Jetpack 4.1: Secure Sign On Improvements, Two New Sharing Buttons, and More

Jetpack 4.1 is here, and it’s packed with performance improvements, new features, improvements to existing features, and bug fixes!

Jetpack 4.0.4: Security Update, Bug Fixes and Improvements

Jetpack 4.0.4 is now available for download and includes some important security updates, bug fixes, and improvements. We recommend that you update your sites to the latest version as soon as possible.

Jetpack 4.0.3: Critical Security Update

Jetpack 4.0.3 contains a critical security update, and you should update all the sites you manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.

Jetpack 3.9.2: Maintenance and Security Release

Jetpack 3.9.2 is now available for download. We’ve added two security updates as well as several bug fixes and enhancements. We recommend that you update your sites to the latest version as soon as possible.

Security updates

  • Beautiful Math: there was a potential XSS vulnerability when parsing LaTeX markup within HTML elements. The issue was discovered and fixed by our security team.
  • Contact Form: when site credentials were configured to be read from environment variables, they could nevertheless be written in plain text to WordPress’ postmeta table. The issue was discovered by Oliver Liu.

Other minor fixes

This release also includes other bug fixes:

  • Nova Menus: fixed notices as well as issues when adding menu items in bulk.
  • Publicize: Authors can now access their Publicize settings again.
  • Publicize: fixed problems for Australian and Canadian English sites using Publicize to send their posts to Facebook.
  • Embeds: it is now possible to embed Instagram posts using a www in the URL.
  • Widget Visibility: fixed an issue appearing when a page title matched an existing page ID.
  • And many more updates, listed in the changelog.

Enhancements

We added 2 new oEmbed providers, Codepen and Sketchfab. Just paste a URL in your post editor, and enjoy! Here’s a Codepen example:

We also added new filters to allow you to customize the Contact Info widget, define custom patterns to be ignored by Jetpack Markdown, or change the heading of the Related Posts.

Finally, we created a [jetpack_top_posts_widget] shortcode to allow you to display the Top Posts & Pages Widget anywhere on your site.

Staging Mode

Do you use a backup / cloning plugin to clone your production site to a staging environment? Starting with Jetpack 3.9.2, you can use a constant or a filter to flag a site as a “Staging site” and so avoid conflicts and synchronization issues with Jetpack.

Thanks to everyone who contributed to 3.9.2:

Alex Kirk, Allen Snook, Andrew Duthie, Barry Abrahamson, Ben Lowery, Bob Ralian, Brandon Kraft, Chris Rosser, Christopher Finke, Claus Colloseus, Crystal Barton, Dan Walmsley, Daryl L. L. Houston, Derek Smart, Elio Rivero, Enej Bajgoric, Eric Binnion, Gregory Cornelius, Igor Zinovyev, James Nylen, Jenia Laszlo, Jeremy Herve, Joey Kudish, Jorge Bernal, Justin Shreve, Kat Hagan, Konstantin Kovshenin, Lance Willett, Mahangu Weerasinghe, Marcus Kazmierczak, Matt Wiebe, Miguel Lezama, Mike Adams, Mo Jangda, Payton Swick, Rocco Tripaldi, Sam Hotchkiss, Sendhil Panchadsaram, Stephen Edgar, Timmy Crawford, and Veselin Nikolov.

Securing your Site with Jetpack

Website security is important, although it can seem daunting or tedious — it doesn’t have to be. These six simple and effective best practices will help you protect your WordPress website from malicious, unwanted attention (hint: Jetpack can help!).

Jetpack 3.7.1 and 3.7.2: Security and Maintenance Releases

With the release of Jetpack 3.7.1 and 3.7.2 this week, we’ve added some important security updates and bug fixes. We strongly encourage you to update your sites to the latest version as soon as possible.

In Jetpack 3.7.1 we made a lot of improvements to the plugin, including some important security fixes:

  • Jetpack versions 3.7.0 and earlier are vulnerable to a cross-site scripting vulnerability in the contact form due to improper input sanitization. Reported by Marc-Alexandre Montpas from Sucuri.
  • Jetpack version 3.7.0 is vulnerable to an information disclosure vulnerability in certain hosting configurations. Reported by Jaime Delgado Horna of Listae.

Other notable updates in this release include:

  • Updating the Google+ logo in our sharing buttons.
  • Adding custom capabilities for module management for multisite installs.
  • Fixing a bug that was sending the contact form response fields in the wrong order.

In Jetpack 3.7.2, we fixed a REST API bug that created duplicate drafts and duplicate published posts when publishing through the API.

Full changelog can be found on our plugin page.

Thanks to everyone who contributed to these two releases: Alexander Kirk, Andrew Duthie, Brandon Kraft, Dennis Snell, Derek Smart, Dion Hulse, Eduardo Reveles, Enej Bajgoric, Eric Binnion, George Stephanis, Gregory Cornelius, Igor Zinovyev, James Nylen, Jeremy Herve, Jesse Friedman, Joen Asmussen, Joey Kudish, Kat Hagan, Marcus Kazmierczak, Miguel Lezama, Sam Hotchkiss, and Timmy Crawford.

Jetpack 3.4.3: Coordinated Security Release

Jetpack 3.4.3 contains a critical security update and you should update your sites and any you help manage as soon as possible.

Background

Sucuri notified us of an issue where improperly escaped URLs were being generated by a number of high-profile WordPress plugins, including Jetpack and Yoast. We’ve worked with the WordPress Security Team to coordinate a release which is being pushed out to all users. By the time we published this post (6pm GMT, April 20, 2015), if you haven’t opted out of auto-updates, your sites will update themselves automatically.

The Vulnerability

The vulnerability Sucuri discovered would allow an attacker to send a WordPress user with administrative rights a link which could execute malicious JavaScript. The vulnerability was introduced in Jetpack 3.0 and to date we have no evidence of this being exploited. However, now that this update is public, it’s more likely that exploits may occur. To avoid a breach, you should update your site as soon as possible.
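Both the 3.7.1 contact form fix and this 3.4.3 release come down to the same rule: escape for the context you are writing into, at the point of output. The following is an added example, not Jetpack’s code and not the code path that was patched; it models the two bug classes the posts describe (a URL built from the current request and written unescaped into an admin page, and contact form input echoed back as-is) next to the hardened versions. The request URI, form fields and function names are constructed for the example.

```python
"""Output escaping for reflected URLs and echoed form fields.

Added example, not Jetpack's code. It models the bug classes described
in the 3.4.3 and 3.7.1 posts, not the exact code that was patched.
"""
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed request URI: what the server sees after an administrator
# clicks a crafted link. The query value closes the href attribute and
# injects a script element if it is echoed back verbatim.
CRAFTED_REQUEST_URI = '/wp-admin/admin.php?page=jetpack"><script>alert(1)</script>'

# Constructed contact-form submission with a payload in a free-text field.
CRAFTED_FORM = {"name": "Alice", "message": '<img src=x onerror="alert(1)">'}


def build_link_unsafe(request_uri: str, extra_params: dict) -> str:
    """Vulnerable pattern: append parameters to the raw request URI and
    interpolate the result into an attribute without escaping."""
    separator = "&" if "?" in request_uri else "?"
    url = request_uri + separator + urlencode(extra_params)
    return '<a href="' + url + '">Settings</a>'


def build_link_safe(request_uri: str, extra_params: dict) -> str:
    """Hardened pattern: rebuild the URL from parsed parts (re-encoding
    every query value), refuse non-HTTP schemes, and escape for the
    attribute context at the point of output."""
    parts = urlsplit(request_uri)
    if parts.scheme not in ("", "http", "https"):
        # javascript: and data: URLs survive HTML escaping, so reject them
        parts = urlsplit("/")
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query.update(extra_params)
    url = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))
    return '<a href="' + html.escape(url, quote=True) + '">Settings</a>'


def render_form_unsafe(fields: dict) -> str:
    """Vulnerable pattern: echo submitted fields back into the page as-is."""
    return "".join(f"<p><b>{k}:</b> {v}</p>" for k, v in fields.items())


def render_form_safe(fields: dict) -> str:
    """Hardened pattern: escape each value for the HTML text context it
    lands in. A 'sanitised' copy stored on input does not replace this,
    because the right escaping depends on where the value is written."""
    return "".join(
        f"<p><b>{html.escape(k)}:</b> {html.escape(v)}</p>" for k, v in fields.items()
    )


def contains_markup(fragment: str) -> bool:
    """Crude oracle: does the rendered fragment still contain an injected
    tag? Escaped tags appear as '&lt;script' / '&lt;img' and do not match."""
    lowered = fragment.lower()
    return "<script" in lowered or "<img" in lowered


if __name__ == "__main__":
    print("unsafe link:", build_link_unsafe(CRAFTED_REQUEST_URI, {"action": "save"}))
    print("safe link:  ", build_link_safe(CRAFTED_REQUEST_URI, {"action": "save"}))
    print("unsafe form:", render_form_unsafe(CRAFTED_FORM))
    print("safe form:  ", render_form_safe(CRAFTED_FORM))
```

Two details matter in practice. First, escaping for the attribute context is what closes the hole; re-encoding the query string is hygiene that keeps the link well-formed but would not by itself have stopped a payload placed in the path. Second, `html.escape` does nothing about a `javascript:` scheme, which is why the hardened builder checks the scheme separately; WordPress’ own `esc_url()` makes the same check.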

How to Update

We have prepared and shipped updates to all affected versions of Jetpack. Unless you’ve opted out, your sites should update automatically – please check your sites to confirm that Jetpack plugin has been successfully updated to one of these versions: 3.0.3, 3.1.2, 3.2.2, 3.3.3, or 3.4.3.

If not, please visit the Plugins page in your Dashboard and update Jetpack from there or update all your sites in bulk from wordpress.com/plugins/jetpack.

Note: not every plugin affected by this issue will be auto-updated; some vendors are releasing their updates separately. For that reason, make sure that all your plugins, not only Jetpack, are up to date as those updates are released over the next few days.

Feedback

As always, we greatly appreciate your continued use and support of Jetpack and we sincerely apologize for the inconvenience this has caused.

We take the security of your sites extremely seriously so please feel free to get in touch with our support team, create a new forum post, or leave a comment on this blog post if you have any concerns or problems updating.

We’d also like to extend our huge thanks to the crew on the WordPress Security Team who worked around the clock – and across timezones and several plugin teams – to coordinate today’s release.

Jetpack 3.4: Protect, Secure, and Simplify

With Jetpack 3.4, we’ve added new security features to protect your Jetpack-connected WordPress sites from botnet attacks. We’ve also taken some first steps to create a simplified interface for how you interact with Jetpack.

Your WordPress, Secured.

Brute force attacks are a growing concern for many website administrators. By integrating features from the WordPress plugin BruteProtect, Jetpack Protect can help you take control of site security and protect your site from this common attack vector.

A Centralized Experience

Continuing Jetpack’s mission to bring feature parity between self-hosted WordPress sites and WordPress.com, you will soon be able to manage security features from either your site’s dashboard or a central interface on WordPress.com. Locked out of your site from too many failed login attempts? You can whitelist your IP address in WordPress.com.
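The mechanism behind a brute force protection feature is a lockout counter keyed by source address, with an allowlist for addresses that must never be locked out. The following is an added example, not Jetpack Protect’s code: it implements that behaviour with assumed thresholds (five failures in five minutes, fifteen-minute lockout) and replays it over a constructed set of login events. Jetpack’s actual limits, storage and the shared blocklist it consults are not described in the post and are not modelled here.

```python
"""Failed-login lockout with an IP allowlist.

Added example, not Jetpack Protect's code. Thresholds are assumptions;
the post gives no numbers.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed login events: (seconds, source IP, outcome). 203.0.113.7
# hammers the login form, 198.51.100.5 is the administrator's allowlisted
# address, 192.0.2.10 is a user who mistypes once and then gets in.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", "fail"),
    (1, "198.51.100.5", "fail"),
    (2, "198.51.100.5", "fail"),
    (3, "198.51.100.5", "fail"),
    (4, "198.51.100.5", "fail"),
    (5, "203.0.113.7", "fail"),
    (6, "198.51.100.5", "fail"),
    (7, "198.51.100.5", "fail"),
    (10, "203.0.113.7", "fail"),
    (15, "203.0.113.7", "fail"),
    (20, "203.0.113.7", "fail"),   # fifth failure inside the window: locked
    (25, "203.0.113.7", "fail"),   # refused without checking the password
    (30, "192.0.2.10", "fail"),
    (40, "192.0.2.10", "ok"),
    (921, "203.0.113.7", "fail"),  # lockout expired; counting starts again
]


class LoginGuard:
    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, allowlist=()):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.allowlist = [ip_network(n) for n in allowlist]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lock expires

    def is_allowlisted(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def is_locked(self, ip: str, now: int) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]
            return False
        return True

    def note_failure(self, ip: str, now: int) -> str:
        """Record a failed login; returns the decision taken for this attempt."""
        if self.is_allowlisted(ip):
            return "allowlisted"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # sliding window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"

    def note_success(self, ip: str) -> None:
        self.failures.pop(ip, None)


def replay(events, guard: LoginGuard) -> list:
    """Run the guard over a list of events and return one decision per event."""
    decisions = []
    for now, ip, outcome in events:
        if guard.is_locked(ip, now):
            decisions.append("blocked")
        elif outcome == "ok":
            guard.note_success(ip)
            decisions.append("success")
        else:
            decisions.append(guard.note_failure(ip, now))
    return decisions


if __name__ == "__main__":
    guard = LoginGuard(allowlist=["198.51.100.0/24"])
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, guard)):
        print(event, "->", decision)
```

The check a practitioner should add before deploying anything like this: the address you key on must be the one you trust. If the IP is read from a client-controlled header such as `X-Forwarded-For` rather than from the socket peer or a proxy you control, an attacker picks the key and can both evade the lock and lock other people out.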

Jump Start

With the click of a button, you can immediately boost performance, security, and engagement to jump start your site with a curated set of Jetpack modules. This feature is tailored for those who are new to the plugin or setting up a fresh installation of Jetpack.

How to Update

Visit the Plugins page in your Dashboard and update Jetpack from there. Alternatively update all your sites in bulk from wordpress.com/plugins/jetpack.
How to Install

You can install Jetpack by visiting our install page or by searching for it in your Plugins page on your dashboard.
Feedback

Please give us your feedback by leaving a comment and letting us know what you love or what you’d like to see in future updates. If you find any bugs or issues, please file a new issue on GitHub, create a new forum post, or simply contact our support team.
Automattic Acquires BruteProtect

I’m excited to announce that Automattic has acquired BruteProtect, a plugin and service that protects your sites from malicious logins, saves server resources so your site runs faster, and keeps all your sites on the latest and greatest versions of WordPress core, plugins, and themes.

The plugin and service are currently available, but over the coming months we’re going to build their functionality into Jetpack and retire BruteProtect as a standalone thing.

BruteProtect also has a premium service that starts at $5 a month per site — effective immediately, that will be free for every BruteProtect user and Jetpack-enabled site. If you’re already a BruteProtect subscriber we’ll be in touch soon to send you a surprise thank you for your early support. You can download and get started with Jetpack here.

The BruteProtect team is based in Bath, Maine and they’re long-time contributors to the WordPress community. We’re excited to see them join forces with the Jetpack team and up the level of security, protection, and peace of mind we’ll be able to bring to the millions of sites already using Jetpack.

Though Automattic is known for its consumer-facing services like WordPress.com and Jetpack, the infrastructure behind them is the bottom part of the iceberg. Taking services to web-scale is another one of Automattic’s specialties, whether it’s the 8 billion Gravatars we serve every day, the Simperium sync service, or the countless spam that Akismet has blocked (and time it has saved).

This is internet plumbing: when it works it’s completely invisible, and we love that. We’re now pushing 450 terabytes of data a day from 9 datacenters around the globe.

Welcome, BruteProtect! You can read more about the acquisition from Sam on their blog.

Jetpack 2.9.3: Critical Security Update

Jetpack version 2.9.3 contains a critical security update, and you should update your site and any you help manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.

During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.

Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible. (The vulnerability has been disclosed on the MITRE Common Vulnerabilities and Exposures system as CVE-2014-0173.)

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

Over the next few hours, we will reach out to individuals whose sites are still running an insecure version. Sites that don’t update may be disconnected from the Jetpack service for their own security, and will be able to reconnect as soon as their version of Jetpack is updated.

If you host a large number of Jetpack-powered blogs, please leave your contact information in the comments so we can be in touch in the future. We have prepared and shipped point releases for all eleven vulnerable branches of the Jetpack codebase: 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3. If you can force these upgrades for your hosted users, it will prevent their sites from being compromised.

Finding and fixing bugs is a key part of software development. I can’t promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible. We care deeply about each and every WordPress user.
