Security Alert – WordPress Website Vulnerability and How to Fix
Posted by Timothy Platt on Nov 2, 2017
In this series of articles, we’ll address a timely security issue relevant to our clients. We’ll relate complex security topics in easy to understand terms. This article is being posted on November 3, 2017.
WordPress SQL Injection Vulnerability v4.8.2 and Earlier
WordPress versions 4.8.2 and earlier contain a serious SQL injection vulnerability. Websites using these versions of WordPress are exploitable remotely. It is not known if this vulnerability is already being exploited “in the wild” – but you can bet that it will be shortly, now that details have been made public about the vulnerability. WordPress released a fix for this (in the form of version 4.8.3) on October 31, 2017.
WordPress is a website building framework that is frequently used by small businesses.
What is a “vulnerability”?
A vulnerability is a bug or defect in the underlying code that allows unintended usage or attacks. In this particular case it is a “SQL Injection” vulnerability, which allows an attacker to run arbitrary SQL commands against the underlying database. This is particularly dangerous for WordPress, because the database formats (table names, columns, etc.) are well known. Lastly, it is believed it can be exploited remotely without a login on your web site or server – and this combination of factors makes this a serious security issue.
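To make the term concrete, here is an added example (not code from the article, and not the WordPress bug itself) of what a SQL injection defect looks like in plugin code and how it is fixed. It assumes a plugin running inside WordPress, where the global $wpdb database object and helpers such as sanitize_email() are available; the table name customer_notes and the function names prefixed vo_example_ are made up for the illustration.

```php
<?php
// Added example (not from the original article): the same lookup written two ways.
// Assumes a WordPress plugin context where the global $wpdb object is available
// and a hypothetical table {$wpdb->prefix}customer_notes with a column customer_email.

// DEFECT: the visitor-supplied value is pasted straight into the SQL text, so a
// crafted value can change the meaning of the query. This is the kind of bug
// the term "SQL injection" describes; it is shown only to contrast with the fix.
function vo_example_notes_unsafe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'customer_notes';
    $sql   = "SELECT note FROM {$table} WHERE customer_email = '{$email}'";
    return $wpdb->get_results( $sql );
}

// FIX: $wpdb->prepare() keeps the SQL text fixed and supplies the value
// separately, escaped, so whatever the visitor typed is only ever treated as data.
function vo_example_notes_safe( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'customer_notes';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT note FROM {$table} WHERE customer_email = %s", $email )
    );
}

// Validate the input before it reaches the database layer at all:
// reject anything that is not a well-formed e-mail address.
function vo_example_handle_request() {
    $email = isset( $_GET['email'] ) ? sanitize_email( wp_unslash( $_GET['email'] ) ) : '';
    if ( '' === $email || ! is_email( $email ) ) {
        return array();
    }
    return vo_example_notes_safe( $email );
}
```

The defence is two layers: validate the value against what it is supposed to be, and never build SQL by string concatenation. Code that uses $wpdb->prepare() still only gets that protection from a patched WordPress, which is why updating the framework matters even for sites whose own code is written carefully.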
What’s the impact of this bug?
This particular vulnerability is concerning – it’s widespread, easy to utilize remotely, and does not require the attacker to have a valid login to exploit. Once the attacker has used this exploit they can do a number of things: defacement (vandalism), planting malware downloads on your website, download sensitive information, or use your server to attack other websites. This particular vulnerability doesn’t jeopardize the core of WordPress, but can jeopardize themes and plug-ins – and those things are in use on nearly every WordPress installation.
What is WordPress?
WordPress is one of the most common frameworks used to build public websites – it is estimated that over 30 million websites are currently using this system. WordPress is a “Content Management System” (CMS). It’s popular because it is open source, easy to maintain, and very flexible. If you have a website, there’s a good chance it’s using WordPress.
How does this affect my business?
If your public website utilizes WordPress version 4.8.2 or earlier – you are potentially vulnerable to this. In the case of defacement, the short term impacts can mean your website is inaccessible by your customers and potential customers or provides misleading information. Longer term, your Google search rankings can be affected by defacement, or if the attacker has uploaded malware to your site (Google may block access to websites it deems are hosting malware). Lastly, because it is a SQL injection attack, any information hosted on your website server can potentially be stolen (databases, login credentials, etc.). The last item is particularly concerning if you have any customer information on your website. You may be legally required to disclose that the information was potentially hacked.
Often business owners believe they aren’t a target for these kinds of exploits – they believe their website or business is too small or too unimportant to be targeted. The major flaw in this logic is that these attacks are often scripted (automated) and are performed on a massive scale. They do not require that an individual is targeting your website; the mere fact that your website is on the internet opens it up to attack.
How can I fix this issue?
We recommend you confirm with your managed service provider what version of WordPress your site uses. After making a complete backup of all your website files and database, we recommend immediately updating to the current available version. As with all upgrades there is occasionally an incompatibility with your website’s code or content and having backups will allow you or your provider to restore service quickly if needed.
Long Term Best Practices
Vulnerabilities such as this are a by-product of the technology we are dependent on – it is an ongoing problem that will not end in the future. Therefore we recommend the following best practices be implemented for all client websites:
- Create and test complete backups of your website on a regular basis – this ensures you can restore the website if a major problem occurs
- Upgrade your WordPress framework promptly – WordPress regularly releases security fixes, and you should implement these as quickly as possible
- Set your website to automatically apply updates – WordPress can easily be configured to automatically apply updates
- Upgrade all your WordPress plug-ins and themes regularly as well – These bits of code can have their own vulnerabilities too. Nearly every installation of WordPress utilizes one or more plug-ins.
- Secure and maintain a “hardened” server configuration – Follow general best practice for your website server: minimize the services running and ensure the underlying Operating System (OS) is patched for security vulnerabilities regularly.
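For the fix steps above (confirm the version, then update) and the automatic-update recommendation, here is an added check script written for this article; it is not part of WordPress or of the original post. It assumes it is saved in the site’s web root next to wp-config.php (the file name check-wp.php is ours), run once from the command line with php check-wp.php, and then deleted. The 4.8.3 threshold is the fixed version named in the article; the constant WP_AUTO_UPDATE_CORE and the file wp-includes/version.php are real parts of WordPress.

```php
<?php
// Added example, not code from the article: a one-off check for a site
// administrator. Assumed location: the WordPress web root, beside wp-config.php.

$fixed_version = '4.8.3'; // version the article says contains the fix

// wp-includes/version.php defines $wp_version for the installed copy.
$version_file = __DIR__ . '/wp-includes/version.php';
if ( ! file_exists( $version_file ) ) {
    fwrite( STDERR, "Not a WordPress web root: {$version_file} not found.\n" );
    exit( 1 );
}
require $version_file;

if ( version_compare( $wp_version, $fixed_version, '<' ) ) {
    echo "WordPress {$wp_version} is older than {$fixed_version}: take a full backup, then update now.\n";
} else {
    echo "WordPress {$wp_version} includes the fix.\n";
}

// Look for the automatic-update setting the article recommends.
// Simple check: it only recognises the single-quoted define() form.
$config = file_get_contents( __DIR__ . '/wp-config.php' );
if ( false !== $config && preg_match( "/define\(\s*'WP_AUTO_UPDATE_CORE'\s*,\s*true\s*\)/", $config ) ) {
    echo "Automatic core updates are enabled.\n";
} else {
    echo "Automatic core updates are not enabled. Add this line to wp-config.php:\n";
    echo "    define( 'WP_AUTO_UPDATE_CORE', true );\n";
}
```

Setting WP_AUTO_UPDATE_CORE to true tells WordPress to install core updates (including security releases) on its own; plug-ins and themes are updated separately, so the routine update step for those still applies.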
The above is general advice that should apply to any business with a public website. But your situation may be different. If you’d like specific help for your situation, please reach out to us.
IT Support by Virtual Operations
Virtual Operations provides IT support for small businesses in the Orlando and Central Florida area. Our managed IT services offering provides the expertise and quality care your small business needs. Please contact us today to find out how we can help with your computer support and network support needs.
Photo credit: Malware image Photo by HTSABO