The WordPress Twilight Zone…
It has been a really busy month for WordPress and WordPress users. It’s enough to freak a person out.
But don’t. I know how out of control you can feel when you rely on technology to take care of itself, and it’s been doing a really good job of it until BAM it’s not.
You know that saying, “A little information is a dangerous thing?”
March 11th: the WordPress SEO by Yoast vulnerability
The news spread fast, and regular blogging folks like you and me were really worried. So worried, in fact, that WordPress decided to push the update themselves. Which meant your WordPress SEO updated itself automatically before you even knew what was happening.
That was awesome, only that “little information” made people even more sure it was a “huge problem” and I even heard people dissing WP SEO. Say it isn’t so!
Here’s how the vulnerability worked:
…an outside hacker can’t trigger this vulnerability itself because the flaw actually resides in the ‘admin/class-bulk-editor-list-table.php’ file, which is authorized to be accessed by WordPress Admin, Editor or Author privileged users only. Therefore, in order to successfully exploit this vulnerability, it is required to trigger the exploit from authorized users only. This can be achieved with the help of social engineering, where an attacker can trick an authorized user to click on a specially crafted payload exploitable URL. (Hacker News)
In English? Basically the only person who could exploit this vulnerability was someone who was already an Admin, Editor or Author. Or one of those users who was tricked into clicking a link that did the hacker’s work for them. And even so, no one would have had time. They found it so fast, it was as if it never happened.
April 20th: a dozen vulnerable plugins
You can pretty much bet you were using one of the plugins on this list: Jetpack, WordPress SEO, All-in-one SEO, Ninja Forms, Google Analytics, you name it, it was probably on the list.
This was another really weird thing. Plugin developers get their information on how WordPress code works from what is called the WordPress Codex. If you have ever Googled a WordPress problem and wound up on a WordPress.org page, you were in the Codex.
The Codex is a great place if you understand code. It’s a scary place if you don’t.
Here’s the skinny. Code changes, which is a really good thing. Because the more code stays the same, the easier it is for hackers to figure out how to exploit it.
A few months back, the WordPress Codex was updated and changed a bit of code. The code fixed a possible open door. The problem was that developers had copied the old example code from the Codex into their plugins, so those plugins still contained the old bit of code.
A hacker would have to know about this vulnerability to use this vulnerability. But since WordPress was notified immediately, once again they pushed an update. Most of you had your plugins updated before you even realized what was going on.
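Here is what that “old bit of code” looked like in practice, as an added example that is not from the post or from any of the plugins named above. The problem function was add_query_arg(), which builds a link out of the current page address; printing its result without esc_url() lets whatever is in the address land in the page. The plugin name and function names are made up for illustration.

```php
<?php
// Added example (not code from the post or from any real plugin).
// Illustrates the pattern behind the April 2015 mass plugin update:
// add_query_arg() with no URL argument builds its result from the
// current request URL, so anything a visitor puts in the address bar
// comes back out in the returned string. If that string is printed
// straight into HTML, the page can be altered by whoever crafted the
// address. Escaping with esc_url() closes that door.

// Hypothetical admin screen for an imaginary plugin, "Example Widgets".
function example_widgets_settings_link_before() {
    // BEFORE: the old Codex pattern copied into many plugins.
    // The URL is printed into an href without any escaping.
    $url = add_query_arg( array( 'tab' => 'settings' ) );
    echo '<a href="' . $url . '">Settings</a>';
}

function example_widgets_settings_link_after() {
    // AFTER: the pattern the Codex was changed to recommend.
    // esc_url() neutralises quotes and angle brackets, so the value
    // can only ever be a URL inside the attribute, never new HTML.
    $url = add_query_arg( array( 'tab' => 'settings' ) );
    echo '<a href="' . esc_url( $url ) . '">Settings</a>';
}

// Same rule when the URL is used in a redirect instead of a link:
// wp_safe_redirect() also refuses to send visitors off to other hosts.
function example_widgets_redirect_after_save() {
    $url = add_query_arg( array( 'tab' => 'settings', 'saved' => '1' ) );
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}
```

If you maintain a plugin, searching its files for add_query_arg and remove_query_arg calls that are echoed without esc_url() is the quick way to check whether you are still carrying the old pattern.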
April 27th: zero-day vulnerability in WordPress
So, today. WordPress 4.2.1 was released to repair a vulnerability which allowed commenters to inject code that could take over a web server. Pretty scary. But the thing is, it’s WordPress’s job to keep you safe. And once again, they were on it.
In the course of the update, it also scanned for any malicious looking comments and removed those. So once again, you’re all good.
WordPress has got your back.
I’m a pretty big proponent of WordPress, as you have probably figured out. The truth is, as with computers, WordPress doesn’t make mistakes, users do. I know, harsh. Don’t throw anything at me *she says cowering* I’ve caused the white screen of death many times in my WordPress existence. Truth be told? It was never WordPress’s fault.
The people who work for Automattic (WordPress) are obsessed, really obsessed with WordPress. Many WordPress users are obsessed with WordPress and hang out in the WordPress forum just so that if you have a question, they can answer it. For free. No one will ever let something slip in undetected, because all day long they eat, think and breathe WordPress.
WordPress vulnerabilities are going to happen. Hackers suck, and they aren’t going to stop trying to steal your stuff.
Don’t panic. I know it’s been crazy. But instead of thinking of the crazy as bad, think of the crazy as good. (That should be my motto.) The fact that it’s been one update after another means that everyone out there is looking out for YOU. Me too. I’m looking out for you too. Shoot me a line, day or night if you’ve got a question.