
Archive | April, 2015

WordPress 4.1.2 Security Release

WordPress 4.1.2 is now available. This is a critical security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site.

Here are the full release notes:

If you need assistance, please contact Reliable Penguin at


XSS Vulnerability Affecting Multiple WordPress Plugins

Multiple WordPress plugins are vulnerable to cross-site scripting (XSS) because of the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions that developers use to add, modify and remove query-string parameters in URLs within WordPress.

The official WordPress documentation (Codex) for these functions was not very clear and misled many plugin developers into using them in an insecure way. Developers assumed that these functions would escape user input for them, which they do not: when no URL is passed, they build on the current request URI ($_SERVER['REQUEST_URI']), which the visitor controls, and return the result without escaping it for HTML output. This simple detail caused many of the most popular plugins to be vulnerable to XSS.

To date, this is the list of affected plugins:

There are probably a few more that we have not listed. If you use WordPress, we highly recommend that you go to your wp-admin dashboard and update any out of date plugins now.

Coordinated Disclosure

This vulnerability was initially discovered last week. Because of the varying degrees of severity and, more importantly, the large number of plugins affected, a joint security release involving all of the developers concerned and the WordPress core security team was coordinated.

If you use WordPress, now it is your turn to update your plugins!

If you have automatic updates enabled, your site should already be patched, especially in the most severe cases.

There are more plugins vulnerable

Only the top 300-400 plugins have been analyzed thus far, so there are likely a number of plugins still vulnerable. If you're a developer, check your code to see how you use these two functions:


Make sure you are escaping their output before use. We recommend wrapping them in esc_url() when the result is printed into HTML, or esc_url_raw() when it is used outside HTML (for example in a redirect or stored in the database). Do not assume that add_query_arg() and remove_query_arg() will escape user input. The WordPress team is providing more guidelines on how to use them here.
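The vulnerable and hardened patterns side by side, as an added example that is not code from the original post or from WordPress. The two demo_* functions are simplified stand-ins for add_query_arg() and esc_url(), reproducing only the behaviour that matters here: the unescaped fallback to the request URI, and esc_url()'s removal of characters that are not valid in a URL. The request URI, the page name and the link markup are constructed for the demonstration.

```php
<?php
// Added example: not code from the original post or from WordPress.
// demo_add_query_arg() and demo_esc_url() are simplified stand-ins for the
// WordPress functions, reproducing only the behaviour that matters here.
declare(strict_types=1);

// Stand-in for add_query_arg(): with no URL given it builds on the raw
// $_SERVER['REQUEST_URI'] (attacker controlled) and returns the result with
// no HTML escaping. The path part is passed through byte for byte.
function demo_add_query_arg(array $args, ?string $uri = null): string
{
    $uri = $uri ?? ($_SERVER['REQUEST_URI'] ?? '/');
    [$base, $query] = array_pad(explode('?', $uri, 2), 2, '');
    parse_str($query, $params);
    foreach ($args as $key => $value) {
        $params[$key] = $value;
    }
    return $base . '?' . http_build_query($params);
}

// Stand-in for esc_url(): drop every character that is not allowed in a URL
// (this removes " < > and whitespace), reject javascript: URLs, and encode
// & and ' so the result is safe inside a double- or single-quoted attribute.
function demo_esc_url(string $url): string
{
    $clean = preg_replace('/[^a-z0-9\-~+_.?#=!&;,\/:%@$|*\'()\[\]\x80-\xff]/i', '', $url);
    if ($clean === null || $clean === '' || preg_match('/^javascript:/i', $clean)) {
        return '';
    }
    return str_replace(['&', "'"], ['&#038;', '&#039;'], $clean);
}

// Constructed attacker request. The payload sits in the path, so no query
// string handling touches it; curl sends these bytes verbatim (modern
// browsers percent-encode some of them):
//   curl 'http://example.test/wp-admin/admin.php/"><script>alert(1)</script>?page=my-plugin'
$_SERVER['REQUEST_URI'] =
    '/wp-admin/admin.php/"><script>alert(1)</script>?page=my-plugin';

// Vulnerable pattern found in the affected plugins: the return value is
// echoed straight into an href attribute.
function vulnerable_link(): string
{
    return '<a href="' . demo_add_query_arg(['orderby' => 'date']) . '">Sort</a>';
}

// Hardened pattern: escape for the HTML attribute context at output time.
function hardened_link(): string
{
    return '<a href="' . demo_esc_url(demo_add_query_arg(['orderby' => 'date'])) . '">Sort</a>';
}

echo "vulnerable: ", vulnerable_link(), PHP_EOL;
echo "hardened:   ", hardened_link(), PHP_EOL;
```

Run it with php from the command line: the first line breaks out of the href attribute and carries a script element, the second keeps the whole value inside the attribute. In a real plugin the fix has the same shape: wrap every add_query_arg() or remove_query_arg() result in esc_url() before it reaches markup, and use esc_url_raw() where the URL goes to wp_redirect() or into storage rather than into HTML. To find call sites, grep the plugin tree for add_query_arg( and remove_query_arg( and inspect what, if anything, wraps each return value.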

Delayed Email Due To Spam Flood

Email through the Reliable Penguin relays was briefly delayed this afternoon due to excessive levels of spam. The problem has been corrected. Backlogged email has been delivered and email is flowing smoothly again.

Critical Magento Updates

Magento is warning users of its popular e-commerce platform that a critical security vulnerability will be revealed in the next few days. All users should make sure they have applied the indicated patches. A copy of the notice is included below. Contact Reliable Penguin if you need assistance.

— start —

Dear Magento Community Edition merchant,

If you have not done so already, download and install 2 previously-released patches that address potential Magento software security risks. The patches prevent an attacker from remotely executing code on Magento software. These issues affect all versions of Magento Community Edition.

Check Point Software Technologies has informed us that they plan to send out a press release in the coming days making one of the security issues widely known, possibly alerting hackers who may try to exploit the issue. While we have not received any reports of merchants being impacted by the security risks, it’s important to ensure the patches are in place as a preventative measure before the issue is publicized.


Check for unknown files in the web server document root directory. If you find any, you may be impacted.

Download and implement 2 patches from the Magento Community Edition download page.

SUPEE-5344 – Addresses a potential remote code execution exploit (Added Feb 9, 2015)

SUPEE-1533 – Addresses two potential remote code execution exploits (Added Oct 3, 2014)

Note: Different versions of the patch are available for Magento Community Edition 1.4.x through 1.9.x.

Implement and test the patches in a development environment first to confirm that they work as expected before deploying them to your production site.

Magento takes security seriously and will continue to actively work to identify and resolve potential issues.

Best Regards,
The Magento Team

— end —
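One way to carry out the "unknown files in the document root" check from the notice, as an added example that is not part of the Magento notice or of Magento's own tooling. It records a checksum baseline of the document root from a known-good state and then lists files that have appeared or changed since. It assumes a POSIX shell with GNU coreutils (find -print0, sort -z, xargs -0, sha256sum, comm); the document root and baseline paths, and the exclusion of var/, are assumptions.

```shell
#!/bin/sh
# Added example, not from the Magento notice: checksum baseline of a Magento
# document root and a diff against it to surface added or modified files.
# Assumes GNU coreutils (find -print0, sort -z, xargs -0, sha256sum, comm).
set -eu

# Checksum every file under DOCROOT except var/ (cache, sessions and logs
# churn constantly). media/ is deliberately NOT excluded: uploaded webshells
# land there, so its new files must show up in the report.
checksum_tree() {   # checksum_tree DOCROOT
    ( cd "$1" && find . -type f ! -path './var/*' -print0 \
        | LC_ALL=C sort -z | xargs -0 sha256sum )
}

# make_baseline DOCROOT BASELINE_FILE : record the known-good state.
# Run this right after a clean install or right after applying the patches.
make_baseline() {
    checksum_tree "$1" > "$2"
}

# find_unknown_files DOCROOT BASELINE_FILE : print paths (relative to DOCROOT)
# that are absent from the baseline or whose contents changed since it was taken.
find_unknown_files() {
    tmp=$(mktemp)
    checksum_tree "$1" | LC_ALL=C sort > "$tmp"
    LC_ALL=C sort "$2" > "$tmp.base"
    # comm -13 keeps lines only in the current listing; then strip the checksum column.
    LC_ALL=C comm -13 "$tmp.base" "$tmp" | sed 's/^[0-9a-f]*  //' | LC_ALL=C sort
    rm -f "$tmp" "$tmp.base"
}

# find_php_in_writable_dirs DOCROOT : PHP files inside directories the web
# server writes to are suspicious regardless of any baseline.
find_php_in_writable_dirs() {
    find "$1/media" "$1/var" -type f -name '*.php' 2>/dev/null | LC_ALL=C sort
}

# Usage (paths are assumptions):
#   make_baseline /var/www/magento /root/magento.sha256      # once, on a clean install
#   find_unknown_files /var/www/magento /root/magento.sha256 # after the patches, and on a schedule
#   find_php_in_writable_dirs /var/www/magento
```

Keep the baseline file outside the document root and outside the web server's reach, and refresh it only after you have deliberately changed the tree (a patch, an extension install); every other entry in the report deserves a look before it is explained away.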

Persistent XSS in WP-Super-Cache

Sucuri has released an urgent security advisory for WP Super Cache, a very popular WordPress plugin. Details of the vulnerability can be found here:

All sites using WP Super Cache are advised to upgrade immediately.

If you are subscribed to Reliable Penguin’s Managed WordPress service then your sites have already been upgraded if necessary.

If you need assistance with this upgrade please contact support at 866-649-7984 or

04-19-2015 – RackSpace DFW Maint

Many cloud and dedicated accounts are receiving notices like the one shown below. We expect little to no impact from this maintenance.



Rackspace has prepared the following summary for this scheduled maintenance window.

Data Center:
Time Window:
April 19th, 2015
00:01 – 06:00 CDT

Maintenance events:
On April 19th, 2015, from 00:01 – 06:00 CDT, Rackspace will upgrade the operating system on an aggregation router providing service to a network switch in your cabinet.

During this time, you may lose network connectivity. Once the switch has been upgraded, all connectivity will be restored. We have taken precautions in preparation for this maintenance and anticipate only a few brief disruptions during the 6 hour window.

The following devices will be impacted:
Instance ID

We apologize for any inconvenience. These changes are necessary to help Rackspace continue to deliver optimal performance and reliability for your hosting environment. If you have any questions, please contact your support team.


— END —


Welcome to our new network status site. The purpose of this site is to provide information to our customers about current network status. This site is hosted on a diverse network independent from our regular operating infrastructure. In the event that our regular infrastructure is unavailable, this site will provide communication and updates.

This site will also be used to distribute important alerts and notices from our infrastructure provider networks. This includes information about outages and scheduled maintenance activities.