WordPress 4.7.1 - Security and Maintenance Release is now available

Less than a month after the release of version 4.7 “Vaughan”, WordPress releases version 4.7.1 of the most used CMS in the world.
This is a “security and maintenance” release which fixes 8 important vulnerabilities that affect all WordPress versions (4. included), in addition to 2 bugs of the previous version.
The 8 vulnerabilities, which are now fixed, include cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks.

The update is available from the administration dashboard and on the official website. We encourage you to update your installation as soon as possible.

Let us remind you of the new features introduced with version 4.7 “Vaughan”:

  • Twenty Seventeen theme: it is an ambitious theme designed for business websites that focuses on a creative home page and an easy site setup experience for users
  • Video Headers: WordPress 4.7 extends the Custom Header feature to introduce support for video. Video headers play automatically, loop by default, and don't have sound. They work best when paired with an image, so they can progressively enhance the experience when video is supported.
  • Custom CSS: sometimes you just need a few more visual tweaks to make your site perfect, or a plugin adds something that doesn't quite look right with your site. WordPress 4.7 allows you to instantly see changes while adding custom CSS to give your site that polish.
  • PDF Preview: managing your document collection is easier with WordPress Version 4.7, which now shows preview thumbnails instead of a generic icon for PDFs in the media library.
  • REST API: API endpoints for WordPress content. WordPress 4.7 comes with REST API endpoints for posts, comments, terms, users, meta, and settings. Content endpoints provide machine-readable external access to your WordPress site with a clear, standards-driven interface, paving the way for new and innovative methods of interacting with your site.
  • Demo data: new sample data gives new users a complete demo site, so they can promptly see the potential of the CMS.
  • New menu: menu management has been improved by making it possible to organize the menu before adding any content, in order to structure the site quickly.


Joomla 3.6.5 is now available

Joomla 3.6.5 is now available: this is a security release which aims to improve the overall security level of the CMS. 3 vulnerabilities and 3 system bugs have been fixed and security hardening best practices have been added in the code and user permissions management.

The update is available within the administration dashboard and on the official website. We encourage you to update your Joomla installation as soon as possible.

At the same time, version 3.7.0 Alpha 2 is available. This testing release follows the roadmap that will end up in the release of version 3.7 in late March.
Two new features are introduced: Multilingual Associations Manager, which allows content to be translated within a single interface, and Backend Menu Manager, which allows a custom administration menu to be created.
You can find the Alpha release for testing purposes here.


Visbot malware identified in 6691 online Magento shops

Visbot is a malware that attacks Magento ecommerce websites: it steals credit card data, encrypts it and hides it in images with a technique called steganography. The images are then sent to the hacker’s server.
The malware was first identified in March 2015, but its ability to hide successfully in web servers and the difficulty of identifying the infection helped it remain unknown.
Visbot doesn’t work at the frontend level by injecting infected code into webpages; instead, it works in the backend without exposing itself, so only server admins can identify it.

William de Groot, a security analyst for the Dutch company byte.nl, states in an article on his blog that Visbot has a weak point: its creator(s) use a user agent to track all infected websites. The same user agent can be used by a webmaster to find out if a Magento website has been infected, with a simple command such as

    curl -LH 'User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;[email address redacted])' \
      http://magento-website-address.com

or by using the MageReport service, of which de Groot is one of the founders. This service identifies infected Magento websites.

Research performed by de Groot with MageReport identified 6691 online webshops infected by Visbot; de Groot then warned providers and authorities.
The malware gains access to Magento websites with brute-force attempts or by leveraging vulnerabilities that haven’t been discovered yet. Therefore, if you manage a Magento ecommerce site, or any other ecommerce system or CMS, be sure to adopt strong access credentials and update your system as soon as updates are available.


New WordPress features will require HTTPS

Matt Mullenweg, the founder of WordPress, announced on his blog that the new features of the famous CMS will require the use of secure connections with the HTTPS protocol.
At the moment we don’t have a list of features that will be available only if SSL support is enabled.
The recent introduction of PHP7 played an important role in this decision: the new PHP version makes it possible to take advantage of the secure protocol with a lower computational cost than the previous versions.
Google too takes SSL security seriously by taking HTTPS into account in the factors that determine the ranking of a website, and also by marking as insecure sites that are still available with HTTP connections.