WordPress 4.0.1 Security Release Published

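The WordPress development team has just released the WordPress 4.0.1 security update, which is now available for download. This is a critical security release, and WordPress strongly recommends that you upgrade your site to this version immediately.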

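If automatic updates have not been disabled on your site, WordPress will roll out the update to the latest version automatically over the next few hours. If you are running an earlier version, such as WordPress 3.9.2, 3.8.4 or 3.7.4, your site will be automatically updated to 3.9.3, 3.8.5 or 3.7.5 to keep it secure. (Even so, we strongly recommend that you do not stay on these older versions.)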

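WordPress 3.9.2 and earlier versions are all affected by a critical cross-site scripting vulnerability that could allow anonymous users to compromise a site. WordPress 4.0 resolved this issue, making your WordPress site more secure. WordPress 4.0.1 mainly addresses the following eight security issues: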

  • Three cross-site scripting issues that a contributor or author could use to compromise a site. Discovered by Jon Cave, Robert Chapin, and John Blackbourn of the WordPress security team.
  • A cross-site request forgery that could be used to trick a user into changing their password.
  • An issue that could lead to a denial of service when passwords are checked. Reported by Javier Nieto Arevalo and Andres Rojas Guerrero.
  • Additional protections for server-side request forgery attacks when WordPress makes HTTP requests. Reported by Ben Bidner (vortfu).
  • An extremely unlikely hash collision could allow a user’s account to be compromised, that also required that they haven’t logged in since 2008 (I wish I were kidding). Reported by David Anderson.
  • WordPress now invalidates the links in a password reset email if the user remembers their password, logs in, and changes their email address. Reported separately by Momen Bassel, Tanoy Bose, and Bojan Slavković of ManageWP.

In addition, WordPress 4.0.1 fixes 23 bugs and makes 2 small improvements. Download WordPress 4.0.1 now.

You can update from the WordPress admin area by going to Dashboard -> Updates and clicking the "Update Now" button.
