect it?

        Thanks for answering my question. ^_^

        • Regina Smola says

          May 17, 2011 at 8:12 am

          Hi Peter,

          Thanks for your question. It’s a good idea to hide your internal server path in case of any PHP errors, for example:

          Undefined variable: options in /home/whatever/public_html/wp-content/plugins/add-to-any/add-to-any.php on line 488

          As you can see by the above error, the exact location of your server path is displayed. To hide errors like these, you need to set display_errors = Off in your php.ini file.

          By disabling it, these errors will not be displayed publicly from a browser. And you can still use the WP debug feature to find them.

          Good job on disabling yours 🙂

          ~ Regina

      • Alessio says

        May 9, 2012 at 9:43 am

        Just a note: if you are using an extremely restrictive shared hosting just put the following line at the beginning of the file reported by the scanner (usually index.php inside the theme folder):

        Hope that helps,

        Alessio

        • Alessio says

          May 9, 2012 at 9:46 am

          Insert this within php tag (Sorry, I used them while posting 🙂 ):

          error_reporting(0);

          Reply
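
An added example, not part of the original post or its comments: a Python check that scans a page body fetched from your own site for PHP error output of the kind quoted in the comments above, and reports what each message discloses. The function name and the two sample pages are constructed for illustration.

```python
import html
import re

# PHP's display_errors output, once HTML tags are removed, looks like:
#   "Notice:  <message> in /abs/path/file.php on line N"
PHP_ERROR = re.compile(
    r"(?:(?P<level>Notice|Warning|Fatal error|Parse error|Deprecated|Strict Standards):\s*)?"
    r"(?P<message>.*?) in (?P<path>/\S+?\.php) on line (?P<line>\d+)"
)
ACCOUNT = re.compile(r"^/home/([^/]+)/")
COMPONENT = re.compile(r"/wp-content/(plugins|themes)/([^/]+)/")


def find_path_disclosures(body):
    """Return one dict per PHP error in a response body that reveals a server path."""
    # With html_errors on, PHP wraps the level, path and line number in <b> tags.
    text = html.unescape(re.sub(r"<[^>]+>", "", body))
    findings = []
    for line in text.splitlines():
        m = PHP_ERROR.search(line.strip())
        if not m:
            continue
        path = m.group("path")
        account = ACCOUNT.search(path)
        component = COMPONENT.search(path)
        findings.append({
            "level": m.group("level"),
            "message": m.group("message").strip(),
            "path": path,
            "line": int(m.group("line")),
            "account": account.group(1) if account else None,
            "component": component.group(1, 2) if component else None,
        })
    return findings


# Constructed sample pages (not captured from a real site).
LEAKY_PAGE = (
    "<html><body><br />\n"
    "<b>Notice</b>:  Undefined variable: options in "
    "<b>/home/whatever/public_html/wp-content/plugins/add-to-any/add-to-any.php</b>"
    " on line <b>488</b><br />\n"
    "<h1>My Blog</h1></body></html>"
)
CLEAN_PAGE = "<html><body><h1>My Blog</h1><p>Sign in on line 3 of the form.</p></body></html>"

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_path_disclosures(page))
```

An empty result for every public page is what you want to see once display_errors is off; any finding lists the hosting account name and the plugin or theme that the error exposed.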
