As part of WordPress's commitment to maintaining the WordPress core, version 4.7.3 (the third maintenance release for WordPress 4.7) has been released and includes the following security corrections:
- Cross-site scripting (XSS) via media file metadata.
- Control characters can trick redirect URL validation.
- Unintended files can be deleted by administrators using the plugin deletion functionality.
- Cross-site scripting (XSS) via video URL in YouTube embeds.
- Cross-site scripting (XSS) via taxonomy term names.
- Cross-site request forgery (CSRF) in Press This leading to excessive use of server resources.
Read more information about the WordPress 4.7.3 update, and be sure to perform a complete site backup prior to updating so that you can always reverse course if something breaks. The backup plugin Frugal Web Guy recommends is the free version of UpdraftPlus. UpdraftPlus Premium is the paid version of UpdraftPlus and offers additional options, including backup to multiple locations, adjusting the time at which backups are created, and support.
In addition to the backup plugin, the use of an off-site storage location such as S3 from Amazon or Dropbox is highly recommended, to ensure your site's backup files are in a secure location. Keeping backup files on-site, or at least solely on-site, is not recommended. UpdraftPlus offers off-site storage support in both the free and premium versions.