Security Alert – WordPress Website Vulnerability and How to Fix

Posted by Timothy Platt on Nov 2, 2017


In this series of articles, we’ll address a timely security issue relevant to our clients. We’ll relate complex security topics in easy-to-understand terms. This article is being posted on November 3, 2017.


WordPress SQL Injection Vulnerability v4.8.2 and Earlier

WordPress versions 4.8.2 and earlier contain a serious SQL injection vulnerability. Websites using these versions of WordPress are exploitable remotely. It is not known if this vulnerability is already being exploited “in the wild” – but you can bet that it will be shortly, now that details about the vulnerability have been made public. WordPress released a fix for this (in the form of version 4.8.3) on October 31, 2017.

WordPress is a website building framework that is frequently used by small businesses.


What is a “vulnerability”?

A vulnerability is a bug or defect in the underlying code that allows unintended usage or attacks. In this particular case it is a “SQL injection” vulnerability, which allows an attacker to run arbitrary SQL commands against the underlying database. This is particularly dangerous for WordPress, because the database formats (table names, columns, etc.) are well known. Lastly, it is believed it can be exploited remotely without a login on your web site or server – and this combination of factors makes this a serious security issue.
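To make “SQL injection” concrete, here is an added illustration (not code from the original article and not WordPress code; WordPress itself is written in PHP and provides `$wpdb->prepare()` for the same purpose). It builds a small in-memory SQLite table standing in for a CMS posts table, then runs the same lookup two ways: once by pasting user input into the query text, which lets specially crafted input change what the query does, and once with a bound parameter, which the database never interprets as SQL. The table contents and the lookup function names are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a stand-in for a CMS posts table (not the real WordPress schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER, title TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?, ?)",
        [
            (1, "Public announcement", "publish"),
            (2, "Unpublished draft with internal notes", "draft"),
            (3, "Private customer list", "private"),
        ],
    )
    return conn


def find_published_unsafe(conn, title):
    """Vulnerable pattern: the caller's input becomes part of the SQL text.

    Input containing a quote can close the string literal early and append
    its own conditions, so the 'status = publish' restriction no longer holds.
    """
    sql = "SELECT id FROM posts WHERE status = 'publish' AND title = '%s'" % title
    return [row[0] for row in conn.execute(sql)]


def find_published_safe(conn, title):
    """Hardened pattern: the input is passed as a bound parameter.

    The SQL structure is fixed before the value is supplied, so whatever the
    input contains is compared as data, never executed as SQL.
    """
    sql = "SELECT id FROM posts WHERE status = 'publish' AND title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def compare(title):
    """Run both versions on the same input and return (unsafe_ids, safe_ids)."""
    conn = make_db()
    return find_published_unsafe(conn, title), find_published_safe(conn, title)


if __name__ == "__main__":
    # Ordinary input: both versions return only the matching published post.
    print(compare("Public announcement"))
    # Input that carries its own SQL: the unsafe version leaks every row,
    # including drafts and private posts; the safe version returns nothing.
    print(compare("x' OR '1'='1"))
```

The lesson for site owners is not the specific input but the pattern: any code path that assembles SQL from strings is at risk, and the durable fix is parameterized queries in every plugin and theme, which is exactly why the article stresses that themes and plug-ins are where this bug bites.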

What’s the impact of this bug?

This particular vulnerability is concerning – it’s widespread, easy to utilize remotely, and does not require the attacker to have a valid login to exploit. Once the attacker has used this exploit they can do a number of things: defacement (vandalism), planting malware downloads on your website, download sensitive information, or use your server to attack other websites. This particular vulnerability doesn’t jeopardize the core of WordPress, but can jeopardize themes and plug-ins – and those things are in use on nearly every WordPress installation.

What is WordPress?

WordPress is one of the most common frameworks used to build public websites – it is estimated that over 30 million websites are currently using this system. WordPress is a “Content Management System” (CMS). It’s popular because it is open source, easy to maintain, and very flexible. If you have a website, there’s a good chance it’s using WordPress.

How does this affect my business?

If your public website utilizes WordPress version 4.8.2 or earlier – you are potentially vulnerable to this. In the case of defacement, the short-term impacts can mean your website is inaccessible to your customers and potential customers, or provides misleading information. Longer term, your Google search rankings can be affected by defacement, or if the attacker has uploaded malware to your site (Google may block access to websites it deems are hosting malware). Lastly, because it is a SQL injection attack, any information hosted on your website server can potentially be stolen (databases, login credentials, etc.). The last item is particularly concerning if you have any customer information on your website. You may be legally required to disclose that the information was potentially hacked.

Often business owners believe they aren’t a target for these kinds of exploits – they believe their website or business is too small or too unimportant to be targeted. The major flaw in this logic is that these attacks are often scripted (automated) and are performed on a massive scale. They do not require that an individual or person is targeting your website, the mere fact that your website is on the internet opens it up to attack.

How can I fix this issue?

We recommend you confirm with your managed service provider what version of WordPress your site uses. After making a complete backup of all your website files and database, we recommend immediately updating to the current available version. As with all upgrades there is occasionally an incompatibility with your website’s code or content and having backups will allow you or your provider to restore service quickly if needed.
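As an added aid for the first step above (confirming which version a site runs), here is a small version check that is not part of the original article. It assumes the site’s version is recorded as a PHP assignment of the form `$wp_version = '4.8.2';` (the layout WordPress uses in its `wp-includes/version.php` file, stated here as an assumption rather than taken from the article) and compares it with the 4.8.3 release the article names as the fix. The sample file contents and the function names are constructed for the example; point `read_site_version()` at your own install to use it.

```python
import re

# Version the article identifies as carrying the fix.
FIXED_VERSION = "4.8.3"

# Constructed sample of a version file, in the '$wp_version = ...;' layout assumed above.
SAMPLE_VERSION_FILE = """<?php
/**
 * WordPress version file (constructed sample for this example).
 */
$wp_version = '4.8.2';
$wp_db_version = 38590;
"""


def parse_wp_version(text):
    """Return the version string from a '$wp_version = ...;' line, or None if absent."""
    match = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]\s*;", text)
    return match.group(1) if match else None


def version_tuple(version):
    """Turn '4.8.2' (or '4.9-beta1') into a tuple of ints for ordering; pre-release
    suffixes are ignored, which errs on the side of reporting a fix as present."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version predates the fixed release."""
    return version_tuple(version) < version_tuple(fixed)


def assess(text):
    """Parse a version file's contents and return (version, vulnerable_flag, advice)."""
    version = parse_wp_version(text)
    if version is None:
        return None, None, "Could not find $wp_version; confirm the version with your provider."
    if is_vulnerable(version):
        return version, True, "Back up files and database, then update to the current release."
    return version, False, "At or past the fixed release; keep applying updates as they ship."


def read_site_version(path):
    """Read a version file from disk (hypothetical path supplied by the caller)."""
    with open(path, encoding="utf-8") as fh:
        return assess(fh.read())


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_FILE))
```

Because the comparison is numeric per component, the check also treats every 4.7.x, 4.6.x and older 4.x release as vulnerable, matching the article’s “4.8.2 and earlier” scope; it does not by itself tell you whether a given old release received a backported fix, so the update advice still stands.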


Long Term Best Practices

Vulnerabilities such as this are a by-product of the technology we depend on – it is an ongoing problem that will not end in the future. Therefore we recommend the following best practices be implemented for all client websites:

The above is general advice that should apply to any business with a public website. But your situation may be different. If you’d like specific help for your situation, please reach out to us.


IT Support by Virtual Operations

Virtual Operations provides IT support for small businesses in the Orlando and Central Florida area. Our managed IT services offering provides the expertise and quality care your small business needs. Please contact us today to find out how we can help with your computer support and network support needs.
