Informed Webmaster

The newly updated WordPress 5.5 contains a feature that prevents rogue plugins from taking over WordPress sites. The change allows a WordPress site to check if a plugin is legitimate or not and to block it from updating if it is flagged as blocked from updating.

Our team recently stumbled across an interesting example of malicious code used to add an arbitrary user inside WordPress.

The following code was detected at the bottom of the theme’s functions.php. It uses internal WordPress functions like wp_create_user() and add_role() to create a new user and elevate its role to “administrator:”

WordPress 5.5.1 is now available!

This maintenance release features 34 bug fixes, 5 enhancements, and 5 bug fixes for the block editor. These bugs affect WordPress version 5.5, so you’ll want to upgrade.

You can download WordPress 5.5.1 directly, or visit the Dashboard → Updates screen and click Update Now. If your sites support automatic background updates, they’ve already started the update process.

WordPress 5.5.1 is a short-cycle maintenance release. The next major release will be version 5.6.

To see a full list of changes, you can browse the list on Trac, read the 5.5.1 RC1 and 5.5.1 RC2 posts, or visit the 5.5.1 documentation page.

Experts reported threat actors are increasingly targeting a recently addressed vulnerability in the WordPress plugin File Manager.

Researchers from WordPress security company Defiant observed a surge in the number of attacks targeting a recently addressed vulnerability in the WordPress plugin File Manager.

Users of the Discount Rules for WooCommerce WordPress plugin are urged to apply a third and (hopefully) final patch.


E-commerce sites using the WordPress plugin Discount Rules for WooCommerce are being urged to patch two high-severity cross-site scripting flaws that could allow an attacker to hijack a targeted site. Two fixes for the flaws, first available on Aug. 22 and second on Sept. 2, failed to patch the problem.

A third round of patches for the bugs became available to customers on Sept. 9. On Thursday, the Wordfence Threat Intelligence researchers that were tipped-off to the vulnerabilities, publicly disclosed the flaws and offered a technical analysis....

WordPress 5.5.2 is now available!

This security and maintenance release features 14 bug fixes in addition to 10 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.5.2 is a short-cycle security and maintenance release. The next major release will be version 5.6.

This maintenance release fixes an issue introduced in WordPress 5.5.2 which makes it impossible to install WordPress on a brand new website that does not have a database connection configured. This release does not affect sites where a database connection is already configured, for example, via one-click installers or an existing wp-config.php file.

5.5.3-alpha Issue

Earlier today — between approximately 15:30 and 16:00 UTC — the auto-update system for WordPress updated some sites from version 5.5.2 to version 5.5.3-alpha. This auto-update was due to an error in the Updates API caused by the 5.5.3 release preparations (see more here). The 5.5.3-alpha version at this point was functionally identical to 5.5.2 as no development work had been started on 5.5.3; however, the following changes may have been made to your site:

The default “Twenty” themes installed as part of the pre-release package.
The “Akismet” plugin installed as part of the pre-release package.

These themes and plugins were not activated and therefore remain non-functional unless you installed them previously. It is safe to delete these features should you prefer not to use them.

If you are not on 5.5.2, or have auto-updates for minor releases disabled, please manually update to the 5.5.3 version by downloading WordPress 5.5.3 or visiting Dashboard → Updates and click “Update Now.”

...WordPress 5.6 brings you countless ways to set your ideas free and bring them to life. With a brand-new default theme as your canvas, it supports an ever-growing collection of blocks as your brushes. Paint with words. Pictures. Sound. Or rich embedded media...