The e-mail below is from ICDSoft, and it is one more sign that ICDSoft is a hosting provider worth trusting. Researchers at the security company Sucuri found that every WordPress plugin or theme that ships the Genericons icon-font package is affected by a DOM-based cross-site scripting (XSS) vulnerability, because the Genericons package includes an unsafe file, example.html. Follow the advice in this e-mail: update your WordPress installation, or delete that file.
Dear xxx,
Recently, a critical 0-day vulnerability was discovered in the Genericons package, which comes with the popular Jetpack plugin and the TwentyFifteen theme of WordPress. The latter is installed by default with all recent WordPress installations/updates. The vulnerability represents a DOM-based XSS (cross-site scripting), and it allows attackers to modify the execution of scripts in the user/visitor browser. For example, if a site administrator is tricked to click on a link while logged in to the WordPress site, the attacker could gain control over the site.
As the vulnerability affects millions of sites on the Internet, we took proactive steps to secure automatically all WordPress installations on our servers. On May 6, we set permissions 000 to the "genericons/example.html" files on your accounts, and later deleted these files from the server. A full list of the affected files can be found below.
The "example.html" file is not necessary for the operation of a WordPress installation.
A general security precaution is to always keep your software up to date, along with its plugins and themes.
If you need any additional information, you can always contact us through our support site http://www.suresupport.com.
Best regards,
ICDSoft Team
----------------------
Domain name xxx.com:
- /home/xxx/xxx/www/wp-content/themes/twentyfifteen/genericons/example.html
----------------------
NOTE: This message comes from a "noreply" mailbox. Please do not reply directly to it. If you need to get in touch with us, please use our support ticketing system at http://www.suresupport.com.
If you are also an ICDSoft customer, you can relax: support has already removed this script vulnerability for you.
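For anyone hosting WordPress elsewhere, here is the same two-step clean-up the e-mail describes (set mode 000 first, then delete) as a small POSIX shell script. This is an added example, not ICDSoft's own tooling and not code from the original post; the document root it is run against is an assumption and must be supplied as the first argument.

```shell
#!/bin/sh
# Added example (not ICDSoft's script, not from the original post).
# Finds every genericons/example.html under a WordPress tree, makes it
# unreadable (mode 000) and then deletes it, mirroring the two steps in the
# ICDSoft e-mail. The root path is an assumption supplied by the caller.

# find_genericons_examples ROOT
#   Prints the path of every file named example.html that sits directly
#   inside a "genericons" directory below ROOT (themes and plugins alike).
find_genericons_examples() {
    find "$1" -type f -path '*/genericons/example.html' 2>/dev/null
}

# count_genericons_examples ROOT
#   Prints how many such files remain; useful as a before/after check.
count_genericons_examples() {
    find_genericons_examples "$1" | {
        n=0
        while IFS= read -r _; do n=$((n + 1)); done
        echo "$n"
    }
}

# remove_genericons_examples ROOT
#   Step 1: chmod 000 so the file stops being served even if deletion fails.
#   Step 2: rm -f; WordPress does not need example.html to operate.
#   Prints one "removed: <path>" line per file handled.
remove_genericons_examples() {
    find_genericons_examples "$1" | while IFS= read -r f; do
        chmod 000 "$f"
        rm -f "$f"
        echo "removed: $f"
    done
}

# Usage (path is an assumption, substitute your own document root):
#   sh genericons-cleanup.sh /home/xxx/xxx/www
if [ $# -gt 0 ]; then
    echo "before: $(count_genericons_examples "$1") file(s)"
    remove_genericons_examples "$1"
    echo "after:  $(count_genericons_examples "$1") file(s)"
fi
```

Run it as the account owner rather than root so it cannot reach outside your own web tree, and rerun `count_genericons_examples` afterwards; a plugin or theme update that reinstalls Genericons can bring the file back, which is why the e-mail also stresses keeping everything up to date.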
I can't find example.html in 4.2.2 any more. With that file gone, we're safe, right?
Yes, without that file it's safe.
Quite a lot of vulnerabilities have been found recently; update promptly.
WordPress now supports automatic updates; just turn on the auto-update feature.
Minor releases update automatically by default, unless you disabled that yourself in code.
Just yesterday I found that genericon was slowing my site down; the admin panel wouldn't open at all.
How do I comment it out so the WordPress admin panel doesn't use genericon?
If you don't use the visual editor, you won't be using genericon.
If I don't use the visual editor, how am I supposed to get WYSIWYG and write with my images in front of me?
Heh. Just write your posts directly in the code editor, or write them in Markdown.
http://hst.liuyuxuan.com/3932.html
There's a detailed tutorial here.