Dec 19
Everyone using the popular WordPress plugin Contact Form 7 version 5.3.1 and older needs to update it immediately to address a severe security vulnerability.

The developers of Contact Form 7 have reported:

“An unrestricted file upload vulnerability has been found in Contact Form 7 5.3.1 and older versions.

Utilizing this vulnerability, a form submitter can bypass Contact Form 7’s filename sanitization, and upload a file which can be executed as a script file on the host server.”

It has been fixed in version 5.3.2.

Feb 21

PHP 7.4.3 was released on 20th February 2020.

It has resolved the bug in PHP 7.4.2 that broke WordPress authentication for usernames with spaces.

For more information, see:

Feb 14

PHP 7.4.2, the most current version, was released on the 23rd January 2020.

A bug in this version of PHP breaks WordPress authentication for usernames with spaces. That is, if a user attempts to log into their account via the WordPress login page, it will just display the login form again. It makes no difference if the user enters their username or their email address.

The immediate workaround is to downgrade to PHP 7.4.1 and then upgrade to PHP 7.4.3 once it has been released.

For more information, see:

Sep 23

WordPress’s popularity has made it a prime target for hackers. Each day countless self-hosted WordPress sites are damaged or taken down, usually by automated attacks exploiting known vulnerabilities.

Many WordPress site administrators only learn way too late about the importance of pre-emptive security hardening, after they have become victims of an attack and have suffered the consequences – loss of visitors, search engine ranking and damage to data.

Our Lead Developer Vladimir Lasky will be presenting the talk “Tips for Fixing a Hacked WordPress Site” at WordCamp Sydney 2016, to be held on the weekend of September 24 & 25 at the University of Technology Sydney (UTS) City Campus. Vlad’s talk will cover strategies and approaches to recovering compromised WordPress sites.

The presentation slides are available on SlideShare


Sep 26

Our Lead Developer Vladimir Lasky will be presenting the talk “Make WordPress Fly With Virtual Server Hosting” at WordCamp Sydney 2014, to be held on the weekend of September 27 & 28 at the University of Technology Sydney (UTS) City Campus.

His talk advocates the benefits of moving a WordPress site from shared hosting to Virtual Private Server (VPS) hosting with information on:

  • How shared hosting environments limit the performance of a WordPress site
  • How VPS environments operate
  • Why pure SSD storage on a VPS is essential for good performance
  • The limitations and drawbacks of page caching, object caching and minifying plugins
  • Why all-in-one hosting control panels are evil
  • How PHP Opcode caching is the only true way to make WordPress run faster
  • How MySQL query caching dramatically speeds up communication between WordPress and MySQL
  • Tips on securing your VPS

Vlad presents a WordPress VPS-hosting approach designed to:

  • Not be radically different from a commonly-configured LAMP software environment
  • Avoid cache invalidation-related problems and minimise plugin incompatibilities
  • Ensure that everyone sees the most current state of your WordPress site
  • Ensure that logged in users and those working in the WordPress admin backend will also experience a speed increase

The presentation slides are available on SlideShare:

Sep 25

A major vulnerability has been found in the Bourne Again Shell (BASH) that is installed on most UNIX-based systems, and this can be used to execute arbitrary code on vulnerable servers.

This vulnerability has been named “Shell Shock” and has been compared to the Heartbleed vulnerability in terms of its seriousness.

We strongly advise everyone who administers or uses a Linux/UNIX/OS X system to update their systems to the latest patched version of BASH that removes this vulnerability.

More Information:


Apr 09

A severe vulnerability has been found in the OpenSSL library, widely used in UNIX-based web servers to implement support for Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which underpin all encrypted web browsing. Every time you access a URL with the “https://” prefix, you are using SSL or TLS.

OpenSSL versions 1.0.1 (released December 2011) to 1.0.1f are affected, with the vulnerability fixed in 1.0.1g.

The vulnerability allows an attacker to read up to 64kB of memory contents on the server. This can potentially expose privileged information including secret keys that underpin the encryption. An attack is especially dangerous as it leaves no trace in system logs.

The vulnerability has been nicknamed “Heartbleed”, as the bug is present within the heartbeat functionality of OpenSSL. The following popular Linux/BSD distributions are known to be affected:

Debian Wheezy, Ubuntu 12.04.4, CentOS 6.5, Fedora 18, SuSE 12.2, OpenBSD 5.4, FreeBSD 8.4, and NetBSD 5.0.2

If you are running one of these or a derivative, update your OpenSSL immediately to OpenSSL 1.0.1g, which can easily be done using standard package management tools e.g. yum and apt-get. After that, restart your web server.
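As an added example (not from the original post or the OpenSSL project), this shell function classifies the output of `openssl version -a` against the affected range given above. The sample output is constructed, and the check for the `OPENSSL_NO_HEARTBEATS` build flag on the `compiler:` line is an assumption about how a build without heartbeat support reports itself.

```shell
#!/bin/sh
# Classify `openssl version -a` output against the range stated in the post:
# 1.0.1 through 1.0.1f affected, fixed in 1.0.1g.
# Prints one of: affected-range, heartbeat-disabled, outside-range, unknown

# Constructed sample output, for illustration only.
SAMPLE='OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Feb 11 12:00:00 UTC 2013
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2'

heartbleed_status() {
    info=$1
    # The first line looks like "OpenSSL 1.0.1e 11 Feb 2013"; keep only the
    # numeric version plus its letter suffix (a "-fips" suffix is dropped).
    ver=$(printf '%s\n' "$info" |
        sed -n '1s/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return; }

    case $ver in
        1.0.1|1.0.1[a-f]) ;;                  # upstream range named above
        *) echo outside-range; return ;;
    esac

    # Assumption: a build compiled without the heartbeat extension shows
    # this define among the compiler flags.
    if printf '%s\n' "$info" | grep -q 'OPENSSL_NO_HEARTBEATS'; then
        echo heartbeat-disabled
    else
        echo affected-range
    fi
}

# Check the locally installed binary, if there is one.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version -a 2>/dev/null)"
fi
```

Distribution packages often backport the fix without changing the upstream version letter, so an `affected-range` result should be confirmed against the package changelog or the `built on:` date. Services that loaded the old library keep using it until they are restarted.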

To check if your web site or web server has the Heartbleed bug, you can use this online Heartbleed test tool:

For more information:

May 24
  • AussieWPExpert: Presentation slides from Vlad Lasky's WordCamp Melbourne 2013 talk "Beating Spam On Your WordPress Website": #wcmelb

Apr 26
  • AussieWPExpert: This WordPress plugin lets you rename media files by updating their titles. URLs within posts are auto-updated:
  • AussieWPExpert: The Media Rename WordPress plugin allows you to easily rename (and retitle) your media files once uploaded –
  • AussieWPExpert: WordPress plugin AJAX Comment Loading, implements lazy loading for comments, making your site load faster –
  • AussieWPExpert: ManageWP: How to Boost WordPress Performance Drastically with Zend Optimizer+ –
  • AussieWPExpert: Lifehacker: Clever uses for Google's Reverse Image Search –

Apr 19