I woke up today to the following message concerning three of my blogs:
Howdy <wp.com username>,
You recently requested to have the administration email address on
your site changed.
If this is correct, please click on the following link to change it:
You can safely ignore and delete this email if you do not want to
take this action.
This email has been sent to <my email>
All at <blog name>
I was fairly sure I had not requested any changes to my admin email in the middle of the night. Could someone have hacked three of my blogs, hosted with three different providers, including one important blog (obviously not this one) protected by several additional security measures?
Furthermore, why was the pending change not shown in the user profile? Unconfirmed email changes should look like this:
Finally, as far as I understand, these emails would be sent to the new admin email address, not the old one, making a hack even more unlikely.
As it turns out, it was a bug in Jetpack. Wordfence has more details.
On one of our computers, the Security Tab in the Java Control Panel sometimes looks like this:
As you can see, the part required to manage the exception site list is missing/not accessible. I have no idea why (reinstalling Java did not help).
However, you can also add exceptions by directly editing the exception.sites file. Under Windows 7, it is normally found in the C:\Users\*YOUR USERNAME*\AppData\LocalLow\Sun\Java\Deployment\security directory. Simply add a new line for each URL (e.g. https://stupidbank.example.com), save the file, then restart the browser.
See this page or the official Java documentation for further information.
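The manual edit described above can be scripted so that entries are validated and not duplicated. The following PowerShell is an added example, not part of the original post: the function name Add-JavaExceptionSite, the -AllowHttp switch and the HTTPS-only default are assumptions of this example, and the demo runs against a constructed temporary file rather than the real list.

```powershell
function Add-JavaExceptionSite {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        # Per-user location given in the post.
        [string]$Path = (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\security\exception.sites'),
        [switch]$AllowHttp   # hypothetical opt-in for plain-HTTP entries
    )
    $entry = $Url.Trim()
    $uri = $null
    # Accept only absolute URLs that name a host.
    if (-not [Uri]::TryCreate($entry, [UriKind]::Absolute, [ref]$uri) -or -not $uri.Host) {
        throw "Not an absolute URL with a host: $Url"
    }
    # Policy of this example: HTTPS only unless explicitly overridden.
    $allowed = @('https')
    if ($AllowHttp) { $allowed += 'http' }
    if ($allowed -notcontains $uri.Scheme) {
        throw "Scheme '$($uri.Scheme)' is not accepted: $Url"
    }

    # Read existing entries, dropping blank lines and stray whitespace.
    $lines = @()
    if (Test-Path -LiteralPath $Path) {
        $lines = @(Get-Content -LiteralPath $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    } else {
        New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    }

    # -contains compares case-insensitively, so HTTPS://Host and https://host match.
    if ($lines -contains $entry) { return $false }

    # Keep a backup, then rewrite the whole file so that a missing final
    # newline in the old file cannot merge two entries into one line.
    if (Test-Path -LiteralPath $Path) { Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force }
    Set-Content -LiteralPath $Path -Value ($lines + $entry) -Encoding ASCII
    return $true
}

# Demo on a constructed temporary file, not the real exception list.
$demo = Join-Path $env:TEMP 'exception.sites.demo'
Set-Content -LiteralPath $demo -Value 'https://intranet.example.com' -Encoding ASCII
Add-JavaExceptionSite -Url 'https://bank.example.com' -Path $demo   # new entry
Add-JavaExceptionSite -Url 'HTTPS://bank.example.com' -Path $demo   # same entry, different case
Get-Content -LiteralPath $demo
```

Each entry in this file relaxes Java's security checks for that site, so review the list from time to time and remove entries that are no longer needed.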
Chrome comes with its own Flash plugin and, if you’ve enabled “click-to-play plugins”, you might get the impression that Flash is still widely used (and required) on the internet. According to what I’ve read today, this might be misleading: Even though you’ve enabled click-to-play, websites will still detect that your browser supports Flash and serve you the Flash-enabled version instead of the Flash-less alternative.
To disable Flash in Google Chrome, enter “chrome://plugins” in the address bar and then click on “Disable”: