WordPress 6.0.2 Maintenance Release
On August 30, 2022, the WordPress core team released WordPress version 6.0.2, which contains patches for 3 vulnerabilities, including a High Severity SQLi vulnerability in the Links functionality as well as two Medium Severity Cross-Site Scripting vulnerabilities.
These patches have been backported to every version of WordPress since 3.7. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 3.7, so you can update without risking compatibility issues. If your site has not been updated automatically we recommend updating manually.
Vulnerability Analysis
As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.
The WordPress Link functionality, previously known as “Bookmarks”, is no longer enabled by default on new WordPress installations. Older sites may still have the functionality enabled, which means that millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress. Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration. It is possible that 3rd party plugins or themes might allow this vulnerability to be used by editor-level users or below, and in these cases the Wordfence firewall will block any such exploit attempts.
Vulnerable versions of WordPress failed to successfully sanitize the limit argument of the link retrieval query in the get_bookmarks function, used to ensure that only a certain number of links were returned. In a default configuration, only the Links legacy widget calls the get_bookmarks function in a way that allows this argument to be set by a user. Legacy widgets involve additional safeguards, and the injection point of the query itself poses additional difficulties, making this vulnerability nontrivial to exploit.
WordPress content creators, such as Contributors, Editors, Authors, and Administrators, have the ability to add custom fields to any page and post created. The purpose of this is to make it possible for site content creators to add and associate additional data to posts and pages.
WordPress has several functions available to site owners to display custom fields created and associated with posts and pages. One of these functions is the the_meta function which retrieves the supplied post’s or page’s custom field data, which is stored as post meta data, through the get_post_custom_keys and get_post_custom_values functions. Once the custom fields for a post/page are retrieved, the function outputs the post meta keys and values data as a list. Unfortunately, in versions older than 6.0.2 this data was unescaped on output making it possible for any injected scripts in post meta keys and values to be executed.
Due to the fact that any user with access to the post editor can add custom meta fields, users with access to the editor such as contributors could inject malicious JavaScript that executes on any page or post where this function is called.
WordPress core does not call the_meta anywhere in its codebase by default. As such this vulnerability does require a plugin or theme that calls the the_meta function, or for this function to have been programmatically added to a PHP file for execution, so the vast majority of site owners are not vulnerable to this issue. The the_meta function is considered deprecated as of 6.0.2 and get_post_meta is the recommended alternative.
The final vulnerability involves the error messages displayed when a plugin has been deactivated due to an error, or when a plugin can not be deleted due to an error. As these error messages were not escaped, any JavaScript present in these error messages would execute in the browser session of an administrator visiting the plugins page. This vulnerability would require a separate malicious or vulnerable plugin or other code to be installed on the site, which would typically require an administrator to install it themselves. In almost all cases where this vulnerability might be exploitable an attacker would already have a firm foothold on the vulnerable site.
Why Use WordPress For Your Website
WordPress is a content management system (CMS for short). It’s a robust tool for creating and managing your website. Blogs, business websites, personal sites, and ecommerce stores alike can benefit from using WordPress.
This platform is run online, meaning you don’t need to download any desktop software to use it.
1. Reliability
You don’t want to take any chances when it comes to managing your website. Sometimes, looking at how many people use a platform is the best way to determine its reliability.
According a recent study from Kinsta, WordPress dominates the CMS market share.
WordPress controls 60% of the CMS market. Joomla is second on the list, with a percentage that’s 12 times smaller than WordPress.
Furthermore, WordPress powers 34% of all websites worldwide. Numbers like this are simply staggering, to say the least.
If the platform wasn’t reliable, it wouldn’t be so widely used. Big-name sites like TED, TechCrunch, UPS, and CNN all use WordPress.
Each month roughly 70 million new posts are published on WordPress. Those posts generate about 77 million new comments over the same period of time.
Considering the fact that WordPress is used by about one-third of websites across the globe, it’s safe to say that your site will be in good hands if you use it as well.
2. Great support
Since WordPress is used by so many people all over the world, there are countless guides, tutorials, and resources that can be found online. You can take advantage of WordPress forums where you can communicate with others who use the planet’s most popular CMS.
Aside from those options, you can also get help and support directly from the WordPress support team.
If you have a paid WordPress plan, you’ll have access to live chat support 24 hours per day, Monday to Friday. For those of you who have business or ecommerce plans, you can even reach live chat agents on the weekends.
With that said, it’s worth noting that this resource won’t be able to help you any third-party applications that you’re using on your WordPress site.
But as I mentioned before, you can easily find help with this on a community forum or guide on another site. There is definitely no shortage of WordPress “how-to” resources on the Internet.
3. SEO-friendly
SEO can make or break the success of your website. So it’s something that you need to start focusing on from the inception of your site.
WordPress makes this easy by having some built-in tools that tell you how SEO-friendly your content is. Although most of you will want to upgrade from the basic SEO tools and install a WordPress SEO plugin.
If you’re interested in this, Yoast SEO will be a top option for you to consider.
This plugin is great because there’s a free version that you can try out to get familiar with how it works. But I strongly recommend getting Yoast SEO Premium.
The paid version of this plugin gives you access to more keywords, phrases, and related terms. It will also automatically monitor your most important pages and send you a notification if too much time has passed between updates.
Upgrading to the premium plugin will give you content insights, internal link suggestions, and an ad-free experience, among dozens of other benefits.
4. Flexibility
WordPress can as in-depth and complex or as simple as you want it to be.
You have the option to just use the basic version of the platform to publish blog posts. Or on the other side of the spectrum, you can use it for your business website and add widgets and plugins to add functionality.
Nearly anything that you want to do with your website can be accomplished with WordPress.
Again, you may need to install a plugin or third-party application for that to happen, but the possibilities are still there.
The flexibility of WordPress also applies to the type of people who use it. No, I’m not talking about if you can touch your toes or not. I’m referring to your level of technical experience.
Newbies, developers, and everyone in-between the two can use WordPress. How you use it and what features you want to take advantage of will be completely up to you.
5. Security
In general, WordPress is a safe and secure platform. But it doesn’t mean you’re completely vulnerable from malicious attacks, hackers, and malware on your website.
Fortunately, WordPress makes it easy for you to enhance your site’s security with features like password protection for folder contents.
Keeping your WordPress version up to date will also fight off bugs and potential security threats.
It’s also easy to enable an SSL certificate for your WordPress site. Most of the time you can just get this from your web hosting service.
This is a simple and effective way to enhance your WordPress website security.
Furthermore, there are additional steps you can take to beef up your site’s security. I’d recommend installing a WordPress security plugin.
Adding one of these to your site is like building a moat around your house. Sure, doors might be locked, but the added layer will make it even harder for intruders to penetrate your walls.
You can also take proactive steps by installing a WordPress backup plugin.
In the event that your site is somehow compromised, you don’t want to lose all of your content and data. A plugin will make it easy for you to recover your website if something goes wrong.
6. Simplified content creation
Starting a new WordPress site is so easy; anyone can do it. You can get everything set up with just a few clicks.
Once your site is live, all you need to do is navigate to the “posts” section of your dashboard menu. From here, you’ll be able to find everything you need to write and publish a new blog post.
You’ll find text editors, formatting tools, and ways to upload media files.
As you’ll quickly learn, the entire content creation process on WordPress is very straightforward. So you won’t have any excuse for lacking in that department.
After your content has been published, you won’t have to jump through hoops to edit it moving forward. All you need to do is search the post and make any changes or updates using the visual editor.
Once those changes have been made, just click on the “save” button and the new version of that content will be live instantly.
7. REST API
Most of what we talked about today has been geared toward WordPress beginners. But the platform has plenty of advanced features as well.
If you’re a developer, you’ll be happy to know that WordPress has a REST API, which allows you to build apps using the platform.
For example, you could create a custom plugin for a new administrative dashboard experience. Or maybe you want to make changes to the front-end.
With the WordPress REST API, you’re not forced to write apps in PHP. You can use any programming language that has the ability to make HTTP requests.
Even if you have no idea what I’m talking about here, it may be something that you learn or become interested in down the road. Or maybe you’ll eventually work with a developer to create an application.
Either way, it’s nice to know that this is an option at your disposal if you use WordPress.
8. Optimized for speed
Slow websites are useless. WordPress knows this, so it has specific features and elements that you can take advantage of that will speed up your website.
For example, you can install a lightweight theme that won’t weigh down your code. You could add a plugin to reduce the size of your image files.
Take advantage of options for Gzip compression, advanced caching, and minifying CSS and JS files.
If you use tools like the examples I just gave, you can drastically reduce your website page loading speed. This will ultimately reduce your bounce rates, improve the user experience, and increase conversions on your WordPress site.
9. Multilingual
WordPress has a global reach. It supports more than 160 languages worldwide. So you’ll be able to create a website to reach your global audience as well.
With that said, it’s worth noting that English is the most popular language used on WordPress.
71% of all blogs published on the platform are written in English.
But it’s nice knowing that if you want to take advantage of other languages, WordPress makes that easy for you to do.
10. Simple integrations
As I’ve mentioned throughout this list, WordPress is compatible with tons of different third-party tools.
In addition to plugins and widgets, you can also integrate things like email marketing software, payment gateways, Google Analytics, and countless other components that you might need to run a fully functional and operational website.
Third-party tools are made with WordPress in mind. Since the CMS platform is so popular, those other companies know that their current and prospective customers might be using it to manage their websites.
So you won’t have to ditch the platforms and resources that you’re familiar with once you build a WordPress site.
Best and Cheap WordPress 6.0.2 Hosting
The hosting provider that we mean is ASPHostPortal. Who and why ASPHostPortal? ASPHostPortal is one of the best web hosting in the world. Founded in 2008, this company managed by a strong team of web hosting experts. Here are several reasons why you can choose them as your WordPress hosting partner. To make it clear, we have worked out a comprehensive review of the feature, performance, customer service and pricing of this service.
Respected By The WordPress Community
ASPHostPortal is well-respected in the WordPress community, especially for their quick, helpful support. All hosting companies have good and bad customer experiences on the web review, but if you look at ASPHostPortal’s review mentions the majority of feedback is positive.
From HostingAdvice (https://hostadvice.com/hosting-company/asphostportal-com-reviews/)
From WHTOP (https://www.whtop.com/review/asphostportal.com)
From Trustpilot (https://www.trustpilot.com/review/asphostportal.com)
Engineered For Speed
ASPHostPortal shared hosting ($3.81/month) is good. The speed depends on which plan you choose but each one comes with top-notch hardware, CDN, SuperCacher, and software for it’s a tier. ASPHostPortal also makes constant updates to improve speed – allowing customer sites to load even faster. This is our test result from GTMetrix, the loaded time is 0.7 second only.
Best Support In The Industry
With ASPHostPortal’s support system we have always been able to reach someone within minutes whether it be through 24/7 ticket. That’s because ASPHostPortal is a people-focused company who won’t make you wait around listening to bad elevator music. Their team is so helpful and will honestly bend over backward to make sure your issues are resolved. And they won’t tell you “it’s not a hosting-related problem” like other hosting companies.
Top-Notch Security
Not only will your site be protected through auto-updates, daily backups, and server protection, but ASPHostPortal also releases their own patches when there’s a widespread security vulnerability (with WordPress, or even a specific WordPress plugin). They’re both proactive AND reactive which is good because WordPress sites have become prime targets.
ASPHostPortal WordPress Hosting Plans
Whether you’re on a $3.81/month budget or you need a $12.99/month dedicated server, there’s a plan for everyone. I mentioned this already but I use their plan and my WordPress site loads in under 1 second.
Conclusion – ASPHostPortal Is Awesome For WordPress Hosting
Between their hosting and tech support, ASPHostPortal is a clear winner. I don’t write many articles on the other hosting companies because ASPHostPortal is in my opinion, the best. I do WordPress SEO and speed optimization for a living so I’ve been through a lot of hosts – and I’m just glad I found one who I can stick with and keep my website blazing fast.
