Reviewing WordPress 4.9.5 and the State of Platform Security

In its continual efforts to improve platform security, WordPress is at it again—this time with a new update, WordPress 4.9.5.

While not as substantial as the hastily-released 4.9.3/4.9.4 security updates back in February, it’s important for all users to understand the changes WordPress is making to its platform.

The 4.9.5 Security Update

WordPress 4.9.5 fixes three security issues identified since the last release:

  1. Don’t treat localhost as the same host by default;
  2. Use safe redirects when redirecting the login page if SSL is forced;
  3. Ensuring the version string is correctly escaped for use in generator tags.

These three were the most substantive changes, but the update also addressed 25 bugs pointed out by various WordPress users over the past few months. Here are a few of the most significant:

  • Restoring previous styles on caption shortcodes;
  • Supporting cropping on touch screens;
  • Updating various strings for better clarity;
  • Fixing the position of an attachment placeholder during uploads;
  • Improved compatibility with PHP 7.2.

While some of these are minor (and likely to go unnoticed by the majority of WordPress users), we must reiterate how important it is for every user stay up-to-date with the most current version of the platform.

WordPress is Popular—Which Makes It Vulnerable

WordPress is one of the most popular CMS platforms in the world. According to data taken from the 2018 Web Server Study published by Netcraft, an estimated 20 percent of all self-hosted websites on the internet are powered by WordPress. Other surveys estimate that WordPress itself owns close to 60 percent of the market share for all commercial CMS platforms.

There’s no denying how influential it is—but this popularity is both a blessing and a curse. With so many active users, the platform is a common target for hackers, SQL injections, and cross-site scripters seeking to exploit the platform’s vulnerabilities. And with the massive amount of custom plugins available for WordPress, there may be plenty of these vulnerabilities to be found. As much as 54 percent of WordPress’s total security vulnerabilities can be attributed to plugins, according to WP WhiteSecurity.

Of course, as Robert Abela of WP WhiteSecurity notes in the above report, it’s the user on the other side of the screen who may be truly responsible for these weaknesses:

“Most successful WordPress hack attacks are typically the result of human error, be it a configuration error or failing to maintain WordPress, such as keeping core and all plugins up to date, or installing insecure plugins etc.”

And given what we’ve seen in our experience in web design and development, we’d have to agree.

Proper Security Relies on the User

As sad as it is to say, the user is almost always the weakest link in a website security chain.

This might seem unfair—users can’t predict which security vulnerabilities will slip through the platform’s code, after all—but while WordPress is doing its part to patch its weaknesses on the backend, users have to do their part and educate themselves on proper WordPress security practices as well.

This is why it’s so valuable to have a web developer partner in your corner across your entire web marketing campaign. Whether you’re building a custom website or a WordPress-based page, it’s hard to know where vulnerabilities exist without the proper development know-how. Developer partners who take an active role in your development process can weigh in on each update, plugin, and customization to ensure that your web assets are as secure as possible.

This is crucial for all webmasters—custom and WordPress alike. While WordPress and others are always working to improve platform security, the users have a role to play as well. And as we noted above, this role can have a far bigger impact on the state of your web security.