SCSIraidGURU’s World

WordPress

Current version: 5.2.2 as of 7.7.2019. It automatically upgrades to the latest version.

WordPress 5.1 CSRF to Remote Code Execution

Last month we released an authenticated remote code execution (RCE) vulnerability in WordPress 5.0. This blog post reveals another critical exploit chain for WordPress 5.1 that enables an unauthenticated attacker to gain remote code execution on any WordPress installation prior to version 5.1.1.

I decided to allow WordPress to upgrade itself to the latest version. I just go into it to do the plugins.

My two WordPress servers are now on Ubuntu 18.04.2. I have upgraded to the latest LAMP components that you can read about on Ubuntu pages. I am on the latest version of WordPress. This mainly affects my main webpage with videos of my children. These files can be huge.

/etc/php.ini
upload_max_filesize = 768M
post_max_size = 768M
memory_limit = 768M
max_execution_time = 300

I have installed many plugins on the various web sites from conditional menu, WP Fastest cache, wordpress https, and others.

How did I repoint www to wp for my web sites?

On Godaddy DNS, I set up A records for wp and www pointing to my ISP IP address.

In the etc/https/sites-available/  conf files I added

ServerName wp.michaelmckenney.com
ServerAlias www.michaelmckenney.com michaelmckenney.com *.michaelmckenney.com
Redirect "/" "https://wp.michaelmckenney.com/"

The ServerAlias is the old www address. The redirect points to the new SSL server address. The redirect is much faster now since it happens in the website itself.
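The three directives above only do their job when they sit in the plain-HTTP virtual host, so that the TLS host never redirects to itself. The following pair of virtual hosts is an added example of that layout and is not the author's own configuration; the document root, certificate paths and the HSTS header are assumptions added here, and the host names are the ones already on this page.

```apache
# Added example, not the site's own config.
# Port-80 host: its only job is to send every request to the canonical
# HTTPS name. "permanent" emits a 301 so browsers and search engines
# remember the HTTPS URL instead of asking again.
<VirtualHost *:80>
    ServerName wp.michaelmckenney.com
    ServerAlias www.michaelmckenney.com michaelmckenney.com *.michaelmckenney.com
    Redirect permanent "/" "https://wp.michaelmckenney.com/"
</VirtualHost>

# Port-443 host: serves WordPress. No Redirect directive here, otherwise a
# request to https://wp.michaelmckenney.com/ would redirect to itself in a loop.
<VirtualHost *:443>
    ServerName wp.michaelmckenney.com
    # Placeholder document root; adjust to where WordPress is installed.
    DocumentRoot /var/www/wp
    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/wp.example.crt
    SSLCertificateKeyFile /etc/ssl/private/wp.example.key
    # HSTS: browsers that have seen this header go straight to HTTPS for a
    # year, so the port-80 redirect is only hit on the first visit.
    Header always set Strict-Transport-Security "max-age=31536000"
    <Directory /var/www/wp>
        # WordPress permalinks rely on rewrite rules in .htaccess.
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

The Header directive needs mod_headers and the SSL directives need mod_ssl (a2enmod headers ssl on Ubuntu); run apache2ctl configtest before reloading, since Apache does not accept comments on the same line as a directive and will refuse a file that has them.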

Both WordPress servers have been duplicated and moved to Ubuntu 18.04.2 and latest components. I then upgrade Ubuntu with LTS Enablement for the kernel updates.

I add the repository for Digital Ocean MariaDB, PHP 7.3.x, Apache 2.4.x. I install phpMyAdmin's latest version after installing the base product in Ubuntu. phpMyAdmin is a quick way to create the WordPress databases and user for each web site. I have pages dedicated for each of these. I copy in The Hacker News bug reports on all the components I use. It is best to stay on the latest components for WordPress.
