What you need to know about the latest exploit found
Ways to keep your site safe from this exploit:
- Have Akismet installed and active for comment management, OR
- Temporarily disable comments on your blog using the Disable Comments plugin, OR
- Require approval for comments and do not approve any comments until a fix is released
Just last week, a different security hole was uncovered which affected numerous plugins. It arose from vague documentation for two WordPress core functions used by those plugins. Plugin authors assumed those functions were sanitizing the data passed in, but they were not. More information about this issue and the coordinated response which ensued can be found on WP Tavern or Sucuri’s blog. Fixes for this issue were pushed out using the automatic security updates feature of WordPress, introduced in version 3.7. If you are on this version or later and have not disabled automatic updates, your site should have auto-updated last week. Check your site’s dashboard if you’re not sure.
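To make that cause concrete, here is an added illustration (not code from this post, nor from WordPress core or any plugin): a hypothetical helper whose documentation never promised to sanitize, the plugin pattern that assumed it did, and the hardened form that escapes at the point of output with WordPress's esc_attr(). The names build_link, render_link_unsafe and render_link_safe are assumptions, and the small shim only exists so the file runs outside WordPress.

```php
<?php
// Added illustration of the bug class described above: a plugin echoes the
// return value of a helper it assumed would sanitize input. Names are hypothetical.

// Stand-alone shim so this runs outside WordPress; inside WordPress the real
// esc_attr() is used. Assumption: esc_attr() escapes quotes, <, > and &.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Hypothetical core-style helper with vague docs: it merges a query parameter
// into a URL and does NOT sanitize anything.
function build_link($base, $key, $value) {
    return $base . '?' . $key . '=' . $value;
}

// Vulnerable pattern: trusting the helper's output and echoing it unescaped.
function render_link_unsafe($value) {
    return '<a href="' . build_link('/page', 'q', $value) . '">link</a>';
}

// Hardened pattern: escape at output regardless of what the helper did or
// what its documentation implies.
function render_link_safe($value) {
    return '<a href="' . esc_attr(build_link('/page', 'q', $value)) . '">link</a>';
}

// Constructed sample input, shaped like a value a visitor could submit.
$sample = '"><b>injected</b>';

// The unsafe version lets the input close the href attribute and add markup;
// the safe version keeps the whole value inside the attribute.
echo render_link_unsafe($sample), PHP_EOL;
echo render_link_safe($sample), PHP_EOL;
```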
The 3 biggest things you can do to keep your site safe and secure are:
- Keep WordPress core and plugins up to date (an ounce of prevention)
- Employ security measures on your site
- Do regular backups (in case the security fails)
Every web site should be implementing security measures of some sort. iThemes Security is a great all-around handy security plugin. It comes in free or Pro versions and not only provides security measures, but also encourages good security practices (like avoiding the ‘admin’ username and using strong passwords). I like the flexibility of the many options, although I’ll admit it can be intimidating the first time you set it up. iThemes Security has recently incorporated brute-force protection features (also included in Jetpack now) and now also does malware scanning. Sucuri also has a great security plugin which includes security measures as well as malware scanning. Many sites use these two plugins together.
Of course, something can always go wrong. Whether it’s an actual malware incident or something else entirely, that’s when reliable backups are your friend. There are many plugins out there as well as backup services (such as VaultPress). My personal favorite is BackupBuddy (because it’s a breeze to use) and I own the Gold lifetime subscription. If you are looking for a free solution, check out Duplicator or UpdraftPlus.