
WordPress Gets Clickjacking Protection


May 26, 2011

The open source WordPress blogging application is being updated to version 3.1.3 this week, adding multiple security fixes and improvements.

Among the fixes is a moderately critical patch for an arbitrary file upload vulnerability.

“The application improperly validates uploaded files, which can be exploited to execute arbitrary PHP code by uploading a .phtml file with e.g. an appended “.gif” file extension,” security firm Secunia noted in an advisory.

WordPress 3.1.3 also provides media security fixes that were reported to WordPress by researchers from Microsoft Vulnerability Research.

Perhaps the biggest security improvement is the inclusion of clickjacking protection support in WordPress. Clickjacking was first discussed as an attack vector back in 2008 by WhiteHat Security researcher Jeremiah Grossman. In a clickjack attack, an element from a third-party website is hidden behind or above an item on the website a reader is viewing. When the reader clicks on an item they believe to be legitimate, they are in fact also clicking on the secondary item.

Browsers began implementing specifications to protect against clickjacking in 2009. The key technique is an HTTP response header named X-FRAME-OPTIONS, which gives website owners a mechanism to prevent a page from rendering inside a frame on another site.

The WordPress 3.1.3 release now supports X-FRAME-OPTIONS for the admin and login pages of a WordPress site.

“Send a HTTP header to limit rendering of pages to same origin iframes,” the changeset for WordPress 3.1.3 states.

By implementing the X-FRAME-OPTIONS specification, WordPress 3.1.3 helps users to mitigate the risks of a clickjacking attack against user credentials.
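
A site owner can confirm the header is actually present on the login and admin pages by checking response headers. The Python sketch below is an added example, not WordPress code and not part of the original article; the function names, the `PROTECTED` path list and the sample responses are assumptions constructed for illustration.

```python
# Added example (not WordPress code): check captured response headers for the
# same-origin framing policy on login and admin pages.
RESTRICTIVE = {"DENY", "SAMEORIGIN"}         # values that stop cross-site framing
PROTECTED = ("/wp-login.php", "/wp-admin/")  # assumed paths for login and admin pages

def frame_policy(headers):
    """Classify a response's framing policy from (name, value) header pairs."""
    # Header names are case-insensitive; a repeated header may also arrive
    # folded into one comma-separated value, so split on commas too.
    tokens = {
        tok.strip().upper()
        for name, value in headers
        if name.strip().lower() == "x-frame-options"
        for tok in value.split(",")
        if tok.strip()
    }
    if not tokens:
        return ("missing", None)
    if len(tokens) > 1:
        return ("conflict", ", ".join(sorted(tokens)))
    token = tokens.pop()
    return ("ok" if token in RESTRICTIVE else "unrecognized", token)

def audit(responses):
    """Return {path: verdict} for protected pages without a usable policy."""
    findings = {}
    for path, headers in responses.items():
        if not path.startswith(PROTECTED):
            continue  # front-end pages are outside the login/admin scope
        verdict, _ = frame_policy(headers)
        if verdict != "ok":
            findings[path] = verdict
    return findings

# Constructed sample responses (not captured from a real site).
SAMPLE = {
    "/wp-login.php": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "/wp-admin/": [("x-frame-options", "sameorigin")],
    "/wp-admin/profile.php": [("Content-Type", "text/html")],
    "/wp-admin/options.php": [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    "/wp-admin/tools.php": [("X-Frame-Options", "ALLOWALL")],
    "/": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE).items():
        print(f"{path}: {verdict}")
```

A header stripped or duplicated by a proxy or plugin in front of WordPress shows up here as "missing" or "conflict" even though WordPress itself sent the right value.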

WordPress 3.2 Beta 2

The WordPress 3.1.3 release comes as developers push forward on the next generation of WordPress. WordPress 3.2 Beta 2 debuted this week with an enhanced administration screen.

According to WordPress developers, the 3.2 release will also provide performance improvements that make the blog software faster on the server side. For users, the 3.2 release includes what WordPress developers refer to as “Distraction-free Writing.”

“The visual editor’s full-screen composing experience has gotten a major overhaul, and is now available from HTML mode, too,” WordPress developer Jane Wells noted in a blog post. “More than ever, WordPress allows you to focus on what matters most — your content.”

WordPress 3.2 isn’t just about new features; it’s also about ending support for old technology. Starting with the 3.2 release, Microsoft’s Internet Explorer 6 browser will no longer be supported.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
