Security, Security, Security

What you need to know about the latest found exploit

The WordPress world woke up to news of another vulnerability found after a month that seemed filled with news of WordPress security issues.¬† This latest one is an XSS exploit vulnerability confirmed in WordPress 4.2, 4.1.2, 4.1.1, and 3.9.3 which allows an unauthenticated attacker to inject JavaScript into comments (which could allow access into the back-end of one’s system when viewed by an Administrator). There’s no evidence that hackers are using this hole, but now that the information is out there some could decide to do so. If you have Akismet installed and active, you are already protected and have nothing to worry about. Likewise if you have comments disabled. The WordPress security team is also working on a security fix which will no doubt be pushed out automatically when it is ready. If you are not using Akismet but are using WordPress comments, I suggest installing the latest Akismet right away. You can use the service for free if you run a personal non-commercial site, but it is worth a small donation each month in my opinion.

Ways to keep your site safe from this exploit:

  • Have Akismet installed and active for comment management, OR
  • Temporarily disable comments on your blog using the Disable Comments plugin, OR
  • Require approval for comments and do not approve any comments until a fix is released

Just last week, a different security hole was uncovered which affected numerous plugins. It arose due to a vagueness in the documentation for two WordPress core functions which were used by those plugins. It was assumed that the functions were sanitizing data passed in, but they were not. More information about this issue and the coordinated response which ensued can be found on WP Tavern or Sucuri’s blog. Fixes for this issue were pushed out using the automatic security updates feature of WordPress which began with version 3.7. If you are on this version or later and have not disabled them, your site should have auto-updated last week. Check your site’s dashboard if you’re not sure.


Security Recommendations

The 3 biggest things you can to to keep your site safe and secure are:

  1. Keep WordPress core and plugins up to date (an ounce of prevention)
  2. Employ security measures on your site
  3. Do regular backups (in case the security fails)

Every web site should be implementing security measures of some sort. iThemes Security is a great all-around handy security plugin. It comes in free or Pro versions and has not only security measures, but also encourages good security practices (like avoiding the ‘admin’ username and using strong passwords). I like the flexibility of the many options, although I’ll admit it can be intimidating the first time you set it up. iThemes Security has recently incorporated brute protect features (also included in JetPack now) and now also does malware scanning. Sucuri also has a great security plugin which includes security measures as well as malware scanning. Many sites use the 2 of these plugins together.

Of course, something can always go wrong. Be it an actual malware incident or something else entirely and that’s when reliable backups are your friend. There are many plugins out there as well as¬†backup service (such as VaultPress). My personal favorite is Backup Buddy (because it’s a breeze to use) and I own the Gold lifetime subscription. If you are looking for a free solution, check out Duplicator or UpdraftPlus.

What do you think?