Jetpack

Automattic Acquires BruteProtect

I’m excited to announce that Automattic has acquired BruteProtect, a plugin and service that protects your sites from malicious logins, saves server resources so your site runs faster, and keeps all your sites on the latest and greatest versions of WordPress core, plugins, and themes.

The plugin and service are currently available, but over the coming months we’re going to build their functionality into Jetpack and retire BruteProtect as a standalone thing.

BruteProtect also has a premium service that starts at $5 a month per site — effective immediately, that will be free for every BruteProtect user and Jetpack-enabled site. If you’re already a BruteProtect subscriber we’ll be in touch soon to send you a surprise thank you for your early support. You can download and get started with Jetpack here.

The BruteProtect team is based in Bath, Maine and they’re long-time contributors to the WordPress community. We’re excited to see them join forces with the Jetpack team and up the level of security, protection, and peace of mind we’ll be able to bring to the millions of sites already using Jetpack.

Though Automattic is known for its consumer-facing services like WordPress.com and Jetpack, the infrastructure behind them is the bottom part of the iceberg. Taking services to web-scale is another one of Automattic’s specialties, whether it’s the 8 billion Gravatars we serve every day, the Simperium sync service, or the countless spam that Akismet has blocked (and time it has saved).

This is internet plumbing: when it works it’s completely invisible, and we love that. We’re now pushing 450 terabytes of data a day from 9 datacenters around the globe.

Welcome, BruteProtect! You can read more about the acquisition from Sam on their blog.

Posted in Milestone | 12 Comments

Jetpack 2.9.3: Critical Security Update

Jetpack version 2.9.3 contains a critical security update, and you should update your site and any you help manage as soon as possible. You can update through your dashboard, or download Jetpack manually here.

During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.

Fortunately, we have no evidence of this being used in the wild. However, now that this update is public, it’s just a matter of time before exploits occur. To avoid a breach, you should update your site as soon as possible. (The vulnerability has been disclosed on the MITRE Common Vulnerabilities and Exposures system as CVE-2014-0173.)

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

Over the next few hours, we will reach out to individuals whose sites are still running an insecure version. Sites that don’t update may be disconnected from the Jetpack service for their own security, and will be able to reconnect as soon as their version of Jetpack is updated.

If you host a large number of Jetpack-powered blogs, please leave your contact information in the comments so we can be in touch in the future. We have prepared and shipped point releases for all eleven vulnerable branches of the Jetpack codebase: 1.9.4, 2.0.6, 2.1.4, 2.2.7, 2.3.7, 2.4.4, 2.5.2, 2.6.3, 2.7.2, 2.8.2, and 2.9.3. If you can force these upgrades for your hosted users, it will prevent their sites from being compromised.
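For hosts auditing a fleet, the following added example (not code from the Jetpack project) maps each installed Jetpack version to the point release that fixes its branch, using the eleven releases named above. The site names and versions in the inventory are constructed, and treating branches newer than 2.9 as patched is an assumption.

```python
import re

# Patched point release for each vulnerable branch, as listed in the post.
FIXED = ["1.9.4", "2.0.6", "2.1.4", "2.2.7", "2.3.7", "2.4.4",
         "2.5.2", "2.6.3", "2.7.2", "2.8.2", "2.9.3"]

def parse(version):
    """Return (major, minor, patch), or None for strings we cannot read."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

FIXED_BY_BRANCH = {parse(v)[:2]: parse(v) for v in FIXED}
FIRST_AFFECTED = min(FIXED_BY_BRANCH)  # (1, 9): bug introduced in 1.9
LAST_LISTED = max(FIXED_BY_BRANCH)     # (2, 9)

def assess(version):
    """Return (status, target); target is the point release to force."""
    v = parse(version)
    if v is None:
        return ("unknown", None)       # betas, custom builds: check by hand
    branch = v[:2]
    if branch < FIRST_AFFECTED:
        return ("not-affected", None)
    if branch > LAST_LISTED:
        return ("patched", None)       # assumption: later branches keep the fix
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return ("unknown", None)
    if v >= fixed:
        return ("patched", None)
    return ("vulnerable", ".".join(map(str, fixed)))

def audit(inventory):
    """Map each site that needs action to its (status, target)."""
    report = {}
    for site, version in inventory:
        status, target = assess(version)
        if status in ("vulnerable", "unknown"):
            report[site] = (status, target)
    return report

# Constructed inventory (hypothetical sites and versions).
SAMPLE = [("blog-a.example", "2.5.1"), ("blog-b.example", "1.9"),
          ("blog-c.example", "1.8.3"), ("blog-d.example", "2.9.3"),
          ("blog-e.example", "2.9-beta2"), ("blog-f.example", "2.0.6")]

if __name__ == "__main__":
    for site, (status, target) in audit(SAMPLE).items():
        print(site, status, target or "review manually")
```

Upgrading within the same branch keeps the change minimal for sites that cannot move to 2.9.3 directly; versions the parser cannot read are reported as unknown rather than assumed safe.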

Finding and fixing bugs is a key part of software development. I can’t promise there will never be another issue like this, but I can promise that when a problem is found we will do everything in our power to protect as many people as possible, as quickly as possible. We care deeply about each and every WordPress user.

Posted in Releases | 92 Comments

Jetpack 2.9

Jetpack 2.9 is out! We’ve got a few exciting new additions — Multisite support, a Related Posts module, and a more secure Single Sign On — along with many smaller improvements and bug fixes.

Manage all your Multisite connections with one login

Logging in to each blog on a Multisite network to connect and configure Jetpack can be time consuming. Now, you can administer them all from one master account. When network-activating Jetpack, you’ll see a new Jetpack > Settings tab in your Network Admin. From here, you can manage all your blogs’ connections, control whether individual blog admins can reconnect with their own account, and designate which Jetpack modules are activated by default.

Make your site stickier with Related Content

The Related Posts module encourages your visitors to stick around longer by displaying links to additional content on your site related to what they’re currently viewing. Usually, analyzing website content to suggest relations eats up precious server resources. By utilizing the power of WordPress.com, the Related Posts module gives visitors more of what they came for while keeping your server resources freed up.

Sample Related Posts

More security with Single Sign On

The Single Sign On module already gives you peace of mind against compromised user accounts because WordPress.com handles all the authentication for you — your site never touches the user’s private credentials. This release takes security a step further by giving site administrators the ability to require users to have Two-Step authentication enabled on their WordPress.com account before they can log in.

Posted in Releases | 47 Comments