This has been a busy week for web security. Yesterday saw the release of WordPress version 3.8.2, a security release that patches several vulnerabilities, and Monday saw the release of information about a vulnerability in OpenSSL encryption that has gained a lot of media attention.
Here we’ll address both releases and provide you with some background and information to make informed decisions.
WordPress 3.8.2 Security Release
WordPress 3.8.2 was released yesterday. It includes patches for several security vulnerabilities, two of which are rated as important or moderate, meaning they can be exploited by someone with the right skill level. WordPress classifies it as an important update and strongly encourages administrators to update their sites.
One of the vulnerabilities can allow an attacker to gain access to your site by forging authentication cookies. The other vulnerability can allow someone with the Contributor role to publish posts.
This release also includes other bug fixes and security measures to harden WordPress.
If you have automatic background updates enabled then your site should already have been updated. If you are running WordPress version 3.7.1 you should be updated to 3.7.2, which fixes these issues. If you are running WordPress 3.7 or earlier then you will have to manually update your site by going to Dashboard, then Updates. Remember to back up your site before you update, just in case something goes wrong.
OpenSSL Heartbleed vulnerability
If you’ve been watching the tech news over the past few days then you’ll probably have seen something about this, or you may have received an email from your hosting provider about it. That is because it is a very serious vulnerability that impacts a lot of people. The vulnerability is in software called OpenSSL, which implements SSL and TLS encryption. This software is used extensively across the Internet to encrypt traffic such as passwords, emails, instant messages and content that should be secured, such as banking information. Most people know that when they go to a website with an HTTPS address they see a little green padlock or other symbol to tell them the site is secure and their traffic is encrypted. It is how we know that we can trust the site and that our information is safe.
In the case of this vulnerability, an attacker can easily steal information that is protected using SSL or TLS encryption if the vulnerable OpenSSL software is being used. This is a serious vulnerability not just because it’s easy to exploit but also because OpenSSL is so widely used on the Internet. The only way to fix the vulnerability is to install the latest patched version of OpenSSL.
You may be asking how this affects you, so I’ll address the most common ways it can affect someone.
- A WordPress site owner can be affected if their hosting provider is vulnerable. You should check with your hosting provider to find out if they are or were vulnerable to the OpenSSL Heartbleed vulnerability and if the server you are hosted on was or is affected. If they are vulnerable then pressure them to fix this immediately because this is a serious issue. If they were vulnerable then make sure that you change ALL of your administrator passwords immediately. This is because vulnerable servers could lead to someone stealing password information and the only way to be sure that nobody has your administrator passwords is to change them.
- If you have a WordPress site where you collect credit card information then check with your hosting provider and your payment gateway provider to make sure any credit card transactions from the past few days are secure. Follow the advice from your payment gateway provider immediately.
- If you have an SSL certificate on your site or server then check with your hosting provider and the company that issues your SSL certificate to see if you need to change anything. Follow their advice immediately.
- If you’ve browsed any SSL encrypted sites in the past few days, especially sites where you store banking information or credit card information, then check to see whether that company has issued a statement about this vulnerability and change your passwords if they think they were vulnerable. This includes email providers such as Google, Yahoo and Hotmail. Most big companies have already issued statements about this.
There is a site where you can test whether a website is vulnerable. You can find it at http://filippo.io/Heartbleed/
You can find more technical information at Heartbleed.com
It is important that you don’t ignore this vulnerability. It’s one of the most serious vulnerabilities to affect the Internet in many years and has the potential to result in a lot of stolen passwords and data.
If you need help protecting yourself against this vulnerability or updating WordPress, give us a call at 1-855-284-5940 or contact us here.