WordPress version 3.1.1 has been released to the public as of April 5, 2011.
This important maintenance and security release fixes close to 30 issues found in version 3.1, including security bugs.
You should update your WordPress blog to version 3.1.1 immediately!
WordPress 3.1.1 Upgrade Summary:
- Security hardening for media uploads (Cross-Site Request Forgery (CSRF) prevention).
- Prevent potential PHP crashes caused by complex hyperlinks (stop maliciously devised links in comments).
- Corrected XSS flaw on database upgrade screen (Cross Site Scripting).
- Fixes for IIS6 support.
- Taxonomy and PATHINFO (/index.php/) permalinks fixes.
- Various query and taxonomy edge cases that caused some plugin compatibility issues.
- Additional performance improvements.
So far I have seen two posts at the WordPress.org Forums regarding WordPress 3.1.1: one stating that image cropping is not working and another regarding post titles and SEO issues with 3.1.1.
WordPress & Security Resources
- WordPress News: 3.1.1 Security Hardening Update
- WordPress Codex: Version 3.1.1
- Download WordPress 3.1.1
- WordPress.org Requests and Feedback Forum
- WordPress Codex – Updating WordPress
- What is Cross-Site Request Forgery (CSRF)?
- What is Cross Site Scripting (XSS)?
Important!
If you're self-hosting WordPress on your own domain, it is important that you upgrade to WordPress 3.1.1 as soon as possible.
Leave your feedback
Have you upgraded to WordPress 3.1.1? Did you upgrade WordPress automatically through the Dashboard or manually? Do you have any WordPress plugin issues with WP version 3.1.1? If you noticed any glitches in the upgrade or conflicts with any plugins be sure to let us know. Leave your comment below.
Securely yours,
Regina Smola
WordPress Security Expert
Lilia Lee says
Thank you for this post. I found that the last upgrade broke the functionality of some plugins, particularly video players. Hopefully, the update will fix the problem.
Your posts are very helpful and timely.
Fox says
Found that upgrading to 3.1.1 broke a text widget. I’ve removed the widget and deleted it, but it still shows the title of the widget in the sidebar, but not the content in the text widget. Weird. Can’t seem to fix it.
Hemalatha says
Hello Regina,
This is Hema again.
Has Godaddy site’s been attacked by New Virus ?
Yesterday when I accessed my site I got an AVG Alert and Exploit blackhole was blocked.
I continued using my site (note: I didn’t login to my site) and again another attack,
and AVG asked me to block it and move to vault.
I did it. And after that I was unable to use my applications like mozilla FF, IE and CCleaner as it said .exe was deleted.
I got suspicion on the ads I was running on my site.
I’m running Juicy Ads, Ero-advertising, Exoclick and Adxpansion.
I just guessed one of the Ero-advertising AD might be spreading the virus,
So I deleted the Ero-advertising ad.
Re-installed Windows OS.
Today morning again I tried to access my site and got another AVG Alert,
Some Exploit Blackhole blocked.
I have got few Questions:
————————————-
Q 1. Is one of the ads spreading the virus ?
Q 2. Is Godaddy site’s been hacked ?
Q 3. How can I run an “Online Site Scan” ?
Thanks for the help 🙁
Regina Smola says
Hi Hema,
Thanks for your comment and questions.
I have not heard anything about GoDaddy getting hacked again, so it may be just your website.
You can run an online scan and get monitoring here: https://wpsecuritylock.com/sucuri
Connect with me on Skype and I’ll see if I can help you out: wpsecuritylock.
~ Regina
Hemalatha says
==========
1st Alert:
——————
Infection: Exploit Blackhole Exploit Kit (type 2002)
Object: reg.jemone . com/index. php?tp=fd76b8e3ad25f317
Result: object was blocked
Screenshot: http://i54.tinypic.com/2w7r7er.png
==========
2nd Alert:
——————
I didn’t note the details.
It asked me to move to vault.
I moved it to vault and after that computer didn’t work properly.
So I RE-INSTALLED windows.
==========
3rd Alert:
——————
Infection: Exploit Blackhole Exploit Kit (type 2002)
Object: home.bouncealisious . com/index. php?tp=fd76b8e3ad25f317
Result: Object was blocked
Regina Smola says
Hi Hema,
Are you downloading your website and getting these alerts or visiting your website on the internet when you get them?
~ Regina
Hemalatha says
Just by visiting my website I get this alert.
Now (Today morning, the 3rd day), I got the 4th AVG Alert.
File name: reserve. 1poundclick. com/index. php?tp=fd768e3ad25f317
Threat name: Exploit Blackhole Exploit Kit (type 2002)
Screenshot: http://i56.tinypic.com/11gke3s.png
Hemalatha says
Hello Regina,
I found the reason.
It’s from PopAds.net ads. I removed the ads and everything is fine now.
Thank you very much 🙂
Regina Smola says
Hi Hema,
Glad you got it worked out. I haven’t used PopAds.net ads, so not sure why it was an issue.
Hemalatha says
Thank you Regina.
Pl check the screenshot of the result. Site is clean.
But there is a red alert for the index.php file. I checked it but didn’t find any suspicious codes.
Screenshot: http://i51.tinypic.com/17v5aw.png
Do you think it must be some of the advertisements ?
Regina Smola says
Hi Hema,
The red alert is showing because your internal path is showing to the public. You can hide it by making a change in your root’s php.ini:
display_errors = Off
Hope that helps,
Regina
Peter Paul says
Hi Regina.
Now that I have set my display_errors to Off in my php.ini, does that mean that my root directory will be invisible to the public? or can they still view my internal path? If so, is there another way to protect it?
Thanks for answering my question. ^_^
Regina Smola says
Hi Peter,
Thanks for your question. It’s a good idea to hide your internal server path in case of any PHP errors, for example:
Undefined variable: options in /home/whatever/public_html/wp-content/plugins/add-to-any/add-to-any.php on line 488
As you can see by the above error, the exact location of your server path is displayed. To hide errors like these, you need to set display_errors = Off in your php.ini file.
By disabling it, these errors will not be displayed publicly from a browser. And you can still use the WP debug feature to find them.
Good job on disabling yours 🙂
~ Regina
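An added example, not part of the original post or comments: a small Python check that scans a page body for displayed PHP errors of the kind quoted above and reports the server paths they expose, so you can confirm the display_errors change took effect. The function name and both sample pages are constructed for illustration.

```python
import html
import re

# A displayed PHP error has the shape:
#   Notice: Undefined variable: options in /path/to/file.php on line 488
# When PHP renders it as HTML, the level, path and line number are wrapped
# in <b> tags, so tags are stripped before matching.
PHP_ERROR = re.compile(
    r"(?P<level>Notice|Warning|Deprecated|Fatal error|Parse error)\s*:\s*"
    r"(?P<message>.*?)\s+in\s+"
    r"(?P<path>(?:/|[A-Za-z]:\\)\S+?)"   # Unix or Windows absolute path
    r"\s+on\s+line\s+(?P<line>\d+)"
)
TAGS = re.compile(r"<[^>]+>")


def find_path_disclosures(body):
    """Return (level, path, line) for each PHP error shown in a page body."""
    text = html.unescape(TAGS.sub("", body))
    return [
        (m.group("level"), m.group("path"), int(m.group("line")))
        for m in PHP_ERROR.finditer(text)
    ]


# Constructed sample: a page served with display_errors = On.
LEAKY_PAGE = """<html><body>
<br />
<b>Notice</b>:  Undefined variable: options in <b>/home/whatever/public_html/wp-content/plugins/add-to-any/add-to-any.php</b> on line <b>488</b><br />
<h1>My Blog</h1>
</body></html>"""

# Constructed sample: the same page with display_errors = Off.
CLEAN_PAGE = """<html><body>
<h1>My Blog</h1>
<p>Warning: comments are moderated in this blog.</p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("leaky", LEAKY_PAGE), ("clean", CLEAN_PAGE)):
        findings = find_path_disclosures(page)
        print(name, "->", findings if findings else "no path disclosure found")
```

Run it against the saved HTML of your own pages; an empty result means no displayed PHP error with a server path was found in that page.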
Alessio says
Just a note: if you are using an extremely restrictive shared hosting just put the following line at the beginning of the file reported by the scanner (usually index.php inside the theme folder):
Hope that helps,
Alessio
Alessio says
Insert this within php tag (Sorry i used them while posting 🙂 ):
error_reporting(0);