Major WordPress Security Announcement!

If you have a WordPress website, please read this!

I don’t want to seem melodramatic or anything, but if you have a WordPress website, you need to read this.

Over the last few weeks, some pretty serious security exploits have been announced, covering some very popular and major plugins (like WordPress SEO by Yoast, GravityForms, Jetpack, Google Analytics by Yoast and others). If you want to read the more technical explanation check out the post from iThemes and Sucuri.

If you don’t want to read the technical information, I’ll put it simply for you – some of our favorite plugins were using a WordPress function incorrectly, partly because the documentation provided for the function wasn’t very clear.

All of the affected plugins pushed updates last week, so if you haven’t updated your site recently, make a backup and go do that now.

More Importantly!!!

A critical security issue was found today that affects ALL WordPress websites, because the issue stems from the WordPress core software, not a theme or plugin. If you allow comments on your site, hackers could inject nasty code that could allow them to change your site.

From Sucuri.net –
“If your WordPress site allows users to post comments via the WordPress commenting system, you’re at risk. An attacker could leverage a bug in the way comments are stored in the site’s database to insert malicious scripts on your site, thus potentially allowing them to infect your visitors with malware, inject SEO spam or even insert backdoor in the site’s code if the code runs when in a logged-in administrator browser.”

What you need to do…

Sucuri’s suggestions are to disable comments on your site, or to put a Web Application Firewall in front of it to filter legitimate requests from exploit attempts.

To disable comments, try changing your settings on Settings > Discussion to what I have below. 

In the first section, uncheck all boxes to prevent comments on new blog posts/pages. This won’t disable comments on existing posts, however.

In the second section, “Other Comment Settings,” I’ve checked the box to require people to be logged in to leave a comment. Since I don’t allow anyone to register for my site, this should prevent them from leaving a comment on existing posts/pages as well.

But what do you do if you have a membership site or need to be able to have people register for your site? According to this site, which first disclosed this vulnerability, “the injected JavaScript apparently can’t be triggered in the administrative Dashboard so these exploits seem to require getting around comment moderation e.g. by posting one harmless comment first”. So, if you have to let people register for your site, make sure all comments must be manually approved (last section, “Before a comment appears”), and uncheck the box that allows a comment through when the commenter has had a previously approved comment.

As always, but especially when there’s an all-encompassing issue like this, it’s a good idea to make frequent backups. If you’re not sure how to back up your site, check out this guest post I wrote for the International Virtual Assistants Association that covers a few different ways to back up your site.

If you need help backing up or updating your site, send me a message and let me know. Because this is a big deal and affects everyone with a WordPress website, I’m going to offer some limited-time spots to get a full backup, an update of WordPress core, plugins and themes, and an adjustment of your Discussion (Comment) settings for only $40USD per site. There’s no link – just send me an email to let me know you’re interested.

I’ll be sure to let you know when there’s more news about this issue, and any other security issues regarding WordPress.

Thanks for reading. Now go keep your WordPress website safe!

UPDATE:

Before I even had a chance to publish this, the WordPress team pushed an update that should take care of the problem – version 4.2.1. (See release notes.) It’s not known yet (i.e. I don’t know if it’s been vetted and tested), so you may still want to make the Discussion changes noted above. I’ll let you know as soon as I hear anything about vetting/testing this new release.

If you’re using a version of WordPress that’s not 4.2.1, you need to back up and update your site as soon as possible.
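If you would rather make these changes from the command line (or across several sites), here is an added example that is not part of the original post: it applies the same Settings > Discussion changes with WP-CLI and checks the installed core version against 4.2.1. It assumes WP-CLI (`wp`) is installed, that it is run from the site’s root directory, and that the option names behind those checkboxes are the standard WordPress 4.x ones.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes WP-CLI (`wp`) is installed
# and the script runs from the site's root directory.
set -eu

FIXED_VERSION="4.2.1"   # the release the post's UPDATE says fixes the comment bug

# Returns 0 (true) when version $1 is older than $FIXED_VERSION.
# Done in awk so it works where `sort -V` is unavailable.
needs_update() {
    awk -v have="$1" -v want="$FIXED_VERSION" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            a = (i in h) ? h[i] + 0 : 0
            b = (i in w) ? w[i] + 0 : 0
            if (a < b) exit 0    # older than the fix
            if (a > b) exit 1    # newer than the fix
        }
        exit 1                   # same version
    }'
}

# Mirrors the Settings > Discussion changes from the post. Option names are the
# ones WordPress 4.x stores for those checkboxes (comment_whitelist was renamed
# comment_previously_approved in WordPress 5.5).
lock_down_comments() {
    wp option update default_comment_status closed  # no comments on new posts
    wp option update default_ping_status closed     # no trackbacks/pingbacks
    wp option update comment_registration 1         # must be logged in to comment
    wp option update comment_moderation 1           # every comment held for approval
    wp option update comment_whitelist 0            # no bypass for "previously approved"
    # The first section only covers new content; close comments on existing
    # posts and pages as well.
    for id in $(wp post list --post_type=post,page --format=ids); do
        wp post update "$id" --comment_status=closed
    done
}

# Only act when invoked with --apply, so sourcing the file for its functions touches nothing.
if [ "${1:-}" = "--apply" ]; then
    current="$(wp core version)"
    if needs_update "$current"; then
        echo "WordPress $current is older than $FIXED_VERSION: back up, then run 'wp core update'"
    else
        echo "WordPress $current already includes the fix"
    fi
    lock_down_comments
fi
```

Take a backup first, then run `sh lockdown.sh --apply` from the site root; without `--apply` the script only defines the functions.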
