WordPress Security Update

WordPress Security Update

Update: WordPress 1.5.2 now available.

Found out last Friday that WordPress had a securtiy update for its version that involved the register_globals settings.

They posted an updated information in the WordPress forums:

WordPress version is remotely exploitable if the web server on which it runs has register_globals = on in the PHP configuration. perl and PHP code exists to automatically exploit vulnerable WP sites, allowing the attacker to (try to) execute code on the victim’s account.

Here are some recommended steps that should be taken to secure your WP account:


Download the revised wp-settings.php file. This revised version includes specific code to thwart attacks that leverage register_globals.

To use the revised wp-settings.php file, please first make a backup copy of your existing /wp-includes/wp-settings.php file, then simply transfer the new version to the /wp-includes/ directory on your site.

We strongly encourage security in depth. In addition to the fix above, you are encouraged to disabled register_globals for your site. Most users will be able to edit your .htaccess file, and place this at the very top: php_flag register_globals off

If you control the server, you may edit php.ini and disable register_globals. You will need to restart the webserver after making this change.

Everyone is strongly encouraged to update their WordPress installation as indicated above. I suggest doing the 1st and second option.

Note to plogHost clients: Although we can turn off register_globals on all servers, a whole lot of other applications that require it to be “on” may be affected and may not work.

Abe is the founder and Editor-in-Chief of YugaTech. You Can follow him on Twitter @abeolandres.

You may also like...

13 Responses

  1. vern says:

    wp-settings.php is actually in the WordPress root (/) and not in wp-includes/. At least it is on mine.

  2. yuga says:

    wp-includes/settings.php is mentioned as the back-up. :)

  3. Jaypee says:

    same goes for me..my wp-settings.php file is found in the root folder and not inside the wp-includes folder.

  4. vern says:

    Yeah they say that, but then their instructions say

    “then simply transfer the new version to the /wp-includes/ directory on your site.”

    People who follow their instructions word for word will run into obvious problems.

  5. Jaypee says:

    i tried to upload the new wp-settings.php file and got this error message –
    Parse error: parse error, unexpected T_LNUMBER in /home/prolifik/public_html/blog/wp-settings.php on line 91

  6. Max Limpag says:


    Thanks for the warning.


  7. Kates says:

    Apparently, they forgot to change the version number in the headers. Mine still sports the version I leave that for stats. hehehe

  8. Max Limpag says:

    WordPress released version 1.5.2 just a few minutes after I did the fixes :-( . The update to my, my wife’s and our Newsletter Solutions blogs went smoothly, though. Again, thanks for the warning although i wish I had procrastinated longer (at least in time for the release announcement :-) )


  9. Jaypee says:

    i’ve upgraded mine to 1.5.2 :D

  10. markku says:

    You mean we have register_globals turned on at ploghost? It’s sad that other developers simply ignore safe programming practices to allow their apps to run with the register_globals directive set to off. It doesn’t really take much to code that way.

    Another WP update? It’s nice to see the community responding swiftly. :)

Leave a Reply

Your email address will not be published. Required fields are marked *