It’s been a busy week for security buffs as both WordPress and Google Accounts are both receiving major security improvements that their users should definitely scoop up as quickly as possible.
For WordPress users, they need to see about upgrading their installation to version 3.0.5, which fixes several security bugs that are most dangerous to those who have authors with limited permissions on their blog. Google, on the other hand, is slowly rolling out a new two-factor authentication system that may help keep your email and other information more secure.
If you use either or both of these tools, you may want to look at making the needed changes so you can get the full benefit of their security improvements. Otherwise, you’ll likely find that your blog, your email and your other personal information are at greater risk.
WordPress Launches 3.0.5
WordPress users who have a standalone installation of WordPress on their server, will likely want to upgrade to 3.0.5 as soon as possible.
The upgrade addresses several severe security issues including:
- Two security issues that would have allowed a author or contributor-level user to gain greater access to the site.
- Another security issue that would have allowed an author-level user to read information they weren’t supposed to access, such as drafts or private posts.
- Two additional security issues that help secure plugins, especially those that don’t use WordPress’ built-in security API.
Obviously, if you don’t have author or contributor-level users or don’t use many plugins, there is less urgency in this upgrade but, considering it is a free update and takes only minutes to install automatically, it’s well worth going ahead and upgrading.
At the same time as WordPress 3.0.5′s release, Automattic also announced the release of the fourth release candidate for the WordPress 3.1 branch. This release deals mostly mostly small bugs that were found in the third release candidate and marks a clear sign that the 3.1 branch is very near completion and should be sent out to the masses very shortly.
Google Introduces Two Factor Authentication
For users of Blogger, or even just Gmail or other Google tools, Google is rolling out two-factor authentication to help make your Google account more secure.
The basic principle is that, instead of merely having your email address and password to log into your Google account, you also have to enter a second, numerical passcode. This code is always changing and is sent to the user every login via either text message or the “Google Authenticator” app that is available for the iPhone, Android and BlackBerry.
Since this number changes regularly, it makes it much more difficult for someone to phish your password and anyone who wishes to enter your acount without authorization has to have access to your email address, password and your phone, making the process significantly more difficult.
Two-factor authentication is hardly new, PayPal has been using a security key system for years and many corporations and government agencies have required other kinds of security tokens for even longer.
But despite their history, security tokens have not gained widespread usage due to the perceived hassle (both in setting them up and using them) and the fact many don’t wish to either use text messages or to purchase keychains or cards to keep around. This has limited the application to high-risk targets such as banks, corporations and so forth.
Fortunately, Google’s system is free for anyone with a smartphone or with an unlimited text messaging plan and, as such, may mark the beginning of widespread usage for more personal targets.
As incidents like the Gawker leak have shown us, passwords are very vulnerable to being leaked, guessed or stolen, making a second layer of authentication very important for critical data.
Right now, systems such as Google’s are the best available and will likely become more common over the next few years.
Bottom Line
If you value your data, your privacy and your site, then you need to take security seriously. Fortunately, both Google and the WordPress development team are both working to help make security easier and better.
If you use either of these products, take a moment and upgrade your sites and your password security. You’ll be glad that you did.
While these steps may not secure you completely, that’s because nothing really can. They will, however, make you a much more difficult target and motivate attackers to move on to other, easier targets.